CloudBees Compliance v1.49.0

Released: May 15, 2025

Upgrade notes

Perform the following steps when upgrading your installation to the latest release:

Terraform
  • Apply secret-infra to remove the secrets for the retired ui-organisation-service.

Helm
  • Remove the following values from values-<env>.yaml for the retired ui-organisation-service:

    ############################################################################################################
    # ui-organisation-service
    ############################################################################################################
    uiOrganisationService:
      enabled: true
      name: "ui-organisation-service"
      imageTag: "imbrium/ui-organisation-service:cbc-release-1.48.0"
      imagePullPolicy: Always
      replicas: 1
      rdsCertVolume: true
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      autoscaling:
        enabled: false
        minReplicas: 2
        maxReplicas: 4
        targetCPUUtilizationPercentage: 80
      resources:
        limits:
          memory: 1639Mi
        requests:
          cpu: 100m
          memory: 600Mi
      emptyDir:
        sizeLimit: 10Gi
      service:
        type: NodePort
        name: http-service
        port: 5001
      dbMigration:
        name: "ui-organisation-service-migrate"
        imageTag: "imbrium/ui-organisation-service-migrate:cbc-release-1.48.0"
        database: "ch_ui"
      sidecar:
        enabled: true
        hosts:
          - "kube-system/kube-dns.kube-system.svc.cluster.local"
          - "./*.amazonaws.com"
          - "./aws.amazon.com"
          - "./*.keysight.com"
          - "./github.com"
          - "./*.github.com"
          - "./mariadb.internal.cbc.is.keysight.com"
          - "./*.{{ $.Release.Namespace }}.svc.cluster.local"
          - "./redis.internal.cbc.is.keysight.com"
          - "./*.service-now.com"
          - "./gitlab.com"
          - "./*.docker.io"
          - "./*.docker.com"
          - "./*.atlassian.net"
          - "./id.atlassian.com"
          - "./raw.githubusercontent.com"
      envVars:
        - name: CH_FINDINGS_ENABLED
          value: "true"

  • Increase the org-service memory limit to 600 MB:

    • In values-<env>.yaml, set orgService.resources.limits.memory to 600Mi:

      resources:
        limits:
          memory: 600Mi

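
A pre-deployment check for the two Helm edits above, as an added example that is not part of the CloudBees release notes or tooling: it confirms that the uiOrganisationService block is gone and that orgService.resources.limits.memory is 600Mi. The function names, the sample files and the 512Mi starting value are constructed for illustration, and the parser assumes maps indented by two spaces.

```shell
# Added example (not CloudBees code): check values-<env>.yaml after the 1.49.0 edits.
# Emit "dotted.path=value" for each map key, tracking nesting by 2-space indentation.
yaml_paths() {
  awk '
    /^[ ]*#/ || /^[ ]*$/ || /^[ ]*-/ { next }   # comments, blanks, list items
    {
      ind = $0; sub(/[^ ].*/, "", ind); depth = int(length(ind) / 2)
      line = substr($0, length(ind) + 1)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ ]*/, "", val)
      path[depth] = key; full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      print full "=" val
    }' "$1"
}

# Return 0 only if the retired block is gone and the org-service limit is 600Mi.
check_values() {
  paths=$(yaml_paths "$1"); rc=0
  if printf '%s\n' "$paths" | grep -q '^uiOrganisationService[.=]'; then
    echo "FAIL: uiOrganisationService block still present in $1"; rc=1
  fi
  mem=$(printf '%s\n' "$paths" | sed -n 's/^orgService\.resources\.limits\.memory=//p' | tr -d '"')
  if [ "$mem" != "600Mi" ]; then
    echo "FAIL: orgService.resources.limits.memory is '${mem:-unset}', expected 600Mi"; rc=1
  fi
  return "$rc"
}

# Constructed sample files (not real deployment values; 512Mi is an assumed old limit).
tmp=$(mktemp -d)
cat > "$tmp/before.yaml" <<'EOF'
uiOrganisationService:
  resources:
    limits:
      memory: 1639Mi
orgService:
  resources:
    limits:
      memory: 512Mi
EOF
cat > "$tmp/after.yaml" <<'EOF'
orgService:
  resources:
    limits:
      memory: 600Mi
EOF
check_values "$tmp/before.yaml" || echo "before.yaml: not ready for 1.49.0"
check_values "$tmp/after.yaml" && echo "after.yaml: OK"
```
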
New maintenance page functionality for upgrades

The new maintenance-page.sh script enables or disables access to the system during an upgrade.

When access is disabled, all requests to the system are routed to a maintenance page.

Graph database cleanups

Perform the following steps to clean deprecated data from the graph database:

  1. Add the following to app-deploy.sh:

    1. Add the following to MYSQL_HOST:

      NEO4J_HOST="neo4j.${ENV_NAME}.${PROJECT}.${ZONE}"
    2. Add the following to # Synchronising helm values to S3:

      ###############################################################################
      # Graph DB data clean up check
      ###############################################################################
      if [[ -z "$GRAPH_DB_CLEANUP" ]]; then
        echo "Variable is empty & setting as false"
        GRAPH_DB_CLEANUP="false"
      fi
    3. Update the following environment variables for kubectl run cbc-helmwave:

      {
        "name": "NEO4J_HOST",
        "value": "'"${NEO4J_HOST}"'"
      },
      {
        "name": "GRAPH_DB_CLEANUP",
        "value": "'"${GRAPH_DB_CLEANUP}"'"
      }

To execute the data cleanup:

  1. Export GRAPH_DB_CLEANUP as true:

    export GRAPH_DB_CLEANUP="true"
  2. Execute the app-deploy.sh script as normal (no changes are required to the execution command):

    bash app-deploy.sh \
      ${PROJECT} \
      ${ENV_NAME} \
      ${ZONE} \
      ${REGION} \
      ${DHUB_USER_NAME} \
      ${DHUB_PASSWORD} \
      ${DOCKERHUB_EMAIL} \
      ${CLUSTER_NAME}

GitHub App callback URLs

With the removal of ui-organisation-service, the callback URLs for GitHub and GitHub Enterprise Apps must be reconfigured.

This must be done for both cloud and enterprise GitHub Apps.

Configure the GitHub App for all environments with the new Callback URL and Setup URL:

  Callback URL: https://{hostname}/app/api/accounts/github/callback (1)
  Setup URL:    https://{hostname}/app/api/accounts/github/callback (1)

  (1) Replace {hostname} with your hostname.