CloudBees CI on modern cloud platforms 2.277.1.2

Rolling release: 2021-03-11

Based on Jenkins LTS 2.277.1-cb-3

Critical issues

The setup wizard shows after updating an instance to 2.777.1.x

Issue

After updating an instance, the setup wizard is displayed.

Jenkins 2.277.1 removes the Upgrade Wizard that was no longer operational after Jenkins 2.0. This caused a regression for instances created before 2.4/2.7.1 LTS.

At the time of this writing, no fix is available for this issue.

Workaround

See the Jenkins upgrade guide for a workaround for this issue. On subsequent restarts, the setup wizard will no longer appear.

Important updates in the March release

The March release includes important updates. If you use Jenkins LTS plugins that are not in the CloudBees Assurance Program (CAP), you should update them before upgrading your CloudBees products to ensure compatibility with the March release. If your company uses its own proprietary (non-CloudBees) plugins, CloudBees recommends that you test them against Jenkins version 2.277.1 prior to updating your CloudBees products. And, as always, backing up your data before upgrading is strongly encouraged.

For details about changes in the March Jenkins LTS release, see:

New features

None

Feature enhancements

Migrate Helm chart metadata (CPLT2-6677)

The Helm chart metadata was migrated to the Helm 3 format. Helm 2 is no longer supported.

CloudBees CasC for masters now supports environment variables at folder level (FNDJEN-3142, FNDJEN-3188)

You can now define environment variables that can be passed to the builds within a folder in the items.yaml file, which is part of the CloudBees CasC configuration bundle. You can also export environment variables used in Folders Plus as a part of the CloudBees CasC configuration bundle.

For more information, see Folders Plus plugin - Other features.

Keep compatibility with reverse-proxy-auth-plugin (BEE-565)

Several open source plugins extend the Jenkins Security Realm. If the reverse-proxy-auth-plugin is installed, the header of CloudBees Software Delivery Automation CI will keep the compatibility.

Add metrics of Software Delivery Automation configuration (BEE-731)

Metrics are sent to Segment to track if the instance has CloudBees Software Delivery Automation configured.

table to divs transitions (BEE-354, BEE-337, NGPIPELINE-1520, NGPIPELINE-1523, NGPIPELINE-1524, NGPIPELINE-1525, FNDJEN-2751, FNDJEN-3341, FNDJEN-3262, FNDJEN-3268, FNDJEN-3274, FNDJEN-3312, FNDJEN-3266)

In this release Jenkin LTS has migrated configuration pages away from tables to divs to improve the responsiveness and usability of the forms. All plugins in the CloudBees Assurance Program (CAP) have been updated to support this change.

Reduced requests for rate limit in github-branch-source plugin (NGPIPELINE-1636)

The github-branch-source plugin requests the rate limit repeatedly during a normal operation, which can result in up to 50% of requests being for rate limit.

This functionality has now been updated to use library functionality that automatically calculates and checks rate limit information before each request to the GitHub server. Now it rarely needs to request rate limit information as a separate query.

Increased readability of the form navigation tabs (NGPIPELINE-957)

The contrast between the text and the body of form navigation tabs is low and makes it hard to read for some people.

The contrast of the text on form navigation tabs has been increased so that they are easier to read.

Resolved issues

Default service account name not being injected into pods (CPLT2-7007)

There was a known issue that prevented the default service account name from being injected into pods when you enabled the Agents.ImagePullSecrets chart option. It may have caused issues with functions that require agent service account capabilities, such as image pull secrets and role bindings.

This issue has been resolved and the service account is now automatically configured when you select the Agents.ImagePullSecrets option.

The enableServiceLinks field is configured during Helm chart installation, even if it is not supported by Kubernetes (CPLT2-6997)

During a Helm chart installation, the Master Provisioning plugin configures the enableServiceLinks field, even when the Kubernetes version does not support it. This could result in a validation error.

This issue has been resolved. The Master Provisioning plugin now checks the Kubernetes version to determine whether to configure the enableServiceLinks field.

Sidecar injector compatibility issues with kubectl diff command (CPLT2-7003)

An issue was preventing the sidecar injector webhook from using the kubectl diff command. Attempting to do so would result in the following error:

Error from server (BadRequest): admission webhook "com.cloudbees.sidecar-injector" does not support dry run.

This issue has been resolved, and the kubectl diff command can now be used with sidecar injector.

TLS termination attributes not supported for OpenShift (BEE-384)

The TLS termination attributes for private key, certificate, and CA certificate were not properly supported for OpenShift on CloudBees CI on modern cloud platforms.

The private key, certificate, and CA certificate attributes have been added to the Helm chart and are now supported for TLS termination in OpenShift.

Null pointer exception occurs when Jenkins starts up (BEE-340)

A runtime exception was occuring when Jenkins started up, if the SSHD service was enabled.

The issue was being caused by deprecated configuration scripts. These scripts have been removed, and the issue has been resolved.

Saving a folder failed when using cloudbees-cyberark-credentials (CTR-3143)

Saving a folder was failing due to a bad interaction with the cyberark-credentials provider under specific conditions. The issue occurred when a user without the cyberark.configure permission attempted to save a folder that existed before the CyberArk provider was enabled for folders. Additionally, if the folder was not previously saved by a user with cyberark.configure permissions, the failure occurred and the user was unable to save the folder.

This issue has been resolved. The folder can be saved by any user with the required permissions. The CyberArk configuration at the folder level is readable, but not editable unless the user has the cyberark.configure permission.

Administrative monitors do not include the Jenkins Crumb (BEE-848)

The buttons in the administrative monitors, such as the “More Info” button, do not included a valid crumb in the request when they are clicked from the header. Now the buttons are fixed.

Preparation for compatibility with the internal changes in forms of the next Jenkins LTS (CTR-2123, CTR-2861, CTR-2874, CTR-2958, CTR-3027, CTR-3035, CTR-3053)

No user-facing changes. Internal changes were made to fix compatibility issues caused by the changes to form layouts in the March Jenkins LTS release.

jQuery updates (BEE-359, BEE-356, BEE-342, FNDJEN-3143)

Jenkins LTS has been upgraded to use the latest version of jQuery. All plugins under the CloudBees Assurance Program (CAP) have been upgraded to use the same version of jQuery. For more information on CAP, see CloudBees Assurance Program. The unsafe plugins jquery and jquery-detached have now been removed from all CloudBees products and are no longer part of CAP. Please note that these two plugins are not automatically uninstalled in your instance because other plugins in your installation may still have dependencies on them. For instructions on how to check for dependencies in a particular plugin, see How to determine if a plugin is in use.

Refresh metadata for update centers synchronously at startup (BEE-585)

If an update center needs to be refreshed after startup, it is refreshed asynchronously. However, if a plugin was removed from the offline update center and you attempt to install a plugin that depends on the removed plugin, the plugin fails to install until the metadata has been refreshed.

With this change, any local (file-based) update centers are synchronously refreshed during startup.

Pipeline durability settings ignored for CpsScmFlowDefinition with lightweight checkout (NGPIPELINE-1636)

Durability settings for a Pipeline are ignored during lightweight checkout.

This change fixes the bug where lightweight checkout incorrectly checked the instance type of the executable, preventing durability setting to be properly looked up.

RBAC performance issue fix, release 2.277.1.2 revision 3 (2021-03-19)

An issue with the Role-Based Access Control plugin was causing a negative impact to user interface performance while accessing nested folders and jobs on connected masters that had an authorization strategy managed by Operations Center. This issue has been resolved in release 2.277.1.2 revision 3, the cache now functions properly, and there is no performance impact.

This fix resolves the RBAC performance issue that was introduced with the 2.277.1.2 revision 2 release on March 18, 2021.

Known issues

RBAC performance issue, release 2.277.1.2 revision 2 (2021-03-18)

An issue with the Role-Based Access Control plugin can cause a negative impact to user interface performance while accessing nested folders and jobs on connected masters that have an authorization strategy managed by Operations Center. The issue is known, and the fix was published as part of 2.277.1.2 revision 3 on March 19, 2021.

This issue only affects the 2.277.1.2 revision 2 release.

Upgrade notes

The March release includes important updates. If you use Jenkins LTS plugins that are not in the CloudBees Assurance Program (CAP), you should update them before upgrading your CloudBees products to ensure compatibility with the March release. If your company uses its own proprietary (non-CloudBees) plugins, CloudBees recommends that you test them against Jenkins version 2.277.1 prior to updating your CloudBees products. And, as always, backing up your data before upgrading is strongly encouraged.

For details about changes in the March Jenkins LTS release, see:

Revisions

Revision 3 (2021-03-19)
RBAC performance issue fix, release 2.277.1.2 revision 3 (2021-03-19)

An issue with the Role-Based Access Control plugin was causing a negative impact to user interface performance while accessing nested folders and jobs on connected masters that had an authorization strategy managed by Operations Center. This issue has been resolved, the cache now functions properly, and there is no performance impact.

This fix resolves the RBAC performance issue that was introduced with the 2.277.1.2 revision 2 release on March 18, 2021.

Revision 2 (2021-03-18)

This revision includes security updates to address vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform, and CloudBees CI.

RBAC performance issue, release 2.277.1.2 revision 2 (2021-03-18)

An issue with the Role-Based Access Control plugin can cause a negative impact to user interface performance while accessing nested folders and jobs on connected masters that have an authorization strategy managed by Operations Center. The issue is known, and the fix will be published as part of an incremental release on March 19, 2021.

This issue only affects the 2.277.1.2 revision 2 release.

RBAC permissions bypass (BEE-174)

An issue with the Role-Based Access Control plugin authorization made it possible for users to view nested resources, even if they did not have permission to view the parent resources.

This issue has been resolved, and permissions are now checked on the parent container, in addition to the target container. Additionally, a new caching mechanism improves performance while browsing system resources. For more information, please see Restricting access and delegating administration with Role-Based Access Control - Troubleshooting