CloudBees CI on modern cloud platforms

Rolling release: 2019-10-29

Based on Jenkins LTS 2.190.2-cb-5

New features

Managed Masters in specific Kubernetes namespaces (CPLT2-5876)

The Helm chart now provides a way to set up a namespace to schedule masters only.

Affinity/anti-affinity rules (CPLT2-5756)

Define affinity/anti-affinity rules for Operations Center

  • Must be scheduled on a Linux node

  • Prefer running on a different node than masters

Hibernation in managed masters (CPLT2-5737)

A common issue in installations with many masters is "I have a cluster with a lot of masters that aren’t being used most of the time". For those cases, CloudBees offers the managed master hibernation feature, which helps you "turn off" idle or unused masters.

Managed master hibernation is available only in CloudBees Core on modern cloud platforms as a Preview feature.

A Preview feature:

  • Has not undergone end-to-end testing with CloudBees products

  • Is provided without service-level agreements (SLA) and therefore does not include CloudBees' commitment on functionality or performance

  • May impact other stable areas of the product when used

  • May have limited documentation

  • May not be feature complete during the Preview period

  • May graduate from preview state to fully supported or be removed from the product

  • May introduce incompatible, backward-breaking changes that could revoke the ability to upgrade

Added compatibility with JCasC to Secure Requester Whitelist Plugin (JENSEC-603)

Added compatibility with the Jenkins Configuration as Code Plugin to Secure Requester Whitelist Plugin

Master provisioning update to OpenShift 4.1 (CPLT2-5821)

Problem: Master Provisioning is not compatible with OpenShift 4.1

Fix: Upgrade kubernetes-client to 4.4.2 which is compatible with OpenShift 4.1

Resolved issues

Helm chart values not mapped to templates (CPLT2-5992)

Problem: Some fields shown as available in the values.yaml file of the Helm chart were actually unused.

The unused fields that do not require configuration have been removed. Some other fields, have been mapped to templates so that service account names can be customized.

Disable DNS multicast by default (CPLT2-6001)

Problem: Jenkins Autodiscovery was enabled by default on Operations Center and both generated useless noise and created potential security issues.

Jenkins Autodiscovery is now disabled by default (using the system property hudson.DNSMultiCast.disabled).

Use up-to-date memory options for the jvm (CPLT2-6004)

Problem: On startup, some deprecated JVM flags were used to control RAM usage.

To fix this, we’ve updated to use the new recommended option of -XX:MaxRAMPercentage=70.0.

Sidecar injector clears existing annotations (CPLT2-5990)

Problem: Annotations are being cleared when sidecar-injector is used.

To fix this, Injection has been configured to preserve existing Pod annotations.

Updateblue-ocean to 1.19.0 (NGPIPELINE-679, -646, -638)

Upgraded Blue Ocean Plugin from 1.18.1 to 1.19.0. Blue Ocean was unable to show the visualization for Pipelines when build causes for the Pipeline were null. With this fix, Blue Ocean now checks if build causes are null before attempting to access them.

When viewing the visualization for an in-progress Pipeline Build in Blue Ocean, it was not possible to select sequential stages inside of a parallel stages other than the first sequential stage to show the steps for that stage in the lower half of the visualization until the stage completed. With this fix, sequential stages inside of a parallel stage can now be selected, even when they are still in progress.

The Blue Ocean Pipeline visualization showed in-progress and completed stages as if they had not started in some cases, and did not show the correct status until after the build was completed. With this fix, the Blue Ocean Pipeline visualization correctly shows the status of in-progress and completed stages even while the build is ongoing.

Operations Center Security realm issue (CTR-600)

Upgraded CloudBees Jenkins Enterprise New User Experience from 1.2.22 to 1.2.24. When the authorization strategy on Operations Center was not RBAC (Role Based Access Control), Operation Center’s SSO (single sign-on) was not functioning properly, even when the user was granted access to the master. Instead, after creating a team, users were redirected to the Team Master login page. With this fix, Operations Center correctly propagates the security realm to the master even when RBAC is not the authorization strategy.

Publish github-branch-source 2.5.8 (NGPIPELINE-703)

Upgraded GitHub Branch Source Plugin from 2.5.6 to 2.5.8. Users were unable to override default webhook URLs to receive webhook events, for example, in cases where a Jenkins master is behind a firewall and there is a proxy service to receive webhook events or the Jenkins master is down and there is queuing service to collect webhook events to be delivered to Jenkins master when it comes back up. With this fix, users can now use the JVM property jenkins.hook.url to configure a webhook URL.

For instances where an invalid repository URL was entered, the error was not handled properly. With this fix, when an invalid repository URL is entered, an error is displayed in the UI.

Update Jackson API Plugin 2.9.10 (JENSEC-533)

Upgraded Jackson2 API Plugin from to 2.9.10. Previous releases of Jackson were vulnerable to numerous CVEs listed in which are fixed in this release.

Update Jira Plugin 3.0.10

Upgraded JIRA Plugin from 3.0.9 to 3.0.10. The previously provided version of the Jira plugin, 3.0.9, bundled Jackson 1.x in its dependencies making it vulnerable to CVE-2017-7525. This upgrade to Jira plugin version 3.0.10 excludes these Jackson libraries.

Fix Copy with Builds error (CTR-680)

Upgraded Operations Center Context Plugin from to jobs could not be moved/copied using the Move/Copy/Promote feature. With this fix, there is a new file (permalinks) inside the builds folder which is autogenerated by Jenkins core, and the Move/Copy operations are overwriting it now.

Pipelines with groovy scripts issues (CTR-712, CTR-512)

Upgraded Pipeline Event Step from 1.5 to 1.7. The JSON field that is present for all inherited classes of Cause "_class" was missing on BuildTriggerCause, which was an issue when using it with groovy code in Pipelines. With this fix, the field "_class" is now present again. When creating Pipelines with groovy scripts, JSON files that contained a null attribute would cause the build to fail, and an exception was fired, "org.kohsuke.stapler.export.NotExportableException: class net.sf.json.JSONNull doesn’t have @ExportedBean". With this fix, when creating Pipelines with groovy scripts, if the JSON file has a null value, Jenkins will remove the attribute from the JSON when exporting it.

Memory leak issue (NGPIPELINE-673)

Upgraded PubSub Light Plugin from 1.12 to 1.13. When used with the SSE Gateway Plugin, the PubSub “light” Bus Plugin was generating a memory leak. With this fix, the plugins no longer generate a memory leak.

Update Script Security Plugin to 1.66 (NGPIPELINE-745, -741)

Upgraded Script Security Plugin from 1.63 to 1.66. A cache used by the class loader for sandboxed Groovy scripts was cleared out every time the garbage collector ran. This clearing out could lead to performance issues for complex sandboxed scripts, particularly in environments where the garbage collector ran frequently, as it significantly reduced the effectiveness of the cache. The cache used by the class loader for sandboxed Groovy scripts is no longer cleared out by the garbage collector.

Memory leak issue (NGPIPELINE-674)

Upgraded SSE Gateway Plugin from 1.17 to 1.20. When used with the SSE Gateway Plugin, the PubSub “light” Bus Plugin was generating a memory leak. With this fix, the plugins no longer generate a memory leak.

SSH keys issue (JENSEC-639)

Upgraded SSH Credentials Plugin from 1.17.1 to 1.17.3. SSH keys saved as credentials without a new line at the end of the key caused errors with downstream consumers of the SSH keys. With this fix, SSH keys saved as credentials without a new line at the end of the key now work as expected.

Kubernetes thread leaks in Operations Center (CPLT2-6014)

Problem: If the managed master hibernation monitor service wasn’t present, the thread count in Operations Center grew steadily as the dashboard was viewed.

The fix is to stop creating additional threads when this condition exists.

getState broken by lack of permissions (CPLT2-5987)

Problem: Installing a new version of the Master Provisioning Kubernetes plugin (for example, via an updated CloudBees Jenkins Operations Center Docker image) without any accompanying role changes for that service caused Kubernetes permissions errors. These errors could interfere with the calculation of a manager master’s state.

To fix this, the system that watches for changes in the managed master hibernation service has been updated. Kubernetes permissions errors are still reported and logged, but they no longer break other functionality.

Incomplete copy constructors cause issues (CPLT2-5980)

Problem: Some fields in a globally configured PodTemplate were lost when applied to actual builds. This caused failures in AbstractYamlPodTemplateFilter, among other things.

To fix this, the PodTemplate copy constructor now includes all fields.

Templates feature needed to be updated (CPLT2-5978)

Problem: the Templates feature had not been updated to match recent Jenkins changes in item renaming: there was an old rename UI (editing Name in Configure) in addition to the new UI (Rename link); and renaming templates did not work (an error was thrown).

To fix this, the UI for renaming both templates and templatized jobs/folders was updated to the current Jenkins standards.

Include affinity rules in agents definition (CPLT2-5968)

Problem: Agents could wind up on the same nodes as masters and agents.

To fix this, agents now use anti-affinity rules with Operations Center and Masters to prefer assignment on different nodes.

Update to depend on kubernetes-client-api (CPLT2-5849)

Previously, we were packaging the kubernetes-client Java library with the master-provisioning plugin.

We’ve reconfigured to depend on the new kubernetes-client-api plugin that provides the library, and no longer package the kubernetes-client library.

OperationsCenter.JavaOpts does not work (CPLT2-5845)

Problem: The OperationsCenter.JavaOpts Helm chart parameter did not work, due to a mistake in the chart’s expansion.

We’ve fixed this by correcting the usage point of the parameter.

Pod-template CLI command out of date (CPLT2-5730)

Problem: Some of the new fields (showRawYaml, yamlMergeStrategy) that are available in new versions of the Kubernetes plugin are not exposed through the pod-template CLI command.

To fix this, we now expose these fields in the pod-template CLI command.

Known issues