CloudBees Compliance v1.50.0

Released: June 16, 2025

Upgrade notes

Perform the following steps when upgrading your installation to the latest release:

cbc-release-1.50.0.zip is provided with this release. It contains example.tfvars, secrets-example.tfvars, and other .tf files with variable definitions and default values.

It also includes values-example.yaml for app-deploy, along with the latest infra-setup.sh, app-deploy.sh, and a new Python script to generate the CloudFormation template for CasC (configuration as code) functionality.

.tfvars and helm values-env.yaml have been simplified in this release, and must be compared to the examples provided in the release bundle .zip file. Changes have been noted below for information.

Terraform
  • EKS version 1.31 is now the default supported version. eks_node_kuberneters_version must be set to 1.31, or commented out to use the default 1.31.

    EKS 1.32 support has been added as EXPERIMENTAL.
  • The following terraform variables are no longer required in tfvars, and are no longer in the example files:

    gh_oauth_app_client_id
    gh_oauth_app_client_secret
    AUTH_PROVIDER
    AUTH0_API_CLIENT_ID
    AUTH0_API_CLIENT_SECRET
    AUTH0_CLIENT_ID
    AUTH0_CLIENT_SECRET
    AUTH0_DOMAIN
    AUTH0_ORG_DEFAULT_ENABLED_CONNECTIONS
    AUTH0_SYSTEM_ADMIN_ROLE
    AUTH0_SECRET
    API_TOKEN_SECRE
    CH_JAVA_TRUSTSTORE_PWD
    ORG_INVITATIONS_DISABLED
    CH_ACTIONS_QUERIES_VERSION
    FMS_JIRA_SLA_FIELD
    FMS_JIRA_HOSTNAME
    scope_check_enabled
  • For Jira webhook content encryption, a new secret is required for the ui-ticket-service. Add WEBHOOK_ENCRYPTION_KEY to secrets.tfvars:

    WEBHOOK_ENCRYPTION_KEY = "<32 char random value>"
  • The following infra modules must be applied:

    • eks-infra

      • Upgrades the EKS cluster from 1.30 to 1.31.

    • iam-infra

    • secret-infra

      • Removes unused secrets, and adds new secrets.
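
A pre-upgrade check for the Terraform changes above, as an added example that is not part of the CloudBees release bundle: it scans tfvars text for the removed variables, the EKS version setting, and a 32-character WEBHOOK_ENCRYPTION_KEY. The function names, the sample files, and the alphanumeric key alphabet are assumptions; the variable names are copied as printed in the list above.

```python
import re
import secrets
import string

# Names copied verbatim from the "no longer required" list in these release notes.
REMOVED = """gh_oauth_app_client_id gh_oauth_app_client_secret AUTH_PROVIDER
AUTH0_API_CLIENT_ID AUTH0_API_CLIENT_SECRET AUTH0_CLIENT_ID AUTH0_CLIENT_SECRET
AUTH0_DOMAIN AUTH0_ORG_DEFAULT_ENABLED_CONNECTIONS AUTH0_SYSTEM_ADMIN_ROLE
AUTH0_SECRET API_TOKEN_SECRE CH_JAVA_TRUSTSTORE_PWD ORG_INVITATIONS_DISABLED
CH_ACTIONS_QUERIES_VERSION FMS_JIRA_SLA_FIELD FMS_JIRA_HOSTNAME scope_check_enabled""".split()

# Matches `name = "quoted"` or `name = bare`; commented-out lines never match.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|([^\s#]+))')

def parse_tfvars(text):
    """Return {name: value} for simple scalar assignments in a .tfvars file."""
    matches = (ASSIGN.match(line) for line in text.splitlines())
    return {m[1]: m[2] if m[2] is not None else m[3] for m in matches if m}

def new_webhook_key():
    """32 characters from the OS CSPRNG (assumes alphanumerics are accepted)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(32))

def check_upgrade(tfvars_text, secrets_text):
    """List what still has to change before applying the 1.50.0 infra modules."""
    tfvars, secs = parse_tfvars(tfvars_text), parse_tfvars(secrets_text)
    findings = [f"remove {n}: no longer required" for n in REMOVED if n in tfvars or n in secs]
    version = tfvars.get("eks_node_kuberneters_version")
    if version == "1.32":
        findings.append("EKS 1.32 is experimental in this release")
    elif version not in (None, "1.31"):
        findings.append(f"eks_node_kuberneters_version is {version}; set 1.31 or comment it out")
    key = secs.get("WEBHOOK_ENCRYPTION_KEY")
    if key is None:
        findings.append("add WEBHOOK_ENCRYPTION_KEY to secrets.tfvars")
    elif len(key) != 32:
        findings.append("WEBHOOK_ENCRYPTION_KEY must be 32 characters")
    return findings

# Constructed sample files, not taken from the release bundle.
SAMPLE_TFVARS = 'eks_node_kuberneters_version = "1.30"\nAUTH_PROVIDER = "auth0"\n# FMS_JIRA_HOSTNAME = "x"\n'
SAMPLE_SECRETS = 'AUTH0_SECRET = "constructed"\nWEBHOOK_ENCRYPTION_KEY = "<32 char random value>"\n'

if __name__ == "__main__":
    for finding in check_upgrade(SAMPLE_TFVARS, SAMPLE_SECRETS):
        print("FAIL", finding)
```

The unedited placeholder from the example file fails the length check, so a copied secrets-example.tfvars is caught before secret-infra is applied.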

Helm

To enable the new TruffleHog plugin, add the following to the goPluginServices node of values-<env>.yaml:

plugin-trufflehog:
  enabled: true
  • Helm values-env.yaml structure has been simplified:

    • Two new variables simplify the setting of image tags for all services and plugins:

      global:
        project:
          imageRegistryUri: imbrium
          releaseVersion: cbc-release-<version>
    • Core and UI services are enabled by default in the Helm chart, so they no longer need to be explicitly enabled in the values file.

    • GoLang plugins are separated and grouped under goPluginServices.

    • Java plugins are separated and grouped under javaPluginServices.

    • imagePullPolicy has been changed to IfNotPresent, and set as default in the Helm chart. Images are now only pulled when they are required. To change it back to Always, change the following:

      global: apps: default: imagePullPolicy: Always dbMigrationJobs: imagePullPolicy: Always
    • rdsCertVolume and s3Access enablement flags for individual services have been added to the default Helm values, so they do not need to be defined in the values file.

    • Services that require sidecars are enabled by default in the chart’s values file. Only client-specific domains must be added under sidecar.host; all common domains are already included in the Helm chart.

    • The values YAML has been reduced from 4300+ lines to 550.