New features

Shared agents/clouds over WebSocket (CPLT2-6090)

Shared agents, or clouds, required TCP port access to first Operations Center and then each connected master wishing to use the agent. This was particularly onerous for CloudBees Core on modern platforms, since it was necessary to manually open port 50000 mappings for each managed master by changing the Helm chart configuration for nginx-ingress.

CloudBees Core now supports using WebSocket transport to connect inbound agents, and this works as well for shared agents/clouds. Just select the WebSocket checkbox in agent/cloud configuration and ensure that the agent is launched with the -webSocket option. No special network configuration is needed, since the regular HTTP(S) port proxied by the CloudBees Core ingress is used for all communications.

Masters on multiple clouds

This feature allows users to run masters across cloud providers in support of multi-cloud strategies.

Masters on multiple Kubernetes clusters

This feature allows users to run Kubernetes from a main cluster which manages other Kubernetes clusters.

Kubernetes security hardening

This feature allows the product to take advantage of the Kubernetes Network Policy, which specifies how groups of pods are allowed to communicate with each other and other network endpoints. It limits what users can build by segmenting Operations Center and the masters. This has the added benefit of giving teams the ability to create team masters in separate namespaces.

Feature enhancements

Update Alpine Image to 3.11.5 (CPLT2-6390)

The CloudBees Alpine base image was updated from 3.10.x line to the 3.11.x line, which includes multiple updates and resolves security vulnerabilities.

Configuration to enable and disable the Segment events (FNDJEN-1817)

A new setting is available for disabling/enabling CloudBees-specific usage statistics gathering.

Users of the previous version of the CloudBees Analytics plugin who have turned off the Jenkins LTS setting will get the new setting turned off when upgrading.

Move security.xml to $JENKINS_HOME (CTR-1422)

The $JENKINS_HOME/jcasc-bundles-store/security.xml file was stored in an unappropriated folder that could have lead to accidental override issues.

With this update, the security.xml file has been moved into $JENKINS_HOME/core-casc-security.xml.

CloudBees Jenkins Enterprise License Entitlement Check new public API (CTR-1466)

We added a new public API to the CloudBees Jenkins Enterprise License Entitlement Check plugin that exposes the product name.

Add Matrix to directive generator (NGPIPELINE-624)

Matrix-related directives were not available in the Directive Generator.

We have added Matrix-related directives to the Directive Generator, including "matrix", "axes", "axis", "excludes", and "exclude".

Resolved issues

Sanitize input in the Kubernetes plugin (CPLT2-5696)

The GUI configuration for Kubernetes container templates accepted image names with leading whitespace that was hard to see, but would result in runtime errors.

Some incorrect values are now flagged as errors during form validation.

NumberFormatException: For input string: "443,443" (CPLT2-6459)

Under certain circumstances (upgraded nginx-ingress), some HTTP headers sent by the reverse proxy, such as X-Forwarded-Port, may have been duplicated. The managed master hibernation monitor did not consider this possibility and would crash when serving /hibernation/redirect/… URLs while trying to compute the correct redirect variant (typically replacing http with https protocol).

Duplicated headers are now tolerated as long as all the values are identical; and malformed values of these headers are generally handled more gracefully now.

Webhook not delivered; StatusResource too eager (CPLT2-6331)

A race condition introduced by the addition of readiness probes to managed master services caused webhooks to sometimes not be delivered to a hibernated master.

Webhook delivery is now delayed, not only until the master claims to be up and running, but also until the Kubernetes service is marked as ready and is actually handling traffic.

Set cpu/memory requests for default "jnlp" container (CPLT2-6254)

The default jnlp container definition in a pod template did not request any CPU or memory, potentially confusing the Kubernetes scheduler.

This container now defaults to requesting 100m of CPU and 256Mi of memory.

Analytics plugin was sending a wizard login even on regular login after restart (FNDJEN-1904)

The Analytics plugin was sending the "Admin password step displayed" event after the setup wizard was completed.

This issue has been fixed.

Adapt product link color in the refreshed Jenkins UI (FNDJEN-1989)

Some links were not being correctly displayed with the new UI. That is now fixed.

CloudBees SSH Build Agents Plugin intermittent SSH error since version 2.5 (CTR-1444)

The ChannelExec close without parameters was closing the underlying ssh channel connection synchronously in the CloudBees SSH Build Agents Plugin since version 2.5, making the connection unstable.

With this fix, ChannelExec is now closed asynchronously using close(false) instead of the closeable close method.

This update only affects installations that use the CloudBees SSH Build Agents Plugin.

Reduce lock contention in the CloudBees Role-Based Access Control (RBAC) plugin (CTR-1267)

To reduce UI blocking issues when using RBAC with large user groups or when the user database is slow, we reduced lock contention in the CloudBees Role-Based Access Control plugin.

Operations Center Client Plugin dependency upgrade (CTR-1427)

We now use the Snakeyaml Plugin instead of the artifact.

This update only affects installations that use the Operations Center Client Plugin.

NullPointerException on LicenseRootCAPeriodicWork (CTR-1553)

Internal API change, LicenseManager.getInstanceOrDie().getLicenseKeyData() now requires NullCheck.

The fix for JENKINS-59083 caused deadlocks (NGPIPELINE-951)

The Pipeline: Job Plugin versions 2.35, 2.36, and 2.37 could cause Jenkins to hang indefinitely in some cases due to deadlock.

With this fix, the Pipeline: Job Plugin version 2.38 no longer causes deadlocks.

This update only affects installations that use the Pipeline: Job plugin.

Checkouts of shared libraries should exclude contents of src/test (NGPIPELINE-1020)

The contents of the src/test/ folder in shared libraries was available to Pipelines, but this directory is commonly used to store tests for the library itself, and is not intended to be used by Pipelines.

With this fix, the contents of src/test/ in shared libraries are no longer available to Pipelines by default as a precaution for users who may not have realized that shared library test code should not be placed under src/test/.

To restore the previous behavior that allowed access to files in src/test/, pass -Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins.

Parameter names for templates in Template Catalogs were not validated correctly (NGPIPELINE-1006)

If a parameter used in the template.yaml file for a template in a Pipeline Template Catalog was not a valid Java identifier, the template would silently fail to load.

With this fix, when a template is imported, the parameters are checked to make sure they are valid Java identifiers. If not, a validation error is displayed in the catalog import log and the import fails.

The Pipeline: Build Step Plugin incorrectly logged a warning when converting choice-like parameters (NGPIPELINE-1026)

Starting in version 2.10 of the Pipeline: Build Step Plugin, passing parameters to downstream jobs that use the Extended Choice Parameters Plugin or Active Choices Plugin caused an erroneous warning about parameter conversion to be printed to the build log.

With this fix, the warning about parameter conversion is no longer printed to the build log for parameters from the Extended Choice Parameters Plugin or Active Choices Plugin.

This update only affects installations that use the Pipeline: Build Step plugin.

Restart required to turn off polling for an SCM on a Pipeline job (NGPIPELINE-917)

When a Pipeline job was configured to poll an SCM for updates, it could not be configured to stop polling that SCM unless Jenkins was restarted.

With this fix, turning polling off for an SCM in a Pipeline job will now immediately disable polling for that SCM on that job.

Known issues

None.

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees ended support for the CloudBees VMware Pool Autoscaling Plugin on April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

End of life announcement

As of July 1, 2020, CloudBees will no longer support Alpine container images. Red Hat Universal Base Image (UBI) images will be the standard going forward.

For information about UBI, see the Red Hat documentation.

The decision to move from Alpine to UBI was made because OpenJDK no longer supports Alpine. CloudBees has been building and maintaining these images. However, CloudBees is aware of DNS issues with some Kubernetes clusters that span from the Alpine base using muslc libraries as well as other binary differences when using the muslc vs standard c libraries.

Customers moving from Alpine to UBI container images should not see any impact from this change and should not need to migrate data.

This affects CloudBees Core on modern platforms only. CloudBees will continue to release Alpine images for CloudBees Jenkins Enterprise 1.x customers who have purchased extended support.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

License certificate expiration

On June 22nd, 2020, the certificate used to sign all existing CloudBees licenses for Jenkins-based products will expire. This certificate is used to verify the authenticity of the customer’s CloudBees license. Customers must install a new license (generated with the new certificate) before June 22, 2020. Existing licenses will become invalid as of June 22, 2020. See the following articles for instructions on how to upgrade your license: Preparing for the new CloudBees License Certificate Upgrading for the new CloudBees License Certificate

Revisions

Revision 2 (2020-05-06)

CloudBees Security Advisory 2020-05-06