CloudBees Compliance v1.46.1

Released: April 17, 2025

Installation notes

The following installation notes help explain changes across versions:

New environment variable for finding notifications

A new environment variable CH_FINDINGS_NOTIFY_SINCE has been added to Compliance Engine to define the start date for notification triggers.

Terraform
  • Added GitHub App & enterprise-related secrets to the ui-webapp-service.

  • Database migrations have been added for external-connector-service.

  • In Tempo, incomplete multipart upload deletion has been changed from 2 days to 90 days.

Upgrade notes

Perform the following steps when upgrading your installation to the latest release:

Terraform

Apply the following infra modules:

  • secret-infra

    • Updates secret names to rename scc-scanner service to plugin-scc service.

    • Creates new secrets for the external-connector-service database.

  • base-infra

    • Updates the Tempo S3 bucket data retention.

  • eks-infra

    • Updates the EBS CSI driver and kube-proxy add-ons.

      EKS 1.31 is now supported as optional.

Helm
  • A new environment variable CH_FINDINGS_NOTIFY_SINCE has been added to Compliance Engine to define the start date for notification triggers. Add this environment variable to complianceEngine.envVars in values-<env>.yaml:

    - name: CH_FINDINGS_NOTIFY_SINCE
      value: "2025-04-10T01:00:00.000Z"
  • To standardize plugin names, scc-scanner has been renamed plugin-scc.

    1. In values-<env>.yaml, replace the following:

      ############################################################################################################
      # scc-scanner
      ############################################################################################################
      sccScanner:
        enabled: true
        name: "scc-scanner"
        imageTag: "imbrium/scc-scanner:cbc-release-1.45.0"

      with the following:

      ############################################################################################################
      # plugin-scc
      ############################################################################################################
      pluginScc:
        enabled: true
        pluginType: "go"
        name: "plugin-scc"
        imageTag: "imbrium/plugin-scc:cbc-release-1.46.1"
    2. Add the environment variable CH_AUTHSERVICE_INTERNAL_BASEURL to pluginScc.envVars in values-<env>.yaml:

      envVars:
        - name: CH_AUTHSERVICE_INTERNAL_BASEURL
          value: http://ui-auth-service.{{ $.Release.Namespace }}.svc.cluster.local:5001
  • Add a database for external-connector-service:

    1. Add rdsCertVolume: true to externalConnectorService.

    2. external-connector-service connects to its database at mariadb.internal.<domain>. Add the following to the whitelist to allow egress to that host from external-connector-service:

      - "./mariadb.internal.<domain>"
    3. Add the following values for external-connector-service in values-<env>.yaml:

      dbMigration:
        name: "external-connector-service-migrate"
        imageTag: "imbrium/external-connector-service-migrate:cbc-release-1.46.1"
        database: ch_external_connector_service
  • ui-webapp-service requires access to GitHub to obtain group and project lists, so you need to whitelist github.com, enabling egress to github.com from ui-webapp-service. Add the following to uiWebappService.sidecar.hosts in values-<env>.yaml:

    - "./*.github.com"
    - "./github.com"
  • To enable plugin-qualys-was, add the following to values-<env>.yaml:

    ############################################################################################################
    # plugin-qualys-was
    ############################################################################################################
    pluginQualysWas:
      enabled: true
      pluginType: "go"
      name: "plugin-qualys-was"
      imageTag: "imbrium/plugin-qualys-was:cbc-release-1.46.1"
      imagePullPolicy: Always
      replicas: 1
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      autoscaling:
        enabled: false
        minReplicas: 2
        maxReplicas: 4
        targetCPUUtilizationPercentage: 60
        targetMemoryUtilizationPercentage: 70
      resources:
        limits:
          memory: 128Mi
        requests:
          cpu: 30m
          memory: 128Mi
      emptyDir:
        sizeLimit: 10Gi
      service:
        type: NodePort
        name: grpc-service
        port: 5001
      sidecar:
        enabled: false
  • To enable swagger-service, add the following to values-<env>.yaml:

    ############################################################################################################
    # swagger-service
    ############################################################################################################
    swaggerService:
      enabled: yes
      pluginType: "go"
      name: "swagger-service"
      imageTag: "imbrium/swagger-service:cbc-release-1.46.1"
      imagePullPolicy: Always
      replicas: 1
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      resources:
        limits:
          memory: 128Mi
        requests:
          cpu: 30m
          memory: 128Mi
      emptyDir:
        sizeLimit: 10Gi
      service:
        type: NodePort
        name: grpc-service
        port: 5001
      sidecar:
        enabled: true
  • To enable Tempo traces in Loki logs:

    1. Add the following to loki.datasource in env-values/loki-stack/values-default.yaml:

      jsonData: |
        derivedFields:
          - datasourceName: Tempo
            datasourceUid: Tempo
            matcherRegex: '"TraceID":\s*"([a-f0-9]+)"'
            name: TraceID
            url: $${__value.raw}
            urlDisplayLabel: 'View Trace'
    2. Add the following to grafana.datasources.datasources.yaml.datasources in env-values/loki-stack/values-default.yaml:

              jsonData:
                tracesToLogsV2:
                  datasourceUid: 'loki'
                  spanStartTimeShift: '-1h'
                  spanEndTimeShift: '1h'
                  tags: [{ key: 'service.name', value: 'app' }]
                  filterByTraceID: true
                  filterBySpanID: false
    3. Set the Tempo trace data retention period to 60 days (1440 hours) by replacing the following in env-values/tempo/values-<env>.yaml:

      compactor:
        compaction:
          compaction_cycle: 30m
          block_retention: 1440h

      With:

      retention: 1440h
  • Upgrade the nginx-ingress controller to v1.12.1 to mitigate CVE-2025-1974 by updating the following keys in env-values/internal-nginx-ingress/values-<env>.yaml and env-values/nginx-ingress/values-<env>.yaml:

    1. controller:

      controller:
        name: controller
        image:
          ## Keep false as default for now!
          chroot: false
          # registry: registry.k8s.io
          image: ingress-nginx/controller
          ## for backwards compatibility consider setting the full image url via the repository value below
          ## repository:
          tag: "v1.12.1"
          digest: sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
          digestChroot: sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
          pullPolicy: IfNotPresent
          runAsNonRoot: true
          # -- This value must not be changed using the official image.
          # uid=101(www-data) gid=82(www-data) groups=82(www-data)
          runAsUser: 101
          # -- This value must not be changed using the official image.
          # uid=101(www-data) gid=82(www-data) groups=82(www-data)
          runAsGroup: 82
          allowPrivilegeEscalation: true
          seccompProfile:
            type: RuntimeDefault
          readOnlyRootFilesystem: false
    2. patch:

      patch:
        enabled: true
        image:
          # registry: registry.k8s.io
          image: ingress-nginx/kube-webhook-certgen
          ## for backwards compatibility consider setting the full image url via the repository value below
          ## repository:
          tag: v1.5.2
          digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
          pullPolicy: IfNotPresent
        # -- Provide a priority class name to the webhook patching job
        ##
        priorityClassName: ""
        podAnnotations: {}
        nodeSelector:
          kubernetes.io/os: linux
        tolerations: []
        # -- Labels to be added to patch job resources
        # labels: {}
        labels:
          sidecar.istio.io/inject: "false"
        securityContext:
          runAsNonRoot: true
          runAsUser: 2000
          fsGroup: 2000
        # -- Admission webhook patch job RBAC
        rbac:
          # -- Create RBAC or not
          create: true
        # -- Admission webhook patch job service account
        serviceAccount:
          # -- Create a service account or not
          create: true
          # -- Custom service account name
          name: ""
          # -- Auto-mount service account token or not
          automountServiceAccountToken: true
    3. createSecretJob and patchWebhookJob:

      createSecretJob:
        name: create
        # -- Security context for secret creation containers
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          runAsGroup: 65532
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true

      patchWebhookJob:
        name: patch
        # -- Security context for webhook patch containers
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          runAsGroup: 65532
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
    4. For configmap, update the following:

      strict-validate-path-type: "false"
  • Increase memory limit for org-service to 512Mi by updating the following in env-values/cloudbees-compliance/values-<env>.yaml for orgService resources:

    resources:
      limits:
        memory: 512Mi
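The Loki datasource step in the Helm upgrade notes above tells Grafana to link log lines to Tempo through the matcherRegex it configures. The Python script below is an added illustration, not part of these release notes or of the CloudBees product: it applies that regex to a few constructed JSON log lines, builds the link Grafana would attach, and reports TraceID values the regex rejects (the character class only accepts lower-case hex, so a service that emits upper-case IDs gets no link). The sample lines, the assumption that the escaped $${__value.raw} reaches Grafana as ${__value.raw}, and the dict layout are choices made for the example.

```python
"""Added example, not part of the CloudBees release notes: applies the
derivedFields matcherRegex from the Loki datasource step to constructed
log lines to show which lines get a "View Trace" link and which do not."""
import re

# Values copied from the loki.datasource step.
MATCHER_REGEX = r'"TraceID":\s*"([a-f0-9]+)"'
FIELD_NAME = "TraceID"
URL_DISPLAY_LABEL = "View Trace"
# Assumption: the escaped $${__value.raw} in the values file reaches Grafana
# as ${__value.raw}, which Grafana replaces with the regex's first capture group.
URL_TEMPLATE = "${__value.raw}"

TRACE_RE = re.compile(MATCHER_REGEX)
# Looser pattern used only to spot TraceID values the strict regex rejects.
ANY_TRACE_RE = re.compile(r'"TraceID":\s*"([^"]*)"')

# Constructed sample log lines, not output of any CloudBees service.
SAMPLE_LOGS = [
    '{"level":"info","msg":"request done","TraceID":"4bf92f3577b34da6a3ce929d0e0e4736"}',
    '{"level":"info","msg":"no trace context on this line"}',
    '{"level":"warn","msg":"id emitted upper-case","TraceID":"4BF92F3577B34DA6A3CE929D0E0E4736"}',
    '{"level":"info","msg":"whitespace after colon","TraceID":   "00f067aa0ba902b7"}',
]


def apply_derived_field(line):
    """Return the link Grafana would attach to this line, or None when the
    matcherRegex does not match (in which case no link is shown at all)."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    trace_id = m.group(1)
    return {
        "name": FIELD_NAME,
        "value": trace_id,
        "label": URL_DISPLAY_LABEL,
        "url": URL_TEMPLATE.replace("${__value.raw}", trace_id),
    }


def unlinked_trace_ids(lines):
    """TraceID values present in the log but rejected by the matcherRegex;
    those lines silently get no Tempo link. [a-f0-9]+ accepts only lower-case
    hex, so upper-case IDs are the usual cause."""
    missed = []
    for line in lines:
        if TRACE_RE.search(line) is None:
            m = ANY_TRACE_RE.search(line)
            if m:
                missed.append(m.group(1))
    return missed


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(apply_derived_field(line))
    print("trace IDs without a link:", unlinked_trace_ids(SAMPLE_LOGS))
```

Running the script over a sample of real log output before rolling the datasource change out is a cheap way to confirm the regex matches the ID format your services actually emit.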
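The CVE-2025-1974 step in the Helm upgrade notes above lists the exact controller tag, the image digests and the configmap setting expected after the upgrade. The Python script below is an added example, not taken from the release notes or from any CloudBees tooling: it scans a values-<env>.yaml excerpt for those values and reports every mismatch, so the upgrade can be verified in both nginx-ingress values files before `helm upgrade` is run. It uses line-based regular expressions rather than a YAML parser so it needs no extra packages; the two excerpts are constructed (the admissionWebhooks nesting follows the upstream ingress-nginx chart, and the stale excerpt's tag and digest are placeholders).

```python
"""Added example, not part of the CloudBees release notes: preflight check
that a values-<env>.yaml excerpt carries the nginx-ingress v1.12.1 images,
digests and configmap setting named in the upgrade step."""
import re

# Expected tags and digests, copied from the upgrade step.
EXPECTED_IMAGES = {
    "ingress-nginx/controller": {
        "tag": "v1.12.1",
        "digest": "sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b",
    },
    "ingress-nginx/kube-webhook-certgen": {
        "tag": "v1.5.2",
        "digest": "sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea",
    },
}
# Configmap key the upgrade step says to set.
EXPECTED_CONFIG = {"strict-validate-path-type": "false"}

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*(.*?)\s*$")


def scan_values(values_text):
    """Line-by-line walk: an `image: ingress-nginx/...` line opens a scope and
    the `tag:`/`digest:` lines after it belong to that image until the next
    image line. Returns (images, config)."""
    images, config, current = {}, {}, None
    for raw in values_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # comment line
        m = KEY_RE.match(raw)
        if not m:
            continue
        key = m.group(1)
        val = re.split(r"\s+#", m.group(2), maxsplit=1)[0].strip("\"'")  # drop inline comment, quotes
        if key == "image" and val.startswith("ingress-nginx/"):
            current = val
            images.setdefault(current, {})
        elif key in ("tag", "digest") and current:
            images[current][key] = val
        elif key in EXPECTED_CONFIG:
            config[key] = val
    return images, config


def check_values(values_text):
    """Return a list of findings; an empty list means the excerpt matches."""
    images, config = scan_values(values_text)
    findings = []
    for image, want in EXPECTED_IMAGES.items():
        got = images.get(image)
        if got is None:
            findings.append(f"{image}: image not found")
            continue
        for field, expected in want.items():
            if got.get(field) != expected:
                findings.append(f"{image}: {field} is {got.get(field)!r}, expected {expected!r}")
    for key, expected in EXPECTED_CONFIG.items():
        if config.get(key) != expected:
            findings.append(f"config {key}: is {config.get(key)!r}, expected {expected!r}")
    return findings


# Constructed excerpt that matches the upgrade step.
UPGRADED_VALUES = """\
controller:
  name: controller
  image:
    chroot: false
    image: ingress-nginx/controller
    tag: "v1.12.1"
    digest: sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
    digestChroot: sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
  config:
    strict-validate-path-type: "false"
  admissionWebhooks:
    patch:
      enabled: true
      image:
        image: ingress-nginx/kube-webhook-certgen
        tag: v1.5.2
        digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
"""

# Constructed stale excerpt: older tag, placeholder digest, configmap key absent.
STALE_VALUES = """\
controller:
  image:
    image: ingress-nginx/controller
    tag: "v1.11.0"  # constructed older tag
    digest: sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder
  admissionWebhooks:
    patch:
      image:
        image: ingress-nginx/kube-webhook-certgen
        tag: v1.5.2
        digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
"""

if __name__ == "__main__":
    for label, text in (("upgraded", UPGRADED_VALUES), ("stale", STALE_VALUES)):
        print(label, check_values(text) or "OK")
```

Point `check_values` at the contents of env-values/internal-nginx-ingress/values-<env>.yaml and env-values/nginx-ingress/values-<env>.yaml in turn; the check is deliberately strict on the digest as well as the tag, so a values file that pins the right tag but still carries an old digest is flagged.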