Blog

Released on October 19, 2023

PSA (Privacy and Security Assessment) Compliance

• Read-only root file-systems are now used inside containers to improve operational security.

Improvements

• All Bitbucket git repositories have webhooks that notify Jenkins about new branches and commits. These webhooks had been readded using the new internal URL of Jenkins when the Rancher 2 migration was done. Now the webhooks with the old internal URL of Jenkins have been automatically deleted.
• Improved internal source code quality.

Bugfixes

• Unfortunately, the notification emails sent out concerning password expiration could contain the same time period that was written in a previous email. This was due to some unwanted caching effect and has been solved now.

Known Issues

• Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users which have more than one project. In fact, the links will lead to the last visited agile board on Jira, independent to the project selection on the homepage of the DevOps Portal. This is caused by the fact, that agile boards are not part of a Jira project, but instead are independent entities. We are striving to find a solution for the problem in a future version.

Released on October 12, 2023

Improvements

• The RDMBS used by all DevOps Portal instances were updated from PostgreSQL v10 to v12. This included a well tested transformation of the database files to the new format.

Known Issues

• Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users which have more than one project. In fact, the links will lead to the last visited agile board on Jira, independent to the project selection on the homepage of the DevOps Portal. This is caused by the fact, that agile boards are not part of a Jira project, but instead are independent entities. We are striving to find a solution for the problem in a future version.

Released on October 04, 2023

Improvements

• Since LOCKED users cannot reset their passwords, the notification emails about expired passwords which are sent on every Monday and Thursday morning are now only sent to ACTIVE users. In addition, when a user is unlocked, he or she is instantly informed by an email, if the password has expired and needs to be reset. Please note that users cannot log in with expired passwords. They need to reset them before using the forgotten password option on the login page.
• Updates of used software frameworks and libraries.
• The view button for pending syncs has been removed, since by clicking on the ID it can be already easily viewed.
• The success messages for bulk role assignments and unassignments has been improved to give more details about performed or skipped operations.
• For freshly retired projects, the selection box is now immediately disabled.

Bugfixes

• The project page wasn't properly working if the user selected for role assignment was deleted in the meantime. This has now been fixed.
• When a lot of success/error message were displayed on a page it could happen, that a message was hidden below the table header. Now the messages are always the topmost element.

Known Issues

• Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users which have more than one project. In fact, the links will lead to the last visited agile board on Jira, independent to the project selection on the homepage of the DevOps Portal. This is caused by the fact, that agile boards are not part of a Jira project, but instead are independent entities. We are striving to find a solution for the problem in a future version.

Released on September 21, 2023

PSA (Privacy and Security Assessment) Compliance

• Passwords of users expire now after 12 months. The current implementation sends emails on every Monday and Thursday morning to users whose password will expire within the next 21 days (3 weeks). The normal procedure is to change the password when logged in to the DevOps Portal using the menu item Account/Password. If the password has already expired, the affected user needs to use the Did you forget your password? link on the login page to reset the password. Please note, that the login page in general does not reveal any information about why a login failed. This is done to not support potential password crackers with any feedback. Therefore, if you cannot log in, always check that the username and password are correct. If this doesn't help, a password reset can be tried, but please note that this will not work if you have been locked in the Portal by a Portal Admin. As a last resort, use the Contact link in the Portal footer to contact a Portal Admin.
• Passwords cannot be reused within 60 days. The current implementation disallows to change a password more than once within 24h (1 day). In addition, a history is kept of the last 60 passwords. At the end, we recommend using a reliable password manager like e.g. KeePassXC which can create strong random passwords that are stored encrypted on a local drive. Using this approach, there's no problem when a new password has to be set at the DevOps Portal.
• To improve the security, the account log of the Portal is now also stored in the central logging system of the DevOps-as-a-Service instance.
• Strict-Transport-Security has been implemented for HTTP response headers where missing.
• X-Content-Type-Options:  “nosniff” has been implemented for HTTP response headers where missing.
• Content Security Policy (CSP) implemented.

Enhancements

• The auto-provisioning backend has been redesigned for improved performance. The changes were also especially important for instances with more than 1000 users.
• The DevOps Portal is currently being prepared to allow downtime free updates in the future. One of the required changes was to drop the # sign used in deep links to certain pages. Please update browser bookmarks if necessary.

Improvements

• All user roles in Jenkins have been adapted to the new schema introduced by latest Jenkins versions.
• The contact email address available in the Portal footer is now also used in the footer of the login page. A shift-reload of the page in the browser will help to get the login page properly updated. As an alternative, the browser cache can be emptied.
• The number of entities, remaining licences etc. has been stream lined to look exactly the same on all pages.
• When a project admin has added additional roles to a project member in Jira, these excessive roles are automatically removed when a project sync is triggered. Therefore, each member will get just its well-defined single role as set in the Portal.
• Several problems for the auto-provisioning of the upcoming tools YouTrack and Gitea have been solved.
• Updates of used software frameworks.
• On the Portal Homepage now only active projects can be selected, but no retired ones. This is a preparation for the upcoming enhanced project retirement.

Bugfixes

• On large instances, it could happen that for locked users, the Confluence licence was not removed. This is fixed now.
• In the past, a problem could occur in LDAP when the Organization was changed for a user. This has been already fixed, but now some remaining wrong entries in LDAP have been repaired.
• The Portal allows up to 1024 characters for a project description. Since the text is propagated to the tools it's now automatically shortened to 255 characters for Bitbucket, Gitea and GitLab, since these tools don't support texts longer than this limit.
• A pending sync could show up on role assignments for users without a Confluence licence. It's been harmless, but will not occur any longer.
• A pending sync related to SonarQube could show up on role assignments for users in LOCKED or CREATED state. It's been harmless, but will not occur any longer.
• On a project resync, the project role column was emptied. Now it keeps its content. It was just a visual problem.
• A JavaScript error sometimes visible in the debug console of browsers has been fixed.

Known Issues

• Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users which have more than one project. In fact, the links will lead to the last visited agile board on Jira, independent to the project selection on the homepage of the DevOps Portal. This is caused by the fact, that agile boards are not part of a Jira project, but instead are independent entities. We are striving to find a solution for the problem in a future version.

Released on August 03, 2023

Enhancements

• Upgraded SSO (single sign-on) to Keycloak v20 based on Quarkus, a new Kubernetes-native Java framework.
• The link to Blue Ocean in the Jenkins tile on the homepage will now apply a search on the currently selected project, and therefore was renamed to Project Pipelines.
• Adapted auto-provisioning for roles in Jenkins to changed API on latest Jenkins LTS.

Improvements

• When new tools have been added to a DevOps-as-a-Service instance, the tools can be added to the individual projects by calling Edit and Save or a Resync on the project. For the latter, it's now no longer required to reload the page to get the new tool links listed for the project.
• The links to Gitlab Runners and Jenkins Credentials are not reachable for all project roles. Therefore, they are now shown or hidden depending on the project role.

Securityfixes

• When a project role of a user was changed on Jenkins, the old role was not removed. Therefore, if a user was degraded from a project role with many permissions to a role with fewer permissions, he/she still kept the old permission set. This is fixed now for new role changes. It's recommend to run Resync on all projects to correctly update the permissions in Jenkins for all project members. Please note, unassigning project roles was not affected. Therefore, users which were removed from a project in the past, did lose permissions on the Project in Jenkins as expected.

Bugfixes

• For large customers with a high amount of users, it could happen that an Internal Server Error was shown due to the required increased loading time.
• Fixed a problem in Confluence role management that could lead under rare circumstances to a pending sync.

Known Issues

• Unfortunately, the links to Agile Board and Backlog in the Jira tile do not work properly for users which have more than one project. In fact, the links will lead to the last visited agile board on Jira, independent to the project selection on the homepage of the DevOps Portal. This is caused by the fact, that agile boards are not part of a Jira project, but instead are independent entities.

Released on July 27, 2023

New Features

DevOps Dashboard

The homepage of the DevOps Portal is now a real dashboard. Just select the project you want to work on and enjoy a list of deep links into the tools to get to the most important places. The chosen project is automatically remembered across sessions.

The availability of the tiles depends on the tools which are included in your DevOps-as-a-Service instance. If the logged-in user doesn't have a license assigned for one of the tools, the tile is still displayed, but the links will be not clickable.

Role Management on Projects page

On the Projects page, individual users can be selected to see their roles in the listed projects. Furthermore, bulk assignment of roles in multiple projects to the selected user is now supported.

To see only your own roles, simply select again your user, which is always at the very top of the list.

Set reasonable defaults on Bitbucket projects

The following defaults are used for freshly created projects, but can be also automatically set for existing projects by calling Resync on the project or by applying Edit and Save on the project.

The Reject Force Push workflow hook is enabled.

The merge checks No 'needs work' status and No incomplete tasks are enabled.

For permanent exceptions, Project Admins can still override the settings in one or multiple git repositories of the project by choosing explicitly disabled or enabled instead of inheriting from the Project settings.

For non-permanent exceptions, Project Admins can also change the settings globally for the project, but in this case they will be reset on the next Project Resync.

Automated enablement of safe Pull-request builds on Jenkins

In the previous release 1.3.2 enabling safe Pull-request builds was only available for freshly created projects. Now, the settings of existing projects are also automatically adjusted when a Resync is performed on the project or when Edit and Save are applied on the project.

• Pull-requests opened on Bitbucket are automatically discovered and built on Jenkins. Previously, only real branches were discovered and built.
• A Pull-request is simulating the merge from one branch to another, but takes place on Jenkins only. To really merge the Pull-request to the destination branch, one of the reviewers has to press the Merge button on Bitbucket when the review and Pull-request builds are fine.
• The Discover branches strategy is set to all branches to prevent losing build information of the source branch. Instead, the Jenkins Shared Library is avoiding building new commits to the source branch if a Pull-request was already opened. This reduces build work on Jenkins agents to 50%.
• In Scan Organization Folder Triggers the Interval for Periodically if not otherwise run is reduced from the Jenkins default of 1 day to 1 hour for quicker discovery of new git repositories. We don't recommend to use lower values since Jenkins will be otherwise busy the whole time scanning for new git repositories. If you have created a new git repository, you can at any time click on Scan Organization Folder Now in the Bitbucket Project Folder. This will trigger a manual scan for git repositories. All of this is not required to discover new branches or new commits. Both of these changes are automatically propagated from Bitbucket to Jenkins.

Automated password rotation for implicitly created technical users

DevOps Portal implicitly creates two technical users on each project creation. One is used by Jenkins to pull git repositories from the SCM and one is used by Jenkins to push built artifacts to Nexus. The mechanism was changed to use very strong passwords with 256 random bits. In addition, the passwords are now automatically changed in all 3 tools, every time when the Project is resynced or an Edit and Save is applied on the project. Due to the increased security, we recommend running now a Resync on all your projects and repeat it at least once per year.

Upcoming Features

• Prepared roll-out of the Competitive Toolchain featuring
  • YouTrack for Issue Tracking and Agile Boards
  • Gitea for Source Code Management
  • Jenkins for CI/CD
• Automated password rotation as mentioned above is also applied to tools of the Competitive Toolchain.
• Prepared roll-out of new Portal role Creator. Portal Creators will have more power than standard Portal Users, but less than Portal Admins. The feature will be enabled in a future release.

Enhancements

• For any pending synchronization, more detailed information was added. The available values are now: ID, Entity, Operation, JSON, URL, Message, Entity Id, timestamp of last attempt, timestamp of first attempt and number of retries. In addition, the process of informing the service desk of DevOps-as-a-Service was improved to allow faster diagnosis of complex problems.
• New icons have been created for the DevOps portal and the DevOps tools. Where possible, they are now used as favicons or on the new Dashboard as mentioned above.
• Due to security considerations, the possible uploads to Terms and Conditions has been limited. The only accepted format was set to PDF. The maximum file-size is set to 2MB. Invalid PDFs or PDFs which contain executables will not be accepted.
• The loading time for the User and Tech User page have been improved for large amounts of entries.

Improvements

• Project Admins can change roles or permissions for project members in the tools Jira, Confluence and Bitbucket. A Project Resync project will reset modified roles or permissions of project members to the exact roles like defined in the Portal. This was already working for Jira and Bitbucket and has been added now for Confluence, too.
• Role Management on Nexus is now faster.
• The T-Systems logo has been updated to the current corporate design
• Added automated testing for SonarQube
• Added backend unit tests for Jira
• Added earlier automated test runs on backend changes
• Unused library removed.
• All pop-up messages are now displayed near the bottom of the page.
• To increase security, some read-only API calls have been removed it not necessary for the operation of the portal.
• Removed support for old Rancher 1.6.
• The minimum project name length was set to 2 characters, since 1 character will not properly work with Jira.
• German texts for the password reset procedure have been improved.

Bugfixes

• When a user was moved to another organization, it was not correctly updated in the LDAP server. This could lead later to pending syncs.
• Even on wide windows, the Account menu was cut by some pixels on the right. The menu strip was adapted to fix the problem.
• Timestamps on some entity detail pages are no longer wrapped if not necessary.
• Clickboxes for radio buttons and checkboxes were too large on some detail pages and have been adjusted.
• When a user was locked, its position in the displayed list could change. This is now avoided by applying additional sort criteria.
• When a tech user was created or deleted, a possible active search filter was not correctly applied to the entries on the page.
• For some rare circumstances, getting a pending sync for Gitlab is now avoided.

Released on April 27, 2023

Enhancements

• The Bitbucket Project Folder in Jenkins which automatically discovers and builds all git repositories gets now an improved configuration for freshly created projects
  • Pull-requests opened on Bitbucket are automatically discovered and built on Jenkins. Previously, only real branches were discovered and built.
  • A Pull-request is simulating the merge from one branch to another, but takes place on Jenkins only. To really merge the Pull-request to the destination branch, one of the reviewers has to press the Merge button on Bitbucket when the review and Pull-request builds are fine.
  • The Discover branches strategy is set to all branches to prevent losing build information of the source branch. Instead, the Jenkins Shared Library is avoiding building new commits to the source branch if a Pull-requests was already opened. This reduces build work on Jenkins agents to 50%.
  • In Scan Organization Folder Triggers the Interval for Periodically if not otherwise run is reduced from the Jenkins default of 1 day to 1 hour for quicker discovery of new git repositories. We don't recommend to use lower values since Jenkins will be otherwise busy the whole time scanning for new git repositories. If you have created a new git repository, you can at any time click on Scan Organization Folder Now in the Bitbucket Project Folder. This will trigger a manual scan for git repositories. All of this is not required to discover new branches or new commits. Both of these changes are automatically propagated from Bitbucket to Jenkins.
• On the backend, a feature has been prepared which will offer in the future the possibility to find users inactive for a longer time period like e.g. 90 days
• The description field of a project is now also propagated to the Jenkins folder of the project.

Improvements

• Improved backend monitoring
• The metrics page for Portal Admins was removed since it was of limited value for end-users.
• Added more automated tests to backend development
• Moved success and error message more towards the bottom of the screen, so that it's always visible even when scrolling long lists.
• Error messages concerning the password entry field have been improved to give more exact information about minimum and maximum length.

Bugfixes

• Fixed the edit tech user dialog so that changing the description without changing the password works again.
• Fixed a problem when 2FA was switched off for a user.
• Fixed pending syncs which could happen when a project admin had assigned a role to a user without licenses for freshly added tools, like e.g. SonarQube. The roles were already assigned, so the pending sync could be ignored.
• Fixed problems in back-end when handling more than 1000 users in the LDAP server.
• Since no customers are remaining using Rancher 1.6, the user update/lock action can no longer be stuck when the user was assigned to another organization after the user's first project role assignment.

Around Easter, we are starting to roll-out the Jira-Jenkins Integration, as shown in our event Mastering DevOps Toolchain Showcase. Furthermore, we have documented for you how to use the Gravatar Support to get the most out of your DevOps toolchain.

Happy Easter!

Released on March 27, 2023

Enhancements

• The Technical Users page can now be used by all Portal users. In general, only these Tech Users will be listed which share a project with the user. In addition, the roles for these Tech Users can be changed, but of course limited to the Projects where the user has an Admin role. Creating, Deleting and Editing of Tech Users is still limited to Portal admins.
• Due to updated PSA statements of compliance, the minimum length for passwords of technical users has been increased to 32.
• Resync roles as found in a Project's more menu has been replaced by Resync. The new Project Resync combines saving a Project and resending the roles. Therefore, the Resync guarantees at any time that all Project details including defined member roles are properly set-up in all the tools. When you've ordered additional tools, like e.g. SonarQube, it's advised to call Resync on the Projects which should get support for the new tool.

• When a role is added to a locker user, the role is added only on the portal, but not inside the tools. If the user is later unlocked, all roles are automatically restored in the tools.

• Additional icons like shown in the example screenshot below now give a fast feed-back if the entered content was ok or not. Since the icons can be clearly distinguished from each other just by their shape, it's also an improvement for color-blind users.

Improvements

• Developed code that will be later used by the portal to allow removal of non-standard roles or individual permissions that have been set by Project admins directly in tools. This will allow in the future to improve the resync feature for projects in the portal.
• Improved display of timestamps and empty strings in pending syncs.
• Improved keyboard control as well as the contrast of the colors for all pages to improve accessability of the Portal.
• Improved support for screen readers.
• Two back-end components have been merged to simplify development.
• Base image and all dependencies used by the back-end have been updated to latest versions.
• Automated tests now run faster and don't unnecessarily block Jenkins agents when waiting for test environments.
• Shifted automated testing to new clusters based on the Rancher-Longhorn architecture.

Bugfixes

• Fixed problems in the LDAP server when handling more than 1000 users.
• Relaxed time-outs between the portal server and the auto-provisioning back-end to avoid pending syncs showing up with error message "I/O error clap-api:5000 failed to respond". This was necessary since some operations of the auto-provisioning can take longer since multiple tools have to be configured.
• Locking and deletion of users were not properly working on Rancher1.6, if the user had a personal default environment.
• In rare cases, e.g. after a timed-out session, the Portal can show its own login dialog instead of the SSO login page. That has been fixed for most cases. If it happens to you, simply reload the page to get to the correct login page.
• Vulnerability fixed which would have allowed an authenticated portal admin to change the userid/email of a user, leading to problems in the tools.
• For users that never logged in to SonarQube, a harmless pending sync could show up when a role was saved.
• A timeout was added to a query all projects call towards Jenkins to avoid hanging requests due to possible Jenkins malfunctions.
• Fixed a problem related to multi-threading in the back-end.

Known Issues

• User update/lock action can be stuck when the user was assigned to another organization after the user's first project role assignment. The ops team will automatically repair it for you. Problem is fixed for customers which have Rancher v2.6 in their toolchain as it happens only with Rancher 1.6.

Released on January 12, 2023

Enhancements

• Added full support for Rancher 2 auto-provisioning.
  • If Rancher 2.6 is available in your toolchain, all users which have the RANCHER2 tool assigned receive the global permission User-Base on Rancher. User-Base users have login-access only. But they can be added to clusters and namespaces.
  • All users who have at least one project admin role get the global permission Standard User on Rancher. These users can create new clusters and use them. Standard users can also assign other users access permissions to their clusters.
• The portal now automatically maintains a group on Jira named project-admins which contains all users which have at least one project admin role. This group will be used to manage the access permissions for the Jira Roadmap Feature of the Jira Data Center edition. More about this will be made public in a separate posting.
• The view and edit project pages have been unified. Therefore, the actions View and Edit have been removed from the More menu. Simply click on the project key of a project to view it. If you want to change any data, tick the checkbox Edit Details. This is only available if you have the admin permissions on the project and the project you want to edit is in ACTIVE state at the moment.

• When a new user is created or an existing user is changed and the new portal role or the old portal role is admin, all other admins are informed by mail who did the change and which user was made a portal admin or lost the role.

• All pages have been improved concerning accessibility.
  • Required fields now have an additional * symbol, so you know that you have to enter something in any case.
  • Status and error messages are now correctly marked for screen readers.
  • Error messages related to input fields have been moved to the label to support screen readers.
• Detail dialogs of projects, users, technical users, organizations and usage terms can now be opened using CTRL and left mouse button in a new browser window. This allows for fast processing of multiple entries.
• When multiple browser tabs are used to open the different tools, it was hard to distinguish which tab is for which tools. Therefore, our favicons as known from https://geschaeftskunden.telekom.de/digitale-loesungen/infrastructure-as-a-service/devops-as-a-service#leistungen are now used for Jira, Confluence, Bitbucket and gitlab. Since your browser caches favicons for a longer time, it's possible that you still see the old favicon. If this is the case, try holding the shift key while you press the reload button in the browser. That will force the reload of the favicon. Icons for the remaining tools will be added in the future.

Improvements

• The notification mails that users receive about changes in their licence assignments now contain a list of tools that is sorted like in the portal.

Bugfixes

• Changes in the description field of a project were not set on Bitbucket if the name of the project was not changed, too.
• Small bugfixes concerning auto-provisioning of Rancher 2 and SonarQube.

Known Issues

• User update/lock action can be stuck when the user was assigned to another organization after the user's first project role assignment. The ops team will automatically repair it for you. Problem is fixed for customers which have Rancher v2.6 in their toolchain as it happens only with Rancher 1.6.