CloudBees CI on modern cloud platforms 2.204.3.7

Rolling release: 2020-03-06

Based on Jenkins LTS 2.204.3-cb-9

Critical regression fixes in 2.204.3.7

The 2.204.3.7 release fixes some regressions found in release 2.204.3.4. Installing release 2.204.3.7 is highly recommended to avoid these issues.

If you are updating from version 2.204.3.4 and you applied the workarounds, remove any workarounds upon update.

New features

Introducing CloudBees Pipeline Policies as a Preview feature (CTR-767)

While administrators would like to enable their developers to use pipelines freely, they still may need to set some restrictions based on industry-specific regulatory compliance or general best practice principles. Pipeline Policies provide a central way to enforce best practices across pipeline projects. The plugin uses runtime validation that works for both scripted and declarative pipelines, allowing administrators to include warnings or block the execution of pipelines if policy rules are violated. This initial release of Pipeline Policies is aimed at helping users avoid antipatterns that can damage the stability of their masters.

This only affects installations that use the Pipeline Policies Plugin.

S3 Publisher Plugin included in the CloudBees Assurance Program (FNDJEN-1852)

The 'S3 Publisher plugin' is now included in the CloudBees Assurance Program to guarantee its quality and integration inside CloudBees products. This plugin applies to all masters in CloudBees Jenkins Enterprise, CloudBees Jenkins Distribution, and CloudBees Core. It does not apply to the Operations Center.

Feature enhancements

Telemetry

The CloudBees Analytics Plugin collects metrics for analysis to help CloudBees make decisions about future product direction. The collected data is used to evaluate patterns of usage of our products.

For details about what data is collected, see Data collection for the CloudBees Analytics Plugin.

Helm 3 is now supported (CPLT2-6146)

Helm 3 is now the recommended method to install CloudBees Core on modern cloud platforms. Installation via the CloudBees installer has been deprecated as of the release of CloudBees Core on modern cloud platforms 2.204.3.4.

OperationsCenter.HostName is now optional (CPLT2-5856)

In prior versions of CloudBees Core on modern cloud platforms, OperationsCenter.HostName was required when you installed CloudBees Core using Helm.

Starting with CloudBees Core on modern cloud platforms version 2.204.3.4, OperationsCenter.HostName is optional. If you omit it, CloudBees Core on modern cloud platforms creates Ingresses with wildcard hostnames and can be accessed through any hostname.

Support for authenticating with a remote GKE cluster (CPLT2-5818)

This enhancement provides support for Google service account credentials when connecting to remote Kubernetes clusters running on GKE.

Optional support for Kubernetes Pod Security Policies (CPLT2-6112)

Kubernetes Pod Security Policies can now be enabled by providing --set PodSecurityPolicy.Enabled=true when installing or upgrading the Helm chart.

Note that this enhancement conflicts with Kaniko setup because Kaniko requires root access.

SSD is now the default on AKS (CPLT2-6182)

When using OperationsCenter.Platform=aks, the storage class now defaults automatically to managed-premium in order to leverage solid state drives (SSDs).

Resolved issues

rbac.installCluster=false still produces cluster level resources (CPLT2-6200)

The option rbac.installCluster=false was not working as expected and cluster-wide resources were still generated.

This issue has been corrected so that when using rbac.installCluster=false, no cluster-wide resource is generated, as expected.
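One way to confirm this before applying a release to a cluster is to scan the rendered manifests for cluster-scoped kinds. The following is an added example, not CloudBees code: it assumes the output of helm template (rendered with rbac.installCluster=false) is passed in as text, and the function names, the kind list and the sample manifest are constructed for illustration.

```python
import re

# Kinds the Kubernetes API serves at cluster scope (never namespaced).
CLUSTER_SCOPED = {
    "ClusterRole", "ClusterRoleBinding", "PodSecurityPolicy", "StorageClass",
    "Namespace", "CustomResourceDefinition", "PersistentVolume", "PriorityClass",
    "ValidatingWebhookConfiguration", "MutatingWebhookConfiguration",
}

def _meta_name(doc):
    """Return metadata.name: the 'name' key at the first indent level under metadata."""
    meta = re.search(r"(?ms)^metadata:[ \t]*\n(.*?)(?=^\S|\Z)", doc)
    if not meta:
        return "<unnamed>"
    indent = re.match(r"[ \t]*", meta.group(1)).group(0)
    name = re.search(rf"(?m)^{indent}name:[ \t]*(\S+)", meta.group(1))
    return name.group(1).strip("\"'") if name else "<unnamed>"

def cluster_scoped_resources(rendered):
    """List (kind, name) for every cluster-scoped object in rendered manifests."""
    found = []
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        kind = re.search(r"(?m)^kind:[ \t]*(\S+)", doc)
        if kind and kind.group(1).strip("\"'") in CLUSTER_SCOPED:
            found.append((kind.group(1).strip("\"'"), _meta_name(doc)))
    return sorted(found)

# Constructed sample: a render in which cluster-level RBAC leaks through.
LEAKY = """\
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    name: not-the-object-name
  name: example-cluster-role
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-binding
"""

if __name__ == "__main__":
    for kind, name in cluster_scoped_resources(LEAKY):
        print(f"cluster-scoped resource rendered: {kind}/{name}")
```

An empty result means the render contains only namespaced objects, which is what a namespace-restricted installer account should be asked to create.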

Kubernetes agent UI overlap (CPLT2-6185)

When using pod templates with a dynamic label, the generated name is long and overflows the widget.

This has been corrected so that the extra text now wraps to the next line.

Explicitly specify Ingress class to avoid warning on GKE (CPLT2-5898)

On GKE, warnings were displayed about defined ingresses.

To prevent these warnings, specify an Ingress class explicitly so that the GKE Ingress controller does not pick them up.

Generate routes when specifying OperationsCenter.Platform=openshift/openshift4 (CPLT2-6208)

When using helm template targeting OpenShift, Ingresses are generated instead of Routes. The reason is that, since 2.204.1.3, the chart relies on Capabilities instead of OperationsCenter.Platform to determine whether the target is OpenShift or Kubernetes.

In addition to Capabilities, which can be specified in the helm template command (--api-versions route.openshift.io/v1), the generation will honor OperationsCenter.Platform=openshift to generate Routes. This is the same behavior as before 2.204.1.3.

YAML parse error on cloudbees-core/templates/extra-configmap.yaml (CPLT2-6198)

The extra-configmap.yaml suffered a rendering problem when a label was not specified.

The rendering of extra-configmap.yaml is now correct whether a label is provided or not.

Readiness and liveness probes (CPLT2-5622)

Kubernetes resources for Operations Center and Managed Masters defined “liveness probes”, which would ask a controller to restart the pod if it stopped responding to basic web requests, but no “readiness probes” to determine when a pod was up and running. This lapse would cause misleadingly positive statuses from Kubernetes tools for Jenkins-based pods that had actually just started their containers. It also prevented use of the native Ingress system on GKE.

Readiness probes were added for both Operations Center and Managed Masters. It is possible to customize the timeouts if a pod is known to take an unusually long time to start under normal conditions.

Clean up use of profiles in CloudBees Core WAR files (CPLT2-6017)

Operations Center and Managed Master WARs for CloudBees Core on modern cloud platforms defined supposedly optional profiles for Kubernetes functionality, but then unconditionally enabled these profiles. Also, the Setup Wizard offered the option of installing a number of plugins that were actually installed unconditionally.

These profiles were removed, simplifying the plugin list and removing misleading options in the Setup Wizard.

Managed Masters in folders do not hibernate (CPLT2-6077)

Managed Masters in Operations Center, such as Team Masters, would not hibernate correctly.

This issue has been resolved in this release.

Form submissions were limited to 200,000 characters (JENKINS-60409)

This issue affected version 2.204.3.4, and is fixed in 2.204.3.7.

Users were unable to submit large forms to Jenkins. This issue resulted in users being unable to make system configuration changes or replay pipelines, for example.

If you applied the workaround, it should be removed upon update.

Deadlock between CJOC connection and Global Configuration save (CTR-1136)

If a master was connected to Operations Center while its global configuration was being saved via the web interface, the master-to-Operations Center communication thread and the HTTP request thread would deadlock. This deadlock would result in a master that could not communicate with Operations Center and eventually, if more global configuration saves were performed, a master that was unresponsive to HTTP(S) requests.

The code has been updated to make the locking order consistent in both approaches, removing this deadlock.

This only affects installations that use the Operations Center Client Plugin.

The default Browsers role should grant View/Read (CTR-669)

Users who were assigned only the default Browsers role were unable to see all views, such as the pull requests tab of a GitHub multibranch project.

With this fix, users who are assigned the default Browsers role will now be granted the View/Read permission.

This only affects installations that use the CloudBees Role-Based Access Control Plugin.

RBAC group configured on View disappears after editing the View (CTR-1029)

When an RBAC group configured on a View was modified, the group configuration was removed.

With this fix, the RBAC group related to the View remains after the View is modified.

This only affects installations that use the CloudBees Role-Based Access Control Plugin.

Finish adding logging on SFTP with infradna-backup plugin (CTR-1042)

There was not enough information on job logging when using SFTP backup. With this fix, meaningful information has been added.

This only affects installations that use the CloudBees Backup Plugin.

Checkpoint step prints a warning (NGPIPELINE-676)

Using the checkpoint step in a Pipeline incorrectly caused the following warning to be written to the build log: "expected to call WorkflowScript.checkpoint but wound up catching suspend?; see: https://www.jenkins.io/redirect/pipeline-cps-method-mismatches/".

A warning is no longer displayed when using the checkpoint step.

This only affects installations that use the CloudBees Pipeline: Groovy Checkpoint Plugin.

Performance improvement of Display URL API plugin (NGPIPELINE-970,586)

The Display URL API plugin adds environment variables to builds containing the URL of the build in Jenkins. In order to compute the value of these variables, the plugin previously needed to load a large number of classes for each build, which could lead to performance issues. With this fix, the plugin no longer needs to perform significant class loading when contributing environment variables to builds.

This only affects installations that use the Display URL API plugin.

Blue Ocean View failed in IE and Edge (NGPIPELINE-955)

Opening the Blue Ocean View with a Microsoft Edge or Internet Explorer browser failed. With this fix, the packaging of the Server Sent Events (SSE) Gateway Plugin no longer causes the Blue Ocean View to fail in IE and Microsoft Edge browsers.

This only affects installations that use the Server Sent Events (SSE) Gateway Plugin.

Known issues

None.

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees ended support for the CloudBees VMware Pool Autoscaling Plugin on April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

End of life announcement

As of July 1, 2020, CloudBees will no longer support Alpine container images. Red Hat Universal Base Image (UBI) images will be the standard going forward.

For information about UBI, see the Red Hat documentation.

The decision to move from Alpine to UBI was made because OpenJDK no longer supports Alpine. CloudBees has been building and maintaining these images. However, CloudBees is aware of DNS issues with some Kubernetes clusters that stem from the Alpine base using musl libc libraries, as well as other binary differences between musl libc and the standard C libraries.

Customers moving from Alpine to UBI container images should not see any impact from this change and should not need to migrate data.

This affects CloudBees Core on modern platforms only. CloudBees will continue to release Alpine images for CloudBees Jenkins Enterprise 1.x customers who have purchased extended support.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

Revisions

Revision 3 (2020-03-19)

Plugin updates

Revision 2 (2020-03-09)

CloudBees Security Advisory 2020-03-09