(bug 1585135) The fix in 18.0.2 is updated to replace all escaped newlines in the GITHUB_PRIVATE_PEM config, not just the first.
(bug 1585135) The github.private_pem configuration in GITHUB_PRIVATE_PEM can now be specified with "regular" newlines or with encoded newlines (\n).
This works around a bug in the generation of multiline secrets present in the Mozilla deployment pipeline.
No changes
[MAJOR] (bug 1583935) Administrative scopes for worker pools are now worker-manager:manage-worker-pool:<workerPoolId>.
Existing worker-manager:{create,update}-worker-type:<workerPoolId> scopes are no longer recognized.
[minor] (bug 1323871) Taskcluster now issues scopes based on repo access for Github logins. Static clients need to be updated in deployments.
(bug 1582376) Taskcluster now uses the AMQP server's value for frame_max, rather than enforcing its own limit of 4k.
The server level should be configured to 128k.
This is the default for RabbitMQ, so in most cases no change is required.
[MAJOR] (bug 1561905)
1. Static clients need to be updated in deployments.
2. The web-server service now requires Azure credentials configured for login to work properly, namely AZURE_ACCOUNT_ID, AZURE_SIGNING_KEY, and AZURE_CRYPTO_KEY.
3. For a third party to get TC credentials, it first needs to have a client registered in the deployment of the web-server service. This is governed by the REGISTERED_CLIENTS configuration. See https://docs.taskcluster.net/docs/manual/deploying/third-party for the shape of a client.
[MAJOR] (#1260) Google provider in worker-manager now requires you to manually set up a service account for your workers to run under. If you are migrating from a previously deployed worker-runner, you can just use the account we created for you automatically before. It always had the name taskcluster-workers.
Your config will change in the following way:
# Old
providers:
  google-project:
    providerType: google
    project: ...
    creds: ...
    instancePermissions:
      - ...
      - ...
# New
providers:
  google-project:
    providerType: google
    project: ...
    creds: ...
    workerServiceAccountId: ...
(#778) User-created clients are regularly scanned, and disabled if the owning user no longer has the relevant scopes. Such users are now also disabled if the owning user has been removed from the identity provider.
(#1216) Users of taskcluster-ui are now logged out if they are not logged-in in the eyes of web-server. This would avoid having web-server be out-of-sync when restarted for example.
[minor] (bug 1561320) Taskcluster deployments now support sentry error reporting. You can configure this option by setting an errorConfig at the top-level of your config:
rootUrl: ...
errorConfig:
  reporter: SentryReporter
  dsn: <your sentry dsn>
Errors will be reported to this project and tagged with service/process names in addition to taskcluster release version.
(bug 1574656) Worker-pool configurations for google-based providers now accept a workerConfig property, which is passed to new workers.
The existing userData property is deprecated.
[minor] (bug 1572775)
- All lib-loader setup functions now get passed their own name to allow logging more usefully.
- There is now a document in dev-docs explaining recommended monitoring practices.
[minor] (bug 1553953) The workerType identifier now has a more restrictive pattern:
- consisting of lower-case alphanumeric plus dash (-)
- from 1 to 38 characters long
- beginning with a lower-case alphabetic character
- ending with a lower-case alphanumeric character (not a dash)
Any worker types not matching this pattern will no longer function as of this version.
This is considered a minor change because no known workerTypes (aside from some internal testing workerTypes) violate this pattern.
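A pre-upgrade audit for the workerType rules listed above, as an added example that is not Taskcluster's own code. The regular expression is derived from the four listed rules rather than copied from the project's schema, and the function names and sample workerTypes are constructed.

```javascript
// Added example: not from the Taskcluster repository. The pattern below is
// derived from the four rules in the changelog entry (an assumption, not the
// project's schema text).
const WORKER_TYPE_PATTERN = /^[a-z]([-a-z0-9]{0,36}[a-z0-9])?$/;

// Report which of the listed rules a workerType breaks, one message per rule.
function workerTypeProblems(workerType) {
  const problems = [];
  if (workerType.length < 1 || workerType.length > 38) {
    problems.push('must be 1 to 38 characters long');
  }
  if (/[^a-z0-9-]/.test(workerType)) {
    problems.push('only lower-case alphanumerics and dash are allowed');
  }
  if (!/^[a-z]/.test(workerType)) {
    problems.push('must begin with a lower-case letter');
  }
  if (!/[a-z0-9]$/.test(workerType)) {
    problems.push('must end with a lower-case alphanumeric (not a dash)');
  }
  return problems;
}

// Map each non-conforming workerType to the rules it breaks.
function auditWorkerTypes(names) {
  const failing = {};
  for (const name of names) {
    const problems = workerTypeProblems(name);
    // The per-rule checks and the single pattern must always agree.
    if ((problems.length === 0) !== WORKER_TYPE_PATTERN.test(name)) {
      throw new Error(`rule checks and pattern disagree on ${JSON.stringify(name)}`);
    }
    if (problems.length > 0) {
      failing[name] = problems;
    }
  }
  return failing;
}

// Constructed sample input: two conforming names and four that will stop working.
const SAMPLE = ['gecko-1-b-linux', 'a', 'Win2012', 'test-', '1-decision',
  'a' + 'b'.repeat(38)];
console.log(auditWorkerTypes(SAMPLE));
```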
[minor] (bug 1572764) The go client doesn't log the full request in case of an error anymore.
It logs only the method, hostname, port and response body. It logs the full request when the environment variable TASKCLUSTER_DEBUG is defined.
[minor] (#1190) Updates a number of config variables including:
- Setting pulse-namespace per service is no longer supported
- Services that no longer use aws directly no longer take credentials
- Setting table names for secrets, notify, and hooks services is no longer supported
The name of the hooks last fires table has changed so you must update your static client scopes in your deployment from including auth:azure-table:read-write:${azureAccountId}/LastFire to auth:azure-table:read-write:${azureAccountId}/LastFire3.
[MAJOR] (bug 1552970) The auth.gcpCredentials method no longer modifies the granting service account.
Instead, that service account must be configured with the "Service Account Token Creator" role prior to deployment of Taskcluster.
The format of configuration for these credentials has changed as well, now taking GCP_CREDENTIALS_ALLOWED_PROJECTS.
See the deployment documentation for more information.
[MAJOR] (bug 1570723) The deployment configuration value ui.ui_login_strategy_names is now required.
It should be a space-separated list of the names of the strategies in web_server.ui_login_strategies.
[minor] (#1140) Add Chain of Trust documentation for taskcluster worker implementations and maintenance.
[minor] (#1062) The taskcluster cli rerun action now takes a --force option. It will refuse to rerun non-exception, non-failed tasks without --force.
(#1108) The development process has been improved to use kubectl directly instead of helm. Helm is still used to render templates because we need to support it.
[MAJOR] The web-server application no longer generates a JWT when logging in. It uses sessions to keep track of users.
The JWT_KEY configuration variable in web-server should be replaced with SESSION_SECRET which is used to compute the session hash.
[MAJOR] (#1005) There is now a checked-in helm chart in infrastructure/k8s. Using this anyone should be able to deploy taskcluster by just setting up the configuration.
To facilitate this, some environment variables for configuring services have changed:
- All services now take AZURE_ACCOUNT_ID instead of AZURE_ACCOUNT or AZURE_ACCOUNT_NAME
- Hooks takes AZURE_CRYPTO_KEY and AZURE_SIGNING_KEY instead of TABLE_CRYPTO_KEY and TABLE_SIGNING_KEY
[minor] (#1084) The Dockerfile for the Taskcluster services is now checked-in rather than generated at build time. It has been reordered so that changes to things other than package.json won't re-install packages.
Include generated APIs in python package.
[minor] Pulse messages now include a task's tags for better classification of the messages that are received.
[minor] (bug 1563545) The apiMethod log structure has been updated so that it now splits out query params into their own field and only logs the useful part of paths for resources.
[minor] (bug 1558345) The experimental workerManager.credentialsGoogle API method has been removed and replaced with a similar but more provider-agnostic workerManager.registerWorker method.
[minor] (bug 1523807) The taskcluster command-line interface (taskcluster-cli) has been incorporated into the main repository and will be released with the same version numbers as the Taskcluster services.
[minor] The web-server application now uses CORS headers to limit access to the /graphql and /subscription endpoints to requests from the root URL origin.
An additional, optional configuration value, ADDITIONAL_ALLOWED_CORS_ORIGIN, provides a way to allow additional origins.
If it begins and ends with /, it is treated as a regular expression, allowing matching e.g., pull-request draft deployments.
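How the string-versus-regular-expression rule for ADDITIONAL_ALLOWED_CORS_ORIGIN plays out when reviewing a setting, as an added example that is not web-server's own code. It assumes the text between the slashes is compiled as written, so anchoring and dot-escaping are left to the operator; the function names, origins and patterns are constructed.

```javascript
// Added example: not Taskcluster's web-server code. Function names and all
// sample origins and patterns below are constructed for illustration.
function originMatcher(rootUrl, additional) {
  const rootOrigin = new URL(rootUrl).origin;
  let extra = () => false;
  if (additional) {
    const isRegex = additional.length > 2 &&
      additional.startsWith('/') && additional.endsWith('/');
    if (isRegex) {
      // Assumption: the pattern is compiled exactly as configured, so an
      // unanchored pattern matches anywhere inside the Origin header value.
      const re = new RegExp(additional.slice(1, -1));
      extra = origin => re.test(origin);
    } else {
      // Plain strings are compared for exact equality.
      extra = origin => origin === additional;
    }
  }
  return origin =>
    typeof origin === 'string' && (origin === rootOrigin || extra(origin));
}

// Return the subset of candidate origins that a given setting would allow.
function allowedOrigins(rootUrl, additional, candidates) {
  return candidates.filter(originMatcher(rootUrl, additional));
}

const ROOT_URL = 'https://tc.example.com';
const CANDIDATES = [
  'https://tc.example.com',                             // root URL origin
  'https://pr-12.tc-drafts.example.com',                // intended draft deployment
  'https://pr-12.tc-drafts.example.com.other.example',  // extra suffix after the host
  'https://pr-12xtc-drafts.example.com',                // differs where a dot was unescaped
];

// Unanchored, dots unescaped: accepts all four candidates.
const LOOSE = '/https://pr-\\d+.tc-drafts.example.com/';
// Anchored at both ends, dots escaped: accepts only the first two.
const STRICT = '/^https:\\/\\/pr-\\d+\\.tc-drafts\\.example\\.com$/';

console.log('loose :', allowedOrigins(ROOT_URL, LOOSE, CANDIDATES));
console.log('strict:', allowedOrigins(ROOT_URL, STRICT, CANDIDATES));
```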
[minor] What was previously the /worker-pools-errors/:workerPoolId API route is now spelled /worker-pool-errors/:workerPoolId.
This endpoint is still experimental so while this might someday be a breaking change, it is currently considered minor.
[minor] (bug 1563341) Worker-manager now allows getting workers by worker group and singly by worker ID, and creating and removing workers (for some providers). The static provider uses this capability to manage static workers, each authoritatively identified by a shared secret.
(bug 1547077) Emails now use the modern Taskcluster logo
The GRAPHQL_SUBSCRIPTION_ENDPOINT config for taskcluster-ui can now have scheme http or https instead of ws/wss.
This allows easier generation of this configuration as ${TASKCLUSTER_ROOT_URL}/subscription.
The existing schemas are still accepted so no configuration change is required.
With the proper scopes, github repositories can now override the default scheduler. Adding custom schedulerId to the task definition while using github's Statuses API might break the status reporting functionality of tc-github in the case of successful build. Therefore, this only works with experimental checks status reporting.
[minor] The AWS Provisioner and Provisioner views are no longer available, as the AWS provisioner itself will be removed in favor of the worker manager service.
[minor] (bug 1560649) The Go client is now hosted in the repository together with the services and other clients, and co-versioned with them. See the docs.
[minor] (bug 1559471) The web-server configuration for sign-in now requires a single JWT HS256 key (JWT_KEY) instead of a public/private key (JWT_PRIVATE_KEY/JWT_PUBLIC_KEY).
Changes are now recorded in the CHANGELOG.md file.
(bug 1547729) Hook fire attempts are now logged using structured logging, including when a hook "declines" to create a task.
(bug 1556526) The workerManager.updateWorkerType API method now allows extra fields such as lastModified, making read-modify-write usages easier to implement.
The search box in the log viewer now searches on enter.
The task group inspector now shows the full task name.
(bug 1558346) Workers can now report errors directly to the worker manager for display in the worker-manager UI.
Changes were not tracked for older releases of Taskcluster