Release highlights video

Select to watch a video describing the highlights of this release

Security fixes

Fixed vulnerabilities in the Jenkins remote communication protocol (SECURITY-2455)

Multiple security vulnerabilities have been identified in the Jenkins protocol that is used for communication between controllers and agents, as well as between the operations center and any connected controllers.

These issues have been resolved in this release. CloudBees recommends that you upgrade as soon as possible or apply a workaround. Please refer to the following knowledge base article for more information:

Improved required role check (SECURITY-2458)

Messages (“Callables”) in the Jenkins protocol that are used for communication between agents, controllers, and the operations center check the role of the current side of the communication channel to determine whether they are allowed to be executed there.

To prevent exploitation of vulnerabilities caused by no-op implementations of this role check, which allow running anywhere in previous releases, any implementation performing a no-op role check will now be rejected.

Please refer to the following knowledge base article for more information:

Non-constant time checking was performed for the controller CasC bundle access token (BEE-8344)

The CasC bundle access token that is used to authenticate the request between the controller and the operations center server was checked in non-constant time, resulting in a potential security vulnerability.

This issue has been resolved. The controller CasC bundle access token is now checked using a constant time comparison.

New features

Added support for exporting individual Configuration as Code (CasC) items (BEE-8231)

A new Export CasC item option has been added to the left pane of the operations center and controller dashboards, allowing you to export individual Configuration as Code (CasC) items in YAML format. The Export CasC item for the operations center is a Preview feature. For more information, refer to Creating items with CasC for controllers and Creating items with CasC for the operations center.

Folders cannot be exported as a CasC item. To export a folder, you can export the entire items.yaml from the Configuration as Code export and update screen.
CasC for the operations center now supports the creation and exportation of Cluster Operations items (BEE-3770)

When a Cluster Operation is created in an operations center instance, it is now possible to export its configuration in a YAML format that can be used to create and configure Cluster Operations items using CasC. Cluster Operations items for the operations center is a Preview feature. For more information, refer to Creating items with CasC for the operations center.

CasC now supports the creation and exportation of Backup and Restore items (BEE-6174)

For controllers, it is now possible to create Backup and Restore items using CasC. You can also export an existing Backup and Restore item configuration in YAML format, and this can be used to create and configure a Backup and Restore item using CasC. For more information, refer to Creating items with CasC for controllers.

For the operations center, it is now possible to create Backup items using CasC. You can also export an existing Backup item configuration in YAML format, and this can be used to create and configure a Backup item using CasC. Backup items for the operations center is a Preview feature. For more information, refer to Creating items with CasC for the operations center.

Added support for a new optional root property that can be defined in the controller CasC items.yaml file (BEE-8454)

A new optional root property can be added to the items.yaml file to define the root path for controller item creation. This allows you to create items using the defined root path instead of the root of the operations center. For more information, refer to items.yaml.

The availability pattern for controller CasC bundles can now be defined in the bundle.yaml file (BEE-6172)
  • A new optional availabilityPattern property can be added to the controller CasC bundle.yaml file to define the availability pattern.

  • New elements have been added to the CloudBees Configuration as Code bundles screen:

    • Two new icons have been added that identify the source of the availability pattern; either the bundle.yaml file or the UI.

    • A new Clear button has been added, to clear the availability pattern in the UI and use the availability pattern defined in the bundle.yaml file.

  • A new casc-bundle-clear-availability-pattern CLI command has been added to use the availability pattern defined in the bundle.yaml file and clear the availability pattern for the controller CasC bundle, if previously defined.

  • A new /casc-bundle/clear-availability-pattern HTTP API endpoint has been added to use the availability pattern defined in the bundle.yaml file and clear the availability pattern for the controller CasC bundle, if previously defined.

  • A new availabilityPatternFromYaml response has been added to existing CLI commands and HTTP API endpoints to indicate if the availability pattern is defined in the bundle.yaml file.

Added support for a new CLI command and HTTP API endpoint to create jobs based on a CasC items.yaml file (BEE-8455)

A new casc-items-create-items CLI command has been added to create items based on a CasC items.yaml file. For more information, refer to Configuration as Code (CasC) CLI.

A new /casc-items/create-items HTTP API endpoint has been added to create items based on a CasC items.yaml file. For more information, refer to Configuration as Code (CasC) HTTP API.

Preview release of the Restricted Credentials plugin (BEE-5228, BEE-3699)

The CloudBees Restricted Credentials plugin enables an additional Jenkins credentials store that lets you define restricted credentials with built-in access control using the full item names.

This feature is a Preview feature.

Feature enhancements

Amazon Web Services SDK plugin was split into multiple plugins (BEE-8703)

The Amazon Web Services (AWS) SDK plugin was very large because of the number of services AWS provides. However, CloudBees CI doesn’t require all of the modules in the Amazon Web Services SDK.

The plugin has been split into multiple fine-grained plugins, reducing the size of the CloudBees CI packages.

The CasC bundle now supports multiple levels of subfolders (BEE-8260)

The CasC bundle.yaml file now allows you to include a folder or subfolder in any section, without requiring that you list each individual YAML file contained within the subfolder. Previously, if a YAML file was added or removed from the bundle, it also had to be added or removed from the bundle.yaml file descriptor.

Support for additional CasC CLI commands (BEE-237)

The following CLI commands have been added for CasC, to correspond with functionality previously implemented in the user interface.

  • casc-bundle-check-bundle-update to check if CasC bundle updates are available.

  • casc-bundle-reload-bundle to apply the updated bundle without restarting the instance.

For more information, refer to Configuration as Code (CasC) CLI.

Support for additional CasC HTTP API endpoints (BEE-237)

The following HTTP API endpoints have been added for CasC, to correspond with functionality previously implemented in the user interface.

  • /casc-bundle-mgnt/check-bundle-update to check if CasC bundle updates are available.

  • /casc-bundle-mgnt/reload-bundle to apply the updated bundle without restarting the instance.

For more information, refer to Configuration as Code (CasC) HTTP API.

Exported plugins are now sorted alphabetically in the CasC plugins.yaml and plugin-catalog.yaml files (BEE-6171)

When exporting the current CasC configuration, plugins are now sorted alphabetically in the plugins.yaml and plugin-catalog.yaml files.

Migrated the Nectar License plugin from async-http-client to okhttp (BEE-8907)

Previously, HTTP communication was managed by an old version of async-http-client.

In this release, the underlying HTTP library has been updated to use okhttp to provide better performance and support for Server Name Indication (SNI).

Migrated the CloudBees License plugin from async-http-client to okhttp (BEE-2597)

Previously, HTTP communication was managed by an old version of async-http-client.

In this release, the underlying HTTP library has been updated to use okhttp to provide better performance and support for Server Name Indication (SNI).

Resolved issues

Invalid Kubernetes routes were created when hibernation was enabled in multiple namespaces (BEE-4156)

When you enabled hibernation in multiple namespaces, the routes that were created shared the same host and path. This could cause conflicts in Kubernetes.

Now, when you enable hibernation in multiple namespaces, only namespaced routes are created.

CasC HTTP API endpoint error message returned a stack trace exception (BEE-8494)

When sending a CasC HTTP API endpoint and an error message was returned, it included a stack trace exception.

This issue has been resolved. A stack trace exception is no longer returned and the error messages have been improved.

Exported CasC configurations that contained an empty environment variable generated an invalid property (BEE-8571)

If the CasC ‘items.yaml’ file contained an empty environment variable for a Folder, Multibranch Pipeline job, GitHub Organization, or a Bitbucket Team/Project item and the current CasC configuration was exported, the environment variable was exported as - {}, and the YAML could not be used to create a new item.

This issue has been resolved.

Folder and Pipeline job properties defined in the operations center CasC items.yaml file were duplicated (BEE-8679)

If Reload Configuration was selected from the CloudBees Configuration as Code export and update screen or if the operations center instance was restarted, Folder and Pipeline job properties defined in the operations center CasC items.yaml file were duplicated.

This issue has been resolved.

The apiUri field was not included in the exported CasC configuration for GitHub repositories (BEE-8821)

When the controller’s current configuration was exported, the apiUri field was not included in the exported items.yaml file.

When an SCM repository is hosted in GitHub, the apiUri field can be ignored. However, it is a required field when the CloudBees CI GitHub Organization project is used to configure a repository from a GitHub Enterprise server. The apiUri field is now properly exported with the current CasC configuration.

When exporting the current CasC controller configuration, folders were only exported if allowed items were restricted (BEE-8945)

This issue has been resolved. When exporting the current CasC controller configuration, folders are included in the exported items.yaml file and allowed items do not have to be restricted.

CasC bundle events were processed before the instance initialization ended (BEE-9025)

If there was any update in the internal CasC bundle storage during the instance initialization process, an event was sent but was not processed, and an error was returned.

The issue has been resolved. If there is an update, the event is not sent until instance initialization is complete.

When exporting the current CasC configuration for the operations center, a NullPointerException was returned (BEE-9123)

When exporting the current CasC configuration for the operations center from the Configuration as Code export and update screen, a NullPointerException was returned.

This issue has been resolved. The current operations center CasC configuration can be now exported as a single YAML file without returning a NullPointerException.

Non-anonymized data collected (BEE-9458)

Some data, such as job names, was collected without being anonymized.

This issue has been resolved.

Move/Copy/Promote error (BEE-9464)

Some Move/Copy/Promote operations failed with an error when you attempted to use them between two non-local controllers.

This issue has been resolved. Move/Copy/Promote can now be used normally on non-local controllers.

User permissions were not correctly resolving on the controller when using single sign-on (SSO) (BEE-8867)

In some situations, user permissions were not resolving properly when operations center SSO was enabled and impersonation was performed on a controller. Some plugins use impersonation to check whether a user other than the one who is signed in has certain permissions. This issue was observed with the Email Extension plugin, for example, when it would not send emails to a user because the user incorrectly appeared to not have permissions to view the item.

This issue has been resolved. User permissions are now correctly processed on the controller when you use SSO.

Fixed a root certificate loading issue (BEE-9044)

The CloudBees Jenkins Enterprise License Entitlement Check plugin was loading certificates from the wrong location. This could have resulted in signature validation problems in a future release.

This issue has been resolved, certificates are now loaded from the expected location.

Updated authorization strategy to distinguish between users and groups (BEE-5584)

Users were not distinguished from groups in the role-based access control (RBAC) configuration, leading to some potential misconfigurations when a user has the same name as a group. Proper credentials may not have been applied.

This issue has been resolved, users and groups are now properly distinguished and validated.

CloudBees Backup plugin incorrectly backed up in-progress builds when the build result was already set (BEE-8871)

Occasionally, builds that are still in progress have a build result. This can be due to a modification to currentBuild.result in a Pipeline, a Pipeline step like junit, or a Freestyle builder. Once the build result was set, the CloudBees Backup plugin considered these builds to be complete and could attempt to back them up, even though they were not yet completed.

This issue has been resolved. The CloudBees Backup plugin now uses different criteria to determine if a build is still running to ensure that only completed builds can be backed up.

Terminology updates (BEE-8311, BEE-8313)

CloudBees is updating terminology to remove offensive text. During this initiative, "controller" replaces "master," "agent" replaces "slave," "allowlist" replaces "whitelist," and "denylist" replaces "blacklist."

Made the timeout waiting period for a GitHub PR merge request status configurable (BEE-8917)

If GitHub does not generate a merge commit SHA for a pull request within four seconds, then pull request builds may not be created.

To resolve this, users can now configure the number of retries via the following System property:

org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.mergeableStatusRetries.

Known issues

Regression identified in the tar extraction functionality when working with symbolic links

A regression has been identified in the tar extraction functionality that is built into Jenkins when working with symbolic links. For Pipeline jobs, the unstash step is known to be affected. This is being tracked as JENKINS-67063. Further details will be provided once available.

Upgrade notes

Safely upgrading the Amazon Web Services SDK plugin

The Amazon Web Services (AWS) SDK plugin (aws-java-sdk) was split into multiple fine-grained plugins to reduce the size of the CloudBees CI packages. As a result, it is no longer a part of the CloudBees Assurance Program. The plugin is not automatically uninstalled from your CloudBees CI instance and it could lead to an inconsistent state when you upgrade.

If you perform the installation using CasC and the plugins.yaml file contains aws-java-sdk, the installation will fail. To resolve the failed installation, you must add any plugins that are dependent upon the AWS SDK plugin to the plugins.yaml and the plugin-catalog.yaml files. To avoid upgrade issues, you should use the Plugin Manager to safely upgrade the AWS SDK plugin.