This page provides important notices about releases that may affect your upgrade efforts to the newest CloudBees CD/RO release.
Upgrade notes
The following upgrade notes affect this release:
- End of support for PostgreSQL 14
-
End of support for PostgreSQL 14 in the future releases. Please plan to upgrade your database before you upgrade CloudBees CD/RO.
- PostgreSQL 14 reaches end of life in CDRO version 2026.09
-
Starting with release 2026.06, CloudBees CD/RO no longer supports MySQL version 8.0 and PostgreSQL version 13 as system databases. PostgreSQL version 14 remains supported in this release but will no longer be supported as a system database in a future CloudBees CD/RO release. Plan to upgrade your database to a supported PostgreSQL version above 14 before upgrading CD/RO to a future release to ensure a supported upgrade path.
- Gateway API configuration now uses TLSRoute
-
The cloudbees-flow Helm chart now uses
TLSRouteby default for the built-in Flow Server (8443), STOMP (61613), and Flow Repository (8200) services instead ofTCPRoute. This change enables CloudBees CD/RO deployments to use only the Gateway API Standard-channel CRDs and allows multiple deployments to share a single LoadBalancer IP and port through SNI-based routing, while preserving end-to-end TLS termination at the backend pods. Before upgrading, update Gateway listeners for these ports to useprotocol: TLSwithtls.mode: Passthrough, verify that your Gateway API controller supportsTLSRoute, and ensure clients connect using hostnames that send SNI information. Customers who prefer to continue usingTCPRoutecan explicitly opt out through Helm chart configuration; however,TCPRouterequires the Gateway API Experimental-channel CRDs. Kubernetes version 1.31 or later is recommended for the Standard-channel TLSRoute v1 CRD.For more information refer How to configure Kubernetes Gateway API.
- Upgraded CloudBees Analytics OpenSearch to version 3.6.0
-
CloudBees Analytics OpenSearch is now upgraded to version 3.6.0. This upgrade provides the latest OpenSearch enhancements, bug fixes, performance improvements, and security updates, helping ensure a more stable and secure analytics platform.
- Ingress-nginx subchart deprecated
-
Starting in March 2026, the upstream
ingress-nginx controllerreached end of support and no longer receives security updates. As a result, thecloudbees-flowHelm chart no longer enables the bundledingress-nginx controllerby default. Existing deployments that rely on the previous default behavior may lose external ingress connectivity after upgrading unless they explicitly enable the bundled controller or configure an alternative ingress or Gateway API implementation.Action required: Before upgrading, determine whether your deployment depends on the chart’s default ingress-nginx configuration. If so, choose one of the following migration options:
-
Migrate to Gateway API by enabling
gatewayApi. For more information refer How to configure Kubernetes Gateway API. -
Explicitly retain the bundled controller by setting
ingress-nginx.enabled: true(temporary option). -
Use your own ingress controller by enabling ingress and configuring the appropriate IngressClass.
However, the bundled
ingress-nginxsub chart is available in CloudBees CD/RO release 2026.06.0 for compatibility but, it will deprecated in future releases. Plan to migrate to a separately managed ingress controller or a Gateway API implementation before upgrading to a future release.
-
- Upgrade kubectl argo rollout to version 1.9.0
-
The kubectl argo rollout plugin is upgraded to version 1.9.0.
- Upgrade Apache Zookeeper to version 3.9.5
-
Apache Zookeeper version is upgraded from version 3.9.4 to version 3.9.5.
- Upgraded Jetty to the latest secure version
-
CloudBees CD/RO now ships with an upgraded, security-patched version of Jetty. The REST API now strictly enforces the Content-Type: application/json header on requests that carry a JSON body. Clients that previously sent JSON payloads without this header will receive an error and must be updated to include:
Content-Type: application/json
Action required: Jenkins integrations If your Jenkins instance integrates with CloudBees CD/RO via the CloudBees CD plugin, upgrade the plugin to version 1.42 or later from the Jenkins plugin marketplace. Older plugin versions do not set the required Content-Type header and will fail to communicate with CD/RO after this upgrade.
- Updated underscore.js to version 1.13.8 to address security vulnerabilities
-
Updated the
Underscore.jsdependency to version 1.13.8 across all frontend modules to address known security vulnerabilities and ensure consistent dependency versions throughout the frontend codebase.
Installation notes
The following information is a running list of installation notes intended to help understand changes across versions:
- CloudBees Software Delivery Automation Helm charts are deprecated
- Remove support for EOL platforms
-
You must upgrade to a supported platform prior to upgrading to v2025.03.0 or later. If you upgrade to v2025.03.03 or later, and your operating system is not supported, CloudBees CD/RO will not behave as expected and the local agent will not run. Additionally, if you do upgrade to v2025.03.0, and your operating system is not supported, to fix related issues, you must:
-
Downgrade to your previous version.
-
Update to a supported operating system.
-
Upgrade to v2025.03.0 or later again.
-
- DOIS service will be removed in CloudBees CD/RO Helm chart
- EC-Artifact v2.0.0 is not bundled with this release
-
EC-Artifact v2.0.0 is not compatible with CloudBees CD/RO v2024.12 or earlier. Attempting to install it on an unsupported release will result in a failure that displays an
Unsupported versionerror message.
- Upgrading EC-SendEmail may be required prior to upgrade
- EC-SendEmail upgrade to v1.2.0
- Support for
nginx-ingresswill be deprecated from CloudBees CD/RO Helm charts in upcoming release
- Plugins that use SSL/TLS certificate validation must be updated
- When upgrading to v2023.12.0 on Kubernetes, new Analytics server certificates are required
- Remove support for Perl v5.8 from CloudBees CD/RO
- Kubernetes boundAgent images removed from Helm charts
- Unmatched DSL entries are by default treated as properties
- Kerberos keytabs management will be discontinued
- Behavior to update lists of Global Personas has changed
- ec-jruby and ec-jython wrappers deprecated
- Potential backward incompatibility
- CGI module and support removed
- Duplicate applications warning
- Apache ZooKeeper required update
- Legacy services applications and container entities
- Legacy webhook triggers
CloudBees CD/RO server installation binaries are signed for traditional installations so that you can verify their origin and authenticity. Verifying binaries is an optional step in the installation process that can help prevent a man-in-the-middle attack. For more information, refer to Verify installation binaries.
- Upgrading gateway agents
-
All gateway agents that meet the following criteria must be updated to CloudBees CD/RO v10.2+:
-
Your enterprise implements a multi-zone environment.
-
Agent versions are a combination of pre-v10.2 and v10.2+.
-
The access route to a v10.2+ agent is configured through a pre-v10.2 gateway agent.
-
- Configuring autostart services for Linux installations
-
Linux installations that you perform as a non-root user or without
sudopermissions cannot automatically start the CloudBees CD/RO server, web server, repository server, or agents. Instead, you must set up the service autostart after installation is complete. Refer to Configure autostart for non-root/non-sudo Linux installations to learn more.
- Upgrading your CloudBees CD/RO environment
-
Before starting an upgrade, make sure to back up your existing CloudBees CD/RO data. - Upgradable versions
-
Upgrades to CloudBees CD/RO 10.x are supported only from ElectricCommander 5.0. For upgrade instructions, refer to the Upgrade on traditional platforms.
- Updating the MySQL configuration before upgrading
-
Since release 8.0.1, CloudBees has instructed customers using a MySQL database to add the following two lines to their MySQL configuration:
init_connect='SET collation_connection = utf8_unicode_ci, NAMES utf8' skip-character-set-client-handshake
Before upgrading CloudBees CD/RO, you must remove these lines or comment them out. Otherwise, jobs will not start.
- Ensuring the correct default MySQL default collation
-
Make sure that the default collation for the MySQL database schema is set to
utf8_unicode_ciorutf8_general_ciand that no table in the schema overrides this setting. The CloudBees CD/RO server checks this configuration on startup and logs errors in the server log if it is not set correctly.If the collation is not configured correctly, entering non-ASCII text into CloudBees CD/RO can cause errors. For example, setting a release name to a non-ASCII value, and attempting a search, causes an exception.
If your MySQL database schema, or any tables within, are set to a non-UTF-8 collation order, refer to the Knowledge Base article KBEC-00385 - Converting a MySQL Database From Latin-1 to UTF-8 for detailed instructions about safely converting your schema to UTF-8. [NMB-26521, NMB-27459]
- Upgrading agents that run the
ec-groovyjob step in multizone deployments -
In multizone CloudBees CD/RO deployments, CloudBees CD/RO agents that are in a different zone than the CloudBees CD/RO server must be upgraded to version 9.0 or later for the
ec-groovyjob step to run successfully on those agents. You must also upgrade the gateway agents that lead back to the server’s zone, including those in any zones in between the agent’s zone and the server’s zone. [NMB-27490]For details about multiple zones and gateway agents, refer to Zones and gateways.
- Removing the
SSL 2.0 Client HelloorSSLv2Helloprotocol from your security configurations -
CloudBees recommends removing the
SSL 2.0 Client HelloorSSLv2Helloprotocol from your security configurations for all components. [NMB-27934, NMB-29326]-
Upgrade agents to the latest operating system version for security reasons.
-
If this warning appears on the Automation Platform UI:
Note: We recommend removing `SSL 2.0 Client Hello` format from server configuration and upgrade older agents as indicated on the Cloud/Resources Page to avoid security risk.then enter the following command on the CloudBees CD/RO server:
$ ecconfigure --serverTLSEnabledProtocol=TLSv1.2
-
- Upgrading the CloudBees Analytics server
-
This section provides information about upgrading the CloudBees Analytics server.
-
It is not possible to upgrade CloudBees Analytics v9.0.1 and below to CloudBees Analytics v10.2.0 and above. The installer exits with an error and an appropriate message when such an update is attempted. If you need to upgrade CloudBees Analytics v9.0.1 and below, you must first upgrade to a version between 9.1.0 and 10.1.0, or 9.0.2 and above. After that, you can upgrade CloudBees Analytics to v10.3.0 or higher. [NMB-31030]
-
For previous CloudBees Analytics upgrades from v9.0.1 and below: CloudBees Analytics data may contain obsolete indexes that are incompatible with CloudBees Analytics v10.2.0 and above. To work correctly, it is necessary to re-index these indexes before an upgrade. The installer prompts you to do this before upgrading.
-
In console mode and UI mode, the installer displays the following prompt if outdated indexes are detected:
One or more Elasticsearch indexes were created in an obsolete version of Elasticsearch. These indexes must be re-indexed for the upgrade to be successful. Do you want to start the reindexation? [n/Y]After an affirmative answer, the installer automatically reindexes and continues the upgrade.
-
In silent mode, the installer reindexes automatically.
-
-
Backing up and restoring custom settings
The CloudBees Analytics installer overwrites the
elasticsearch.ymlconfiguration file with a new file. This file includes aCustom Settingssection, which lets you add Elasticsearch settings not managed by the CloudBees Analytics server without being lost during an upgrade. The installer preserves the settings in theCustom Settingssection. [NMB-25850] -
Upgrading CloudBees Analytics clusters
The principle of forming a cluster in CloudBees Analytics has changed in v10.2 due to the update of Elasticsearch v7.10.2. In this regard, an additional action is required to upgrade to CloudBees Analytics v10.2 or later:
When updating the first master node, you must explicitly specify that it is the first node to be updated. If this action is not performed, any cluster that is being updated is placed out of service.
All installers have been instrumented to accommodate this change. Refer to Upgrade the CloudBees Analytics server for more details. [BEE-2717]
-
CloudBees Analytics server configuration notes
For a production environment, CloudBees recommends that you install the CloudBees Analytics server on a system separate from systems running other CloudBees CD/RO components (such as the CloudBees CD/RO server, web server, repository server, or agent). If you must install it on the same system (such as for testing or other non-production or trial basis situations), refer to CloudBees Analytics server with other components for details.
If your CloudBees Analytics server is configured with multiple nodes in a Kubernetes environment, you must pre-generate your certificates. For more information, refer to Install CloudBees CD/RO within Kubernetes.
Configuration notes
The following information highlights important configuration notices from previous releases:
- Performing a full import
-
During a full import, the import operation might hang in the following scenarios. To import successfully into CloudBees CD/RO 8.0 and newer versions, perform the appropriate workarounds [CEV-15447, CEV-11873]:
-
A manual process step in a process has formal parameters. The workaround is to remove the entry related to the property sheet for the job step that is associated with the manual process step.
-
In the exported XML file from an earlier release, two pipelines are in different projects, and both pipelines have no gate tasks. The flow associated with the pipeline is duplicated under both projects. The workaround is to remove the flow element under the projects.
-
- Limitations
-
When an application is cloned from one project (the original project) to another (the destination project), the tier maps for the application point to the environments with the same names in the destination project. To deploy the application to the environments in the original project, you must first create tier maps connecting the application to those environments.