Security fixes
- Fixed vulnerabilities in the Jenkins remote communication protocol (SECURITY-2455)
Multiple security vulnerabilities have been identified in the Jenkins protocol that is used for communication between controllers and agents, as well as between the operations center and any connected controllers.
These issues have been resolved in this release. CloudBees recommends that you upgrade as soon as possible or apply a workaround. Please refer to the following knowledge base article for more information:
- Improved required role check (SECURITY-2458)
Messages (“Callables”) in the Jenkins protocol that are used for communication between agents, controllers, and the operations center check the role of the current side of the communication channel to determine whether they are allowed to be executed there.
In previous releases, a no-op implementation of this role check placed no restriction on where the Callable could execute, so it could run on either side of the channel, including on the controller when sent from an agent. To prevent exploitation of vulnerabilities caused by such implementations, any Callable whose role check is a no-op is now rejected.
Please refer to the following knowledge base article for more information:
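To make the failure mode concrete, here is an added Python model of the mechanism described above. It is not Jenkins or CloudBees code; the names RoleChecker, Message, run_lenient and run_strict, and the two constructed messages, are illustrative only. It contrasts the previous lenient behaviour, where a message whose check_roles() hook does nothing executes on either side of the channel, with the new behaviour, where a hook that never consults the checker is rejected outright.

```python
"""Model of the Callable role check described above.

This is an added Python sketch of the mechanism, not Jenkins or CloudBees
code. Each message carries a check_roles() hook that is supposed to tell the
RoleChecker which side of the channel ("controller" or "agent") it may run on.
A no-op hook never consults the checker, so under the old, lenient behaviour
nothing restricts where the message executes. The strict executor treats
"the checker was never consulted" as a failure.
"""
from dataclasses import dataclass, field
from typing import Callable as Fn


class RoleViolation(Exception):
    """Raised when a message is about to run on a side it is not allowed on."""


@dataclass
class RoleChecker:
    current_role: str                              # side we are executing on
    consulted: bool = field(default=False, init=False)

    def check(self, subject: str, *allowed_roles: str) -> None:
        """Called by a message's check_roles() to declare where it may run."""
        self.consulted = True
        if self.current_role not in allowed_roles:
            raise RoleViolation(
                f"{subject} may run on {allowed_roles}, not on {self.current_role!r}")


@dataclass
class Message:
    name: str
    check_roles: Fn[[RoleChecker], None]   # the role check hook
    body: Fn[[], str]                      # the work the message performs


def run_lenient(msg: Message, current_role: str) -> str:
    """Previous behaviour: whatever check_roles() does, including nothing, is trusted."""
    msg.check_roles(RoleChecker(current_role))
    return msg.body()


def run_strict(msg: Message, current_role: str) -> str:
    """New behaviour: a check_roles() that never calls check() is rejected."""
    checker = RoleChecker(current_role)
    msg.check_roles(checker)
    if not checker.consulted:
        raise RoleViolation(f"{msg.name}: check_roles() did not consult the RoleChecker")
    return msg.body()


# Constructed messages; the "work" is just a string so the example is self-contained.
AGENT_ONLY = Message(
    name="ListWorkspace",
    check_roles=lambda checker: checker.check("ListWorkspace", "agent"),
    body=lambda: "listed agent workspace",
)
NO_OP = Message(
    name="LegacyTask",
    check_roles=lambda checker: None,      # the defect: never consults the checker
    body=lambda: "ran wherever it landed",
)


def outcome(runner, msg: Message, current_role: str) -> str:
    """Run msg with the given executor and report the result or the rejection."""
    try:
        return runner(msg, current_role)
    except RoleViolation as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for runner in (run_lenient, run_strict):
        for msg in (AGENT_ONLY, NO_OP):
            for role in ("agent", "controller"):
                print(f"{runner.__name__:12} {msg.name:14} on {role:10} -> "
                      f"{outcome(runner, msg, role)}")
```

The point of the strict executor is that it fails closed: a message that declares no role is treated as a defect rather than as "allowed everywhere", which is the only safe default when the sending side may be an agent.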
- Non-constant time checking was performed for the controller CasC bundle access token (BEE-8344)
The CasC bundle access token that is used to authenticate requests between the controller and the operations center server was checked with a non-constant-time comparison. Because such a comparison returns as soon as the first mismatching byte is found, its response time depends on how much of the supplied token is correct, which could be exploited as a timing side channel to recover the token.
This issue has been resolved. The controller CasC bundle access token is now checked using a constant-time comparison.
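As an added illustration of why this matters (not CloudBees code), the following Python compares an early-exit token check with a constant-time one. The step count returned by compare_leaky stands in for the response-time difference an attacker would measure, so the leak can be shown deterministically rather than with noisy timings; recover_with_oracle shows that this difference is enough to recover the token one character at a time. TOKEN, HEX and all function names are constructed for the example.

```python
"""Why a non-constant-time token check matters (added example, not CloudBees code).

compare_leaky() is the kind of early-exit comparison the fix removes; its
running time grows with the length of the correct prefix. Here that cost is
exposed as an exact step count so the leak can be demonstrated deterministically
instead of by noisy timing. compare_constant_time() is the corrected form.
"""
import hmac

HEX = "0123456789abcdef"

# Constructed sample token; a real CasC bundle access token is much longer.
TOKEN = "7f3a9c2e"


def compare_leaky(expected: str, supplied: str) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, number of characters examined)."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def compare_constant_time(expected: str, supplied: str) -> bool:
    """Work does not depend on where the inputs differ."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def prefix_leak(expected: str, guesses: list[str]) -> list[int]:
    """Step count per guess: what a remote attacker observes as latency."""
    return [compare_leaky(expected, g)[1] for g in guesses]


def recover_with_oracle(oracle, alphabet: str, length: int) -> str:
    """Recover a token one character at a time from the step-count oracle.

    For positions 0..length-2 the correct character causes one more character
    to be examined than any wrong one. The last character cannot be told apart
    by step count (both paths examine every character), so it is confirmed via
    the equality result, as a real attacker would by one final authentication.
    """
    known = ""
    for pos in range(length):
        if pos < length - 1:
            # Pad with NUL (never part of the hex alphabet) to keep the length equal.
            best = max(alphabet,
                       key=lambda ch: oracle((known + ch).ljust(length, "\0"))[1])
        else:
            best = next(ch for ch in alphabet if oracle(known + ch)[0])
        known += best
    return known


if __name__ == "__main__":
    print("steps for 00000000, 70000000, 7f000000:",
          prefix_leak(TOKEN, ["00000000", "70000000", "7f000000"]))
    recovered = recover_with_oracle(lambda g: compare_leaky(TOKEN, g), HEX, len(TOKEN))
    print("recovered from the leaky oracle:", recovered, recovered == TOKEN)
    print("constant-time result only:", compare_constant_time(TOKEN, "7f3a9c2f"))
```

The corrected form, hmac.compare_digest (the Python analogue of Java's MessageDigest.isEqual), exposes only the boolean result; its running time does not depend on the position of the first mismatch, so the oracle that recover_with_oracle relies on disappears.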
New features
- Added support for exporting individual Configuration as Code (CasC) items (BEE-8231)
A new Export CasC item option has been added to the left pane of the operations center and controller dashboards, allowing you to export individual Configuration as Code (CasC) items in YAML format. The Export CasC item for the operations center is a Preview feature. For more information, refer to Creating items with CasC for controllers and Creating items with CasC for the operations center.
Folders cannot be exported as a CasC item. To export a folder, export the entire items.yaml file from the Configuration as Code export and update screen.
- CasC for the operations center now supports the creation and exportation of Cluster Operations items (BEE-3770)
When a Cluster Operation is created in an operations center instance, it is now possible to export its configuration in a YAML format that can be used to create and configure Cluster Operations items using CasC. Cluster Operations items for the operations center is a Preview feature. For more information, refer to Creating items with CasC for the operations center.
- CasC now supports the creation and exportation of Backup and Restore items (BEE-6174)
For controllers, it is now possible to create Backup and Restore items using CasC. You can also export an existing Backup and Restore item configuration in YAML format, and this can be used to create and configure a Backup and Restore item using CasC. For more information, refer to Creating items with CasC for controllers.
For the operations center, it is now possible to create Backup items using CasC. You can also export an existing Backup item configuration in YAML format, and this can be used to create and configure a Backup item using CasC. Backup items for the operations center is a Preview feature. For more information, refer to Creating items with CasC for the operations center.
- Added support for a new optional root property that can be defined in the controller CasC items.yaml file (BEE-8454)
A new optional root property can be added to the items.yaml file to define the root path for controller item creation. This allows you to create items under the defined root path instead of at the root of the operations center. For more information, refer to items.yaml.
- The availability pattern for controller CasC bundles can now be defined in the bundle.yaml file (BEE-6172)
A new optional availabilityPattern property can be added to the controller CasC bundle.yaml file to define the availability pattern.
New elements have been added to the CloudBees Configuration as Code bundles screen:
  - Two new icons identify the source of the availability pattern: either the bundle.yaml file or the UI.
  - A new Clear button clears the availability pattern set in the UI, so that the availability pattern defined in the bundle.yaml file is used.
In addition:
  - A new casc-bundle-clear-availability-pattern CLI command has been added. It clears the availability pattern for the controller CasC bundle, if one was previously defined in the UI, so that the availability pattern defined in the bundle.yaml file is used.
  - A new /casc-bundle/clear-availability-pattern HTTP API endpoint has been added with the same behavior.
  - A new availabilityPatternFromYaml field has been added to the responses of the existing CLI commands and HTTP API endpoints to indicate whether the availability pattern is defined in the bundle.yaml file.
For more information, refer to Configuring bundle availability for controllers, Configuration as Code (CasC) CLI, and Configuration as Code (CasC) HTTP API.
- Added support for a new CLI command and HTTP API endpoint to create jobs based on a CasC items.yaml file (BEE-8455)
A new casc-items-create-items CLI command has been added to create items based on a CasC items.yaml file. For more information, refer to Configuration as Code (CasC) CLI.
A new /casc-items/create-items HTTP API endpoint has been added to create items based on a CasC items.yaml file. For more information, refer to Configuration as Code (CasC) HTTP API.
- Preview release of the Restricted Credentials plugin (BEE-5228, BEE-3699)
The CloudBees Restricted Credentials plugin enables an additional Jenkins credentials store that lets you define restricted credentials with built-in access control based on full item names.
This feature is a Preview feature.
Feature enhancements
- Amazon Web Services SDK plugin was split into multiple plugins (BEE-8703)
The Amazon Web Services (AWS) SDK plugin was very large because of the number of services AWS provides. However, CloudBees CI doesn’t require all of the modules in the Amazon Web Services SDK.
The plugin has been split into multiple fine-grained plugins, reducing the size of the CloudBees CI packages.
- The CasC bundle now supports multiple levels of subfolders (BEE-8260)
The CasC bundle.yaml file now allows you to include a folder or subfolder in any section, without requiring that you list each individual YAML file contained within the subfolder. Previously, if a YAML file was added to or removed from the bundle, it also had to be added to or removed from the bundle.yaml file descriptor.
- Support for additional CasC CLI commands (BEE-237)
The following CLI commands have been added for CasC, to correspond with functionality previously implemented in the user interface:
  - casc-bundle-check-bundle-update, to check if CasC bundle updates are available.
  - casc-bundle-reload-bundle, to apply the updated bundle without restarting the instance.
For more information, refer to Configuration as Code (CasC) CLI.
- Support for additional CasC HTTP API endpoints (BEE-237)
The following HTTP API endpoints have been added for CasC, to correspond with functionality previously implemented in the user interface:
  - /casc-bundle-mgnt/check-bundle-update, to check if CasC bundle updates are available.
  - /casc-bundle-mgnt/reload-bundle, to apply the updated bundle without restarting the instance.
For more information, refer to Configuration as Code (CasC) HTTP API.
- Exported plugins are now sorted alphabetically in the CasC plugins.yaml and plugin-catalog.yaml files (BEE-6171)
When exporting the current CasC configuration, plugins are now sorted alphabetically in the plugins.yaml and plugin-catalog.yaml files.
- Migrated the Nectar License plugin from async-http-client to okhttp (BEE-8907)
Previously, HTTP communication was managed by an old version of async-http-client. In this release, the underlying HTTP library has been updated to okhttp, which provides better performance and support for Server Name Indication (SNI).
- Migrated the CloudBees License plugin from async-http-client to okhttp (BEE-2597)
Previously, HTTP communication was managed by an old version of async-http-client. In this release, the underlying HTTP library has been updated to okhttp, which provides better performance and support for Server Name Indication (SNI).
Resolved issues
- Invalid Kubernetes routes were created when hibernation was enabled in multiple namespaces (BEE-4156)
When you enabled hibernation in multiple namespaces, the routes that were created shared the same host and path. This could cause conflicts in Kubernetes.
Now, when you enable hibernation in multiple namespaces, only namespaced routes are created.
- CasC HTTP API endpoint error message returned a stack trace exception (BEE-8494)
When a CasC HTTP API request failed, the returned error message included a stack trace, exposing internal implementation details to the caller.
This issue has been resolved. Stack traces are no longer returned, and the error messages have been improved.
- Exported CasC configurations that contained an empty environment variable generated an invalid property (BEE-8571)
If the CasC items.yaml file contained an empty environment variable for a Folder, Multibranch Pipeline job, GitHub Organization, or Bitbucket Team/Project item and the current CasC configuration was exported, the environment variable was exported as "- {}", and the resulting YAML could not be used to create a new item.
This issue has been resolved.
- Folder and Pipeline job properties defined in the operations center CasC items.yaml file were duplicated (BEE-8679)
If Reload Configuration was selected from the CloudBees Configuration as Code export and update screen, or if the operations center instance was restarted, Folder and Pipeline job properties defined in the operations center CasC items.yaml file were duplicated.
This issue has been resolved.
- The apiUri field was not included in the exported CasC configuration for GitHub repositories (BEE-8821)
When the controller's current configuration was exported, the apiUri field was not included in the exported items.yaml file. When an SCM repository is hosted on GitHub (github.com), the apiUri field can be omitted. However, it is a required field when the CloudBees CI GitHub Organization project is used to configure a repository from a GitHub Enterprise server. The apiUri field is now properly exported with the current CasC configuration.
- When exporting the current CasC controller configuration, folders were only exported if allowed items were restricted (BEE-8945)
This issue has been resolved. When exporting the current CasC controller configuration, folders are included in the exported items.yaml file whether or not allowed items are restricted.
- CasC bundle events were processed before the instance initialization ended (BEE-9025)
If there was any update in the internal CasC bundle storage during the instance initialization process, an event was sent but was not processed, and an error was returned.
The issue has been resolved. If there is an update, the event is not sent until instance initialization is complete.
- When exporting the current CasC configuration for the operations center, a NullPointerException was returned (BEE-9123)
When exporting the current CasC configuration for the operations center from the Configuration as Code export and update screen, a NullPointerException was returned.
This issue has been resolved. The current operations center CasC configuration can now be exported as a single YAML file without a NullPointerException.
- Non-anonymized data collected (BEE-9458)
Some data, such as job names, was collected without being anonymized.
This issue has been resolved.
- Move/Copy/Promote error (BEE-9464)
Some Move/Copy/Promote operations failed with an error when you attempted to use them between two non-local controllers.
This issue has been resolved. Move/Copy/Promote can now be used normally on non-local controllers.
- User permissions were not correctly resolving on the controller when using single sign-on (SSO) (BEE-8867)
In some situations, user permissions were not resolving properly when operations center SSO was enabled and impersonation was performed on a controller. Some plugins use impersonation to check whether a user other than the one who is signed in has certain permissions. This issue was observed with the Email Extension plugin, for example, when it would not send emails to a user because the user incorrectly appeared to not have permissions to view the item.
This issue has been resolved. User permissions are now correctly processed on the controller when you use SSO.
- Fixed a root certificate loading issue (BEE-9044)
The CloudBees Jenkins Enterprise License Entitlement Check plugin was loading certificates from the wrong location, which could have caused signature validation failures in a future release.
This issue has been resolved. Certificates are now loaded from the expected location.
- Updated authorization strategy to distinguish between users and groups (BEE-5584)
Users were not distinguished from groups in the role-based access control (RBAC) configuration. When a user had the same name as a group, this could lead to misconfigurations in which permissions intended for one were applied to the other.
This issue has been resolved. Users and groups are now properly distinguished and validated.
- CloudBees Backup plugin incorrectly backed up in-progress builds when the build result was already set (BEE-8871)
Occasionally, builds that are still in progress already have a build result. This can be due to a modification of currentBuild.result in a Pipeline, a Pipeline step such as junit, or a Freestyle builder. Once the build result was set, the CloudBees Backup plugin considered these builds to be complete and could attempt to back them up, even though they had not yet completed.
This issue has been resolved. The CloudBees Backup plugin now uses different criteria to determine whether a build is still running, to ensure that only completed builds are backed up.
- Terminology updates (BEE-8311, BEE-8313)
CloudBees is updating terminology to remove offensive text. During this initiative, "controller" replaces "master," "agent" replaces "slave," "allowlist" replaces "whitelist," and "denylist" replaces "blacklist."
- Made the timeout waiting period for a GitHub PR merge request status configurable (BEE-8917)
If GitHub does not generate a merge commit SHA for a pull request within four seconds, pull request builds may not be created.
To resolve this, you can now configure the number of retries with the org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.mergeableStatusRetries system property (set on the controller JVM as a -D argument).
Known issues
- Regression identified in the tar extraction functionality when working with symbolic links
A regression has been identified in the tar extraction functionality that is built into Jenkins when working with symbolic links. For Pipeline jobs, the unstash step is known to be affected. This is being tracked as JENKINS-67063. Further details will be provided once available.
Upgrade notes
- Safely upgrading the Amazon Web Services SDK plugin
The Amazon Web Services (AWS) SDK plugin (aws-java-sdk) was split into multiple fine-grained plugins to reduce the size of the CloudBees CI packages. As a result, it is no longer a part of the CloudBees Assurance Program. The plugin is not automatically uninstalled from your CloudBees CI instance and it could lead to an inconsistent state when you upgrade.
If you perform the installation using CasC and the plugins.yaml file contains aws-java-sdk, the installation will fail. To resolve the failed installation, you must add any plugins that are dependent upon the AWS SDK plugin to the plugins.yaml and the plugin-catalog.yaml files. To avoid upgrade issues, you should use the Plugin Manager to safely upgrade the AWS SDK plugin.