These are the new features, enhancements, resolved issues, and deprecations for the Continuous Delivery for Puppet Enterprise (PE) 4.x release series.
To upgrade to the Continuous Delivery for PE 4.x series from a version in the 3.x series, see Migrating 3.x data to 4.x.
Released 3 June 2021
- Promote permission. Previously, the permission to manually promote changes through pipeline stages was included in the Edit permission for control repos and modules. The Promote permission is now separate from the Edit permission, and you can grant or deny these permissions to groups as needed. Note: The new Promote permission has been automatically assigned to any group that was assigned the Edit permission on control repos or on modules in versions prior to 4.6.0.
- Set group permissions on a subset of control repos. You can now create groups that have permissions on only a subset of the control repos in your workspace.
- Export impact analysis data. You can now download the data generated by an impact analysis task. Click Export on the impact analysis report page to generate a CSV file of the data.
- LDAP group login filtering. You now have the option to enable login filtering for your LDAP configuration. If login filtering is turned on, only those LDAP users who are included in mapped LDAP groups are able to log into Continuous Delivery for PE.
- Increased default memory limits. In order to support higher out-of-the-box load, the default memory configuration for Continuous Delivery for PE now uses higher default memory limits while starting with the same base memory use.
- Run multiple Puppet applications on the same cluster. You can now run multiple supported applications (currently Continuous Delivery for PE version 4.6.0 and newer, and Puppet Comply version 1.0.4 and newer) on a single instance of Puppet Application Manager. Find more information in the Working with Puppet applications section of the Puppet Application Manager documentation.
- Usability improvements. Version 4.6.0 introduces several improvements to the design and usability of Continuous Delivery for PE, including:
- Several web UI pages have been updated with a cleaner, more streamlined design.
- Improved error messaging when a webhook cannot be automatically set up for a newly added control repo or module.
- Support bundles now note whether services are unavailable because the "We're migrating an existing Continuous Delivery for PE 3.x instance" option is enabled.
- The certificate preflight check now accepts a wildcard certificate as valid.
- Custom deployment policies no longer require environment branches.
- If a workspace has no owner, the Workspaces page in the root console now loads correctly so that you can reassign the workspace to a new owner.
- Information about global shared hardware is now correctly displayed when you navigate to the Hardware page in the root console from the individual workspace's Hardware page.
Released 11 May 2021
- If SAML is enabled for your Continuous Delivery for PE installation, a "Log in using single sign-on" option is now shown on the login screen, and the pod no longer falls into a restart loop.
- Docker runtime arguments are no longer passed if a job previously run on workspace hardware is updated to run on global shared hardware.
Released 27 April 2021
- The links provided in deployment approval emails now resolve correctly.
Released 22 April 2021
- Continuous Delivery for PE version 4.5.0 includes architectural changes that alter the paths of some page URLs and might break previously generated links to pull requests and other pages in your source control.
- If you use the Bolt tasks included in the `puppetlabs-cd4pe` module, upgrade the module to version 3.1.0 in your Bolt project.
- Optional. A new version of the platform admin console is available with support for full (instance-level) snapshots. Learn more in the platform admin console release notes. If you'd like to use this feature to back up Continuous Delivery for PE, upgrade to the latest version of the platform admin console.
- Configure the Bolt PCP read timeout period. To prevent job run timeouts caused by file sync delays, you can now adjust the Bolt Puppet Communications Protocol (PCP) timeout period. Learn more in Adjusting the timeout period for jobs.
- Reduced resource requirements for high availability (HA) installations. Services that can run multiple replicas now default to running on two replicas in an HA cluster rather than three. This change maintains the former level of failure resistance while reducing resource requirements.
- Usability improvements. Version 4.5.0 introduces several improvements to the design and usability of the web UI and platform admin console,
- Display text on the Config page has been updated to clarify the purpose and operation of the optional and advanced configuration sections.
- The correct CA certificate is now passed to agents when switching between certificate generation methods and redeploying the application.
- Graphs shown on the application dashboard in the platform admin console no longer double-count resource use for pods using containerd.
Released 13 April 2021
- Webhooks between Continuous Delivery for PE and GitLab repositories that use nested groups now correctly trigger pipeline runs.
- Links on control repo and module details pages to GitLab repositories that use nested groups now resolve correctly.
- When selecting a GitLab repository in the Continuous Delivery for PE web UI, the list of results is now correctly filtered by the selected organization or user.
Released 29 March 2021
- The impact analysis details page for modules now appears as expected.
- The deployment details page for modules now appears as expected.
- Continuous Delivery for PE now interprets errors from Code Manager correctly, and impact analysis runs are no longer impacted by parsing errors.
- The version 4.4.1 `.airgap` bundle includes an updated version of
Released 11 March 2021
- Save and share favorite node table views. You can now save the custom versions (views) of the node table that you create by using filters and columns to zero in on the data that's most relevant to your work. When you've created a view that you want to save and share with the members of your workspace, click Save view. You can see a list of all saved views for your workspace, mark your personal favorites for quick access, and switch between your favorite saved views from the Nodes page. For more information, see Save custom node table views.
Note: If you're using an external PostgreSQL database with Continuous Delivery for PE, this new feature creates the need to configure an estate reporting database. Find more information in Set up external PostgreSQL.
- Built-in user groups for new workspaces. Newly created workspaces now include three built-in user groups: Administrators, Operators, and Viewers. See the Permissions reference for details on the permissions included in each built-in user group.
- Streamlined workflow for adding users to a workspace. As part of the process of adding a new user to a workspace, you are now prompted to assign the user to one or more user groups (either the new built-in user groups or those you've created).
- Configure login attempt limits. You can now configure the number of unsuccessful login attempts that a user can make on Continuous Delivery for PE before their account is locked, as well as the length of time the account will be locked and the length of time before the login attempt counter resets. For more information, see Configuring login attempt limits.
- OpenTelemetry. You now have the option to use OpenTelemetry to perform distributed tracing on your Continuous Delivery for PE installation. OpenTelemetry configuration options are available on the Config page in the platform admin console. Important: When using OpenTelemetry, you can choose to export the gathered data to your logs, to Jaeger over gRPC, or via OTLP. Be aware that if you choose the logging exporter option, the size of your Continuous Delivery for PE logs will significantly increase. No OpenTelemetry data you collect will be shared with Puppet, except in one specific case: if while using the logging exporter you generate and send a support bundle to Puppet, the support bundle will contain OpenTelemetry data for your installation.
- Preflight check improvements. Preflight checks now verify that schedulable CPU and memory capacity are available for performing upgrades, and that the system is running Kubernetes version 1.17.0 or newer.
- Usability improvements. Version 4.4.0 introduces several improvements to the design and usability of the web UI and platform admin console,
- You'll no longer see an option to reset your password on the login screen if LDAP is enabled for your installation.
- A logout option is now available on the 403 error screen.
- The Config page in the platform admin console has been streamlined in order to help you locate the configuration settings relevant to your installation.
- To improve readability, the dashboard charts in the platform admin console displaying CPU usage and memory usage now only show data for the top five pods.
- Clicking on the Modules breadcrumb at the top of a module's details page no longer results in a 404 error.
- When you update your CA certificate in the platform admin console, the change now takes effect immediately.
- The option to set a PuppetDB connection timeout period has been added back to the Config page in the platform admin console.
Released 23 February 2021
- The integration between Azure DevOps and Continuous Delivery for PE now works as expected.
- Continuous Delivery for PE now deploys correctly if the root account email address entered on the Config page in the platform admin console contains uppercase letters.
- Ownership of a workspace can now be successfully transferred to a new owner whose username contains uppercase letters.
Released 3 February 2021
- List and filter your nodes by structured fact values. You can now add columns displaying structured fact values in dot notation format (such as docker.Architecture, ec2_metadata.hostname, or loadaverages.15m) to your node table. In addition, you now have the option to use the values within your structured facts when creating a fact value filter on the Nodes page.
- Webhooks for GitLab repositories that exist in nested groups now correctly trigger pipelines.
- Webhooks for Bitbucket Cloud control repos and modules that were added to Continuous Delivery for PE versions 4.2.0 and later now correctly trigger pipelines.
- Invalid characters are no longer present in the repository organization field for Bitbucket Cloud control repos, and jobs now clone these repositories correctly.
- Unnecessary repeated `The requested range is not satisfiable` errors are no longer included in the application log.
- Jobs included in pipeline stages no longer fail when attempting to download the control repo and job scripts.
- Support for Puppet Enterprise version 2018.1. PE 2018.1 reached the end of its support lifecycle on 31 January 2021.
Due to an issue discovered after release, version 4.3.0 was retracted. Version 4.3.1 is now the first version in the 4.3.x series.
Released 26 January 2021
- Support for Red Hat Enterprise Linux (RHEL) 8 and CentOS 8. You can now run Continuous Delivery for PE on RHEL version 8 and CentOS version 8.
- Ceph replaces MinIO for object storage. Continuous Delivery for PE 4.x now uses Ceph for object storage instead of MinIO. New 4.3.1 installations will use Ceph from the outset. For existing 4.x users, MinIO information will be migrated to Ceph for you as part of the upgrade to version 4.3.1. To support this change, Ceph replication status is now collected as part of the support bundle. Note: For existing 4.x users, the data migration to Ceph may cause the 4.3.1 upgrade process to take in excess of 15 minutes. Monitor the progress of the data export phase of the migration by running `kubectl logs job/cd4pe-migrate-object-store-v2 -c export` and watching the logs for a message similar to `Done. Downloaded 12990574 bytes in 63.0 seconds, 201.22 KB/s.` Next, monitor the data import phase of the migration by running `kubectl logs job/cd4pe-migrate-object-store-v2` and watching for a message similar to `Done. Uploaded 12990574 bytes in 267.8 seconds, 47.37 KB/s.` When both the export and import phases are shown as done in the logs, the migration is complete.
- Default job timeout period increased. The default job timeout period is now 30 minutes. This change reduces the chance that complex jobs will time out before completion. See Adjusting the timeout period for jobs to learn more.
- Usability improvements. Version 4.3.1 introduces several improvements to the design and usability of the web UI, including:
- The delete module icon is now correctly labeled.
- Control repo icons are displayed when selecting a custom deployment policy for a deployment.
- When logging in, users are now correctly directed to the last workspace they visited.
- Long branch names no longer overlap event status indicators in the Events area.
- Users are now less likely to encounter Docker Hub rate limits.
- The object storage migration process is now more robust and issues found in version 4.3.0 have been resolved.
- If an impact analysis task is canceled in a pipeline stage with the "any completed" auto-promotion criteria set, the pipeline run now stops at the canceled stage and does not continue.
- CVE-2020-7946. Source control tokens were displayed in plain text when trace-level logging was enabled. This issue has been resolved.
- CVE-2020-27218. An Eclipse Jetty vulnerability has been resolved.
- CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363. The version of PostgreSQL included in Continuous Delivery for PE has been upgraded to resolve CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363.
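Added example (not part of the original release notes and not Puppet tooling): a shell check for the MinIO-to-Ceph migration described in the 4.3.1 note above, which reads the two job logs and reports whether the export and import "Done." messages have both appeared. The function names `phase_done`, `migration_status` and `check_live` are hypothetical, the sample log text is constructed around the two messages quoted in the note, and flagging a byte-count mismatch is an assumption of this example rather than documented behaviour.

```shell
#!/bin/sh
# Added example: decide whether the MinIO-to-Ceph migration has finished by
# looking for the "Done." messages quoted in the release note.

# Print "<bytes> <seconds>" from the last "Done. <verb> N bytes in S seconds"
# line on stdin; print nothing if the phase has not finished yet.
phase_done() {
    sed -n "s/.*Done\. $1 \([0-9][0-9]*\) bytes in \([0-9.][0-9.]*\) seconds.*/\1 \2/p" |
        tail -n 1
}

# $1 = export container log text, $2 = import log text.
# Returns 0 when both phases are done, 1 while either is still running,
# 2 when the byte counts differ (assumption of this example: worth a look).
migration_status() {
    exp=$(printf '%s\n' "$1" | phase_done Downloaded)
    imp=$(printf '%s\n' "$2" | phase_done Uploaded)
    if [ -z "$exp" ]; then
        echo "export: in progress"
        return 1
    fi
    if [ -z "$imp" ]; then
        echo "export: done (${exp%% *} bytes); import: in progress"
        return 1
    fi
    if [ "${exp%% *}" != "${imp%% *}" ]; then
        echo "check: exported ${exp%% *} bytes, imported ${imp%% *} bytes"
        return 2
    fi
    echo "complete: ${imp%% *} bytes migrated"
}

# Against a live cluster, feed it the two commands from the release note.
check_live() {
    migration_status \
        "$(kubectl logs job/cd4pe-migrate-object-store-v2 -c export 2>&1)" \
        "$(kubectl logs job/cd4pe-migrate-object-store-v2 2>&1)"
}

# Constructed sample logs (only the "Done." lines follow the note's wording).
SAMPLE_EXPORT='starting export
Done. Downloaded 12990574 bytes in 63.0 seconds, 201.22 KB/s.'
SAMPLE_IMPORT='starting import
Done. Uploaded 12990574 bytes in 267.8 seconds, 47.37 KB/s.'

migration_status "$SAMPLE_EXPORT" "starting import" || true
migration_status "$SAMPLE_EXPORT" "$SAMPLE_IMPORT"
```

Call `check_live` from a host with `kubectl` access to the cluster during the upgrade; a return status of 1 means a phase is still running.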
Released 17 December 2020
- An issue with the webhooks for GitLab-based modules that were first added to Continuous Delivery for PE version 4.2.0 or newer has been resolved. Pipeline runs for these modules are now triggered correctly.
Released 17 November 2020
- Webhooks now correctly trigger pipelines for GitLab repositories with names that include spaces or other unusual characters.
- The platform admin console now rate limits authentication attempts to prevent brute force attacks. Note: Rate limiting does not currently apply to the Continuous Delivery for PE application web UI.
- This version includes an upgrade of PostgreSQL to version 12.5. Note: The upgrade will cause PostgreSQL to restart. In most cases, the downtime is expected to last less than a minute.
Released 12 November 2020
- Impact analysis tasks on modules now manage prefixed environments correctly.
- This version includes an update to MinIO that addresses critical issues.
Note: The upgrade will cause the MinIO service to be temporarily unavailable. In most cases, the downtime is expected to last only a few minutes.
Released 5 November 2020
- Jobs no longer fail when triggered by pull requests from Bitbucket Cloud or Bitbucket Server repositories.
- The Bolt tasks included in the `puppetlabs-cd4pe` module version 3.0.1 and newer no longer fail with a `Connection reset by peer` error when run against Continuous Delivery for PE version 4.x. Important: You must upgrade the `puppetlabs-cd4pe` module to version 3.0.1 or later in order to use its Bolt tasks.
Released 3 November 2020
- Available memory setting. A new setting on the Config page in the platform admin console lets you tune the total memory available to the Continuous Delivery for PE application. For more on the Memory available for CD4PE setting, see Adjusting available memory.
- Removal of harmful terminology. Documentation for this release replaces the term "PE master" with "PE primary server," and the term "master branch" with "main branch". When adding a new control repo or module, Continuous Delivery for PE now looks for a "main" branch instead of a "master" branch. These changes are part of a company-wide effort to remove harmful terminology from our products.
- The eventual consistency deployment policy now runs more rapidly.
- Code Manager deployments triggered by Continuous Delivery for PE are now automatically retried if certain transient failures occur.
- PostgreSQL logs no longer include errors from health checks.
- If your workspace is connected to multiple PE instances with identically named nodes on each instance, the Nodes page now correctly reports the details of all identically named nodes.
- Impact analysis tasks are now case-insensitive when processing resource names.
- The LDAP group user attribute setting is now correctly applied when querying LDAP groups that use a custom attribute to identify members. Important: If your installation previously used a group user attribute setting other than `dn`, you must set the group user attribute to `dn` in the root console after upgrading to version 4.2.0. Failure to do so will break your installation's ability to correctly perform LDAP group lookups.
- CVE-2020-25649. A `jackson-databind` vulnerability has been resolved.
- CVE-2020-15250. A JUnit4 vulnerability has been resolved.
- CVE-2020-13956. An Apache HTTPClient vulnerability has been resolved.
- Sonatype-2020-0926. A security scanner may have detected a vulnerability in Continuous Delivery for PE version 4.1.x. However, Continuous Delivery for PE does not exercise the vulnerable code path and is not vulnerable.
Released 15 October 2020
- Jobs now run successfully on pull requests opened from forked copies of source control repositories. This fix applies to all supported source control providers except Bitbucket Cloud and Bitbucket Server, which do not support pull requests from forks.
- Job logs are now shown correctly for all jobs run in a high availability environment.
- Continuous Delivery for PE no longer attempts to update webhooks on every startup if you have a backend URL that does not end with a trailing slash, or if you've used the webhook update tool in the root console. This fix means that GitHub and GitHub Enterprise no longer receive webhook payloads in an invalid format.
- Network policies no longer restrict egress, supporting deployment of Continuous Delivery for PE on clusters that use tools such as Calico as a container network interface.
- You can now successfully enable TLS for the webhook proxy on port 8000. In offline installations, the local registry is now exposed on port 9001 for job hardware agents. Requests to these ports no longer time out.
- If your load balancer requires HTTP health checks, you can now opt into using Ingress settings that do not require Server Name Indication (SNI) for `/status`. Enable this setting in the Customize endpoints section of the Config tab in the platform admin console.
- Preflight checks for offline installations no longer hang with an `ImagePullBackoff` error on initial setup.
- Long-running deployments and jobs no longer fail with a `504 upstream request timeout` error.
Released 29 September 2020
- Filter the Nodes page. You can now apply custom filter combinations to your nodes table and zero in on the node data that's most relevant to your work. Available filters include fact value, most recent node change status, operating system, PE server, node group, and no-op status.
- Snapshots. Snapshots are point-in-time backups of your Continuous Delivery for PE deployment, which can be used to roll back to a previous state. You can create snapshots manually or set up a schedule to capture them automatically. To get started, see Configure rollback snapshots. CAUTION: Snapshots are a beta feature. As such, they may not be fully documented or work as expected; please explore them at your own risk.
- Simplified port configuration for new installations. The webhook service now defaults to HTTP on port 8000 and can be switched to HTTPS on the same port. In new offline installations, the local registry is exposed on port 9001 for job hardware agents. No action is required for existing installations that use webhook or registry hostnames; existing configurations will work as previously.
- Snapshots now successfully save to Amazon S3. In order to save your snapshots to an Amazon S3 bucket, you must upgrade the platform admin console to the latest version after upgrading to Continuous Delivery for PE version 4.1.1. See Upgrade the platform admin console for instructions.
- When exporting node table data, occasional failed queries to PuppetDB are now retried automatically, and no longer result in a failed export.
Released 14 September 2020
- The export functionality on the 4.x Nodes page now works correctly.
- The container no longer hangs indefinitely in some circumstances after the host is rebooted.
- Network security rules now restrict inter-service communications.
- Local registry credentials are now stored as secrets.
- Certificate validation preflight checks now correctly refer to the local registry during offline installations.
Released 25 August 2020
- New installer and administration platform. The new Continuous Delivery for PE 4.x platform introduces a streamlined experience for installation, upgrades, license management, troubleshooting, and more. Use the new platform admin console to configure, monitor, upgrade to new versions in the 4.x series, back up, restore, and deploy your Continuous Delivery for PE installation.
- Migrate your 3.x data to a 4.x installation. To upgrade to the Continuous Delivery for PE 4.x series from a version in the 3.x series, see Migrating 3.x data to 4.x.
- Update webhooks. The new Webhooks tool in the root console updates your source control webhooks to point to the current installation. Use this tool as part of the 3.x to 4.x migration process, or any time you change the location of your Continuous Delivery for PE installation.
- Continuous Delivery agent on job hardware. Support for the Continuous Delivery agent was deprecated in version 3.4.0. Puppet agent-based job hardware is still supported.
- Support for external Amazon DynamoDB and MySQL databases. Support for external Amazon DynamoDB and MySQL databases was deprecated in version 3.1.0.
- Support for external object storage. The 4.x series replaces external Artifactory and Amazon S3 object storage with a built-in highly available object storage system.