Export
Exporting configurations
The plugin supports exporting existing configurations as YAML.
This is a feature available to the Jenkins administrators under the http://[your_jenkins_url]/configuration-as-code/
URL.
Export feature is NOT intended to offer a directly usable jenkins.yaml configuration. It can be used for inspiration writing your own production-ready YAML, but be aware that export can be partial, or fail for some components.
Security notice
Jenkins configuration may include various sensitive information, including, but not limited to, credentials, secrets, administrative information about the instance and user personal data. The Configuration-as-Code plugin tracks secrets and represents them safely in the exported YAMLs, but it cannot prevent secrets from being exported in all cases. Ultimately, it is a responsibility of Jenkins administrators to ensure that the generated YAML files do not include sensitive information.
See more information about the masking logic below.
Data to be exported
Currently the plugin does not have a way to define which data should be exported. The following data is exported:
- System configuration under the Manage Jenkins link (global configurations, descriptor configurations, etc.)
- Agent configurations
- Views
- Credentials
Jobs and users are NOT exported by the plugin.
Secret masking
What will be masked:
- All hudson.util.Secret attributes
are exported in the encrypted form
- Encrypted form is readable only on the same instance, and hence the encrypted form cannot be restored from the file on other instances (see this article)
- Credential and secret definitions which use
hudson.util.Secret
internally. All plugins are expected to do so (documentation)
What will NOT be masked:
- Free-form fields like view and agent descriptions.
If they contain sensitive information, it will be exported.
- NOTE: Depending on the permission setup these items may be configured by non-admin users, Jenkins admins should keep it in mind while exporting configurations
- Plugins which do not use
hudson.util.Secret
for handling secret data. For example, unfixed plugins in this advisory are likely subject to this issue