CloudBees CI on modern cloud platforms 2.235.2.3

Rolling release: 2020-07-05

Based on Jenkins LTS 2.235.2-cb-3

New features

CloudBees Core is now CloudBees CI

CloudBees is introducing new, self-describing product names across our entire product line that make our products easier for anyone in our target market to find and to understand intuitively.

With the release of version 2.235.2.3, what you previously knew as CloudBees Core is now called CloudBees CI. CloudBees CI on modern cloud platforms is designed to run on Kubernetes. CloudBees CI on traditional platforms has been developed for on-premise installations. It is still a fully-featured, cloud native solution that can be hosted on-premise or in the public cloud and used to deliver CI at scale. The only thing that's changed is the name, and all the new features listed below.

Feature enhancements

ServiceNow Plugin enhancements (CPLT2-6278)

The ServiceNow Plugin is now certified on Orlando, New York, and Madrid versions of ServiceNow.

The plugin includes the following enhancements:

  • Pipeline Snippet Generator: All Pipeline steps provided by this plugin are visible in the Pipeline Snippet Generator. You can use the Snippet Generator UI to configure your Pipeline step and generate the Groovy code to copy and paste into your Pipeline.

  • New Pipeline steps: Two new steps were added: serviceNowCreate and serviceNowUpdate. The syntax for each one is available in the Snippet Generator. All four existing steps have moved to the "Advanced/Deprecated" section in Snippet Generator, but remain functionally the same.

  • Credentials Plugin integration: ServiceNow instance credentials are now managed using the Credentials Plugin.

ElasticSearch 7 support for elasticsearch-reporter-plugin (CPLT2-6525)

Support for ElasticSearch 7 was added. Support for ElasticSearch 5 was dropped because of its end-of-life status.

Updated Kubernetes plugin to 1.26.2 (CPLT2-6643)

The Kubernetes plugin was updated to version 1.26.2.

Updated sidecar injector to 2.0.4 (CPLT2-6637)

Sidecar injector was updated to 2.0.4.

The update removed the use of an attribute that is not supported by OpenShift 3.11. In addition, Docker images are now published with the OS/Arch attribute, which is mandatory to run in OpenShift.

CloudBees Slack Integration plugin: Developer experience improvements (STICKY-332)

To improve the user experience for users configuring their Slack and GitHub settings, we made various updates to the Personalized Slack Messaging feature, including adding a separate page for a user to configure themselves.

This update only affects installations that include the CloudBees Slack Integration Plugin.

GitHub/Slack integration complete analytics metrics (STICKY-344)

To make more informed improvements to the Personalized Slack Messaging feature, we are now collecting data on the following:

  • Clicks on Slack message content (STICKY-163)

  • Each time a Slack message is sent to a user (STICKY-161)

  • Configuration of the CloudBees Slack Integration plugin: valid token, number of registered users, number of opted in users and number of opted out users (STICKY-160)

To make more informed improvements to the CloudBees SCM Reporting feature, we are now collecting data on the following:

  • Bitbucket builds including anonymous details of configurations analogous to that sent for GitHub (STICKY-553)

  • Clicks on links from GitHub to CI (STICKY-188)

  • How often notifications are being sent to GitHub and what kinds of notifications are being sent (STICKY-201)

  • How the CloudBees SCM Reporting plugin is configured and which optional features are in use (STICKY-294)

No identifying information is included in the data we collect. Data is only sent to CloudBees if you are opted in to statistics collection.

SCM/Slack integration optional plugin dependencies added into CAP (STICKY-344)

We added a couple of plugins to CAP that were dependencies for the Slack/SCM app integrations including:

Personalized Slack Messaging uses hibernation friendly URLs (STICKY-546)

Before, if a Managed Master was using hibernation, the links to CloudBees CI shown in the GitHub pull request (PR) after a build could point to a master which had since hibernated, leading to 503 errors.

Slack messages linking to CloudBees CI now check for a master with hibernation enabled and automatically select an alternate redirect URL which will automatically wake the master if needed and then open the desired page once it is ready.

Update only affects installations that include the CloudBees Slack Integration Plugin.

CloudBees SCM Reporting uses hibernation friendly URLs (STICKY-170)

Before, if a Managed Master was using hibernation, the links to CloudBees CI shown in the GitHub pull request (PR) after a build could point to a master which had since hibernated, leading to 503 errors.

GitHub reporting links to CloudBees CI now check for a master with hibernation enabled and automatically select an alternate redirect URL which will automatically wake the master if needed and then open the desired page once it is ready.

Update only affects installations with the CloudBees SCM Reporting Plugin.

Enable GitHub App wizard for CloudBees SCM Reporting (STICKY-541)

Before, to enable GitHub Checks, users had to create a GitHub App manually, which was tedious and error-prone.

Repository or organization folders associated with github.com using a personal access token can now be converted to use GitHub App authentication using a wizard. See Enabling GitHub App authentication for more information.

Currently this option is not offered for GitHub Enterprise due to an outstanding bug in that product’s implementation of app creation.

Bitbucket support added to CloudBees SCM Reporting plugin (STICKY-564)

The CloudBees GitHub Reporting feature now supports Bitbucket as an SCM option and has been renamed to CloudBees SCM Reporting.

Update only affects installations with the CloudBees SCM Reporting Plugin.

Enable use of multiple webhook secrets when using GitHub App wizard (STICKY-329)

When using the GitHub App creation wizard to configure CloudBees SCM Reporting, even if CloudBees CI already has a webhook secret registered, the wizard can add another secret.

Update only affects installations with the CloudBees SCM Reporting Plugin.
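What holding more than one webhook secret means for the receiving side, as an added example that is not CloudBees code: GitHub signs each delivery with HMAC-SHA256 and sends the result in the `X-Hub-Signature-256` header, so a receiver with several registered secrets accepts a delivery that matches any one of them. The function names, secret ids and sample payload are assumptions made for the illustration.

```python
import hashlib
import hmac


def signature_for(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends in X-Hub-Signature-256 for this secret and body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def matching_secret(secrets_by_id, body, header):
    """Return the id of the registered secret that signed `body`, else None."""
    if not isinstance(header, str) or not header.startswith("sha256="):
        return None
    received = header.encode("utf-8")
    matched = None
    # Compare against every secret in constant time, with no early exit,
    # so timing does not reveal which secret (if any) matched.
    for secret_id, secret in secrets_by_id.items():
        expected = signature_for(secret, body).encode("ascii")
        if hmac.compare_digest(expected, received) and matched is None:
            matched = secret_id
    return matched


def demo():
    """Constructed secrets and payload; returns the outcome of five deliveries."""
    registered = {
        "existing": b"constructed-secret-1",      # hypothetical, already registered
        "wizard-added": b"constructed-secret-2",  # hypothetical, added later
    }
    body = b'{"action":"opened","number":1}'
    sig_old = signature_for(registered["existing"], body)
    sig_new = signature_for(registered["wizard-added"], body)
    return (
        matching_secret(registered, body, sig_old),          # signed with first secret
        matching_secret(registered, body, sig_new),          # signed with second secret
        matching_secret(registered, body,
                        signature_for(b"not-registered", body)),  # unknown secret
        matching_secret(registered, body + b" ", sig_new),   # body altered in transit
        matching_secret(registered, body, None),             # header missing
    )


if __name__ == "__main__":
    print(demo())
```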

Plugin version mention in Checks feedback link (STICKY-458)

Before, it was hard to tell from feedback messages what version of the CloudBees SCM Reporting plugin was being run.

We now include the plugin version number in the feedback link displayed in the Checks tabs.

Update only affects installations with the CloudBees SCM Reporting Plugin.

Manage Jenkins page layout update (CTR-1468)

With this release we have moved management links to the correct category under Manage Jenkins.

Upgrade GitHub API and GitHub Branch Source plugins to OkHttp3 (NGPIPELINE-374)

The outdated OkHttp3 v2.7.5 library does not support modern features including TLS 1.3.

The GitHub API and GitHub Branch Source plugins have been updated to use newer OkHttp3 APIs with v3.12.12.

Resolved issues

Switch from beta.kubernetes.io/os to kubernetes.io/os (CPLT2-6532)

In Kubernetes 1.14+, the "OS" node label changed from beta.kubernetes.io/os to kubernetes.io/os. The Kubernetes Plugin tries to ensure that default Pod Templates run on Linux by applying a nodeSelector with the Linux OS label. If the label applied by the Kubernetes Plugin does not match the label in the Kubernetes cluster, the Pod will not be scheduled due to a nodeSelector label mismatch.

To resolve this issue, the Kubernetes Plugin now uses the kubernetes.io/os label as the default nodeSelector label.

Pod Templates that do not specify a nodeSelector will not be scheduled properly on Kubernetes clusters older than 1.14. Upgrade to Kubernetes 1.14+ to resolve the issue. To work around the issue on older versions of Kubernetes, manually apply the beta.kubernetes.io/os=linux node selector to pod templates, or manually apply the kubernetes.io/os=linux label to worker nodes.

Sidecar should handle Certificate Signing Request (CSR) renewal automatically (CPLT2-6615)

When the certificate used to secure the communications to sidecar injector expired, there was no mechanism to renew it and the sidecar injector was no longer usable.

To resolve this, a regular job has been added to the sidecar-injector chart so that the certificate is automatically renewed, if needed. When using rbac.autoApproveCSR=false, a new CSR will need to be approved one month before certificate expiration.

Helm template evaluation error on OperationsCenter.RunAsUser (CPLT2-6622)

When using the OperationsCenter.RunAsUser attribute in a values.yaml file, the template evaluation fails with an error about incompatible types.

Additional type checks have been added to ensure successful template evaluation whether the attribute is passed through the command line or through values.yaml.

Sidecar injector is missing Service CA bundle in OpenShift Container Platform (OCP) 4 (CPLT2-6647)

The Service CA bundle is now included. It enhances security when accessing sidecar injector on OpenShift by relying on the Service CA available in the platform.

Missing update/patch permissions for secrets (CPLT2-6628)

When recreating a master with the same name as before, the configuration-as-code bundle needs to be updated, but Operations Center is missing the corresponding permissions.

Operations Center now has the permission to update and patch secrets.

Master restart logic can lead to missing Ingress/Service (CPLT2-6520)

When restarting a master, sometimes the associated service and/or ingress disappears.

The restart procedure now ensures service and ingress are in place after the restart.

KubectlBuildWrapper is broken (CPLT2-6641)

A regression in KubectlBuildWrapper prevented its usage.

The regression has been fixed so that KubectlBuildWrapper can now be used.

CVE-2019-15847 Correct the vulnerability (CPLT2-5958)

The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified.

To resolve this, GCC was updated to 9.3.0 in the Alpine 3.12 base image. GCC was backported from trunk to 9.3.0.

Add permission check for CloudBees ServiceNow Plugin (CPLT2-6369)

A potential security leak existed because calls to validate did not require a specific HTTP method.

To fix this, the POST HTTP method is required on calls to validate.

Remove mock-security-realm from envelope (CPLT2-6613)

CloudBees CI on modern cloud platforms and CloudBees Jenkins Enterprise operations center images included the Mock Security Realm plugin, which is not intended for production usage, only exploration.

This plugin has been removed from the product. It may still be installed from the update center, if desired.

Error when creating Slack message if Root URL is not configured (STICKY-573)

We now prevent errors with Personalized Slack Messaging if the Jenkins Root URL is not configured when a Slack message is created.

Update only affects installations with the CloudBees Slack Integration Plugin.

Check Sender object is initialized before sending an event (STICKY-548)

We created a safety check for the metrics we collect on SCM/Slack app integrations to be sent only if the queue and sender are initialized and ready.

CloudBees SCM Reporting length limit of 64Kb for GitHub Checks (STICKY-535)

Before, when using the GitHub Checks tab, lengthy submissions such as from verbose test runs could exceed a GitHub limit and fail to notify anything at all (seen as an error in the system log).

With this fix, the reported text is truncated to fit within the limit as needed.

Update only affects installations with the CloudBees SCM Reporting Plugin.

NoAppsNoChecks can fail to send notification for long EndBuildError in CloudBees SCM Reporting (STICKY-378)

When not using a GitHub App and the Checks tab, certain notifications could attempt to use a long description text that GitHub would reject, leading to a warning in the CloudBees CI system log and a missing notification.

Now, descriptions are truncated to 140 characters; GitHub Apps/Checks tab notifications are not affected.

Update only affects installations with the CloudBees SCM Reporting Plugin.

Prevent emojis from appearing in code blocks on GitHub Checks tab (STICKY-462)

Before, code blocks in the Checks tab coming from build results could have rendered emojis.

With this fix, the colon in an emoji-like sequence is now replaced with a similar-looking character which will not be misinterpreted.

Update only affects installations with the CloudBees SCM Reporting Plugin.

Use random state for GitHub App installation flow (STICKY-495)

Before, when creating a new GitHub App by wizard, the state passed between CloudBees CI and GitHub used encrypted information about CloudBees CI, which was unnecessary.

With this fix, the state is now random and can be used only once.

Update only affects installations with the CloudBees SCM Reporting Plugin.
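One way to implement a random, single-use state value of the kind described above, as an added example that is not CloudBees code. The `StateStore` class, the 10-minute lifetime and the sample context are assumptions; the point shown is that the value carries no information about the server and is invalidated on first use.

```python
import secrets
import time


class StateStore:
    """Random, single-use, short-lived state values for a redirect flow."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # state -> (expiry, server-side context)

    def issue(self, context):
        """Create a state value; the context itself never leaves the server."""
        now = self._clock()
        # Drop expired entries so abandoned flows do not accumulate.
        self._pending = {s: e for s, e in self._pending.items() if e[0] > now}
        state = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._pending[state] = (now + self._ttl, context)
        return state

    def consume(self, returned_state):
        """Return the stored context once; None if unknown, replayed or expired."""
        if not isinstance(returned_state, str):
            return None
        # pop() removes the entry, so a second callback with the same state fails.
        entry = self._pending.pop(returned_state, None)
        if entry is None:
            return None
        expiry, context = entry
        return context if self._clock() < expiry else None


def demo():
    """Constructed walk-through: valid callback, replay, unknown value, expiry."""
    now = [0.0]  # fake clock so expiry can be shown without sleeping
    store = StateStore(ttl_seconds=600, clock=lambda: now[0])
    ctx = {"folder": "example-org"}  # constructed sample context
    s1 = store.issue(ctx)
    first = store.consume(s1)        # legitimate callback
    replay = store.consume(s1)       # same state presented again
    unknown = store.consume("value-never-issued")
    s2 = store.issue(ctx)
    now[0] = 601.0                   # callback arrives after the lifetime
    expired = store.consume(s2)
    return first, replay, unknown, expired, s1 != s2


if __name__ == "__main__":
    print(demo())
```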

End-build-error step arguments could be multiline strings (STICKY-457)

Before, when a Pipeline step which failed a build had a multiline argument, which is common for example for sh steps, the summary in the Checks tab would be improperly formatted.

With this fix, the step arguments are now elided if they do not fit on one line.

Update only affects installations with the CloudBees SCM Reporting Plugin.

Security enforcer does not disable elements in the master UI (CTR-1780)

Since 2.222.1.1, the security settings enforced by Operations Center to Client Masters appeared as editable in the masters (Global Security configuration), but any change on them was not saved.

Now those settings are displayed as disabled again.

Configuration as Code (CasC) for Masters export is not JSON (CTR-1854)

Configuration as Code (CasC) for Masters bundle export was returning "application/json" as the media type; however, the content is YAML syntax. As there is no official IETF media type for YAML, this endpoint now returns "text/plain".

[JENKINS-62545] Infinite loop in FlowGraphTable.addTreeSibling for corrupted flow graphs (NGPIPELINE-1222)

Traversing a Pipeline execution using the FlowGraphTable API (used primarily for the Pipeline Steps view) could cause infinite loops for corrupted Pipelines in rare cases.

With this fix, the FlowGraphTable API now returns an error if it detects that a Pipeline is corrupted in a way that would have previously caused an infinite loop.

Plugin Catalog and CloudBees Configuration as Code should provide a way of specifying a proxy (FNDJEN-2078)

Configuration as Code for Masters cannot download plugins if they are under a proxy.

CloudBees Installation Manager now configures the proxy established in the jenkins.yaml file of the configuration bundle before attempting to download any plugin.

Known issues

None.

Upgrade notes

End of life announcement

As of July 1, 2020, CloudBees will no longer support Alpine container images. Red Hat Universal Base Image (UBI) images will be the standard going forward.

For information about UBI, see the Red Hat documentation.

The decision to move from Alpine to UBI was made because OpenJDK no longer supports Alpine. CloudBees has been building and maintaining these images. However, CloudBees is aware of DNS issues with some Kubernetes clusters that stem from the Alpine base using musl libc libraries, as well as other binary differences when using musl libc versus the standard C libraries.

Customers moving from Alpine to UBI container images should not see any impact from this change and should not need to migrate data.

This affects CloudBees Core on modern platforms only. CloudBees will continue to release Alpine images for CloudBees Jenkins Enterprise 1.x customers who have purchased extended support.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

End-of-life announcement

After assessing the viability of our supported plugins, CloudBees will no longer support the CloudBees Secure Copy Plugin after September 1, 2018.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

After September 1, 2018 the plugin will lose functionality when upgraded. CloudBees recommends replacing it with Cluster-wide copy artifacts.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.