Continuous Delivery for PE release notes

These are the new features, enhancements, resolved issues, and deprecations for the Continuous Delivery for Puppet Enterprise (PE) 4.x release series.

To upgrade to the Continuous Delivery for PE 4.x series from a version in the 3.x series, see Migrating 3.x data to 4.x.

Version 4.9.0

Released 8 September 2021

New in this release:
  • Impact analysis tasks run in parallel on multiple PE instances. When an impact analysis task is triggered to run on multiple PE instances, the task now runs simultaneously on each instance rather than waiting for one instance to finish before starting on the next.
  • Usability improvements. Version 4.9.0 introduces several improvements to the design and usability of Continuous Delivery for PE, including:
    • The Users page is updated with a cleaner, more streamlined design.
Resolved in this release:
  • Clicking Documentation in the web UI now correctly directs you to the 4.x documentation set.
  • When enabled, the HTTP health check for load balancers now operates as expected.

Version 4.8.2

Released 31 August 2021

Important: You must upgrade to version 4.8.2 before installing Puppet Enterprise 2021.3 or 2019.8.8. Version 4.8.2 resolves a PuppetDB issue that prevented the generation of new fact charts on the Nodes page.
Resolved in this release:
  • Issues with the query service and the interaction between the Nodes page and PuppetDB are now resolved.

Version 4.8.1

Released 24 August 2021

Resolved in this release:
  • An endpoint that was accidentally removed in version 4.8.0 is now restored.

Version 4.8.0

Released 10 August 2021

New in this release:
  • Configure snapshot timeouts. You can now configure the length of time that Puppet Application Manager spends attempting to back up Continuous Delivery for PE components when creating a snapshot. For more information, go to Adjusting the timeout period for snapshots.
Resolved in this release:
  • When impact analysis tasks are run on a compiler, the resulting report now shows the list of impacted nodes.
  • The installation preflight check now correctly requires 50 GB of storage for Ceph.
  • You can now successfully restore Continuous Delivery for PE from a snapshot on legacy installations of Puppet Application Manager.

Version 4.7.2

Released 26 July 2021

Resolved in this release:
  • The web UI no longer attempts to fetch remotely hosted fonts, and now loads correctly for installations in offline (airgapped) environments.
  • A bug caused database backups in new installations of versions 4.7.0 and 4.7.1 to silently fail. New installations of Continuous Delivery for PE now correctly back up and restore the contents of the PostgreSQL database.
  • Users running legacy installations of Puppet Application Manager version 1.44.1 can now successfully upgrade from Continuous Delivery for PE version 4.4.2 or older to the current version.

Version 4.7.1

Released 12 July 2021

Resolved in this release:
  • The LDAP group mappings list now displays up to 200 group mappings.
  • If multiple LDAP group mappings use the same LDAP group name and RBAC group name, you can now successfully delete one group mapping without deleting all group mappings that share these names.

Version 4.7.0

Released 8 July 2021

New in this release:
  • Fact charts. You can now see visual representations of Facter fact values on all nodes across the infrastructure you've integrated with Continuous Delivery for PE. The new Fact charts section of each view on the Nodes page displays the distribution of unique values across your inventory for your selected facts. We've included four fact charts to get you started, and you can build custom fact charts for the facts that are relevant to your business goals.
  • Usability improvements. Version 4.7.0 introduces several improvements to the design and usability of Continuous Delivery for PE, including:
    • Several web UI pages have been updated with a cleaner, more streamlined design.
    • The Users page now shows the complete list (up to 1,000 users) of users in a workspace.
Resolved in this release:
  • New Azure DevOps integrations can now be set up successfully.
  • If an empty (memberless) LDAP group map is added to Continuous Delivery for PE, other previously added LDAP group maps now sync correctly.
  • When a new workspace is created, jobs in that workspace now default to running on workspace hardware.
  • Node filter results are now correctly returned for fact names that use dot notation.
  • A change to a saved view created by removing a filter can now be saved.

Version 4.6.1

Released 16 June 2021

Resolved in this release:
  • Login attempts after upgrading to Continuous Delivery for PE 4.6.0+ with an older license no longer fail.
  • Setting up an external PostgreSQL database no longer requires a separate configuration for the estate reporting service. The estate reporting service now defaults to sharing the Continuous Delivery for PE database. For more information, see Set up external PostgreSQL.

Version 4.6.0

Released 3 June 2021

New in this release:
  • Promote permission. Previously, the permission to manually promote changes through pipeline stages was included in the Edit permission for control repos and modules. The Promote permission is now separate from the Edit permission, and you can grant or deny these permissions to groups as needed.
    Note: The new Promote permission has been automatically assigned to any group that was assigned the Edit permission on control repos or on modules in versions prior to 4.6.0.
  • Set group permissions on a subset of control repos. You can now create groups that have permissions on only a subset of the control repos in your workspace.
  • Export impact analysis data. You can now download the data generated by an impact analysis task. Click Export on the impact analysis report page to generate a CSV file of the data.
  • LDAP group login filtering. You now have the option to enable login filtering for your LDAP configuration. If login filtering is turned on, only those LDAP users who are included in mapped LDAP groups are able to log into Continuous Delivery for PE.
  • Increased default memory limits. In order to support higher out-of-the-box load, the default memory configuration for Continuous Delivery for PE now uses higher default memory limits while starting with the same base memory use.
  • Run multiple Puppet applications on the same cluster. You can now run multiple supported applications (currently Continuous Delivery for PE version 4.6.0 and newer, and Puppet Comply version 1.0.4 and newer) on a single instance of Puppet Application Manager. Find more information in the Working with Puppet applications section of the Puppet Application Manager documentation.
  • Usability improvements. Version 4.6.0 introduces several improvements to the design and usability of Continuous Delivery for PE, including:
    • Several web UI pages have been updated with a cleaner, more streamlined design.
    • Improved error messaging when a webhook cannot be automatically set up for a newly added control repo or module.
    • Support bundles now note whether services are unavailable because the "We're migrating an existing Continuous Delivery for PE 3.x instance" option is enabled.
    • The certificate preflight check now accepts a wildcard certificate as valid.
Resolved in this release:
  • Custom deployment policies no longer require environment branches.
  • If a workspace has no owner, the Workspaces page in the root console now loads correctly so that you can reassign the workspace to a new owner.
  • Information about global shared hardware is now correctly displayed when you navigate to the Hardware page in the root console from the individual workspace's Hardware page.

Version 4.5.2

Released 11 May 2021

Resolved in this release:
  • If SAML is enabled for your Continuous Delivery for PE installation, a Log in using single sign-on option is now shown on the login screen, and the pod no longer falls into a restart loop.
  • Docker runtime arguments are no longer passed if a job previously run on workspace hardware is updated to run on global shared hardware.

Version 4.5.1

Released 27 April 2021

Resolved in this release:
  • The links provided in deployment approval emails now resolve correctly.

Version 4.5.0

Released 22 April 2021

Important:
  • Continuous Delivery for PE version 4.5.0 includes architectural changes that alter the paths of some page URLs and might break previously generated links to pull requests and other pages in your source control.
  • If you use the Bolt tasks included in the puppetlabs-cd4pe module, upgrade the module to version 3.1.0 in your Bolt project.
  • Optional. A new version of the platform admin console is available with support for full (instance-level) snapshots. Learn more in the platform admin console release notes. If you'd like to use this feature to back up Continuous Delivery for PE, upgrade to the latest version of the platform admin console.
New in this release:
  • Configure the Bolt PCP read timeout period. To prevent job run timeouts caused by file sync delays, you can now adjust the Bolt Puppet Communications Protocol (PCP) timeout period. Learn more in Adjusting the timeout period for jobs.
  • Reduced resource requirements for high availability (HA) installations. Services that can run multiple replicas now default to running on two replicas in an HA cluster rather than three. This change maintains the former level of failure resistance while reducing resource requirements.
  • Usability improvements. Version 4.5.0 introduces several improvements to the design and usability of the web UI and platform admin console, including:
    • Display text on the Config page has been updated to clarify the purpose and operation of the optional and advanced configuration sections.
Resolved in this release:
  • The correct CA certificate is now passed to agents when switching between certificate generation methods and redeploying the application.
  • Graphs shown on the application dashboard in the platform admin console no longer double-count resource use for pods using containerd.

Version 4.4.2

Released 13 April 2021

Important: Version 4.4.2 includes several fixes that impact how Continuous Delivery for PE interacts with GitLab repositories that use nested groups (also called subgroups). In order to take advantage of these fixes, you must delete and re-add any control repos or modules in Continuous Delivery for PE created in version 4.4.1 or earlier that connect to GitLab repositories that use nested groups.
Resolved in this release:
  • Webhooks between Continuous Delivery for PE and GitLab repositories that use nested groups now correctly trigger pipeline runs.
  • Links on control repo and module details pages to GitLab repositories that use nested groups now resolve correctly.
  • When selecting a GitLab repository in the Continuous Delivery for PE web UI, the list of results is now correctly filtered by the selected organization or user.

Version 4.4.1

Released 29 March 2021

Resolved in this release:
  • The impact analysis details page for modules now appears as expected.
  • The deployment details page for modules now appears as expected.
  • Continuous Delivery for PE now interprets errors from Code Manager correctly, and impact analysis runs are no longer impacted by parsing errors.
  • The version 4.4.1 .airgap bundle includes an updated version of puppet-dev-tools.

Version 4.4.0

Released 11 March 2021

New in this release:
  • Save and share favorite node table views. You can now save the custom versions (views) of the node table that you create by using filters and columns to zero in on the data that's most relevant to your work. When you've created a view that you want to save and share with the members of your workspace, click Save view. You can see a list of all saved views for your workspace, mark your personal favorites for quick access, and switch between your favorite saved views from the Nodes page. For more information, see Save custom node table views.
    Note: If you're using an external PostgreSQL database with Continuous Delivery for PE, this new feature creates the need to configure an estate reporting database. Find more information in Set up external PostgreSQL.
  • Built-in user groups for new workspaces. Newly created workspaces now include three built-in user groups: Administrators, Operators, and Viewers. See the Permissions reference for details on the permissions included in each built-in user group.
  • Streamlined workflow for adding users to a workspace. As part of the process of adding a new user to a workspace, you are now prompted to assign the user to one or more user groups (either the new built-in user groups or those you've created).
  • Configure login attempt limits. You can now configure the number of unsuccessful login attempts that a user can make on Continuous Delivery for PE before their account is locked, as well as the length of time the account will be locked and the length of time before the login attempt counter resets. For more information, see Configuring login attempt limits.
  • OpenTelemetry. You now have the option to use OpenTelemetry to perform distributed tracing on your Continuous Delivery for PE installation. OpenTelemetry configuration options are available on the Config page in the platform admin console.
    Important: When using OpenTelemetry, you can choose to export the gathered data to your logs, to Jaeger over gRPC, or via OTLP. Be aware that if you choose the logging exporter option, the size of your Continuous Delivery for PE logs will significantly increase. No OpenTelemetry data you collect will be shared with Puppet, except in one specific case: if while using the logging exporter you generate and send a support bundle to Puppet, the support bundle will contain OpenTelemetry data for your installation.
  • Preflight check improvements. Preflight checks now verify that schedulable CPU and memory capacity are available for performing upgrades, and that the system is running Kubernetes version 1.17.0 or newer.
  • Usability improvements. Version 4.4.0 introduces several improvements to the design and usability of the web UI and platform admin console, including:
    • You'll no longer see an option to reset your password on the login screen if LDAP is enabled for your installation.
    • A logout option is now available on the 403 error screen.
    • The Config page in the platform admin console has been streamlined in order to help you locate the configuration settings relevant to your installation.
    • To improve readability, the dashboard charts in the platform admin console displaying CPU usage and memory usage now only show data for the top five pods.
Resolved in this release:
  • Clicking on the Modules breadcrumb at the top of a module's details page no longer results in a 404 error.
  • When you update your CA certificate in the platform admin console, the change now takes effect immediately.
  • The option to set a PuppetDB connection timeout period has been added back to the Config page in the platform admin console.

Version 4.3.3

Released 23 February 2021

Resolved in this release:
  • The integration between Azure DevOps and Continuous Delivery for PE now works as expected.
  • Continuous Delivery for PE now deploys correctly if the root account email address entered on the Config page in the platform admin console contains uppercase letters.
  • Ownership of a workspace can now be successfully transferred to a new owner whose username contains uppercase letters.

Version 4.3.2

Released 3 February 2021

Note: Based on the results of ongoing internal testing along with feedback from users, we have increased our recommended minimum system resource requirements for Continuous Delivery for PE 4.x. Please see system requirements for the current guidance.
New in this release:
  • List and filter your nodes by structured fact values. You can now add columns displaying structured fact values in dot notation format (such as docker.Architecture, ec2_metadata.hostname, or loadaverages.15m) to your node table. In addition, you now have the option to use the values within your structured facts when creating a fact value filter on the Nodes page.
Resolved in this release:
  • Webhooks for GitLab repositories that exist in nested groups now correctly trigger pipelines.
  • Webhooks for Bitbucket Cloud control repos and modules that were added to Continuous Delivery for PE versions 4.2.0 and later now correctly trigger pipelines.
  • Invalid characters are no longer present in the repository organization field for Bitbucket Cloud control repos, and jobs now clone these repositories correctly.
  • Unnecessary repeated "The requested range is not satisfiable" errors are no longer included in the application log.
  • Jobs included in pipeline stages no longer fail when attempting to download the control repo and job scripts.
Removed in this release:
  • Support for Puppet Enterprise version 2018.1. PE 2018.1 reached the end of its support lifecycle on 31 January 2021.

Version 4.3.1

Due to an issue discovered after release, version 4.3.0 was retracted. Version 4.3.1 is now the first version in the 4.3.x series.

Released 26 January 2021

Note: A new version of the platform admin console was released on 7 December 2020. Please review the release notes and upgrade to the latest version of the platform admin console before upgrading Continuous Delivery for PE to version 4.3.1.
New in this release:
  • Support for Red Hat Enterprise Linux (RHEL) 8 and CentOS 8. You can now run Continuous Delivery for PE on RHEL version 8 and CentOS version 8.
  • Ceph replaces MinIO for object storage. Continuous Delivery for PE 4.x now uses Ceph for object storage instead of MinIO. New 4.3.1 installations will use Ceph from the outset. For existing 4.x users, MinIO information will be migrated to Ceph for you as part of the upgrade to version 4.3.1. To support this change, Ceph replication status is now collected as part of the support bundle.
    Note: For existing 4.x users, the data migration to Ceph may cause the 4.3.1 upgrade process to take in excess of 15 minutes. Monitor the progress of the data export phase of the migration by running "kubectl logs job/cd4pe-migrate-object-store-v2 -c export" and watching the logs for a message similar to "Done. Downloaded 12990574 bytes in 63.0 seconds, 201.22 KB/s". Next, monitor the data import phase of the migration by running "kubectl logs job/cd4pe-migrate-object-store-v2" and watching for a message similar to "Done. Uploaded 12990574 bytes in 267.8 seconds, 47.37 KB/s". When both the export and import phases are shown as done in the logs, the migration is complete.
  • Default job timeout period increased. The default job timeout period is now 30 minutes. This change reduces the chance that complex jobs will time out before completion. See Adjusting the timeout period for jobs to learn more.
  • Usability improvements. Version 4.3.1 introduces several improvements to the design and usability of the web UI, including:
    • The delete module icon is now correctly labeled.
    • Control repo icons are displayed when selecting a custom deployment policy for a deployment.
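
The migration check described in the Ceph note above, as an added example (not part of the Puppet release notes or product): a shell helper that reads the export and import logs and reports which phase is still pending. The function names, the status words and the byte-count comparison are assumptions of this example; the job name and kubectl commands are the ones given in the note.

```shell
# Job name exactly as given in the release note.
JOB="job/cd4pe-migrate-object-store-v2"

# Read log text on stdin and print the byte count from the last
# "Done. <verb> N bytes in ..." line. $1 is "Downloaded" (export phase)
# or "Uploaded" (import phase). Returns 1 if no such line is present yet.
phase_bytes() {
    local n
    n=$(sed -n "s/.*Done\. $1 \([0-9][0-9]*\) bytes in .*/\1/p" | tail -n 1)
    [ -n "$n" ] && printf '%s\n' "$n"
}

# $1 = export log text, $2 = import log text.
# Prints one of: export-pending, import-pending, mismatch ..., complete ...
migration_status() {
    local exported imported
    exported=$(printf '%s\n' "$1" | phase_bytes Downloaded) \
        || { echo "export-pending"; return 0; }
    imported=$(printf '%s\n' "$2" | phase_bytes Uploaded) \
        || { echo "import-pending"; return 0; }
    # Assumption of this example: the sample messages in the note show the
    # same byte count for both phases, so a difference is flagged for review.
    if [ "$exported" != "$imported" ]; then
        echo "mismatch exported=$exported imported=$imported"
    else
        echo "complete bytes=$exported"
    fi
}

# Run against a live cluster using the two commands from the note.
check_live() {
    migration_status \
        "$(kubectl logs "$JOB" -c export 2>&1)" \
        "$(kubectl logs "$JOB" 2>&1)"
}

# Constructed sample logs (not captured from a real cluster); the "Done."
# lines follow the message format quoted in the note.
SAMPLE_EXPORT='starting export
Done. Downloaded 12990574 bytes in 63.0 seconds, 201.22 KB/s'
SAMPLE_IMPORT='starting import
Done. Uploaded 12990574 bytes in 267.8 seconds, 47.37 KB/s'

migration_status "$SAMPLE_EXPORT" "$SAMPLE_IMPORT"
```

Call check_live from a host with kubectl access to the cluster; until it prints a "complete" line, the upgrade is still migrating data.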
Resolved in this release:
  • When logging in, users are now correctly directed to the last workspace they visited.
  • Long branch names no longer overlap event status indicators in the Events area.
  • Users are now less likely to encounter Docker Hub rate limits.
  • The object storage migration process is now more robust and issues found in version 4.3.0 have been resolved.
  • If an impact analysis task is canceled in a pipeline stage with the "any completed" auto-promotion criteria set, the pipeline run now stops at the canceled stage and does not continue.
Security notice:
  • CVE-2020-7946. Source control tokens were displayed in plain text when trace-level logging was enabled. This issue has been resolved.
  • CVE-2020-27218. An Eclipse Jetty vulnerability has been resolved.
  • CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363. The version of PostgreSQL included in Continuous Delivery for PE has been upgraded to resolve CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363.

Version 4.2.4

Released 17 December 2020

Resolved in this release:
  • An issue with the webhooks for GitLab-based modules that were first added to Continuous Delivery for PE version 4.2.0 or newer has been resolved. Pipeline runs for these modules are now triggered correctly.

Version 4.2.3

Released 17 November 2020

Resolved in this release:
  • Webhooks now correctly trigger pipelines for GitLab repositories with names that include spaces or other unusual characters.
  • The platform admin console now rate limits authentication attempts to prevent brute force attacks.
    Note: Rate limiting does not currently apply to the Continuous Delivery for PE application web UI.
  • This version includes an upgrade of PostgreSQL to version 12.5.
    Note: The upgrade will cause PostgreSQL to restart. In most cases, the downtime is expected to last less than a minute.

Version 4.2.2

Released 12 November 2020

Resolved in this release:
  • Impact analysis tasks on modules now manage prefixed environments correctly.
  • This version includes an update to MinIO that addresses critical issues.
    Note: The upgrade will cause the MinIO service to be temporarily unavailable. In most cases, the downtime is expected to last only a few minutes.

Version 4.2.1

Released 5 November 2020

Resolved in this release:
  • Jobs no longer fail when triggered by pull requests from Bitbucket Cloud or Bitbucket Server repositories.
  • The Bolt tasks included in the puppetlabs-cd4pe module version 3.0.1 and newer no longer fail with a Connection reset by peer error when run against Continuous Delivery for PE version 4.x.
    Important: You must upgrade the puppetlabs-cd4pe module to version 3.0.1 or later in order to use its Bolt tasks.

Version 4.2.0

Released 3 November 2020

New in this release:
  • Available memory setting. A new setting on the Config page in the platform admin console lets you tune the total memory available to the Continuous Delivery for PE application. For more on the Memory available for CD4PE setting, see Adjusting available memory.
  • Removal of harmful terminology. Documentation for this release replaces the term "PE master" with "PE primary server", and the term "master branch" with "main branch". When adding a new control repo or module, Continuous Delivery for PE now looks for a "main" branch instead of a "master" branch. These changes are part of a company-wide effort to remove harmful terminology from our products.
Resolved in this release:
  • The eventual consistency deployment policy now runs more rapidly.
  • Code Manager deployments triggered by Continuous Delivery for PE are now automatically retried if certain transient failures occur.
  • PostgreSQL logs no longer include errors from health checks.
  • If your workspace is connected to multiple PE instances with identically named nodes on each instance, the Nodes page now correctly reports the details of all identically named nodes.
  • Impact analysis tasks are now case-insensitive when processing resource names.
  • The LDAP group user attribute setting is now correctly applied when querying LDAP groups that use a custom attribute to identify members.
    Important: If your installation previously used a group user attribute setting other than dn, you must set the group user attribute to dn in the root console after upgrading to version 4.2.0. Failure to do so will break your installation’s ability to correctly perform LDAP group lookups.
Security notice:
  • CVE-2020-25649. A jackson-databind vulnerability has been resolved.
  • CVE-2020-15250. A JUnit4 vulnerability has been resolved.
  • CVE-2020-13956. An Apache HTTPClient vulnerability has been resolved.
  • Sonatype-2020-0926. A security scanner may have detected a vulnerability in Continuous Delivery for PE version 4.1.x. However, Continuous Delivery for PE does not exercise the vulnerable code path and is not vulnerable.

Version 4.1.3

Released 15 October 2020

Resolved in this release:
  • Jobs now run successfully on pull requests opened from forked copies of source control repositories. This fix applies to all supported source control providers except Bitbucket Cloud and Bitbucket Server, which do not support pull requests from forks.
  • Job logs are now shown correctly for all jobs run in a high availability environment.
  • Continuous Delivery for PE no longer attempts to update webhooks on every startup if you have a backend URL that does not end with a trailing slash, or if you've used the webhook update tool in the root console. This fix means that GitHub and GitHub Enterprise no longer receive webhook payloads in an invalid format.
  • Network policies no longer restrict egress, supporting deployment of Continuous Delivery for PE on clusters that use tools such as Calico as a container network interface.
  • You can now successfully enable TLS for the webhook proxy on port 8000. In offline installations, the local registry is now exposed on port 9001 for job hardware agents. Requests to these ports no longer time out.

Version 4.1.2

Released 8 October 2020

Note: To upgrade to version 4.1.2 from version 4.0.1 or 4.0.0, you must first upgrade Continuous Delivery for PE and then upgrade the platform admin console. Offline users, please see Upgrade in an offline environment.
Resolved in this release:
  • If your load balancer requires HTTP health checks, you can now opt into using Ingress settings that do not require Server Name Indication (SNI) for /status. Enable this setting in the Customize endpoints section of the Config tab in the platform admin console.
  • Preflight checks for offline installations no longer hang with an ImagePullBackoff error on initial setup.
  • Long-running deployments and jobs no longer fail with a 504 upstream request timeout error.

Version 4.1.1

Released 29 September 2020

Note: To upgrade to version 4.1.1, you must first upgrade Continuous Delivery for PE and then upgrade the platform admin console. Offline users, please see Upgrade in an offline environment.
New in this release:
  • Filter the Nodes page. You can now apply custom filter combinations to your nodes table and zero in on the node data that's most relevant to your work. Available filters include fact value, most recent node change status, operating system, PE server, node group, and no-op status.
  • Snapshots. Snapshots are point-in-time backups of your Continuous Delivery for PE deployment, which can be used to roll back to a previous state. You can create snapshots manually or set up a schedule to capture them automatically. To get started, see Configure rollback snapshots.
    CAUTION: Snapshots are a beta feature. As such, they may not be fully documented or work as expected; please explore them at your own risk.
  • Simplified port configuration for new installations. The webhook service now defaults to HTTP on port 8000 and can be switched to HTTPS on the same port. In new offline installations, the local registry is exposed on port 9001 for job hardware agents. No action is required for existing installations that use webhook or registry hostnames; existing configurations continue to work as before.
Resolved in this release:
  • Snapshots now successfully save to Amazon S3. In order to save your snapshots to an Amazon S3 bucket, you must upgrade the platform admin console to the latest version after upgrading to Continuous Delivery for PE version 4.1.1. See Upgrade the platform admin console for instructions.
  • When exporting node table data, occasional failed queries to PuppetDB are now retried automatically, and no longer result in a failed export.

Version 4.0.1

Released 14 September 2020

Resolved in this release:
  • The export functionality on the 4.x Nodes page now works correctly.
  • The container no longer hangs indefinitely in some circumstances after the host is rebooted.
  • Network security rules now restrict inter-service communications.
  • Local registry credentials are now stored as secrets.
  • Certificate validation preflight checks now correctly refer to the local registry during offline installations.

Version 4.0.0

Released 25 August 2020

New in this release:
  • New installer and administration platform. The new Continuous Delivery for PE 4.x platform introduces a streamlined experience for installation, upgrades, license management, troubleshooting, and more. Use the new platform admin console to configure, monitor, upgrade to new versions in the 4.x series, back up, restore, and deploy your Continuous Delivery for PE installation.
  • Migrate your 3.x data to a 4.x installation. To upgrade to the Continuous Delivery for PE 4.x series from a version in the 3.x series, see Migrating 3.x data to 4.x.
  • Update webhooks. The new Webhooks tool in the root console updates your source control webhooks to point to the current installation. Use this tool as part of the 3.x to 4.x migration process, or any time you change the location of your Continuous Delivery for PE installation.
Removed in this release:
  • Continuous Delivery agent on job hardware. Support for the Continuous Delivery agent was deprecated in version 3.4.0. Puppet agent-based job hardware is still supported.
  • Support for external Amazon DynamoDB and MySQL databases. Support for external Amazon DynamoDB and MySQL databases was deprecated in version 3.1.0.
  • Support for external object storage. The 4.x series replaces external Artifactory and Amazon S3 object storage with a built-in highly available object storage system.