CloudBees CI on modern cloud platforms 2.426.2.2

Rolling release: 2023-12-13

Based on Jenkins LTS 2.426.2

CloudBees CI release highlights

Watch video

What’s new in CloudBees CI 2.426.2.2

Watch video

Security advisories

CloudBees Security Advisory 2023-12-13

New Features

None.

Feature Enhancements

High Availability (HA) Feature Enhancements

  • The High Availability (HA) footer changes appearance when in developer mode

    Jenkins changed the footer design to include buttons instead of a solid banner. The High Availability (HA) footer (that appears in development mode) displays as a colored button and when you click on it, takes you to the CloudBees CI High Availability page.

  • An administrative monitor is displayed if dashboard-view is installed when running High Availability (HA)

    Dashboard-view is not compatible with High Availability (HA) as the data displayed on the dashboard about builds/jobs is not accurate. Builds/jobs completed on other replicas are not shown. This plugin is not supported in HA mode, so an administrative monitor is displayed if dashboard-view is installed when running HA.

  • Warn users if the current replica is outdated

    When performing a rolling upgrade of a High Availability (HA) controller (typically on Kubernetes though potentially on traditional), it is recommended that you do not make configuration changes when the browser’s sticky session is still on the old replica; wait until the upgrade is complete and you are viewing a new replica. A warning message now appears on the controller’s page footer. If you click on it, it brings you to the HA management page that displays a list of all the replicas and their versions.

CloudBees Pipeline Explorer Search Experience

  • The overall log index size and/or the filtered log index size is now displayed to help determine how the search performs.

  • Added a search timeout limit of one minute to the CloudBees Pipeline Explorer.

  • Controller administrators can now define a maximum file size for searching. If a search is attempted on a log/filter that is too large, the search is blocked.

CloudBees Pipeline Explorer Enhancements

The following enhancements have been made to the CloudBees Pipeline Explorer:

  • The expand icon now opens in the same tab by default, improving the user experience.

  • Added many minor UI improvements including the icon, component, and alignment improvements.

  • The message that is displayed when there are no search results has been updated.

  • Added a minimum size functionality to the drawer in the CloudBees Pipeline Explorer so it cannot be resized smaller than the minimum size.

  • When a build is in progress, you can hover over the progress bar to display the estimated time (rounded) that remains.

  • Improved compatibility with HA/HS when saving preferences so that it persists across replicas.

Configuration as Code Feature Enhancements

  • A new endpoint and CLI command now provides a JSON object containing the whole list of validations, along with additional details regarding each validation.

  • Include the bundle version to the casc-bundle/check-out API and the casc-check-out-bundles command.

  • The single threaded retriever timeout is now configurable.

  • Logfiles from the CasC bundle retriever init-container and sidecar can now be included with support bundles.

Improved Cloud Management User Experience

The cloud management page has been separated into the following pages:

  • Extract pod templates from each cloud into its own pod templates tab

  • Create a new screen to list pod templates for a cloud

  • Management of one pod template at a time on a single pod template edit screen

  • Update the left navigation pane for cloud management to include new pages

Update the Pod template list and edit pod templates one at a time

You can now select a pod template to edit or delete on the Pod template list. Within the edit screen, the fields to edit are the current existing fields for pod templates. The user can edit only one template at a time.

HashiCorp Vault integration: Support for Custom AppRole Paths in Authentication Configuration

Introduced an enhancement that allows users to specify custom paths while creating an AppRole in the authentication process. If no path is provided, it will resort to the current default behavior.

New endpoint to gather bundle retriever configuration

The old status endpoint can now be accessed without authentication, as it acts as a health status endpoint (gives information about an instance being up and connected to CloudBees CI).

The new secured configuration endpoint provides all the configuration properties the bundle retriever is running with.

Resolved Issues

High Availability (HA) Resolved Issues

  • Make script security plugin behave properly in an HA/HS environment

    When running CloudBees CI in High Availability (HA) mode, the approved signatures and scripts were synced properly between different replicas, but this was not actually applied to the running build, leading to inconsistent results. This issue is now resolved, and the behavior is consistent with the current script approval configuration on all replicas.

  • Queue size per the High Availability (HA) replica may be incorrect

    The reported queue size per High Availability (HA) replica may be too high or too low if some operations failed. This issue has been resolved.

  • Print the High Availability (HA) owner of the outbound agent immediately

    When a High Availability (HA) controller replica launches an outbound agent, it should be recorded in the agent log immediately, instead of waiting when the connection is established.

  • The High Availability (HA) administrative monitor incorrectly warned about new remoting versions

    The open-source remoting (agent.jar) versions that begin with 3180 are compatible with CloudBees CI active/active High Availability (HA), so it is not required to use a CloudBees-specific version going forward.

  • Jenkins CLI authentication with username and password failed after 2.401.1.3

    Restored ability to use username/password authentication with Jenkins CLI on a connected controller when the operations center single sign on is in use. It is still recommended to create an API token on operations center instead.

  • Verbose log output about RBAC migration during clean startup

    The initial startups of the operations center or controller print a long series of messages about migration of RBAC settings, when there were no RBAC settings to migrate (but the flag noting that migration had been considered and completed was not yet present). Now, these messages are suppressed, and logging is limited to cases where settings actually were migrated (when starting for the first time after an upgrade from a version dating to 2020) or another error occurred.

  • Error during rolling upgrade of the High Availability (HA) controller

    If you upgrade a High Availability (HA) controller from the October to the November release, an error related to a newly defined type may prevent new replicas from starting.

Multiple builds run on the High Availability (HA) controller due to duplicated webhooks

If multiple deliveries of a single GitHub webhook were made to a single High Availability (HA) controller, an event such as push may result in more than one build (on different replicas). Now, GitHub webhooks are automatically deduplicated by the managed controller hibernation monitor (if that is configured as the endpoint), to prevent redundant builds. The same deduplication can also reduce overhead for non-High Availability (HA) controllers.

Configuration as Code Resolved Issues

The following issues have been resolved:

  • casc-validations-details CLI and endpoint were throwing an exception. Now the endpoint and CLI work as expected.

  • If several controller bundle locations have the same name, an incrementing index is added at the end of the name to avoid duplicate names. An error is also raised to avoid duplicate names.

  • There were missing icons in the item export page. These icons are now displayed in the export page.

  • When configuring the sources for CasC bundles for controllers in operations center the GitHub checks activated checkbox was incorrectly being shown for some entries even though they were not configured to use GitHub as their SCM source. This issue has been resolved.

  • Not all runtime validations were performed if the set of plugins differs from operations center and controller. Runtime validations are now performed on the controller.

  • The CloudBees CasC Client and Server plugins now uses Ionicons icons to match the Jenkins icons; replacing Font Awesome icons.

  • Previously, the ability to include CasC bundle retriever logs in a support bundle required the installation of the deprecated Master Provisioning Core plugin. This dependency has been removed and the checkbox is available without having to install additional plugins on CloudBees CI on modern cloud platforms.

Fix the SSH connections in the CasC Bundle Retriever

The SSH connections to SCM were broken in the last CasC Bundle Retriever update. This issue is resolved.

HashiCorp Vault plugin revokes client token correctly.

The HashiCorp Vault plugin did not revoke client tokens correctly. The issue is now fixed.

YAML file is not validated in the Default YAML field of the Configure Controller Provisioning page

If the YAML file content in the Default YAML field is very long, an HTTP error 431 Request Header Fields Too Large would occur when trying to validate it. This issue has been fixed.

Upgrade org.json:json from 20230227 to 20231013

Upgraded org.json:json from 20230227 to 20231013.

Remove call to hetero-list YUI button

Removed the call to the hetero-list YUI button that was removed from Jenkins core.

In the CloudBees Pipeline Explorer, a left menu horizontal scrollbar appears when using Firefox

The horizontal scrollbar displayed in the left menu when using Firefox has been removed. This issue has been resolved.

The scmBundlePath value should not begin with a forward slash (/)

When configuring the scmBundlePath value within a bundle, do not start the bundle path with a forward slash (/) otherwise it returns an error.

Upgrade All Plugins Cluster Operations step may upgrade plugins to the wrong versions

The Upgrade All Plugins Cluster Operations step may upgrade plugins to versions more recent than expected. This is known to happen in controllers defined with CasC. The Upgrade All Plugins is now looping through the plugin updates similarly to what is shown in the Plugin Manager in the UI.

Allow multiline PodSecurityContext in Helm chart

Defining a multiline YAML value for OperationsCenter.PodSecurityContext in the Helm chart was failing as the Helm chart was expecting a one line value. This has been fixed and a multiline YAML value will correctly be interpreted.

Support for Octal Notation in Kubernetes YAML Snippets Restored

Resolved an issue preventing octal notation in Kubernetes YAML snippets for controller provisioning. Users can now correctly specify permissions in the defaultMode field, preventing exceptions.

RBAC mistakenly reports invalid users on external groups

When a Security Realm cannot verify an external group (due to a limitation of the API or lack of support for the plugin that implements the Security Realm), the external group shows an invalid user icon that mentions that "This may or may not be a valid user/external group name" and a link to a user with that name. Although it is an external group. The issue has been fixed and the UI improved. The user/external groups that cannot be verified have a distinct icon, description, and link.

Known Issues

Unable to configure pod templates in the Operations center via the UI

A recent update to the way pod templates were managed caused issues upstream to where the operations center is unable to manage pod templates from the UI. A workaround making updates via the API is still available

Duplicate Pipeline Template Catalogs in the Configuration as Code for controllers jenkins.yaml file on each instance restart

If a Pipeline Template Catalog is configured in the Configuration as Code jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported Configuration as Code configuration.

Inconsistencies between some Configuration as Code (CasC) features and High Availability (HA)

When using Configuration as Code in controllers that run in High Availability (HA) mode, the CloudBees Configuration as Code Export and Update screen may display inconsistent information about the bundle along with two buttons: Restart and Reload. This is caused by information not being properly synchronized between replicas. Furthermore, users may experience the following problems when trying to use one of the two buttons on that page:

  • Automatic reload bundle: clicking this button shows an error message.

  • Skip new bundle version: clicking this button forces a restart and the instance will not start again.

While the fix for this issue is being worked on, we recommend the following if you are using Configuration as Code in controllers that run High Availability (HA):

  • Controllers that have configured the automatic reload. Users must disable it and configure the automatic restart instead.

  • Controllers that do not have any automation (Bundle Update Timing). Users must stop using the Reload button and start using the Restart button instead.

Error when renaming an existing EC2 cloud

When the name of an existing cloud node is updated, the user receives a 404 error after selecting save. This is because the cloud page uses the cloud name as part of its URL. When the user saves the name, Jenkins sends the user to the URL with the old cloud name. Please note that all node changes are successfully saved.

Upgrade Notes

Jenkins 2.426 upgrade notes