Release Notes 1.4
Release 1.4.6 / 🗓 09 Nov 2023
PSA (Privacy and Security Assessment) Compliance
- The password reset procedure is now protected against automated use or misuse. After entering the email address, the user is now asked for their second factor. This ensures that it's not possible to spam users with password reset mails. Of course, it requires that 2FA has been enabled for the user. In general, it's recommended to enable 2FA for all your users. Therefore, 2FA has always been enabled by default when you create a new user on the DevOps Portal.
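The flow described above, as an added example that is not the DevOps Portal's own code: a reset request is only turned into a mail when the account exists, has 2FA enabled and the submitted second factor verifies, and the reply is the same neutral sentence in every case. The in-memory user table, the list that stands in for the mail gateway and the choice of an RFC 6238 TOTP as the second factor are my assumptions.

```python
"""Second-factor-gated password reset (added example, not the DevOps Portal's own code).

Assumptions of mine: the user database is an in-memory dict, the second factor
is an RFC 6238 TOTP code (what authenticator apps produce), and "sending" a
reset mail means appending to a list that stands in for the mail gateway.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample users: alice has 2FA enabled, bob does not.
USERS = {
    "alice@example.test": {"totp_secret": b"alice-demo-secret-0001", "twofa": True},
    "bob@example.test": {"totp_secret": None, "twofa": False},
}
SENT_MAILS = []  # stand-in for the outgoing mail queue
NEUTRAL_REPLY = "If the address is registered and the code was valid, a reset mail has been sent."


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the usual authenticator-app default."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, skew_steps: int = 1) -> bool:
    """Accept the current code and one 30 s step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + delta * 30), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def request_password_reset(email: str, code: str, now=None) -> str:
    """Handle a reset request.

    The reply is identical for every outcome, so the endpoint does not reveal
    which addresses exist. A mail is queued only when the account exists, has
    2FA enabled and the submitted code verifies; that is what stops the
    endpoint from being used to flood someone's mailbox.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(email)
    if user is not None and user["twofa"] and verify_totp(user["totp_secret"], code, now):
        SENT_MAILS.append({"to": email, "subject": "DevOps Portal password reset", "at": now})
    return NEUTRAL_REPLY
```

Note that a user without 2FA (bob above) never receives a reset mail through this path, which matches the note that the protection requires 2FA to be enabled; the timestamp parameter exists so the behaviour can be checked deterministically.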
Enhancements
- Starting with Bitbucket 8.2, a new Create repository permission has been added by the vendor. This new permission is now granted to all users with a MASTER role. To enable it for existing projects, simply initiate a Resync of the project in the DevOps Portal. Please note that users automatically get admin permissions in the repositories they create.
- In some tools (currently Jira, Confluence and Bitbucket) Project ADMINs can directly add individual users to their project, choosing from one of the available roles or permissions. This is now cleaned up when a Project Resync is initiated. To be more precise, a Project Resync removes any project roles or permissions for users who don't have a role assigned in the DevOps Portal.
Improvements
- Prepared the DevOps Portal for configuring tool specific project settings in the future.
- Updates of used software frameworks and libraries.
- When a Technical User is deleted, the sort order of the table is now preserved.
Bugfixes
- On the Projects page, assigning a role to a user who already has it obviously has no effect. Unfortunately, after such an action the Assign button remained disabled, even when another user was selected. This is fixed now.
Known Issues
- Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users who have more than one project. In fact, the links lead to the last visited agile board in Jira, independent of the project selected on the homepage of the DevOps Portal. This is caused by the fact that agile boards are not part of a Jira project but are independent entities. We are striving to find a solution for this problem in a future version.
Release 1.4.5 / 🗓 19 Oct 2023
PSA (Privacy and Security Assessment) Compliance
- Read-only root file systems are now used inside containers to improve operational security.
Improvements
- All Bitbucket git repositories have webhooks that notify Jenkins about new branches and commits. These webhooks had been re-added using the new internal URL of Jenkins when the Rancher 2 migration was done. The webhooks with the old internal URL of Jenkins have now been deleted automatically.
- Improved internal source code quality.
Bugfixes
- Unfortunately, the notification emails sent out concerning password expiration could contain the same time period that was written in a previous email. This was due to an unwanted caching effect and has now been solved.
Known Issues
- Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users who have more than one project. In fact, the links lead to the last visited agile board in Jira, independent of the project selected on the homepage of the DevOps Portal. This is caused by the fact that agile boards are not part of a Jira project but are independent entities. We are striving to find a solution for this problem in a future version.
Release 1.4.4 / 🗓 12 Oct 2023
Improvements
- The RDBMS used by all DevOps Portal instances was updated from PostgreSQL v10 to v12. This included a well-tested transformation of the database files to the new format.
Known Issues
- Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users who have more than one project. In fact, the links lead to the last visited agile board in Jira, independent of the project selected on the homepage of the DevOps Portal. This is caused by the fact that agile boards are not part of a Jira project but are independent entities. We are striving to find a solution for this problem in a future version.
Release 1.4.3 / 🗓 04 Oct 2023
Improvements
- Since LOCKED users cannot reset their passwords, the notification emails about expired passwords, which are sent every Monday and Thursday morning, are now only sent to ACTIVE users. In addition, when a user is unlocked, they are instantly informed by email if the password has expired and needs to be reset. Please note that users cannot log in with expired passwords. They need to reset them first, using the forgotten password option on the login page.
- Updates of used software frameworks and libraries.
- The View button for pending syncs has been removed, since a pending sync can already be viewed easily by clicking on its ID.
- The success messages for bulk role assignments and unassignments have been improved to give more details about performed or skipped operations.
- For freshly retired projects, the selection box is now immediately disabled.
Bugfixes
- The Projects page didn't work properly if the user selected for role assignment had been deleted in the meantime. This has now been fixed.
- When a lot of success/error messages were displayed on a page, it could happen that a message was hidden below the table header. Now the messages are always the topmost element.
Known Issues
- Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users who have more than one project. In fact, the links lead to the last visited agile board in Jira, independent of the project selected on the homepage of the DevOps Portal. This is caused by the fact that agile boards are not part of a Jira project but are independent entities. We are striving to find a solution for this problem in a future version.
Release 1.4.2 / 🗓 21 Sep 2023
PSA (Privacy and Security Assessment) Compliance
- Passwords of users now expire after 12 months. The current implementation sends emails every Monday and Thursday morning to users whose password will expire within the next 21 days (3 weeks). The normal procedure is to change the password when logged in to the DevOps Portal, using the menu item Account/Password. If the password has already expired, the affected user needs to use the Did you forget your password? link on the login page to reset the password. Please note that the login page in general does not reveal any information about why a login failed. This is done so that potential password crackers get no feedback. Therefore, if you cannot log in, always check that the username and password are correct. If this doesn't help, a password reset can be tried, but please note that this will not work if you have been locked in the Portal by a Portal Admin. As a last resort, use the Contact link in the Portal footer to contact a Portal Admin.
- Passwords cannot be reused within 60 days. The current implementation disallows changing a password more than once within 24 h (1 day). In addition, a history of the last 60 passwords is kept. Finally, we recommend using a reliable password manager such as KeePassXC, which can create strong random passwords that are stored encrypted on a local drive. Using this approach, setting a new password at the DevOps Portal is no problem.
- To improve the security, the account log of the Portal is now also stored in the central logging system of the DevOps-as-a-Service instance.
- Strict-Transport-Security has been implemented for HTTP response headers where missing.
- X-Content-Type-Options: "nosniff" has been implemented for HTTP response headers where missing.
- Content Security Policy (CSP) implemented.
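The password lifetime rules from the two items above (12-month expiry, Monday/Thursday warning mails for passwords expiring within 21 days, at most one change per 24 hours, a history of the last 60 passwords) and the earlier note that only ACTIVE users are notified, modelled as an added example that is not the DevOps Portal's own code. The in-memory account, the PBKDF2 hashing and the low demo iteration count are my assumptions.

```python
"""Password lifetime policy (added example, not the DevOps Portal's own code).

Models the rules from the release notes: 12-month expiry, warning mails on
Monday and Thursday mornings for passwords expiring within 21 days, at most one
change per 24 hours, and a history of the last 60 passwords that may not be
reused. Assumptions of mine: accounts live in memory, hashes use
PBKDF2-HMAC-SHA256 with a low iteration count for the demo, and only ACTIVE
accounts are notified.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
HOUR = timedelta(hours=1)
PASSWORD_MAX_AGE = 365 * DAY          # "expire after 12 months"
EXPIRY_WARNING_WINDOW = 21 * DAY      # warn during the last 3 weeks
MIN_PASSWORD_AGE = 1 * DAY            # no second change within 24 h
HISTORY_SIZE = 60                     # the last 60 passwords are remembered
NOTIFICATION_WEEKDAYS = {0, 3}        # Monday, Thursday (datetime.weekday())
PBKDF2_ROUNDS = 20_000                # demo value; use far more in production


def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    changed_at: datetime                          # when the current password was set
    state: str = "ACTIVE"                         # or LOCKED / CREATED
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest first

    def password_expires_at(self) -> datetime:
        return self.changed_at + PASSWORD_MAX_AGE

    def is_expired(self, now: datetime) -> bool:
        return now >= self.password_expires_at()

    def change_password(self, new_password: str, now: datetime) -> str:
        """Returns 'ok', 'too-soon' (changed less than 24 h ago) or 'reused'."""
        if now - self.changed_at < MIN_PASSWORD_AGE:
            return "too-soon"
        for salt, digest in self.history:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return "reused"
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(new_password, salt)))
        del self.history[HISTORY_SIZE:]          # keep only the last 60
        self.changed_at = now
        return "ok"


def create_account(initial_password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(changed_at=now, history=[(salt, _digest(initial_password, salt))])


def needs_expiry_notification(account: Account, now: datetime) -> bool:
    """Decision taken by the Monday/Thursday morning job: notify only ACTIVE
    users whose password expires within the warning window (or already has)."""
    if account.state != "ACTIVE" or now.weekday() not in NOTIFICATION_WEEKDAYS:
        return False
    return account.password_expires_at() - now <= EXPIRY_WARNING_WINDOW
```

Each history entry carries its own salt, so checking for reuse means re-deriving the candidate password against every stored entry; with a production iteration count that is 60 slow hashes per change, which is acceptable for an operation limited to once per day.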
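The three response headers named in the items above (Strict-Transport-Security, X-Content-Type-Options: nosniff, Content-Security-Policy), as an added example that is not the DevOps Portal's own code: a WSGI middleware that fills in whichever of them the wrapped application did not set itself, plus an audit helper for a captured response. The concrete HSTS and CSP values, the sample application and the request helper are my assumptions.

```python
"""HTTP security response headers (added example, not the DevOps Portal's own code).

A WSGI middleware that adds the three headers from the release notes where the
wrapped application left them out, plus an audit helper. The HSTS and CSP
values are my own assumptions, not the portal's configuration.
"""

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}


def with_security_headers(headers, https=True):
    """Return `headers` (a list of (name, value) pairs) with the missing security
    headers appended. Names compare case-insensitively. Browsers only honour
    HSTS on an HTTPS response, so it is skipped for plain HTTP."""
    present = {name.lower() for name, _ in headers}
    out = list(headers)
    for name, value in SECURITY_HEADERS.items():
        if name == "Strict-Transport-Security" and not https:
            continue
        if name.lower() not in present:
            out.append((name, value))
    return out


def audit_security_headers(headers, https=True):
    """Return a list of findings for a captured response; an empty list means OK."""
    got = {name.lower(): value.strip() for name, value in headers}
    findings = []
    for name in SECURITY_HEADERS:
        if name == "Strict-Transport-Security" and not https:
            continue
        if name.lower() not in got:
            findings.append(f"missing {name}")
    xcto = got.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options must be exactly 'nosniff'")
    return findings


class SecurityHeadersMiddleware:
    """WSGI wrapper: every response passes through with_security_headers()."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def _start(status, headers, exc_info=None):
            return start_response(status, with_security_headers(headers, https), exc_info)

        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Constructed sample application that only sets Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>portal</body></html>"]


def call(app, scheme="https"):
    """Invoke a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Adding the headers only where they are missing lets individual views set a stricter policy without the middleware overriding it; the audit helper is the kind of check to run against a staging deployment after a release.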
Enhancements
- The auto-provisioning backend has been redesigned for improved performance. The changes are especially important for instances with more than 1000 users.
- The DevOps Portal is currently being prepared to allow downtime-free updates in the future. One of the required changes was to drop the # sign used in deep links to certain pages. Please update browser bookmarks if necessary.
Improvements
- All user roles in Jenkins have been adapted to the new schema introduced by latest Jenkins versions.
- The contact email address available in the Portal footer is now also used in the footer of the login page. A shift-reload of the page in the browser will help to get the login page properly updated. As an alternative, the browser cache can be emptied.
- The number of entities, remaining licences etc. has been streamlined to look exactly the same on all pages.
- When a project admin has added additional roles to a project member in Jira, these excess roles are automatically removed when a project sync is triggered. Therefore, each member gets just their well-defined single role as set in the Portal.
- Several problems for the auto-provisioning of the upcoming tools YouTrack and Gitea have been solved.
- Updates of used software frameworks.
- On the Portal homepage, only active projects can now be selected, not retired ones. This is a preparation for the upcoming enhanced project retirement.
Bugfixes
- On large instances, it could happen that the Confluence licence was not removed for locked users. This is fixed now.
- In the past, a problem could occur in LDAP when the Organization was changed for a user. This had already been fixed, but now some remaining wrong entries in LDAP have been repaired.
- The Portal allows up to 1024 characters for a project description. Since the text is propagated to the tools, it's now automatically shortened to 255 characters for Bitbucket, Gitea and GitLab, as these tools don't support longer texts.
- A pending sync could show up on role assignments for users without a Confluence licence. It was harmless, but will no longer occur.
- A pending sync related to SonarQube could show up on role assignments for users in LOCKED or CREATED state. It was harmless, but will no longer occur.
- On a project resync, the project role column was emptied. Now it keeps its content. This was only a visual problem.
- A JavaScript error sometimes visible in the debug console of browsers has been fixed.
Known Issues
- Unfortunately, the links to Agile Board and Backlog in the Jira tile of the DevOps Portal homepage do not work properly for users who have more than one project. In fact, the links lead to the last visited agile board in Jira, independent of the project selected on the homepage of the DevOps Portal. This is caused by the fact that agile boards are not part of a Jira project but are independent entities. We are striving to find a solution for this problem in a future version.
Release 1.4.1 / 🗓 03 Aug 2023
Enhancements
- Upgraded SSO (single sign-on) to Keycloak v20 based on Quarkus, a new Kubernetes-native Java framework.
- The link to Blue Ocean in the Jenkins tile on the homepage will now apply a search on the currently selected project, and therefore was renamed to Project Pipelines.
- Adapted auto-provisioning for roles in Jenkins to the changed API of the latest Jenkins LTS.
Improvements
- When new tools have been added to a DevOps-as-a-Service instance, the tools can be added to the individual projects by calling Edit and Save or a Resync on the project. For the latter, it's no longer required to reload the page to get the new tool links listed for the project.
- The links to Gitlab Runners and Jenkins Credentials are not reachable for all project roles. Therefore, they are now shown or hidden depending on the project role.
Securityfixes
- When the project role of a user was changed in Jenkins, the old role was not removed. Therefore, if a user was downgraded from a project role with many permissions to a role with fewer permissions, they still kept the old permission set. This is fixed now for new role changes. It's recommended to run Resync on all projects to correctly update the permissions in Jenkins for all project members. Please note that unassigning project roles was not affected. Therefore, users who were removed from a project in the past lost their permissions on the project in Jenkins as expected.
Bugfixes
- For large customers with a high number of users, it could happen that an Internal Server Error was shown due to the increased loading time.
- Fixed a problem in Confluence role management that could, under rare circumstances, lead to a pending sync.
Known Issues
- Unfortunately, the links to Agile Board and Backlog in the Jira tile do not work properly for users who have more than one project. In fact, the links lead to the last visited agile board in Jira, independent of the project selected on the homepage of the DevOps Portal. This is caused by the fact that agile boards are not part of a Jira project but are independent entities.
Release 1.4.0 / 🗓 27 Jul 2023
New Features
DevOps Dashboard
The homepage of the DevOps Portal is now a real dashboard. Just select the project you want to work on and enjoy a list of deep links into the tools to get to the most important places. The chosen project is automatically remembered across sessions.
The availability of the tiles depends on the tools which are included in your DevOps-as-a-Service instance. If the logged-in user doesn't have a license assigned for one of the tools, the tile is still displayed, but the links will not be clickable.
Role Management on Projects page
On the Projects page, individual users can be selected to see their roles in the listed projects. Furthermore, bulk assignment of roles in multiple projects to the selected user is now supported.
To see only your own roles, simply select your own user again, which is always at the very top of the list.
Set reasonable defaults on Bitbucket projects
The following defaults are used for freshly created projects, but can also be set automatically for existing projects by calling Resync on the project or by applying Edit and Save on the project.
The Reject Force Push workflow hook is enabled.
The merge checks No 'needs work' status and No incomplete tasks are enabled.
For permanent exceptions, Project Admins can still override the settings in one or multiple git repositories of the project by choosing explicitly disabled or enabled instead of inheriting from the Project settings.
For non-permanent exceptions, Project Admins can also change the settings globally for the project, but in this case they will be reset on the next Project Resync.
Automated enablement of safe Pull-request builds on Jenkins
In the previous release 1.3.2, enabling safe Pull-request builds was only available for freshly created projects. Now the settings of existing projects are also adjusted automatically when a Resync is performed on the project or when Edit and Save is applied to the project.
- Pull-requests opened on Bitbucket are automatically discovered and built on Jenkins. Previously, only real branches were discovered and built.
- A Pull-request build simulates the merge from one branch into another, but takes place on Jenkins only. To really merge the Pull-request into the destination branch, one of the reviewers has to press the Merge button on Bitbucket once the review and the Pull-request builds are fine.
- The Discover branches strategy is set to all branches to prevent losing build information of the source branch. Instead, the Jenkins Shared Library avoids building new commits to the source branch if a Pull-request has already been opened. This reduces build work on Jenkins agents to 50%.
- In Scan Organization Folder Triggers, the interval for Periodically if not otherwise run is reduced from the Jenkins default of 1 day to 1 hour for quicker discovery of new git repositories. We don't recommend using lower values, since Jenkins would otherwise be busy scanning for new git repositories the whole time. If you have created a new git repository, you can click on Scan Organization Folder Now in the Bitbucket Project Folder at any time. This triggers a manual scan for git repositories. None of this is required to discover new branches or new commits; both of these changes are propagated automatically from Bitbucket to Jenkins.
Automated password rotation for implicitly created technical users
The DevOps Portal implicitly creates two technical users on each project creation. One is used by Jenkins to pull git repositories from the SCM and one is used by Jenkins to push built artifacts to Nexus OSS (if available). The mechanism was changed to use very strong passwords with 256 random bits. In addition, the passwords are now changed automatically in all 3 tools every time the project is resynced or an Edit and Save is applied to the project. Due to the increased security, we recommend running a Resync on all your projects now and repeating it at least once per year.
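The two points from the paragraph above, a password made of 256 random bits and a rotation that updates the technical user in every tool that knows it, as an added example that is not the DevOps Portal's own code. The in-memory ToolCredentialStore standing in for the tools' APIs and the all-or-nothing rollback are my assumptions about how such a rotation should behave.

```python
"""Password rotation for implicitly created technical users (added example,
not the DevOps Portal's own code).

Shows a 256-bit random password and a rotation across several tools. The
in-memory ToolCredentialStore and the rollback on failure are my own
assumptions; the real tools would be reached through their user APIs.
"""
import base64
import secrets

PASSWORD_BITS = 256


def generate_password(bits: int = PASSWORD_BITS) -> str:
    """256 bits from the OS CSPRNG, base64url-encoded without padding: 43
    printable characters that survive JSON, URLs and HTTP Basic auth."""
    return base64.urlsafe_b64encode(secrets.token_bytes(bits // 8)).decode().rstrip("=")


class ToolCredentialStore:
    """Constructed stand-in for a tool's user API (SCM, CI server, artifact repository)."""

    def __init__(self, name: str):
        self.name = name
        self.passwords = {}
        self.unreachable = False  # flip to simulate an outage during rotation

    def set_password(self, user: str, password: str) -> None:
        if self.unreachable:
            raise RuntimeError(f"{self.name}: connection refused")
        self.passwords[user] = password

    def get_password(self, user: str):
        return self.passwords.get(user)


def rotate_password(user: str, tools: list):
    """Give `user` a fresh password in every tool.

    If any tool rejects the update, the previous password is restored in the
    tools already updated, so the technical user never ends up with different
    secrets in different tools. Returns (True, new_password) or (False, None).
    """
    new_password = generate_password()
    previous = {tool.name: tool.get_password(user) for tool in tools}
    updated = []
    try:
        for tool in tools:
            tool.set_password(user, new_password)
            updated.append(tool)
    except RuntimeError:
        for tool in updated:
            tool.set_password(user, previous[tool.name])
        return False, None
    return True, new_password
```

A 43-character base64url string is longer than some tools' password limits allow; when a target enforces a shorter maximum, check it before rotation rather than silently truncating, since truncation would leave the tools out of step with each other.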
Upcoming Features
- Prepared roll-out of the Competitive Toolchain featuring
- Automated password rotation as mentioned above is also applied to the tools of the Competitive Toolchain.
- Prepared roll-out of new Portal role Creator. Portal Creators will have more power than standard Portal Users, but less than Portal Admins. The feature will be enabled in a future release.
Enhancements
- For any pending synchronization, more detailed information was added. The available values are now: ID, Entity, Operation, JSON, URL, Message, Entity Id, timestamp of the last attempt, timestamp of the first attempt and number of retries. In addition, the process of informing the service desk of DevOps-as-a-Service was improved to allow faster diagnosis of complex problems.
- New icons have been created for the DevOps portal and the DevOps tools. Where possible, they are now used as favicons or on the new Dashboard as mentioned above.
- Due to security considerations, uploads to Terms and Conditions have been restricted. The only accepted format is now PDF. The maximum file size is 2 MB. Invalid PDFs or PDFs which contain executables will not be accepted.
- The loading time of the User and Tech User pages has been improved for large amounts of entries.
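The upload restrictions for Terms and Conditions listed above (PDF only, at most 2 MB, no invalid PDFs and none carrying executable content), as an added example that is not the DevOps Portal's own code. The content checks are my own heuristics: a `%PDF-` signature, a `%%EOF` trailer, and a scan for the PDF keys that launch programs or embed files; the sample PDF bytes are constructed.

```python
"""Upload validation for Terms and Conditions (added example, not the DevOps Portal's own code).

Implements the restrictions from the release notes: PDF only, at most 2 MB, and
no PDFs carrying executable content. The content checks are my own heuristics:
a %PDF- signature, a %%EOF trailer, and a scan for the PDF keys that launch
programs or embed files (/Launch, /EmbeddedFile, /JavaScript, /JS). A scan of
raw bytes misses objects inside compressed object streams, so a production
check should run a real PDF parser on top of this.
"""
import re

MAX_UPLOAD_BYTES = 2 * 1024 * 1024
PDF_SIGNATURE = b"%PDF-"
# \b keeps "/JS" from matching unrelated keys such as "/JSON"
RISKY_KEYS = re.compile(rb"/(Launch|EmbeddedFile|JavaScript|JS)\b")


def validate_pdf_upload(data: bytes, content_type: str) -> list:
    """Return a list of rejection reasons; an empty list means the file is accepted."""
    reasons = []
    if content_type != "application/pdf":
        reasons.append("content type must be application/pdf")
    if len(data) > MAX_UPLOAD_BYTES:
        reasons.append(f"file exceeds {MAX_UPLOAD_BYTES} bytes")
    if not data.startswith(PDF_SIGNATURE):
        reasons.append("not a PDF: missing %PDF- signature")
    if b"%%EOF" not in data[-1024:]:
        reasons.append("not a valid PDF: missing %%EOF trailer")
    found = sorted({m.group(1).decode() for m in RISKY_KEYS.finditer(data)})
    if found:
        reasons.append("contains executable content: " + ", ".join("/" + k for k in found))
    return reasons


def sample_pdf(extra_objects: bytes = b"") -> bytes:
    """Constructed minimal PDF used for demonstration; not a real document."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        + extra_objects
        + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
```

The size check runs on the bytes actually received rather than on a Content-Length header, and the declared content type is checked in addition to the signature rather than instead of it, since either one alone is easy to get wrong.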
Improvements
- Project Admins can change roles or permissions for project members in the tools Jira, Confluence and Bitbucket. A Project Resync resets modified roles or permissions of project members to the exact roles defined in the Portal. This was already working for Jira and Bitbucket and has now been added for Confluence, too.
- Role Management on Nexus is now faster.
- The T-Systems logo has been updated to the current corporate design.
- Added automated testing for SonarQube.
- Added backend unit tests for Jira.
- Added earlier automated test runs on backend changes.
- Unused library removed.
- All pop-up messages are now displayed near the bottom of the page.
- To increase security, some read-only API calls that are not necessary for the operation of the portal have been removed.
- Removed support for old Rancher 1.6.
- The minimum project name length was set to 2 characters, since a 1-character name does not work properly with Jira.
- German texts for the password reset procedure have been improved.
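The Resync rule that appears several times in these notes (roles or permissions added directly in Jira, Confluence or Bitbucket are reset to the single role defined in the Portal, users without a Portal role are removed, and, per the Jenkins security fix in 1.4.1, a downgraded user loses the old, broader role instead of keeping both), as an added example that is not the DevOps Portal's own code. Role names other than MASTER, the in-memory tool state and the `exempt` parameter for a project's technical users are my assumptions.

```python
"""Role reconciliation on Project Resync (added example, not the DevOps Portal's own code).

After a Resync every member holds exactly the single role defined in the
Portal: roles added directly in the tool are revoked, members the Portal does
not know are removed, and a downgraded member loses the old role rather than
keeping both. Role names other than MASTER and the in-memory tool state are
constructed; the `exempt` set (e.g. a project's technical users) is my assumption.
"""


def reconcile_project_roles(portal_roles, tool_roles, exempt=frozenset()):
    """portal_roles: {user: role}   - the single role per member set in the Portal
    tool_roles:   {user: {roles}}  - what the tool currently grants
    Returns a list of ("revoke" | "grant", user, role). Revokes come first, so a
    tool that allows only one role per user never sees two at once."""
    ops = []
    for user, granted in sorted(tool_roles.items()):
        if user in exempt:
            continue
        wanted = portal_roles.get(user)          # None: not a project member
        for role in sorted(granted):
            if role != wanted:
                ops.append(("revoke", user, role))
    for user, wanted in sorted(portal_roles.items()):
        if user in exempt:
            continue
        if wanted not in tool_roles.get(user, set()):
            ops.append(("grant", user, wanted))
    return ops


def apply_operations(tool_roles, ops):
    """Apply the plan to a copy of the tool state and return the new state."""
    state = {user: set(roles) for user, roles in tool_roles.items()}
    for action, user, role in ops:
        if action == "revoke":
            state.get(user, set()).discard(role)
        else:
            state.setdefault(user, set()).add(role)
    return {user: roles for user, roles in state.items() if roles}
```

Because the plan is computed from the full current state of the tool rather than from the change that triggered it, running it a second time against an already reconciled project yields no operations, which is the property that makes "run Resync on all projects" safe to repeat.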
Bugfixes
- When a user was moved to another organization, it was not correctly updated in the LDAP server. This could lead later to pending syncs.
- Even on wide windows, the Account menu was cut off by some pixels on the right. The menu strip was adapted to fix the problem.
- Timestamps on some entity detail pages are no longer wrapped if not necessary.
- Click boxes for radio buttons and checkboxes were too large on some detail pages and have been adjusted.
- When a user was locked, its position in the displayed list could change. This is now avoided by applying additional sort criteria.
- When a tech user was created or deleted, an active search filter was not correctly applied to the entries on the page.
- Under some rare circumstances, a pending sync for GitLab is now avoided.