New features
- Initial release of Configuration as Code (CasC) for the operations center
-
Previously released as a Preview feature, CasC for the operations center is now fully supported. This allows you to capture the configuration of the operations center in human-readable declarative files that can be used in a reproducible way and eliminates the need for additional tools or custom scripts that must be manually maintained.
For more information, refer to Configuration as Code for the operations center.
- Initial release of Configuration as Code bundle location
-
Previously released as a Preview feature, the Configuration as Code bundle location setting is now fully supported. It allows you to configure a local folder on the operations center server or an SCM repository for adding controller CasC bundles to the operations center’s internal storage.
Once you have added your controller CasC bundles to the operations center, you can configure how the bundles are synchronized with the operations center’s internal storage. This ensures any changes to the bundles are available to controllers using the CasC bundle.
For more information, refer to Adding controller CasC bundles to the operations center.
- Initial release of CasC item creation for the operations center and controllers
-
Previously released as a Preview feature, the creation of various items using the operations center or controller `items.yaml` file is now fully supported. When these items are created in an instance, it is possible to export their configuration in a YAML format that can be used to create and configure the items using CasC.
For more information, refer to Creating items with CasC for controllers.
- Added an HTTP endpoint to validate the bundles in the operations center (BEE-10532)
-
When a bundle is added to the operations center using the Configuration as Code bundle location, it can be validated using a new HTTP endpoint.
The output provides the following information:
  - General validation messages in the files and folders of the bundle.
  - Specific validation messages on every online controller where the bundle is applied.
  - A list of the offline controllers where the bundle is applied, but the validation did not occur because of the controller’s status.
For more information, refer to Configuration as Code (CasC) HTTP API.
- Added the CLI command to validate the bundles in the operations center (BEE-10530)
-
When a bundle is added to the operations center using the Configuration as Code bundle location, it can be validated by using a new CLI command.
The CLI output provides the following information:
  - General validation messages in the files and folders of the bundle.
  - Specific validation messages on every online controller where the bundle is applied.
  - A list of the offline controllers where the bundle is applied, but the validation did not occur because of the controller’s status.
For more information, refer to Configuration as Code (CasC) CLI.
Feature enhancements
- Allow defining `ServiceAccount` annotations to support using Workload Identity (BEE-15147)
-
In order to use Workload Identity to manage Kubernetes workloads (for example in GKE or AWS), you must define annotations on `ServiceAccounts`. Previously, this was not supported by the CloudBees CI Helm chart.
You can now define `ServiceAccount` annotations for the operations center, controllers, and agents, by providing them as values during installation via the Helm chart. With this update, you can now use Workload Identity to manage your CloudBees CI Kubernetes workloads.
- Improve validation messages (BEE-15892)
-
There have been improvements made to the validation error and warning messages.
For more information, refer to Creating a CasC bundle for controllers and Troubleshooting CasC for the operations center.
- Credentials are supported as part of the folders definition in the `items.yaml` files (BEE-15846)
-
Credentials can now be exported and defined as part of the folder-based items in the `items.yaml` files of the CasC bundles.
For more information, refer to Creating a CasC bundle for controllers and Creating a CasC bundle for the operations center.
- Configuration Bundle variable support is now available for the `jenkins.yaml`, `items.yaml`, and `rbac.yaml` files (BEE-15842)
-
The variables that are defined in the configuration bundles are now exposed in the `jenkins.yaml`, `items.yaml`, and `rbac.yaml` files.
For more information, refer to Creating a CasC bundle for controllers and Creating a CasC bundle for the operations center.
- Added variable support for the `items.yaml` files and the `rbac.yaml` files (BEE-15839)
-
The JCasC variables format is now supported in the `items` and `rbac` sections of the configuration bundles.
For more information, refer to Creating a CasC bundle for controllers and Creating a CasC bundle for the operations center.
- Allow CasC bundles to accept only one entry for a plugin catalog (BEE-14831)
-
When multiple plugin catalog files are in a bundle, a log message is generated to identify which file is effectively used.
For more information, refer to Troubleshooting CasC for controllers.
- Validation is now performed on the CasC `rbac.yaml` file (BEE-10523)
-
The `rbac.yaml` file in the CasC bundle is now validated to verify the following:
  - The YAML format is correct.
  - The authorization strategy must be `RoleMatrixAuthorizationStrategy` ("CloudBeesRoleBasedAccessControl" in the `jenkins.yaml` file).
  - All of the permissions defined for a role must exist in the instance.
Resolved issues
- YAML configuration was not being properly applied to managed controllers (BEE-15296)
-
Restarting a managed controller was not applying any updates to the managed controller’s YAML configuration. As a workaround, you may have had to stop and start the managed controller to apply the changes.
This issue has been resolved. The YAML configuration is now properly applied to managed controllers when you restart them.
- Kubernetes agent pods were not terminated properly (BEE-15657)
-
In some cases, if an invalid Kubernetes agent pod or container is specified for cleanup, the corresponding build was not being properly cancelled.
This issue has been resolved. If you specify an invalid Kubernetes agent pod or container in a job, the build is aborted.
- Deprecated APIs prevent Ingress annotations from being detected on Kubernetes version 1.22. (BEE-15850)
-
The deprecated APIs, `extensions/v1beta` and `networking/v1beta`, are sometimes used in CloudBees CI on modern cloud platforms. This prevents the `cjoc` Ingress annotations from being detected when you run Kubernetes version 1.22. It also causes exceptions in the logs when you generate a support bundle.
This issue has been resolved. The `cjoc` Ingress annotations now work as expected in version 1.22.
- Removed remaining support for Ingress `v1beta` (BEE-15941)
-
In this release, the remaining references to deprecated Ingress versions were removed since they are no longer necessary.
- Upgraded Woodstox in the SAML plugin (BEE-9264)
-
The version of Woodstox that was used in the SAML plugin contained an injection flaw that could cause issues during the parsing of XML data.
To resolve the issue, Woodstox 5.2.1 was upgraded to version 6.2.7.
- Fixed Check now button in the CloudBees Update Center (BEE-9981)
-
The last update date function was not working when you clicked the Check now button in the controller plugin management options.
This issue has been resolved. The date is now correctly displayed when the check is finished.
- Log displays "A connection to `https://beekeeper-server.cloudbees.com/` was leaked" message (BEE-14484)
-
The connection was not closing properly when querying for security warnings.
The issue was resolved and the connection is now closed correctly when querying for security warnings.
- Fixed RBAC groups autocompletion (BEE-14968)
-
When adding groups as members of an RBAC group, the autocompletion feature only worked for groups that were defined in the root of the current controller.
Now, autocompletion applies to groups from parent folders as well as from the operations center, if applicable. This issue has been resolved.
- Reduced number of calls to `Queue.maintain()` (BEE-15022)
-
Frequent calls to the Jenkins method `Queue.maintain()` could have a negative impact on performance. Occasionally, the number of calls resulted in poor instance health and connection issues that could only be resolved by restarting the controller.
The number of calls made to `Queue.maintain()` has been reduced, since the call already occurs periodically in the background. This fix should improve instance health and resolve some connection issues.
- Terminology updates (BEE-15058, BEE-15634)
-
CloudBees is updating terminology to remove offensive text. During this ongoing initiative, “controller” replaces “master,” “agent” replaces “slave,” “allowlist” replaces “whitelist,” and “denylist” replaces “blacklist.”
Starting with this release, the Docker images were renamed to remove offensive text.
- Fixed file locking issues for Windows (BEE-15841)
-
There were instances of file locks that could cause failures in certain use cases when you run a controller in a Windows environment.
This issue has been resolved.
- Removed duplicate code as maintenance (BEE-15942)
-
Some code was duplicated from Jenkins core into the proprietary plugin.
This duplicate code was removed for better maintenance of the plugin.
- Created shaded Jenkins High Availability libraries (BEE-16798)
-
To avoid version conflicts with other components in CloudBees CI, the High Availability plugin now shades its dependencies.
- Prevented a `NullPointerException` when the `items.yaml` file was exported, if a property expected by the constructor is missing (BEE-16664)
-
In the definition of an item in the `items.yaml` file, if a property that was expected by the constructor was missing, a `NullPointerException` was returned. For example, there is a missing scope in a credential definition.
This issue has been resolved.
- The `DescriptorValidator` invocation was missing on the bundle synchronization (BEE-16142)
-
When bundles were loaded, the bundle synchronization was missing the bundle descriptor validator that checks the mandatory fields and sections information.
This issue was resolved and the validation is now properly performed.
- Some enumerations were not handled properly by item creation with CasC (BEE-16140)
-
Some anonymous classes were not considered as enumerations during the items creation with CasC.
The issue was resolved.
- A `ClassCastException` was returned when an item with an enumeration in its constructor was created (BEE-16075)
-
When an item in the `items.yaml` file has a property that receives an enumeration class in its constructor, the value was not cast to the proper type, and an exception was returned.
This issue was resolved.
- Validate bundles when they are checked out using the build step (BEE-16005)
-
If controller bundles are synchronized in the operations center using a Freestyle job with the Synchronize bundles from workspace with internal storage build step, the bundles were not validated.
Now, it uses the same validations as when you select the Configuration as Code bundle location.
- A warning message was displayed when you referenced a folder with files (BEE-15925)
-
In the `bundle.yaml` file, when a folder was referenced with files instead of the list of files, a warning message was displayed that states the files in that folder are not referenced.
This issue has been resolved.
- Changes to the CasC bundle subfolders were not propagated (BEE-15492)
-
If the CasC `bundle.yaml` file specified a subfolder instead of the list of files within the subfolder and one of those files within the folder was changed, the change was not propagated and the new version of the bundle was not available to the controllers.
This issue was resolved.
- The SCMSources array was incorrectly exported with the Organization Folder (BEE-15130)
-
The SCMSources array was incorrectly being exported with the Organization Folder during a CasC export.
This issue has been resolved. The array is no longer exported.
- If the CasC `rbac.yaml` file did not include a `roles` section, the current roles were not synchronized (BEE-15036)
-
If the CasC `rbac.yaml` file did not include a `roles` section, the `authenticated` role was incorrectly initialized with the Overall/Read permission granted.
This issue was resolved.
- Prevented the property `ParametersDefinitionProperty#parameterDefinitionNames` from being exported (BEE-14427)
-
When you exported a parameterized Pipeline, the `parameterDefinitionNames` property was exported as part of the parameter definitions. If the exported item was imported later, an error occurred.
This property is no longer exported, so the exported item can be imported. This issue is resolved.
- The Promoted Builds plugin contained broken icons due to the icon paths being removed in the Jenkins core (BEE-160452)
-
The icon paths have been updated and the issue has been resolved.
- The `withEnv` step does not document keys that are case insensitive (BEE-15944)
-
The inline help for the `withEnv` step was updated to show that the environment variable keys are case insensitive, but they do preserve the case.
- Fixed the incorrect display for disabled plugins in the CloudBees Plugin Usage Analyzer report (BEE-7063)
-
Plugins that were disabled were displayed as blank lines in the CloudBees Plugin Usage Analyzer report.
This issue has been resolved. Disabled plugins now display with a strikethrough.
Known issues
- Require Kubernetes 1.19 or later (BEE-1208)
-
The minimum version of Kubernetes required to run CloudBees CI on modern cloud platforms is now 1.19. Support for older versions of Kubernetes has been dropped. Refer to the Supported platforms for CloudBees CI on modern cloud platforms for more information.
- Duplicate Pipeline Template Catalogs in the Configuration as Code jenkins.yaml file on each instance restart (BEE-12722)
-
If a Pipeline Template Catalog is configured in the CasC `jenkins.yaml` file and the `id` property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.
Upgrade notes
- Helm template installations require the `--api-versions` flag (BEE-15986)
-
Kubernetes 1.19+ is now required when installing CloudBees CI on modern cloud platforms. The `helm template` command does not interact with the Kubernetes cluster to determine the cluster’s version or capabilities. If you run the `helm template` command without the `--api-versions network.k8s.io/v1/ingress` flag, you will receive an error message.
When you install or upgrade CloudBees CI on modern cloud platforms using the `helm template` command, make sure that you are running Kubernetes 1.19 or higher and that you use the `--api-versions network.k8s.io/v1/ingress` flag to properly generate the YAML file.
- Migration to Java 11 will soon be required for new releases (BEE-42)
-
The Jenkins community will begin supporting Java 11-specific features soon (Java 11 byte code), at which point it will no longer be possible to use a Java 8 runtime environment. Because CloudBees CI on modern cloud platforms is based on the Jenkins LTS, future releases of CloudBees CI on modern cloud platforms will have the same requirement.
CloudBees strongly recommends upgrading your CloudBees CI on modern cloud platforms environment to run Java 11 as soon as possible. Some of the Java 11 updates may require action on your part, and there may be a specific order in which you should upgrade components in your environment. For more information, refer to Migrating to Java 11.
- Updated minimum Jenkins version to LTS 2.332.1 (BEE-10651)
-
The minimum required Jenkins version was updated to the latest LTS, version 2.332.1.
- When upgrading to Java 11, you must update your Java garbage collection arguments (BEE-16018)
-
Garbage collection has been updated in Java 11. Many of the previously recommended arguments are no longer supported. When you upgrade your JDK to Java 11, you must also update your garbage collection configuration. Using unsupported Java arguments will result in startup failure.
For more information, refer to Adding Java arguments to the Jenkins service configuration file.
- Jenkins agent-to-controller security changes affect several plugins
-
Jenkins 2.326 removes the ability to disable or customize the agent-to-controller-security system. The following plugins are known to be affected by this change:
  - Cobertura Plugin
  - Code Coverage API Plugin
  - Log Parser Plugin
  - Maven Integration Plugin
  - XUnit Plugin
After upgrading to Jenkins 2.326, you must update these plugins.
Other plugins may be affected as well. Refer to Agent → Controller Security Changes in 2.326 for more information.
- Matrix Authorization Strategy plugin version 3.0 upgrade
-
Version 3.0 of the Matrix Authorization Strategy plugin extends the formats for permission assignments both internally and when used with the Job DSL and Configuration as Code plugins. With the upgrade to version 3.0, all past permission assignments are now considered ambiguous. While existing configurations can still be read, if the permission assignment configurations contain ambiguous entries, warnings will appear in the UI and in logs.
Downgrading to an earlier release of the plugin may cause problems once you have used version 3.0 or later to assign new permissions or migrate existing permission assignments. Earlier releases will not be able to load the updated, version 3.0 permission assignments.
Further, the Matrix Authorization Strategy plugin’s APIs have changed significantly. While some compatibility is retained, other plugins that depend on the Matrix Authorization Strategy plugin will likely need to be adapted to the changes, or they may behave in unexpected ways.
If you use any plugins that have a dependency on the Matrix Authorization Strategy plugin, you should make sure they are compatible with version 3.0 before you upgrade. For example, the Role-based Authorization Strategy plugin has been reported to be incompatible with version 3.0.
Customers that use the CloudBees Role-Based Access Control plugin for authorization are not affected by this change in behavior. If you configured the Matrix Authorization Strategy plugin’s job level permissions using the Job DSL plugin’s special syntax (`authorization` top-level element), you will not be able to assign unambiguous permissions in current releases of the Job DSL plugin, version 1.78.3 and earlier. Instead, you should use the syntax documented here using the `authorizationMatrix` child of the `properties` element.
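An added example, not taken from the CloudBees or plugin documentation: a pre-upgrade check that lists the ambiguous permission assignments described above in a Jenkins `config.xml`, so they can be migrated deliberately. It assumes the version 3.0 typed format prefixes an entry with `USER:` or `GROUP:` and that assignments are stored in `<permission>` elements; the sample XML and the names in it are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a typed (unambiguous) entry is "USER:<permission>:<sid>" or
# "GROUP:<permission>:<sid>"; an entry without the prefix is ambiguous because
# it applies to a user or a group that happens to share the name.
TYPED = re.compile(r"^(USER|GROUP):([^:]+):(.+)$")
LEGACY = re.compile(r"^([^:]+):(.+)$")


def classify(entry):
    """Return (kind, permission, sid); kind is USER, GROUP, AMBIGUOUS or INVALID."""
    entry = entry.strip()
    match = TYPED.match(entry)
    if match:
        return match.group(1), match.group(2), match.group(3)
    match = LEGACY.match(entry)
    if match:
        return "AMBIGUOUS", match.group(1), match.group(2)
    return "INVALID", None, entry


def audit(config_xml):
    """Group every <permission> entry in the document by how it is typed."""
    report = {"USER": [], "GROUP": [], "AMBIGUOUS": [], "INVALID": []}
    for node in ET.fromstring(config_xml).iter("permission"):
        kind, permission, sid = classify(node.text or "")
        report[kind].append((permission, sid))
    return report


# Constructed sample: two legacy entries, two typed entries, one malformed entry.
SAMPLE = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>USER:hudson.model.Item.Build:alice</permission>
    <permission>GROUP:hudson.model.Item.Read:developers</permission>
    <permission>not-a-permission-entry</permission>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    for permission, sid in result["AMBIGUOUS"]:
        print(f"ambiguous: {permission} granted to '{sid}' (user or group?)")
    for _, raw in result["INVALID"]:
        print(f"unparseable entry: {raw!r}")
```

Run it against a copy of the controller's `config.xml` (and job or folder `config.xml` files for project-level matrices) before upgrading, and decide for each ambiguous entry whether the name is meant to be a user or a group.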