Release Manual 9.8.x

Upgrade instructions

For upgrade instructions, refer to Upgrade Deploy.

Digital.ai Deploy 9.8.0

Digitalai Deploy 9.8.0 is a short-term support (STS) version that will be supported until it is superseded by the next STS or long-term support (LTS) version. For more information, refer to Short-term support/Long-term support policy.

Digital.ai Deploy 9.8.0 new features

Improved OpenID Connect (OIDC) authentication

OpenId Connect (OIDC) authentication integration now comes with lot of new security enhancements. nonce parameter has been added now to prevent replay attacks. Also, Proof Key for Code Exchange (PKCE) support has been added.

keyRetrievalSchedule is not required anymore. Customer can safely remove this from their xl-deploy.conf file.

A new postLogoutRedirectUri has been added for post-logout URL which will replace post_logout_redirect_uri query parameter. If you have added post_logout_redirect_uri query parameter in your redirectUri uri, remove query parameter and set it as postLogoutRedirectUri.

xl {
  security {
    auth {
      providers {
        oidc {
          ...
          logoutUri="https://oidc.example.com/auth/realms/xl-deploy/protocol/openid-connect/logout"
          redirectUri="https://xl-deploy.example.com/login/external-login"
          postLogoutRedirectUri="https://xl-deploy.example.com/login/external-login"
        }
      }
    }
  }
}

Customers can now customise ID Token signature algorithm using new idTokenJWSAlg parameter as described below. The default algorithm for signature verification is RS256.

xl {
  security {
    auth {
      providers {
        oidc {
          ...
          idTokenJWSAlg="<The ID token signature verification algorithm>"      
        }
      }
    }
  }
}

Below JSON Web Algorithms (JWA) are currently supported:

Value Digital Signature or MAC Algorithm
RS256 RSASSA-PKCS1-v1_5 using SHA-256
RS384 RSASSA-PKCS1-v1_5 using SHA-384
RS512 RSASSA-PKCS1-v1_5 using SHA-512
ES256 ECDSA using P-256 and SHA-256
ES384 ECDSA using P-384 and SHA-384
ES512 ECDSA using P-521 and SHA-512
PS256 RSASSA-PSS using SHA-256 and MGF1 with SHA-256
PS384 RSASSA-PSS using SHA-384 and MGF1 with SHA-384
PS512 RSASSA-PSS using SHA-512 and MGF1 with SHA-512
HS256 HMAC using SHA-256
HS384 HMAC using SHA-384
HS512 HMAC using SHA-512

Note: For MAC based algorithms such as HS256, HS384 or HS512, the clientSecret corresponding to the clientId is used as the symmetric key for signature verification.

High Availability

Digital.ai Deploy now supports high availability. This will allow users to setup a Active/ Hot standby mode. Where when the primary node goes down the standby system can be brought up immediately. Also, now openshift/kubernetes has support to add multiple nodes as workers to split load across resources.

Support for Helm charts

Digital.ai Deploy now integrates with Helm charts via plugins. Now you users will be able to deploy Helm charts as part of their deployments. Both Helm version 2 and 3 are supported. User can customize the registry from which these charts can be retrieved.

Support for Openshift

Digital.ai Deploy now integrates with Openshift via plugins. Users will be able to add/remove/update pods, services, etc. Both openshift 3.x and 4.x is supported.

Tasks enhancements

Digital.ai Deploy now would be able to better handle tasks when it stops abruptly. Also reports now have a filtering mechanism based on task ID, status, etc.

Deploy Stitch (BETA)

Stitch is a new capability of digital.ai Deploy that provides a declarative way to customize configuration files for deployments of bespoke applications and commercial of the shelf components (COTS). It is designed for the world of cloud and containers, and builds on top of Deploy concepts of UDM model, types, rules engine and plugins.

Using Stitch, teams can:

  • Create modular configuration customizations by DevOps experts, and store their vetted version in a git repository
  • Share and reuse vetted customizations, so that everyone can benefit from the knowledge of cloud and container experts
  • Take advantage of declarative rules system to specify when and how customizations should be applied to deployments, in a way that scales for future use
  • Use Deploy’s GUI to preview how specific deployments configurations will be customized

This current release of Stitch capability is strictly a Beta release and has not been certified for production use. Customers must not use the Beta version of Stitch in a production context. Beta software are offered in an “as-is” basis, and Digital.ai disclaims any liability, warranties, indemnities, and conditions, whether express, implied, statutory or otherwise.

Password upgrader

Digital.ai Deploy now re-encrypts the AES-128 encrypted legacy passwords, with the new and more secure AES-256 encryption.

Lock plugin

The XLD Lock plugin is an XL Deploy plugin that adds capabilities for preventing simultaneous deployments. This plugin is now part of the product from the community. Moving forward you can file any bugs via support for this plugin.

Contact XebiaLabs Support if you have hotfixes

If you have hotfixes installed, contact the XebiaLabs support team before upgrading.

Digital.ai Deploy 9.8.0 release notes

New features

  • [DEPL-16117] - Roles & Permissions Report (Global and Folder Level) - Generate and make available for download (Additional Filtering)
  • [DEPL-16265] - Show stitch invocations when preparing a deployment in stitch preview
  • [DEPL-16290] - Show text diff for each invocation
  • [DEPL-16302] - Show processors and rules on stitch preview screen that affected the deployment
  • [DEPL-16328] - Show stitch diff per individual processor
  • [DEPL-16329] - Show metadata of processor invocation
  • [DEPL-16331] - Link from processor metadata to rule definition in workbench
  • [DEPL-16337] - Rename “Stitch Source” to “Sources” and also on the page rename “source” to “sources”
  • [DEPL-16340] - Have conditions that evaluate based on the content of the stitch invocation
  • [DEPL-16352] - Document stitch preview
  • [DEPL-16353] - Display macro or processor definition in case it was in external file
  • [ENG-1382] - Patch Jython library - XLD
  • [ENG-1500] - Remove deprecated spring-security-oauth library
  • [ENG-1501] - Add nonce to prevent replay attacks in OpenID Connect
  • [ENG-1502] - Add PKCE Support for OpenID Connect
  • [ENG-1503] - Add configuration to select id token signature algorithm with OpenID Connect
  • [ENG-1506] - Fix and Test New OpenID Connect Implementation with XL Deploy
  • [ENG-2082] - Make it possible to switch off “active users” page
  • [ENG-2128] - File copy step should be able to retry connection on failure

Improvements

  • [DEPL-16224] - Indicate which worker is executing the plan on the deployment screen
  • [DEPL-16294] - SpEL expressions should be evaluated in processors
  • [DEPL-16300] - Enhance logging of source sync control task
  • [DEPL-16351] - Consider improving generator properties for stitch generated YAMLs
  • [ENG-1744] - Keep keystore and truststore configuration when ssl and mutualssl flag value are toggled off
  • [ENG-1746] - Add an upgrader to update legacy password values in XL Deploy
  • [ENG-2034] - Improve Rule details popup

Bug fixes

  • [DEPL-14656] - Disallow assigning same dictionary to an environment multiple times
  • [DEPL-15982] - Focus isn’t set on the Name during creation of the infrastructure CI
  • [DEPL-16146] - Upgrade jQuery to >= 3.5.0
  • [DEPL-16220] - Fix OIDC plugin
  • [DEPL-16267] - Unable to rollback the failed deployment of successive application versions
  • [DEPL-16319] - Task state becomes “Queued” even if master didn’t manage to send a message to JMS
  • [ENG-1036] - Update third party component with known vulnerabilities
  • [ENG-1374] - Security fixes for docker images
  • [ENG-1585] - Improvise External worker documentation to accommodate prerequisites
  • [ENG-1655] - [Fix] taskWorkerAuthenticationProvider should work for non admin users with LDAP configuration
  • [ENG-1771] - Remove zone index from IPv6
  • [ENG-1983] - Windows sequential tests not running.
  • [ENG-2196] - Export report button is disabled for Audit report(non admin user)
  • [ENG-838] - Cannot run wsadmin with daemon via Telnet because of “IOException: Read end dead”

Known issues

  • [ENG-1483] - Unable to connect XL-deploy and Artemis cluster with UDP address
  • [ENG-1960] - Web Sockets do not work on master worker setup for deployment/undeployment