CloudBees Compliance v1.50.0

Released: June 16, 2025

Upgrade notes

Perform the following steps when upgrading your installation to the latest release:

cbc-release-1.50.0.zip is provided with this release. It contains example.tfvars, secrets-example.tfvars, and other .tf files with variable definitions and default values.

It also includes values-example.yaml for app-deploy, along with the latest infra-setup.sh, app-deploy.sh, and a new python script to generate the CloudFormation template for CasC (configuration as code) functionality.

.tfvars and helm values-env.yaml have been simplified in this release, and must be compared to the examples provided in the release bundle .zip file. Changes have been noted below for information.

Terraform

  • EKS version 1.31 is now the default supported version. eks_node_kuberneters_version must be set to 1.31, or commented out to use the default 1.31.

    EKS 1.32 support has been added as EXPERIMENTAL.

  • The following terraform variables are no longer required in tfvars, and are no longer in the example files:

    gh_oauth_app_client_id
gh_oauth_app_client_secret
AUTH_PROVIDER
AUTH0_API_CLIENT_ID
AUTH0_API_CLIENT_SECRET
AUTH0_CLIENT_ID
AUTH0_CLIENT_SECRET
AUTH0_DOMAIN
AUTH0_ORG_DEFAULT_ENABLED_CONNECTIONS
AUTH0_SYSTEM_ADMIN_ROLE
AUTH0_SECRET
API_TOKEN_SECRE
CH_JAVA_TRUSTSTORE_PWD
ORG_INVITATIONS_DISABLED
CH_ACTIONS_QUERIES_VERSION
FMS_JIRA_SLA_FIELD
FMS_JIRA_HOSTNAME
scope_check_enabled

  • For Jira webhook content encryption a new secret is required for the ui-ticket-service. Add WEBHOOK_ENCRYPTION_KEY to secrets.tfvars:

    WEBHOOK_ENCRYPTION_KEY = "<32 char random value>"

  • The following infra modules must be applied:

    • eks-infra

      • Upgrades the EKS cluster from 1.30 to 1.31.

    • iam-infra

    • secret-infra

      • Removes unused secrets, and adds new secrets.

Helm

To enable the new TruffleHog plugin, add the following to the goPluginServices node of values-<env>.yaml:

plugin-trufflehog:
  enabled: true

  • Helm values-env.yaml structure has been simplified:

    • Two new variables simplify the setting of image tags for all services and plugins:

      global:
  project:
    imageRegistryUri: imbrium
    releaseVersion: cbc-release-<version>

    • Core and UI services are enabled by default in the Helm chart, so they no longer need to be explicitly enabled in the values file.

    • GoLang plugins are separated and grouped under goPluginServices.

    • Java plugins are separated and grouped under javaPluginServices.

    • imagePullPolicy has been changed to IfNotPresent, and set as default in the Helm chart. Images are now only pulled when they are required. To change it back to Always, change the following:

      global:
  apps:
    default:
      imagePullPolicy: Always
      dbMigrationJobs:
        imagePullPolicy: Always

    • rdsCertVolume and s3Access enablement flags for individual services have been added to the default Helm values, so they do not need to be defined in the values file.

    • Services that require sidecars are enabled by default in the chart’s values file. Only client-specific domains must be added under sidecar.host, all common domains are already included in the Helm chart.

    • The total lines for Values YAML has been reduced from 4300+ to 550.