CloudBees CI release highlights

What’s new in CloudBees CI 2.452.2.3

New Features

Configuration as Code Permissions

Up until now, only Administrators were able to create, update, and do anything with Configuration as Code bundles. With this new feature, Administrators can grant different permissions to their team members to allow them to perform different tasks with Configuration as Code.

The following five new permissions have been added to the CloudBees permissions:

  • CasC Administer: This permission grants overall Configuration as Code permissions to a user/group without granting them overall cluster permissions. Users and groups with this permission will be able to perform actions such as: seeing the update log, seeing which branch/bundle is in use, exporting the bundle, and many others.

  • CasC Item: This permission grants users the ability to perform certain actions on a Configuration as Code controller such as: create an item using the endpoint/CLI, create a group that is attached to that item, and manage RBAC for that item.

  • CasC Checkout: This permission grants users the ability to check out bundles.

  • CasC Read: This permission grants users the ability to see which branch or bundle is in use in the operations center or in a Configuration as Code controller.

  • CasC Read Checkout: This permission grants users the ability to see which bundle was checked out by the operations center.

Refer to CasC permissions for more information.

Feature Enhancements

CloudBees Pipeline Explorer improvements related to traversing the log
  • The CloudBees Pipeline Explorer shows all build causes

    Previously, the CloudBees Pipeline Explorer only showed build causes if there was an upstream build trigger. Now, the CloudBees Pipeline Explorer shows all types of build causes. They are shown in the map view and the related builds panel.

  • In the CloudBees Pipeline Explorer Map, add a message when a Pipeline does not contain stages

    In the CloudBees Pipeline Explorer Map, a message is now displayed when a Pipeline does not contain stages.

  • CloudBees Pipeline Explorer no longer shows a redundant duration for in progress builds

    The CloudBees Pipeline Explorer previously showed both a duration and a relative start time for incomplete builds that were always identical. Now, only the relative start time is shown for in progress builds.

Configuration as Code Plugin Management - New customization mechanism for download URL

Configuration as Code Plugin Management (apiVersion: 2) now includes a new repository layout that allows users to configure a download URL that accepts parameters such as the plugin ID.

Any plugin using this new layout will configure the parameter values. For example:

plugins:
  - id: "beer"
    parameters:
      env: "staging"
      tier: "customization"
    repositoryId: test-repo
  - id: "chucknorris"
    parameters:
      env: "staging"
      tier: "customization"
    repositoryId: test-repo
repositories:
  - id: test-repo
    layout: parameters
    url: http://my-web-server/$env/$tier/$pluginId.hpi
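A bundle reviewer can resolve each plugin's download URL before the bundle is applied and flag entries that would fail or be fetched without TLS. The following is an added example, not CloudBees code: it assumes that `repositoryId` is a plugin-level key, that `$pluginId` is filled from the plugin's `id`, and that the parsed YAML has the shape shown; the `broken` entry and the `resolve_downloads` function are constructed for illustration.

```python
from string import Template
from urllib.parse import urlsplit

# Constructed sample with the same shape as the parsed plugins.yaml fragment.
# "broken" is a constructed entry that omits the "tier" parameter.
BUNDLE = {
    "plugins": [
        {"id": "beer", "repositoryId": "test-repo",
         "parameters": {"env": "staging", "tier": "customization"}},
        {"id": "broken", "repositoryId": "test-repo",
         "parameters": {"env": "staging"}},
    ],
    "repositories": [
        {"id": "test-repo", "layout": "parameters",
         "url": "http://my-web-server/$env/$tier/$pluginId.hpi"},
    ],
}


def resolve_downloads(bundle):
    """Return (urls, findings): resolved URL per plugin id, plus lint findings."""
    repos = {r["id"]: r for r in bundle.get("repositories", [])}
    urls, findings = {}, []
    for plugin in bundle.get("plugins", []):
        pid = plugin["id"]
        repo = repos.get(plugin.get("repositoryId"))
        if repo is None or repo.get("layout") != "parameters":
            findings.append((pid, "no parameters-layout repository"))
            continue
        # Assumption: $pluginId comes from the plugin's own id.
        values = dict(plugin.get("parameters", {}), pluginId=pid)
        try:
            url = Template(repo["url"]).substitute(values)
        except KeyError as missing:
            # The URL template names a parameter this plugin does not set.
            findings.append((pid, f"unset parameter {missing.args[0]}"))
            continue
        urls[pid] = url
        if urlsplit(url).scheme != "https":
            # Plugin binaries fetched over plain HTTP can be tampered with in transit.
            findings.append((pid, "plugin fetched over non-TLS URL"))
    return urls, findings


if __name__ == "__main__":
    print(resolve_downloads(BUNDLE))
```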

Improvement of log entries

The Configuration as Code bundle now suppresses the log file strings that read No items.yaml in configuration bundle or No rbac.yaml in configuration bundle when not applicable.

Sticky sessions automatically enabled on ALB for use with High Availability (HA) controllers

When there is a CloudBees CI installation on EKS using ALB, the annotation stickiness.enabled=true is now predefined automatically on High Availability (HA) managed controllers to ensure that browser sessions consistently display a single replica.

Previously, it was required to manually add this attribute to managed controller ingresses when using ALB.

If you already manage the annotation yourself (for example, with the chart attribute .OperationsCenter.Ingress.Annotations, or the Ingress Annotations in Controller Provisioning Configuration or custom YAML), the annotation value is preserved.

In that case, stickiness.enabled=true needs to be added explicitly.

Anonymous web traffic could prevent hibernation

A hibernated managed controller could previously be kept awake by anonymous HTTP requests. Now, only authenticated web traffic is considered “activity”.

New option to protect the hibernation monitor

If CloudBees CI is installed on a public-facing network with hibernation enabled, there was previously nothing to prevent malicious actors from visiting the hibernation redirect, queue, or proxy URL endpoints and forcing the managed controller to wake up gratuitously. Now, there is a Helm chart option to generate a random token that must be included in these URLs.

The token will remain stable across upgrades, and can be rotated by editing the Kubernetes secret, or even deleting it and running a Helm upgrade to regenerate it.

New Pipeline policy rule for use of agents without retry

The new Pipeline policy rule Agent without Retry can be used to guide Pipeline authors to make sure agent usages are retried automatically if there is an infrastructure outage.

Bookmarkable link for hibernation redirect

When a managed controller is set to hibernate, a new sidebar link now appears on the dashboard and on items (such as jobs) that offer the hibernation redirect link.

While the controller is awake, you can click the link to refresh the page and you can bookmark the link for later use when the controller is hibernated.

New full caching capability to CyberArk Credentials Provider

The CyberArk Credentials Provider plugin already caches details of the GetPassword request to CyberArk, but not the password itself. Additionally, the plugin always makes a call to retrieve the credentials password.

Now, a new option, Cache Password, caches the encrypted value of the password when enabled, which saves API calls and cache writes.

Resolved Issues

Failed parsing of data in the User Activity Monitoring plugin leads to incomplete data

Failed parsing of data from the User Activity Monitoring plugin resets the user activity database, which leads to incomplete data. If you cannot update to a version that includes the fix, please open a new ticket with the CloudBees Support team. There is a new version of the UAM (v 1.50) that can be provided by our support team.

This issue has been resolved.

HTTP Client used for Operations Center to Controllers connection leads to performance issues

Because of known issues in the Java HTTP Client, there could be performance issues in the Operations Center to Controllers interactions in heavily loaded environments.

This is now resolved by switching to the OkHttp client instead.

CloudBees HashiCorp Vault plugin is leaking HTTP clients

The CloudBees HashiCorp Vault plugin is leaking HTTP clients when calling Vault and this could cause performance issues over time.

The issue has been fixed.

CloudBees SCM Reporting Plugin causes frequent credentials lookup

The CloudBees SCM Reporting Plugin was causing unwanted and frequent credentials lookup from controllers that defined GitHub Multibranch and Organization items. This could lead to further performance problems and delays on credentials related operations.

The issue has been fixed.

Hibernation Monitor deployment resources are not configurable

The resources of the Hibernation Monitor pod container are not configurable via the Helm Chart. The issue has been fixed. The resources are now configurable under the Hibernation.Resources object.

Hibernation redirect did not work in a cluster using subdomains

When subdomains (Subdomain=true) and hibernation (Hibernation.Enabled=true) were both enabled in a cluster, the redirect page on the hibernation monitor (/hibernation/ns/extra-namespace/redirect/) woke the controller, but it used an invalid liveness check URL, so the web page stated that it was still waiting for the controller to finish starting, even after it had already started.

Now, a functional liveness check URL is used, and it assumes that the managed controller is also updated to the matching version.

Kubernetes node retry sometimes fails to retry on Java 17 after agent disconnections

The Pipeline idiom retry(count: …, conditions: [kubernetesAgent()…]) or Declarative retries with agent Kubernetes is intended to detect cases when the agent was disconnected and retry the block (creating a fresh pod from the same template).

In some situations when the controller runs on Java 17, the logic to detect the source of the error in the Pipeline step structure would fail to identify the source of the error and cause the build to abort immediately without retry.

This issue is resolved.

Reverse proxy broken in High Availability (HA) controllers when network policy enabled

If a High Availability (HA) managed controller was created in a cluster using network policies, the reverse proxy used to forward connections between replicas did not work. This has been fixed.

Prevent possible thread leak in ReverseProxy

Addressed a code path where a thread could be leaked on reverse proxying failure.

This issue has been fixed.

In the CloudBees Pipeline Explorer, the "Go to line number" feature erroneously triggered when the input box was clicked

In CloudBees Pipeline Explorer, clicking the input box for the "Go to line number" feature immediately caused the page to load the last entered number. This behavior has been fixed to only trigger when you press the Enter key after you type in a line number or click on the arrow icon to the right of the input box.

In the CloudBees Pipeline Explorer Map, the node display breaks when it collapses a parallel stage

When a parallel stage collapses in the CloudBees Pipeline Explorer Map, the node display breaks.

This issue has been fixed.

Fixed a red herring IllegalArgumentException in controller provisioning

Fixed occurrences of java.lang.IllegalArgumentException: Expecting yaml to be parseable as a map in the operations center in CloudBees CI on modern cloud platforms when the Ingress Annotations field is blank in the controller Provisioning configuration. The exception is a red herring.

Non-CAP plugins defined in the Configuration as Code bundle are compatible with the CloudBees CI release

The CloudBees Update Centers offer the latest version of non-CAP plugins that is compatible with the CBCI release. If the latest release of a plugin is not compatible, the Update Center does not offer that version and provides the latest compatible one instead.

With Configuration as Code, however, the latest version was always offered even if it was not compatible, and the Plugin Catalog had to be used to fix the version to a compatible one.

Now, the issue is fixed and the Configuration as Code bundle installs the latest compatible version.

Migrate from MapDB to Caffeine Cache

The CyberArk Credentials Provider used an outdated version of MapDB for its on-disk caching layer.

It now uses Caffeine as its in-memory cache.

Operations center sublicense signature uses SHA512 instead of SHA1

The operations center generates sublicenses for controllers. The sublicense signature used the deprecated SHA1 algorithm. It now uses the SHA512 algorithm.

Known Issues

Validating Kubernetes Cluster Endpoint leads to NPE

When using credentials in the Kubernetes Cluster Endpoints configuration, the Validate functionality shows an Angry Jenkins in the UI and a null pointer exception in Jenkins logs.

Duplicate Pipeline Template Catalogs in the Configuration as Code for controllers jenkins.yaml file on each instance restart

If a Pipeline Template Catalog is configured in the Configuration as Code jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported Configuration as Code configuration.

Pod templates page is read only for NonConfigurableKubernetesCloud

The NonConfigurableKubernetesCloud setting on the pod template page appeared to be editable. However, it is read-only.

Clouds do not disappear after the Folder configuration update by a user without Administer permissions

Clouds are deselected after a user without Administer permissions edits the Folder configuration.