Installation notes

The following installation notes help explain changes across versions:

- New environment variable for findings notifications
  - A new environment variable `CH_FINDINGS_NOTIFY_SINCE` has been added to Compliance Engine to define the start date for notification triggers.
- Terraform
  - Added GitHub App and enterprise-related secrets to the `ui-webapp-service`.
  - Database migrations have been added for `external-connector-service`.
  - In Tempo, incomplete multipart upload deletion has been changed from 2 days to 90 days.
Upgrade notes

Perform the following steps when upgrading your installation to the latest release:

- Terraform
  - Apply the following infra modules:
    - `secret-infra`
      - Updates secret names to rename the `scc-scanner` service to the `plugin-scc` service.
      - Creates new secrets for the `external-connector-service` database.
    - `base-infra`
      - Updates the Tempo S3 bucket data retention.
    - `eks-infra`
      - Updates the EBS CSI driver and `kube-proxy` add-ons. EKS 1.31 is now supported as optional.
- Helm
  - A new environment variable `CH_FINDINGS_NOTIFY_SINCE` has been added to Compliance Engine to define the start date for notification triggers. Add this environment variable to `complianceEngine.envVars` in `values-<env>.yaml`:

    ```yaml
    - name: CH_FINDINGS_NOTIFY_SINCE
      value: "2025-04-10T01:00:00.000Z"
    ```

  - To standardize plugin names, `scc-scanner` has been renamed `plugin-scc`.
    - In `values-<env>.yaml`, replace the following:

      ```yaml
      ############################################################################################################
      # scc-scanner
      ############################################################################################################
      sccScanner:
        enabled: true
        name: "scc-scanner"
        imageTag: "imbrium/scc-scanner:cbc-release-1.45.0"
      ```

      with the following:

      ```yaml
      ############################################################################################################
      # plugin-scc
      ############################################################################################################
      pluginScc:
        enabled: true
        pluginType: "go"
        name: "plugin-scc"
        imageTag: "imbrium/plugin-scc:cbc-release-1.46.1"
      ```

    - Add the environment variable `CH_AUTHSERVICE_INTERNAL_BASEURL` to `pluginScc.envVars` in `values-<env>.yaml`:

      ```yaml
      envVars:
        - name: CH_AUTHSERVICE_INTERNAL_BASEURL
          value: http://ui-auth-service.{{ $.Release.Namespace }}.svc.cluster.local:5001
      ```

  - Add a database for `external-connector-service`:
    - Add `rdsCertVolume: true` to `externalConnectorService`.
    - `external-connector-service` requires access to `mariadb.internal.<domain>` for database access. Add the following to the whitelist to allow egress to the domain from `external-connector-service`:

      ```yaml
      - "./mariadb.internal.<domain>"
      ```

    - Add the following values for `external-connector-service` in `values-<env>.yaml`:

      ```yaml
      dbMigration:
        name: "external-connector-service-migrate"
        imageTag: "imbrium/external-connector-service-migrate:cbc-release-1.46.1"
        database: ch_external_connector_service
      ```

  - `ui-webapp-service` requires access to GitHub to obtain groups and projects lists, so you need to whitelist `github.com`, enabling egress to `github.com` from `ui-webapp-service`. Add the following to `uiWebappService.sidecar.hosts` in `values-<env>.yaml`:

    ```yaml
    - "./*.github.com"
    - "./github.com"
    ```

  - To enable `plugin-qualys-was`, add the following to `values-<env>.yaml`:

    ```yaml
    ############################################################################################################
    # plugin-qualys-was
    ############################################################################################################
    pluginQualysWas:
      enabled: true
      pluginType: "go"
      name: "plugin-qualys-was"
      imageTag: "imbrium/plugin-qualys-was:cbc-release-1.46.1"
      imagePullPolicy: Always
      replicas: 1
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      autoscaling:
        enabled: false
        minReplicas: 2
        maxReplicas: 4
        targetCPUUtilizationPercentage: 60
        targetMemoryUtilizationPercentage: 70
      resources:
        limits:
          memory: 128Mi
        requests:
          cpu: 30m
          memory: 128Mi
      emptyDir:
        sizeLimit: 10Gi
      service:
        type: NodePort
        name: grpc-service
        port: 5001
      sidecar:
        enabled: false
    ```

  - To enable `swagger-service`, add the following to `values-<env>.yaml`:

    ```yaml
    ############################################################################################################
    # swagger-service
    ############################################################################################################
    swaggerService:
      enabled: yes
      pluginType: "go"
      name: "swagger-service"
      imageTag: "imbrium/swagger-service:cbc-release-1.46.1"
      imagePullPolicy: Always
      replicas: 1
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      resources:
        limits:
          memory: 128Mi
        requests:
          cpu: 30m
          memory: 128Mi
      emptyDir:
        sizeLimit: 10Gi
      service:
        type: NodePort
        name: grpc-service
        port: 5001
      sidecar:
        enabled: true
    ```
  - To enable Tempo traces in Loki logs:
    - Add the following to `loki.datasource` in `env-values/loki-stack/values-default.yaml`:

      ```yaml
      jsonData: |
        derivedFields:
          - datasourceName: Tempo
            datasourceUid: Tempo
            matcherRegex: '"TraceID":\s*"([a-f0-9]+)"'
            name: TraceID
            url: $${__value.raw}
            urlDisplayLabel: 'View Trace'
      ```

    - Add the following to `grafana.datasources.datasources.yaml.datasources` in `env-values/loki-stack/values-default.yaml`:

      ```yaml
      jsonData:
        tracesToLogsV2:
          datasourceUid: 'loki'
          spanStartTimeShift: '-1h'
          spanEndTimeShift: '1h'
          tags: [{ key: 'service.name', value: 'app' }]
          filterByTraceID: true
          filterBySpanID: false
      ```

    - Set the Tempo trace data-retention period to 60 days (1440 hours) by replacing the following in `env-values/tempo/values-<env>.yaml`:

      ```yaml
      compactor:
        compaction:
          compaction_cycle: 30m
          block_retention: 1440h
      ```

      with:

      ```yaml
      retention: 1440h
      ```
  - Upgrade the `nginx-ingress` controller to v1.12.1 to mitigate CVE-2025-1974, by upgrading the following keys in `env-values/internal-nginx-ingress/values-<env>.yaml` and `env-values/nginx-ingress/values-<env>.yaml`:
    - `controller`:

      ```yaml
      controller:
        name: controller
        image:
          ## Keep false as default for now!
          chroot: false
          # registry: registry.k8s.io
          image: ingress-nginx/controller
          ## for backwards compatibility consider setting the full image url via the repository value below
          ## repository:
          tag: "v1.12.1"
          digest: sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
          digestChroot: sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
          pullPolicy: IfNotPresent
          runAsNonRoot: true
          # -- This value must not be changed using the official image.
          # uid=101(www-data) gid=82(www-data) groups=82(www-data)
          runAsUser: 101
          # -- This value must not be changed using the official image.
          # uid=101(www-data) gid=82(www-data) groups=82(www-data)
          runAsGroup: 82
          allowPrivilegeEscalation: true
          seccompProfile:
            type: RuntimeDefault
          readOnlyRootFilesystem: false
      ```

    - `patch`:

      ```yaml
      patch:
        enabled: true
        image:
          # registry: registry.k8s.io
          image: ingress-nginx/kube-webhook-certgen
          ## for backwards compatibility consider setting the full image url via the repository value below
          ## repository:
          tag: v1.5.2
          digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
          pullPolicy: IfNotPresent
        # -- Provide a priority class name to the webhook patching job
        ##
        priorityClassName: ""
        podAnnotations: {}
        nodeSelector:
          kubernetes.io/os: linux
        tolerations: []
        # -- Labels to be added to patch job resources
        # labels: {}
        labels:
          sidecar.istio.io/inject: "false"
        securityContext:
          runAsNonRoot: true
          runAsUser: 2000
          fsGroup: 2000
        # -- Admission webhook patch job RBAC
        rbac:
          # -- Create RBAC or not
          create: true
        # -- Admission webhook patch job service account
        serviceAccount:
          # -- Create a service account or not
          create: true
          # -- Custom service account name
          name: ""
          # -- Auto-mount service account token or not
          automountServiceAccountToken: true
      ```

    - `createSecretJob` and `patchWebhookJob`:

      ```yaml
      createSecretJob:
        name: create
        # -- Security context for secret creation containers
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          runAsGroup: 65532
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
      ```

      ```yaml
      patchWebhookJob:
        name: patch
        # -- Security context for webhook patch containers
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          runAsGroup: 65532
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
      ```

    - For `configmap`, update the following:

      ```yaml
      strict-validate-path-type: "false"
      ```
  - Increase the memory limit for `org-service` to 512Mi by updating the following in `env-values/cloudbees-compliance/values-<env>.yaml` for `orgService` `resources`:

    ```yaml
    resources:
      limits:
        memory: 512Mi
    ```
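The Loki derived field above only links log lines whose `TraceID` value matches `matcherRegex`. The following added example (not from the original notes or the product) runs that exact regex over a few constructed log lines so you can check which lines would get a "View Trace" link and which would be silently skipped; the sample lines and helper names are assumptions made for the example.

```python
import re

# The matcherRegex from the loki.datasource derivedFields entry, exactly as configured.
# Note: the provisioning YAML writes the url as $${__value.raw} because Grafana expands
# $VAR references in provisioning files and "$$" is its escape for a literal "$".
TRACE_ID_REGEX = re.compile(r'"TraceID":\s*"([a-f0-9]+)"')

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOGS = [
    '{"level":"info","msg":"scan finished","TraceID":"4bf92f3577b34da6a3ce929d0e0e4736"}',
    '{"level":"info","msg":"no trace on this line"}',
    '{"level":"warn","msg":"legacy logger","TraceID": "ABCDEF0123456789"}',
    '{"level":"debug","msg":"extra spaces are fine","TraceID":   "00ff00ff00ff00ff"}',
]


def extract_trace_ids(lines):
    """Return (line_index, trace_id) for every line the derived field would link."""
    found = []
    for i, line in enumerate(lines):
        m = TRACE_ID_REGEX.search(line)
        if m:
            found.append((i, m.group(1)))
    return found


def check_trace_id_coverage(lines):
    """Return indexes of lines that carry a TraceID key but would NOT get a Tempo link.

    The character class [a-f0-9] only accepts lowercase hex, so a logger that emits
    uppercase trace IDs produces lines with no link and no error anywhere.
    """
    missed = []
    for i, line in enumerate(lines):
        if '"TraceID"' in line and not TRACE_ID_REGEX.search(line):
            missed.append(i)
    return missed
```

If `check_trace_id_coverage` reports lines in your own logs, either normalise the trace ID casing in the logger or widen the regex before relying on the trace links during an investigation.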
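After the `nginx-ingress` upgrade step above, the rollout is only done once every controller deployment is actually running the patched image. This added example (not part of the original notes) checks a `kubectl get deploy -A -o json` style document for ingress-nginx controller containers below v1.12.1, or pinned to a digest other than the one the note gives; the sample deployment list, function names and the `imbrium/ui-webapp-service` image string are constructed for the example.

```python
import re

# Minimum controller version the upgrade note targets (fix for CVE-2025-1974).
MIN_VERSION = (1, 12, 1)
# Digest the note pins for the v1.12.1 controller image.
EXPECTED_DIGEST = "sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b"

# Splits "registry/ingress-nginx/controller:v1.12.1@sha256:..." into repo, tag and digest.
IMAGE_RE = re.compile(
    r"^(?P<repo>.*?ingress-nginx/controller)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_version(tag):
    """Turn 'v1.12.1' into (1, 12, 1); return None for tags that are not semver."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def find_outdated_controllers(deploy_list):
    """Return (namespace, deployment, image, reason) for each ingress-nginx controller
    container that is not provably at the patched version. Unparseable tags such as
    'latest' are flagged too, and so is a pinned digest that differs from the expected one."""
    findings = []
    for d in deploy_list["items"]:
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        for c in d["spec"]["template"]["spec"]["containers"]:
            m = IMAGE_RE.match(c["image"])
            if not m:
                continue  # not an ingress-nginx controller image
            ver = parse_version(m.group("tag"))
            if ver is None or ver < MIN_VERSION:
                findings.append((ns, name, c["image"], "version below v1.12.1 or unknown"))
            elif m.group("digest") and m.group("digest") != EXPECTED_DIGEST:
                findings.append((ns, name, c["image"], "digest differs from pinned value"))
    return findings


# Constructed sample resembling `kubectl get deploy -A -o json` output (not real cluster data).
SAMPLE_DEPLOYMENTS = {"items": [
    {"metadata": {"namespace": "nginx-ingress", "name": "nginx-ingress-controller"},
     "spec": {"template": {"spec": {"containers": [{"name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1@" + EXPECTED_DIGEST}]}}}},
    {"metadata": {"namespace": "internal-nginx-ingress", "name": "internal-nginx-ingress-controller"},
     "spec": {"template": {"spec": {"containers": [{"name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v1.11.2"}]}}}},
    {"metadata": {"namespace": "default", "name": "ui-webapp-service"},
     "spec": {"template": {"spec": {"containers": [{"name": "app",
        "image": "imbrium/ui-webapp-service:cbc-release-1.46.1"}]}}}},
]}
```

Run it against the real cluster by loading the JSON from `kubectl get deploy -A -o json` and passing it to `find_outdated_controllers`; an empty list means both ingress controllers named in the note are on the patched image.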