Upgrade Notes
- Removed operations center support for SSO connections from older controllers
-
The operations center no longer supports SSO connections from connected controllers running versions earlier than 2.401.2.3 (released in June 2023).
- Removal of Role-Based Access Control migration code
-
Compatibility code for Role-Based Access Control (RBAC) format migrations from 2020 and 2021 has been removed from CloudBees CI. This streamlines the codebase and ends support for legacy RBAC migration formats.
- Removed support for defining RBAC groups on views
-
Since 2020, the -Dnectar.plugins.rbac.groups.ViewProxyGroupContainer.enabled=true system property could be used to allow RBAC groups to be defined on a view. This option was disabled by default because it is inherently insecure. This capability has now been removed.
- Operations center CloudBees Assurance Program plugin changes since 2.528.2.34846
-
The following plugins have been added to the operations center CloudBees Assurance Program since 2.528.2.34846:
-
Jakarta XML Binding API (jakarta-xml-bind-api)
-
The following plugins have been removed from the operations center CloudBees Assurance Program since 2.528.2.34846:
-
Google Cloud Storage plugin (google-storage-plugin)
-
Stack Trace Suppression Plugin (deprecated) (suppress-stack-trace)
- Controller CloudBees Assurance Program plugin changes since 2.528.2.34846
-
The following plugins have been added to the controller CloudBees Assurance Program since 2.528.2.34846:
-
Jakarta XML Binding API (jakarta-xml-bind-api)
-
The following plugins have been removed from the controller CloudBees Assurance Program since 2.528.2.34846:
-
Google Kubernetes Engine Plugin (google-kubernetes-engine)
-
Google Cloud Storage plugin (google-storage-plugin)
-
Stack Trace Suppression Plugin (deprecated) (suppress-stack-trace)
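A pre-upgrade check built from the upgrade notes above, as an added example that is not CloudBees code: it flags connected controllers older than 2.401.2.3, JVM arguments that still set the removed RBAC view-groups property, and installed plugins that were removed from the CloudBees Assurance Program. The inventory format, instance names and finding labels are assumptions; the sample inventory is constructed.

```python
import re

# Values below are taken from the upgrade notes above.
MIN_SSO_VERSION = (2, 401, 2, 3)
REMOVED_PROPERTY = "nectar.plugins.rbac.groups.ViewProxyGroupContainer.enabled"
REMOVED_FROM_CAP = {
    "operations-center": {"google-storage-plugin", "suppress-stack-trace"},
    "controller": {"google-kubernetes-engine", "google-storage-plugin",
                   "suppress-stack-trace"},
}

# Constructed sample inventory (hypothetical names, versions and JVM arguments).
INVENTORY = [
    {"name": "cjoc", "kind": "operations-center", "version": "2.528.2.34846",
     "jvm_args": "-Xmx4g", "plugins": ["git", "suppress-stack-trace"]},
    {"name": "team-a", "kind": "controller", "version": "2.387.3.5",
     "jvm_args": "-Xmx2g -D" + REMOVED_PROPERTY + "=true",
     "plugins": ["google-kubernetes-engine", "git"]},
    {"name": "team-b", "kind": "controller", "version": "2.401.2.3",
     "jvm_args": "-Xmx2g", "plugins": ["git"]},
]

def parse_version(text):
    """Turn '2.401.2.3' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit(instance):
    """Return the upgrade-note findings that apply to one instance."""
    findings = []
    # Connected controllers older than 2.401.2.3 lose SSO to the operations center.
    if (instance["kind"] == "controller"
            and parse_version(instance["version"]) < MIN_SSO_VERSION):
        findings.append("sso-unsupported-version")
    # The capability behind this system property has been removed.
    match = re.search(r"-D" + re.escape(REMOVED_PROPERTY) + r"=(\S+)",
                      instance["jvm_args"])
    if match:
        in_use = match.group(1).lower() == "true"
        findings.append("rbac-view-groups-in-use" if in_use
                        else "rbac-view-groups-stale-flag")
    # Plugins removed from CAP in this release that are still installed.
    removed = REMOVED_FROM_CAP[instance["kind"]] & set(instance["plugins"])
    findings.extend("non-cap-plugin:" + p for p in sorted(removed))
    return findings

if __name__ == "__main__":
    for inst in INVENTORY:
        print(inst["name"], audit(inst) or "ok")
```

A controller reported as rbac-view-groups-in-use had RBAC groups defined on views enabled, so those group definitions should be reviewed before the upgrade.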
New Features
- Administrative monitor now reports plugins not in the CloudBees Assurance Program
-
An updated administrative monitor is now displayed when plugins installed in your environment are not included in the CloudBees Assurance Program (CAP). These non-CAP plugins are not verified by CloudBees and receive only commercially-reasonable support, which does not include bug or security fixes, new features, or verified compatibility and upgrades. These plugins should be used with caution, as their stability is unknown, and they are not covered by the CloudBees Support SLA. If you choose to ignore these warnings, CloudBees recommends that you review non-CAP plugins, consider alternatives, and monitor their usage to maintain a secure and supported environment. For more information, refer to Manage plugins removed from the CloudBees Assurance Program.
Feature Enhancements
- Controller HTTP port names can now be customized during installation
-
If you use OperationsCenter.ContainerPortName to specify a port name through the Helm custom values file, it is now applied to both operations center and controllers.
- SSO Relay can be installed in secondary clusters using subdomains with the same controller URL pattern
-
You can now install the SSO Relay in secondary clusters by using subdomains that follow the same controller URL pattern as the primary cluster. If you would like to try this enhancement, please contact CloudBees Support for instructions.
- Optimized nextBuildNumber assignment
-
Previously, a very high rate of build triggering in an HA controller environment could slow down operations while saving nextBuildNumber files to disk. This process is now performed asynchronously.
- Administrative monitor detects problematic Kubernetes pod template settings
-
A new administrative monitor now detects problematic configurations for Kubernetes cloud agents in High Availability (HA) environments when certain settings are used on the Pod Template settings screen. The monitor identifies:
-
Use of Time in minutes to retain agent when idle, which can lead to orphaned agents if a controller replica exits for any reason.
-
Use of Concurrency Limit, which is not synchronized across replicas and may allow agent provisioning to exceed the specified limit.
-
The monitor provides a one-click action to remediate cloud-level misconfiguration. However, Pipeline job-level misconfiguration must be fixed manually.
- Administrative monitor detects unsupported executor settings on Built-in Node in HA controllers
-
A new administrative monitor now detects when the Number of executors on the Built-in Node in HA controllers is set to more than 0. In an HA controller setup, builds must not run on the Built-in Node, as this configuration is not supported and prevents build adoption. The monitor alerts administrators when this condition is detected.
- Lazier loading of most recent build of a job
-
Previously, Jenkins forcibly loaded the most recent completed build of a job when triggering a new one. In some cases, this occurred while holding the queue lock. These actions were unnecessary, and in an HA controller environment, this sometimes forced replicas to load builds run by other replicas.
- New branch build strategy: Do not build old commits
-
A new branch build strategy, Do not build old commits, is now available for Multibranch Pipelines and Organization Folders. This strategy prevents builds for branches, pull requests, or tags during indexing if the corresponding SCM commit is older than the specified age (by default, seven days). If the commit timestamp cannot be determined, a build is permitted, and details may be logged during branch indexing. For more information, refer to Create Multibranch Projects and Organization Folders with large repositories.
Resolved Issues
- Fix multi-safe credential retrieval
-
Credential retrieval failed with a 404 error if the object was not found in the first CyberArk safe. The CloudBees CyberArk Credentials Provider plugin (cloudbees-cyberark-credentials) now searches all configured CyberArk safes in order, allowing credentials to be retrieved from any safe.
- YAML syntax error when using ContainerSecurityContext without PodSecurityContext
-
Installing or updating the CloudBees CI Helm chart failed if OperationsCenter.ContainerSecurityContext was configured without also defining OperationsCenter.PodSecurityContext, resulting in an error similar to the following:
Error: YAML parse error on cloudbees-core/templates/cjoc-statefulset.yaml: error converting YAML to JSON: yaml: line 70: mapping values are not allowed in this context
- Managed controller provisioning uses default namespace when Kubernetes URL is specified
-
When an API Server URL was specified in the controller provisioning configuration without credentials and namespace, managed controllers were provisioned in the default namespace instead of the intended controller namespace.
- Inconsistent SCM source id property assignment between replicas of an HA controller
-
When configuring a Multibranch Pipeline folder, an SCM source (such as Git or GitHub) is required. Multiple sources are permitted, though rare. To differentiate between multiple sources in one folder, each has an id property, which is hidden from the UI but saved to disk and may be specified in the CasC items.yaml file. Previously, if a Multibranch folder was created from XML or CasC without an explicit id, a random UUID was assigned. In an HA controller, the value could differ between replicas until the folder was saved, potentially causing inconsistent behavior. Now, the first source is assigned an id of 1, the second 2, and so on. Explicit or previously persisted id values remain unchanged.
- Fixed status reporting for managed controllers with matching domain and namespace across clusters
-
When multiple managed controllers in different clusters shared the same domain and namespace, their Ready status was not unique and could reflect the last recorded state of any controller. The cluster endpoint is now considered when recording managed controller statuses, ensuring accurate status reporting for each controller.
- Email from Node Owners property sends invalid URLs
-
The Node Owners property generated invalid URLs in email content when the node name contained characters requiring URL encoding. The URLs included double-encoded characters, resulting in a 404 error when accessed.
- Automatic Slack user ID resolution in CasC
-
Email addresses now automatically resolve to Slack IDs in CasC, eliminating the need to manually specify Slack IDs in the YAML file or re-add the Slack token through the UI.
- Excessive work computing estimated build durations
-
The responsiveness of an HA controller was degraded because the Jenkins core spent CPU resources computing estimated build durations, even when this information could not have been used constructively, such as when a new build was already scheduled to run on a cloud agent.
- Removed New Quick Group button
-
The New Quick Group button has been removed from the Groups page because it was not properly updated to support disambiguated user and group membership.
Known Issues
- Open source SSH launcher incompatible with multiple executor mode in HA controller
-
In an HA controller environment, using the open source SSH launcher on a permanent agent does not work when you select multiple executors.
- Duplicate plugins in the Operations center Plugin Manager UI
-
When you search for a specific plugin under the Available tab in the Operations center Plugin Manager, the search results show duplicate entries for the plugin.