Continuous Delivery release notes

These are the new features, enhancements, resolved issues, and deprecations for the Continuous Delivery 5.x release series.

Important information:

  • Migration. To upgrade to the Continuous Delivery 5.x series from a version in the 4.x series, see Migrate 4.x data to 5.x.

Version 5.6.1

Released 10 September 2024.

Resolved in this release:

  • 500 Internal Server Error responses from webhook requests. Fixed an issue causing webhook traffic to be redirected to itself in some cases.

Version 5.6.0

Released 29 August 2024.

New in this release:

  • API Token Management. Added a feature that allows administrators to revoke another user's personal access token.

  • Added Podman support for job hardware. Upgrading to the 1.7.0 release of the cd4pe_jobs module allows users to use either Docker or Podman as the runtime on their job hardware nodes.

    To accommodate the new support for Podman:

    • New workspaces have a default job hardware capability called Containerized rather than Docker
    • The UI now generalizes Docker to Containerized to reflect that either can be used for job hardware
  • Postgres repack schedule is now configurable. The schedule used to run the Postgres repack is now configurable. You can configure this using the new repack_schedule setting in common.yaml.

  • Added API endpoint to retrieve list of users. Added a new API endpoint, /v1/users/, to retrieve a list of users.

  • Added API endpoint to retrieve user details. Added a new API endpoint, /v1/users/{userId}, to retrieve details about users.

  • Added a parameter to uninstall plan and changed the default behavior. Added a new parameter, remove_backups, to cd4peadm::uninstall. The uninstall plan no longer removes the backups directory unless you use the new parameter.

Resolved in this release:

  • Security vulnerability with the username and password in URL path. Fixed a security vulnerability in which an API sent sensitive information as part of the URL path. We have replaced this call with a new endpoint that passes sensitive information in the request body, which is more secure.
  • Prevent regex pipelines having impact analysis stages. Fixed an issue where you could set an impact analysis stage on a regex pipeline when constructing the pipeline as code. Impact analysis stages are properly prevented on regex pipelines now.
  • Support bundle should collect 'inspect' data even on containers that aren't currently running. The support_bundle plan now gathers container inspect data even on containers that are not in a running state at the time the bundle is gathered.
  • Removed the runtime network. Continuous Delivery no longer uses a custom runtime network for connectivity between containers. All networking is now done using the default bridge network using the host system's IP address.

Security notices:

  • Cross Origin Resource Sharing (CORS): Arbitrary Origin Trusted. Resolved a security vulnerability related to Cross-Origin Resource Sharing (CORS). An Access-Control-Allow-Origin header is no longer set to the request's origin header on API calls, preventing any unintended exposure of resources to untrusted origins.
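
One way to confirm the CORS behaviour described in this notice after upgrading, as an added example (not Continuous Delivery code): it classifies captured API response headers against the Origin value that was sent with the request. The origins, the allowlist, the sample responses and the function names are all constructed for illustration.

```python
# Added example: every origin and response below is constructed sample data.
PROBE_ORIGIN = "https://untrusted.example.invalid"  # an origin nobody allowlisted
TRUSTED = frozenset({"https://cd.example.test"})    # hypothetical allowlist

# Constructed response heads: the pattern named in the notice, then the fixed one.
RESPONSE_REFLECTING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "access-control-allow-origin: https://untrusted.example.invalid\r\n"
    "\r\n{}"
)
RESPONSE_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n{}"
)


def parse_headers(raw_response):
    """Return the response headers as a dict with lower-cased names."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_cors(probe_origin, raw_response, trusted=TRUSTED):
    """Classify the CORS grant in a response to a request sent with probe_origin."""
    acao = parse_headers(raw_response).get("access-control-allow-origin")
    if acao is None:
        return "no-grant"                    # nothing exposed cross-origin
    if acao == "*":
        return "wildcard"                    # every origin may read the response
    if acao == probe_origin and probe_origin not in trusted:
        return "reflected-untrusted-origin"  # the behaviour the notice resolves
    if acao in trusted:
        return "allowlisted"
    return "fixed-other-origin"


def audit(samples, probe_origin=PROBE_ORIGIN):
    """Map each named captured response to its classification."""
    return {name: classify_cors(probe_origin, raw) for name, raw in samples.items()}


if __name__ == "__main__":
    results = audit({"before": RESPONSE_REFLECTING, "after": RESPONSE_FIXED})
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```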

Version 5.5.0

Released 9 July 2024.

New in this release:

  • Added nginx_proxy_timeout_secs configuration option. Added a new setting that allows you to set how long NGINX waits for requests to the Continuous Delivery backend service to complete. Increasing this timeout can help avoid 504 Gateway Time-out errors when running jobs.
  • Noninteractive installation. Documented how to install Continuous Delivery silently.
  • Disaster recovery. Documented how to back up your data and make it easier to restore your system if disaster recovery is needed.
  • Data retention configuration options. Added two new configuration options, pipelines_data_retention_period_days and value_reporting_data_retention_period_days, for data retention that allow you to set a retention period for historical pipeline and value reporting data.
  • Added support for an external CA cert. Users can now add trusted CA certs for Continuous Delivery to use when connecting to external services that present their own certificates, such as a proxy.
  • Added a new PostgreSQL image. Added a new PostgreSQL image which includes pg_repack for database maintenance. pg_repack runs daily to maintain the database.

Resolved in this release:

  • 504 Gateway Time-out errors sometimes occur when running jobs. Exposed the nginx_proxy_timeout_secs configuration option and changed the default to 300 seconds. This option allows you to set how long NGINX waits for requests to the Continuous Delivery backend service to complete. Increasing this timeout can help avoid 504 Gateway Time-out errors when running jobs.
  • UI container fails to start. Fixed an issue where running an IPv6 listener on port 8000 when IPv6 was not available caused the UI container to fail to start. The IPv6 listener is now properly disabled on port 8000 when IPv6 is not available.
  • Nodes section is blank and has errors after restart. Fixed an issue where the query service token was not properly rotated, causing the Nodes section to be blank and have errors. The query service token is now properly rotated even if Continuous Delivery for PE is not running when the rotation is scheduled, ensuring that node data is fetched properly.
  • Redeliver Webhook fails when using user provided TLS certs. Fixed an issue where using the Redeliver Webhook button on a pipeline run when SSL is enabled for webhooks would fail.
  • Activity reporting screen shows labels instead of strings after upgrading. Fixed an issue where the Activity report screen would display incorrect labels after an upgrade.
  • Direct Deployment Policy MAX_NODE_FAILURE value is being passed to the API from the UI as a string instead of an integer. Fixed an issue where triggering a deployment with the Direct Deployment Policy option selected would fail when a MAX_NODE_FAILURE value is set.
  • Update default facts displayed on Estate Reporting Node Table. Updated Estate Reporting Node table on the Nodes screen to change the default facts displayed. Previously the table displayed the ipaddress and operatingsystem fact values in the two rightmost columns. These are legacy facts and those two columns have been updated to show the modern networking.ip and os.name facts instead.
  • License would not be accepted if it contained Windows line endings. Fixed an issue where the license file would not be accepted if it contained Windows line endings. License files with Windows-style line endings or extra white spaces in them are now handled correctly.

Security notices:

  • CVE-2024-29857. Updated bouncycastle to 1.78 to address this vulnerability.

Version 5.4.0

Released 7 May 2024.

New in this release:

  • Puppet Enterprise and Puppet Enterprise Advanced. The Puppet Enterprise (PE) license now includes Continuous Delivery and Security Compliance Management (formerly Puppet Comply). The Puppet Enterprise Advanced license gives you access to the premium features: Continuous Delivery's Impact Analysis and Security Compliance Enforcement. Please refer to Add or update a license key for instructions on how to add a license to Continuous Delivery.
  • Automatically create a heap dump on OutOfMemory JVM errors. The pipelinesinfra backend service now automatically generates a JVM heap dump when an out-of-memory error is encountered. Download this heap dump by running:
       bolt plan run cd4peadm::heap_dump
  • Added an API endpoint to provide information about the Continuous Delivery license. Added an API endpoint to Continuous Delivery's implementation of the OpenAPI specification that allows you to view the currently installed license. You can find this information at v1/license.

Updated in this release:

  • Update existing Continuous Delivery roles to include the enterprise_tasks::register_application permission. Updated the Tasks permission to include enterprise_tasks::register_application. This is required to inform Puppet Enterprise (PE) where Continuous Delivery is installed. You need to modify any existing roles to ensure this permission is included.
  • Removed authtokens API from OpenAPI specification. The /v1/authtokens API has been replaced by /v1/tokens, which requires an authentication token in the header.

Resolved in this release:

  • Unable to clone via SSH from ADO Cloud. Upgraded Continuous Delivery's SSH client to support RSA SHA256 and RSA SHA512 handshake algorithms. This was necessary to support SSH connections with ADO Cloud after Microsoft began phasing out support for SHA1 handshakes. Any other providers that also need the newer algorithms (such as GitLab deployed on Red Hat Enterprise Linux (RHEL) 9) are also now supported.
  • Duplicate GitLab integration causing a blank screen. Fixed an issue loading the source control integrations screen caused by accidentally adding duplicate VCS providers.
  • After upgrading to 4.29.2 the commit link on Continuous Delivery redirects to an invalid URL. Fixed invalid commit links when using Azure DevOps as a source control provider.
  • Impact Analysis job link for a module goes to job for a control repo. Fixed an issue navigating between the main control repo view and the Impact Analysis/Deployment screens.
  • Can create an invalid deployment stage. Fixed an issue where it was possible to create a deployment stage pointing at an environment node group with the same name as the branch the pipeline runs from.
  • Module feature branch deployment stages are failing to deploy. Fixed an issue where the module feature branch deployment stages failed to deploy. The missing control repo and branch fields have been added to the module deployment dialog for a regex pipeline.
  • HTTP 403 error when upgrading to Continuous Delivery 4.29.2. Fixed an issue in 4.29.x versions of Continuous Delivery that required the user triggering a manual deployment to be either the owner of the workspace or a root user.
  • UI container on RHEL 9 does not start. Fixed an SELinux error when installing or upgrading to Continuous Delivery 5.3.2 on RHEL 9.
  • CD4PE_JOB_CONTEXT is unavailable unless a secret is added. Fixed an issue where the output of pipeline job tasks was not displaying the value of the CD4PE_JOB_CONTEXT environment variable unless the job had a secret added. The value of CD4PE_JOB_CONTEXT now displays regardless of whether a secret is set or not.
  • 4.x to 5.x migration is failing due to missing directory under /tmp on Continuous Delivery version 5 host. Fixed an issue where localhost migrations from 4.x to 5.x would fail trying to write to a non-existent /tmp directory.
  • Running the Bolt plan to migrate from 4.x to 5.x fails without a configuration file, common.yaml, already present. Fixed an issue where the cd4peadm::install_from_v4 plan would fail if a configuration file was not already present.

Security notices:

  • CVE-2023-49569. Updated go-git to address this vulnerability.
  • CVE-2023-1732. Updated Cloudflare/circl to address this vulnerability.
  • CVE-2024-27304, CVE-2024-27289, CVE-2023-39325. Updated Query Service to 1.8.16 to address these vulnerabilities.

Version 5.3.2

Released 21 March 2024.

New in this release:

  • Created a separate migration plan. Added a new plan, cd4peadm::install_from_v4, to migrate from 4.x to 5.x.

Resolved in this release:

  • Missing Impact analysis (IA) report. Fixed an issue with Impact Analysis and Azure DevOps where Continuous Delivery falsely reports no impacted nodes.
  • Error trying to run an Impact Analysis for a Module. Fixed an issue where users who created a deployment stage on a pipeline may see the Impact Analysis pipeline stage fail with the following error: Cannot invoke "com.distelli.models.ControlRepoId.getDomain()" because "controlRepoId" is null
  • Error in Continuous Delivery Feature branch policy UI. Fixed an error when editing a regex pipeline's deployment stage for a Bitbucket or GitHub control repo.
  • Pull request from Bitbucket Cloud not triggering Continuous Delivery pipeline with pull request trigger. Fixed an issue where pull requests to a Bitbucket cloud repository would not trigger a pipeline.
  • Triggering a regex pipeline against a branch with an existing pipeline runs that pipeline instead. Fixed an issue where manually triggering a regex pipeline against a branch with an existing pipeline would cause the branch pipeline to run rather than the expected regex pipeline.
  • Pressing <TAB> after entering user/email changes focus to Show/hide password instead of Input password. Fixed a minor UI issue in the login screen where pressing <TAB> after entering the user name or email address would focus on the Show/hide password icon instead of the password input field.

Security notice:

  • CVE-2023-49569. Updated go-git to address this vulnerability.
  • CVE-2023-1732. Updated Cloudflare/circl to address this vulnerability.

Version 5.3.1

Released 21 February 2024.

New in this release:

  • Updating a pipeline now requires a new query parameter. The projectType (MODULE or CONTROL_REPO) is now a required query parameter when updating pipelines with /api/v1/pipelines-spec.

Resolved in this release:

  • Unable to run deployments after creating or editing a pipeline. Fixed an issue where deployments were not run for new or edited pipelines.
  • Unable to update a deployment on a regex pipeline. Fixed an issue that prevented updates to a deployment on a regex pipeline.
  • Option to select an environment prefix in the Deployment dialog box. Added the SELECT AN ENVIRONMENT PREFIX option to select a Puppet Enterprise environment prefix when creating a manual deployment or adding a deployment stage to a pipeline.
  • Unable to manually trigger a regex pipeline. Fixed an issue where manually triggering a regex pipeline caused a "branch not found" error. Regex pipelines can now be triggered against branches matching the regex.
  • New Impact Analysis jobs cause list errors. Manual Impact Analysis runs can now be triggered on code projects with custom names without causing an error with the tables on the Control Repos and Modules pages.
  • Unable to select a different view on the Nodes page. Fixed an issue where selecting a different view on the Nodes page resulted in an error.
  • Continuous Delivery approval emails not being sent after changing Bitbucket to GitLab. Fixed an issue where approval notifications were not sent for deployments from GitLab projects in subgroups.

Security notice:

  • CVE-2024-0567. Updated the Debian Docker image to address this vulnerability.

Version 5.3.0

Released 8 February 2024.

New in this release:

  • Personal access token management. You can now create authentication tokens to allow a user to enter their credentials once, then receive an alphanumeric token to access different services or parts of the system infrastructure. To manage personal access tokens, see Manage personal access tokens.
  • OpenAPI support. You can now fetch data and automate your workflows with the Continuous Delivery REST API. To get started using Continuous Delivery public APIs, see REST API.
  • Value reporting. You can now view activity values across all the Puppet Enterprise (PE) instances integrated within a workspace in the Activity report. To view your activity in Continuous Delivery, see Activity reporting.
  • Refreshed Continuous Delivery pipelines UI. The Continuous Delivery pipelines pages have a refreshed appearance.
  • Generate new SSL certificates. Added a cd4peadm::regen_certificates plan to generate new SSL certificates for the app, using the current configuration. After running this plan, use cd4peadm::apply_configuration to upload the new certificates to Continuous Delivery.

Security notice:

  • CVE-2023-39325. Updated several direct and indirect dependencies to address this vulnerability.

Version 5.2.1

Released 5 December 2023.

Resolved in this release:

  • Upgrading to 5.2.0 fails because version file is missing. Fixed an issue where upgrading to 5.2.0 would fail because the version file was missing.

Version 5.2.0

Released 30 November 2023.

New in this release:

  • New node filter feature added to impact analysis. A new node filter feature for Impact Analysis can be configured to run the analysis on a subset of impacted nodes. Nodes can be filtered by percentage of the number of nodes impacted by the change. See the adding Impact Analysis step for your pipelines-as-code to learn how to add this setting to your pipeline. Currently this setting is only available in pipelines-as-code. To enable pipelines-as-code, see Construct pipelines from code.
  • Support for Red Hat Enterprise Linux (RHEL) 9 and Ubuntu 22.04. You can now run Continuous Delivery on RHEL version 9 and Ubuntu version 22.04.
  • Send webhooks to a dedicated port. Continuous Delivery 5.x now supports SSL verification on webhooks. To enable SSL webhooks, set the enable_ssl_webhooks Hiera setting to true.
  • Migration improvements. The install plan now checks to ensure the 4.x instance provided during a migration has an up-to-date version of Continuous Delivery.
  • Simplified installation and migration. The install plan now automatically creates a hiera.yaml file and encryption keys when installing 5.x or migrating from 4.x to 5.x.

Resolved in this release:

  • Installation cannot complete on local installs. Fixed an issue where Continuous Delivery installation failed to complete on local installs because /etc/puppetlabs did not exist on the Continuous Delivery host.
  • Fact charts do not always show the correct number of nodes when switching filters. Fixed an issue in the node table so that the fact charts reflect the selected filters.

Security notice:

  • CVE-2023-36478. Continuous Delivery is not vulnerable, but we are now running the updated version of Jetty that addresses this vulnerability.

Version 5.1.2

Released 11 October 2023.

Resolved in this release:

  • Jobs fail with Null pointer exception on trigger events. Fixed an issue where jobs in the first stage of a pipeline would occasionally fail due to a synchronization issue on the backend.

Version 5.1.1

Released 5 October 2023.

Resolved in this release:

  • Escape characters in the 4.x migration causing warnings. Fixed an issue where some escape characters in the 4.x migration generate_config code were causing incomplete migrations.

Version 5.1.0

Released 4 October 2023.

New in this release:

  • Migration improvements. You can now specify which Kubernetes namespace Continuous Delivery 4.x is installed in when migrating to 5.x.
  • Display logs for the Continuous Delivery components from the Bolt runner. Added the logs plan to display the logs for the Continuous Delivery components from the Bolt runner.
  • curl no longer needs to be installed on the Bolt runner host. The Continuous Delivery 5.x installer no longer requires curl be installed on the Bolt runner host.
  • Starting, stopping, and restarting Continuous Delivery component services improvements. Added the ctl plan to start, stop, or restart the Continuous Delivery component services. This plan can also get the status for the Continuous Delivery component services.

Version 5.0.0

Released 7 September 2023.

New in this release:

  • New installer and administration platform. The new Continuous Delivery 5.x platform introduces a streamlined experience for installation, upgrades, license management, troubleshooting, and more.
  • Migrate your 4.x data to a 5.x installation. To upgrade to the Continuous Delivery 5.x series from a version in the 4.x series, see Migrate 4.x data to 5.x.

Removed in this release:

  • Puppet Application Manager. Deprecated support for Puppet Application Manager in version 5.0.0.