CloudBees Compliance v1.46.1

Released: April 17, 2025

Installation notes

The following installation notes help explain changes across versions:

New environment variable for finding notifications

A new environment variable CH_FINDINGS_NOTIFY_SINCE has been added to Compliance Engine to define the start date for notification triggers.

Terraform

  • Added GitHub App & enterprise-related secrets to the ui-webapp-service.

  • Database Migrations has been added for external-connector-service.

  • In Tempo, incomplete multipart upload deletion has been changed from 2 days to 90 days.

Upgrade notes

Perform the following steps when upgrading your installation to the latest release:

Terraform

Apply the following infra modules:

  • secret-infra

    • Updates secret names to rename scc-scanner service to plugin-scc service.

    • Creates new secrets for the external-connector-service database.

  • base-infra

    • Updates the Tempo S3 bucket data retention.

  • eks-infra

    • Updates the EBS CSI driver, and kube-proxy add-ons.

      EKS 1.31 is now supported as optional.
Helm

  • A new environment variable CH_FINDINGS_NOTIFY_SINCE has been added to Compliance Engine to define the start date for notification triggers. Add this environment variable to complianceEngine.envVars in values-<env>.yaml:

          - name: CH_FINDINGS_NOTIFY_SINCE
        value: "2025-04-10T01:00:00.000Z"

  • To standardize plugin names, scc-scanner has been renamed plugin-scc.

    1. In values-env.yaml, replace the following:

      ############################################################################################################
# scc-scanner
############################################################################################################

    sccScanner:
      enabled: true
      name: "scc-scanner"
      imageTag: "imbrium/scc-scanner:cbc-release-1.45.0"

      with the following:

      ############################################################################################################
# plugin-scc
############################################################################################################

    pluginScc:
      enabled: true
      pluginType: "go"
      name: "plugin-scc"
      imageTag: "imbrium/plugin-scc:cbc-release-1.46.1"

    2. Add the environment variable CH_AUTHSERVICE_INTERNAL_BASEURL to pluginScc.envVars in values-<env>.yaml:

            envVars:
      - name: CH_AUTHSERVICE_INTERNAL_BASEURL
        value: http://ui-auth-service.{{ $.Release.Namespace }}.svc.cluster.local:5001

  • Add a database for external-connector-service:

    1. Add rdsCertVolume: true to externalConnectorService.

    2. external-connector-service requires access to mariadb.internal.<domain> for database access. Add the following to the whitelist to allow egress to the domain from external-connector-service:

              - "./mariadb.internal.<domain>"

    3. Add the following values for external-connector-service- in `values-<env>.yaml:

            dbMigration:
        name: "external-connector-service-migrate"
        imageTag: "imbrium/external-connector-service-migrate:cbc-release-1.46.1"
        database: ch_external_connector_service

  • ui-webapp-service requires requires access to GitHub to obtain groups and projects lists, so you need to whitelist github.com, enabling egress to github.com from ui-webapp-service. Add the following to uiWebappService.sidecar.hosts in values-<env>.yaml:

            - "./*.github.com"
        - "./github.com"

  • To enable plugin-qualys-was, add the following to values-<env>.yaml:

    ############################################################################################################
# plugin-qualys-was
############################################################################################################

    pluginQualysWas:
      enabled: true
      pluginType: "go"
      name: "plugin-qualys-was"
      imageTag: "imbrium/plugin-qualys-was:cbc-release-1.46.1"
      imagePullPolicy: Always
      replicas: 1

      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0

      autoscaling:
        enabled: false
        minReplicas: 2
        maxReplicas: 4
        targetCPUUtilizationPercentage: 60
        targetMemoryUtilizationPercentage: 70

      resources:
        limits:
          memory: 128Mi
        requests:
          cpu: 30m
          memory: 128Mi

      emptyDir:
        sizeLimit: 10Gi

      service:
        type: NodePort
        name: grpc-service
        port: 5001

      sidecar:
        enabled: false

  • To enable swagger-service, add the following to values-<env>.yaml:

    ############################################################################################################
# swagger-service
############################################################################################################

    swaggerService:
      enabled: yes
      pluginType: "go"
      name: "swagger-service"
      imageTag: "imbrium/swagger-service:cbc-release-1.46.1"
      imagePullPolicy: Always
      replicas: 1

      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0

      resources:
        limits:
          memory: 128Mi
        requests:
          cpu: 30m
          memory: 128Mi

      emptyDir:
        sizeLimit: 10Gi

      service:
        type: NodePort
        name: grpc-service
        port: 5001

      sidecar:
        enabled: true

  • To enable Tempo traces in Loki logs:

    1. Add the following to loki.datasource in env-values/loki-stack/values-default.yaml:

            jsonData: |
        derivedFields:
          - datasourceName: Tempo
            datasourceUid: Tempo
            matcherRegex: '"TraceID":\s*"([a-f0-9]+)"'
            name: TraceID
            url: $${__value.raw}
            urlDisplayLabel: 'View Trace'

    2. Add the following to grafana.datasources.datasources.yaml.datasources in env-values/loki-stack/values-default.yaml:

              jsonData:
          tracesToLogsV2:
            datasourceUid: 'loki'
            spanStartTimeShift: '-1h'
            spanEndTimeShift: '1h'
            tags: [{ key: 'service.name', value: 'app' }]
            filterByTraceID: true
            filterBySpanID: false

    3. Set Tempo trade data-retention period to 60 days (1440 hours), by replacing the following in env-values/tempo/values-<env>.yaml:

        compactor:
    compaction:
      compaction_cycle: 30m
      block_retention: 1440h

      With:

        retention: 1440h

  • Upgrade nginx-ingress controller to v1.12.1 to mitigate CVE-2025-1974, by upgrading the following keys in env-values/internal-nginx-ingress/values-<env>.yaml and env-values/nginx-ingress/values-<env>.yaml:

    1. controller:

      controller:
  name: controller
  image:
    ## Keep false as default for now!
    chroot: false
    # registry: registry.k8s.io
    image: ingress-nginx/controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## repository:
    tag: "v1.12.1"
    digest: sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
    digestChroot: sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
    pullPolicy: IfNotPresent
    runAsNonRoot: true
    # -- This value must not be changed using the official image.
    # uid=101(www-data) gid=82(www-data) groups=82(www-data)
    runAsUser: 101
    # -- This value must not be changed using the official image.
    # uid=101(www-data) gid=82(www-data) groups=82(www-data)
    runAsGroup: 82
    allowPrivilegeEscalation: true
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: false

    2. patch:

          patch:
      enabled: true
      image:
        # registry: registry.k8s.io
        image: ingress-nginx/kube-webhook-certgen
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## repository:
        tag: v1.5.2
        digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
        pullPolicy: IfNotPresent
      # -- Provide a priority class name to the webhook patching job
      ##
      priorityClassName: ""
      podAnnotations: {}
      nodeSelector:
        kubernetes.io/os: linux
      tolerations: []
      # -- Labels to be added to patch job resources
      # labels: {}
      labels:
        sidecar.istio.io/inject: "false"
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        fsGroup: 2000
      # -- Admission webhook patch job RBAC
      rbac:
        # -- Create RBAC or not
        create: true
      # -- Admission webhook patch job service account
      serviceAccount:
        # -- Create a service account or not
        create: true
        # -- Custom service account name
        name: ""
        # -- Auto-mount service account token or not
        automountServiceAccountToken: true

    3. createSecretJob:

         createSecretJob:
      name: create
      # -- Security context for secret creation containers
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
---
    patchWebhookJob:
      name: patch
      # -- Security context for webhook patch containers
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true

    4. For configmap, update the following:

      strict-validate-path-type: "false"

  • Increase memory limit for org-service to 512Mi by updating the following in env-values/cloudbees-compliance/values-<env>.yaml for orgService resources:

          resources:
        limits:
          memory: 512Mi