CloudBees CI on modern cloud platforms

Rolling release: 2020-05-26

Based on Jenkins LTS 2.222.4-cb-1

New features

Support for Windows containers on Azure Kubernetes Service (AKS). (CLPT2-5594)

You can now set up CloudBees Core build agents in Windows containers on AKS.

Support for Windows containers on Google Container Engine (GKE). (CPLT2-5593)

You can now set up CloudBees Core build agents in Windows containers on GKE.

Initial release of the Configuration as Code (CasC) for Masters feature

Previously released as a Preview feature, Configuration as Code (CasC) for Masters is now fully supported.

Configuration as Code (CasC) for Masters simplifies the management of a CloudBees Core cluster by capturing the configuration of masters in human-readable declarative configuration files which can then be applied to a master in a reproducible way. By capturing the configuration in files, it can be treated as a first class revision-controlled artifact - versioned and then applied to masters while being centrally managed from CloudBees Core Operations Center.

Enhancements added for GA release:

  • Ability to view a list of CasC bundles in CJOC (CTR-402)

    A list of Configuration as Code (CasC) for Masters bundles is now displayed in the UI as a new option on Manage Jenkins.

    The Security access information is included in the information displayed for each bundle on the list.

  • Auto-generated security.xml bundle entries (CTR-1423)

    Access tokens are now autogenerated when a new Configuration as Code (CasC) for Masters bundle is detected under the bundles folder in Operations Center.

    Also, now users can invalidate and generate new access tokens and download the appropriate link file to use in Client Masters on the Configuration as Code (CasC) for Masters global configuration page.

  • Set Master on configuration bundle list (CTR-1654)

    Until now the way to create a Managed Master using a Configuration Bundle was via a naming convention. If the master name matched a bundle in the system, then it was applied during master provisioning.

    With this change, the association is now accomplished by entering a master’s full path name in a new field, Master Path, on the Configuration Bundles page in Operations Center. All bundles require the Master Path field be completed so they can be applied to masters. When a master is being provisioned, Operations Center checks for that field. If the master’s full name (in other words, the path inside Operations Center) matches a Master Path field for a bundle, then the bundle with that Master Path is applied to the master.

  • Add API version property to CasC bundle (CTR-1679)

    The apiVersion attribute is now required in the bundle.yaml file. Currently, the expected value is "1".

  • Fail fast during CasC bundle storage initialization in Operations Center (CTR-1448)

    Before this enhancement, Operations Center continued with the startup sequence even when there was an error creating the Configuration as Code (CasC) for Masters bundles storage (IO errors specifically).

    Now Operations Center stops the startup cycle and shows a clear exception in logs when there is an error creating CasC bundles storage.

Initial release of Pipeline Policies

Previously released as a Preview feature, Pipeline Policies is now fully supported.

While administrators would like to enable their developers to use pipelines freely, they still may need to set some restrictions based on industry-specific regulatory compliance or general best practice principles. Pipeline Policies provide a central way to enforce best practices across pipeline projects. The plugin uses runtime validation that works for both scripted and declarative pipelines, allowing administrators to include warnings or block the execution of pipelines if policy rules are violated. This initial release of Pipeline Policies is aimed at helping users avoid antipatterns that can damage the stability of their masters.

Documentation for this plugin is available at Using Pipeline Policies

Initial release of the CloudBees Core GitHub Reporting feature

Previously released as a Preview feature, CloudBees Core GitHub Reporting is now fully supported.

When using CloudBees GitHub Reporting, as the build runs, GitHub surfaces status information about the build directly in GitHub in real-time, alleviating the need to context switch over to Jenkins to get an overview. For example, if a PR fails, CloudBees GitHub Reporting posts pre-analyzed simple failures to GitHub, like “XXX” test is failing, SpotBugs violation, etc. Additionally, CloudBees GitHub Reporting posts automatic checks and status information inferred from Pipeline stages (no pipeline commands required).

Initial release of the CloudBees Core Personalized Slack Messaging feature

Previously released as a Preview feature, CloudBees Core Personalized Slack Messaging is now fully supported.

With CloudBees Core Personalized Slack Messaging, enabled with the CloudBees Slack Integration Plugin, you get relevant information proactively sent as a Slack Direct Message that provides the relevant build data so you know if the build was successful, and if not what action you need to take to troubleshoot a build. The Slack messages include links directly to the build, test, and error details where you can take immediate corrective action.

Tier 1 plugin support for Jenkins Configuration as Code (JCasC) (FNDJEN-1266)

CloudBees tier 1 plugins now support JCasC. This is available for CloudBees Core, CloudBees Jenkins Distribution, and CloudBees Jenkins Platform.

Go to the CloudBees supported platforms page for your product to see a list of the supported plugins.

Feature enhancements

Expose additional configuration options for Multibranch Pipelines in template.yaml (NGPIPELINE-1025)

Multibranch Pipeline Templates in Pipeline Template Catalogs are now able to configure a Branch Property Strategy in template.yaml. Documentation for configuring these options as well as SCM behaviors can be found in the newly published Multibranch Pipeline Template syntax guide.

As a CloudBees Core Administrator, I want to be able to configure SSL off-loading at the ingress controller and leverage Server Name Indication (SNI). (CTR-1650) (CPLT2-6395)

When setting up transport layer security (TLS) offloading at the Ingress Controller level, the Nginx Ingress Controller uses server name indication (SNI) to serve several hosts to clients. The Operations Center Agent did not support SNI when discovering Operations Center endpoints, and it wasn’t working in this kind of setup unless the certificate was configured as default, which was not always acceptable.

With this fix, we switched the HTTP client used to discover Operations Center endpoints to an implementation that supports SNI.

Analytics for the Declarative Pipeline Migration Assistant plugin (NGPIPELINE-757)

A new event was added to track the usage of the Declarative Pipeline Migration Assistant plugin.

Performance improvements to the Branch API Plugin WorkspaceLocatorImpl (NGPIPELINE-1071)

The Branch API Plugin made a remote call to an agent every time it looked up the workspace for a Multibranch Pipeline project.

The Branch API Plugin now caches workspace locations to avoid unnecessary remoting calls when looking up workspaces for Multibranch Pipeline projects.

WorkspaceLocatorImpl should not use Node instances as monitors (NGPIPELINE-1118)

The Branch API Plugin locked Node objects during workspace cleanup operations, which could lead to unnecessary lock contention.

The Branch API Plugin no longer locks Node objects during workspace cleanup operations.

Resolved issues

Operations Center resources can now be fully specified. (CPLT2-6522)

Existing limits were renamed and old limits were deprecated.

OperationsCenter.Cpu → OperationsCenter.Resources.Limits.Cpu

OperationsCenter.Memory → OperationsCenter.Resources.Limits.Memory

Requests can now be specified through values:



Migrate CloudBees Jenkins Enterprise dependencies to S3 (CPLT2-6291)

Third-party native dependencies are now retrieved from registries controlled by CloudBees to avoid potential failures.

Default namespace was only added for pod template from DSL, not from UI (CPLT2-6357)

When using the separate agents namespace option, the namespace was only set for pod templates defined through DSL, not for pod templates defined in the UI.

The agents namespace is now applied for any pod template, as expected.

Add annotation for "false" to masters created by master provisioning plugin. (CPLT2-5698)

When a node is getting retired for cluster scale-down, it can kill a running managed master causing it to become unavailable for some time.

An annotation has been added to managed masters in order to indicate to the cluster-autoscaler to avoid evicting them in case of scale-down.

UBI 8.2 upgrade (CPLT2-6528)

Operations Center, managed master, and agent images could no longer be built on UBI 8.1 after 8.2 was released.

These images now use the latest currently available version of UBI 8.

PatternSyntaxException from GitHubEventFilter.rejected blocks hibernation (CPLT2-6463)

Malformed organization or repository configuration values in a GitHub project could cause managed master hibernation to fail with an error.

Unusual characters are now handled in these names.

API fails on templatized job: NotExportableException: class GradleInstallation doesn’t have @ExportedBean (CPLT2-6466)

Using the Jenkins export feature (for example, …/api/json?depth=1) on a templatized job could cause an error in case certain special template attribute controls were used, such as tool installations.

The exported ‘values’ property of a templatized job now uses the persisted form of attribute controls, typically strings rather than the model objects they name, in cases where the live form would cause an export error. Note that the ‘depth’ query parameter is deprecated and should never be used; instead use ‘tree’ and specify those fields you wish to retrieve.

Issue in view-job-filters filtering by disabled (CPLT2-6274)

The View Job Filters plugin had a job status filter purporting to let you filter in/out disabled jobs, which did not work for Pipeline.

A generalized check was added to handle both traditional and Pipeline job types.

[JENKINS-61854] "Test Ldap Settings" button stopped functioning. (FNDJEN-2184)

The button "Test LDAP Settings" stopped working on Jenkins 2.14 and later.

The button has been fixed.

Multibranch Pipelines based on Pipeline Templates cannot enable "Suppress automatic SCM triggering" (NGPIPELINE-1025)

Multibranch Pipelines based on Pipeline Templates from Pipeline Template Catalogs could not enable "Suppress automatic SCM triggering" because a "Branch Property Strategy" could not be configured.

Multibranch Pipelines based on Pipeline Templates from Pipeline Template Catalogs are now able to configure a "Branch Property Strategy".

The Pipeline:Job plugin had a JavaScript error with IE11 (NGPIPELINE-1145)

The Pipeline console view did not work correctly in Internet Explorer 11 due to use of unsupported JavaScript functions.

The Pipeline console view now only uses JavaScript functions that are supported by Internet Explorer 11.

Parameter names for templates in Pipeline Template Catalogs are not validated correctly. (NGPIPELINE-1006)

If a parameter used in the template.yaml file for a Pipeline Template in a Pipeline Template Catalog was not a valid Java identifier, the template would silently fail to load.

When a template is imported, the parameters are checked to make sure they are valid Java identifiers. If not, a validation error is displayed in the catalog import log and the import fails.

Using a properties step with a Pipeline Template breaks the connection to the root template (NGPIPELINE-905)

Using the properties step inside of a non-Multibranch Pipeline created from a Pipeline Template in a Pipeline Template Catalog caused the Pipeline to become permanently detached from the Pipeline Template.

Using the properties step inside of a non-Multibranch Pipeline created from a Pipeline Template in a Pipeline Template Catalog no longer causes the Pipeline to become permanently detached from the Pipeline Template. Pipeline Template Catalogs must be reimported in order for the fix to take effect. Jobs that were already detached from their template will not be fixed automatically; they must be manually recreated from a Pipeline Template.

Library step cannot be used at top of Declarative Pipeline with entire Pipeline timeout rule (NGPIPELINE-1125)

In a Declarative Pipeline, use of the library step could cause validation of top-level timeout policies to show misleading validation failures.

A code change was made to allow the library step to be treated similarly to @Library when placed above the opening line of the plpeline { …​ } block.

[JENKINS-62063] BlueOcean UI is broken due to ClassCastException (NGPIPELINE-1169)

The BlueOcean UI is broken due to ClassCastException when using the CloudBees Pipeline: Templates Plugin and the Pipeline: Multibranch with defaults Plugin.

A check was added to ensure the Pipeline instance is castable to the appropriate type.

The CloudBees Fast Archiving Plugin used a check that was not thread safe (CTR-1660)

With this fix, the archiveArtifacts step can be used in parallel blocks and in filesystems that are not high performance filesystems.

Managed Master provisioning error (CTR-1716)

When provisioning a Managed Master using Configuration as Code (CasC) for Masters, an internal application programming interface (API) was returning the wrong value. This erroneous value caused the provisioning to fail.

With this fix, the API call now returns an appropriate value, and Configuration as Code (CasC) for Masters masters provisioning works as expected.

Masters provisioning in Configuration as Code (CasC) for Masters is broken if security.xml is deleted (CTR-1138)

When using Configuration as Code (CasC) for Masters, there was an issue provisioning masters when the security file,JENKINS_HOME/core-casc-security.xml, did not exist.

Now the provisioning process continues normally even when the security file is missing.

Check the availability of the Configuration as Code (CasC) for Masters bundle when the CM-OC connection is done (CTR-758)

If a warning was already enabled related to the unavailability of the configuration bundle because of Client Master-Operations Center connection issues, when the connection was restored the warning would persist until the periodic work task was executed.

With this fix, whenever a master is connected to the Operations Center, a request for the configuration bundle is completed to avoid delays in updating administrator warnings.

Known issues

Required update

The version release of CloudBees Core on modern cloud platforms may not run properly on some Kubernetes installations until the incremental update of has been applied to Operations Center and Managed Master instances.

Setting the system property cb.BeekeeperProp.autoInstallIncremental=true will cause that to happen automatically during update.

During installation of a new Operations Center or Managed Master it is only necessary to wait during the initial setup for the background update process to find the incremental update and present a UI button to apply the update.

To add this property to the Helm charts in the values.yaml provided to the Helm update or Helm install command, include:

OperationsCenter:   JavaOpts: "-Dcb.BeekeeperProp.autoInstallIncremental=true"
Master:   JavaOpts: "-Dcb.BeekeeperProp.autoInstallIncremental=true"

For existing masters the property -D{{cb.BeekeeperProp.autoInstallIncremental=true}} can be added to the master’s configuration in the Operations Center, located at <cjoc_url>/job/<master_name>/configure.

If a Managed Master does not offer the incremental update after being updated to, stopping and starting the Master from the Operations Center should enable the incremental update to appear.

Upgrade notes

End of life announcement

As of July 1, 2020, CloudBees will no longer support Alpine container images. Red Hat Universal Base Image (UBI) images will be the standard going forward.

For information about UBI, see the Red Hat documentation.

The decision to move from Alpine to UBI was made because OpenJDK no longer supports Alpine. CloudBees has been building and maintaining these images. However, CloudBees is aware of DNS issues with some Kubernetes clusters that span from the Alpine base using muslc libraries as well as other binary differences when using the muslc vs standard c libraries.

Customers moving from Alpine to UBI container images should not see any impact from this change and should not need to migrate data.

This affects CloudBees Core on modern platforms only. CloudBees will continue to release Alpine images for CloudBees Jenkins Enterprise 1.x customers who have purchased extended support.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.


Revision 3 (2020-06-03)

CloudBees Security Advisory 2020-06-03

Revision 2 (2020-05-27)

Plugin updates