Infrastructure Team Meeting - April 21, 2026

Name: 2026 04 21 Jenkins Infra Meeting
Uploaded: 2026-04-24T06:00:26Z
Description: [2026 04 21 Jenkins Infra Meeting] Attendees :busts_in_silhouette: @lemeurherve (Hervé Le Meur) @jayfranco999 (Jay Reddy) @MarkEWaite (Mark Waite) @dduportal (Damien Duportal) Chamod Pe...

dduportal · April 24, 2026, 6:00am

Attendees

@lemeurherve (Hervé Le Meur)
@jayfranco999 (Jay Reddy)
@MarkEWaite (Mark Waite)
@dduportal (Damien Duportal)
Chamod Perera

Announcements

Jenkins Weekly Releases
- Last Week: 2.559
  - Infrastructure issue, delayed the image of 2 hours (packer image)
- This Week: 2.560
  - Everything went fine
Announcements:
- Jenkins Digicert Code Signing Certificate expires in May: [pkg.jenkins.io/release.jenkins.io] Certificate signing the MSI Jenkins package expires on 16 May 2026 · Issue #4923 · jenkins-infra/helpdesk · GitHub
  - Mark successfully used LF’s signing system locally
  - Started to implement in our release process.
    - Short term: using Azure credential provided by LF.
      - WiP on Windows agent environment (tools: dotnet 8, etc.) dedicated for signing only (slower build, faster to test and implement)
    - Medium term: move Windows environment (build AND signing) to our all-in-one VM (faster build, less maintenance)
    - Long term: add OIDC on release.ci with a public issuer endpoint to allow credential-less signing with LF (safer for them)
  - Proposed calendar:
    - Targeting new signing for weekly 2.561 on 28 April
    - Then 2.552.2 LTS on 13 May
- Incoming updates:
  - (Critical) Incoming Java patch campaign
  - (Important) Node JS 24.x
    - packer image is on 22, need to be bumped
    - GHA are deprecating NodeJS 20 actions (security-scan, CD releases, and helpdesks)
  - (Important) Docker CE 29+
    - Should fix Windows issues
    - If it breaks plugins CI builds, then they must bump their docker-client API version
    - ATH is already using 29.x in their nested Docker engines
  - (Nice to have) Maven 3.9.15
    - 3.9.14 was delayed. let’s jump directly to 3.9.15.
  - (Nice to have) Helm v4
- Team capacity:
  - Herve is off this Friday and next week
- Priorities:
  - Infra Roadmap: Jenkins Roadmap
    - Damien to update for Feb/March/April/May
  - Current topics:
    - MSI signing renewal
      - Absolute top priority
    - Azure Sponsored Subscription 2026: utilizes the 100k$ credits for the Jenkins Infrastructure
    - Windows 2025/2022/2019
    - Maven 4 RC/GA
    - (add to roadmap): weekly.ci.jenkins.io as public live demo
      - add real-world job on weekly.ci.jenkins.io
    - Proposed priorities:
      - stats.jenkins.io stale data
      - Get rid of puppet

Upcoming Calendar

Next infra meeting: 2026-04-28
Next Weekly: 2026-04-28 - 2.561
- Targeting new MSI signing
- Hoping release-drafter fixed (as per Herve’s feedback in Elements jenkinsci/release)
Next LTS: 2026-05-13 - 2.555.2 - Release Lead: Mark Waite
- RC: 2026-04-29
- Targeting new MSI signing
- Note: Infra team to update the release checklist as per their feedbacks. 2 focus points: timing and release.ci build (parsing/failing/parent/child)
Next Security Release as per jenkinsci-advisories: N/A
Upcoming credentials expirations (~3 weeks):
- 2026-05-01: Azure Credential used by Packer Image builds (issue to be created) => Damien + Jay
- 2026-05-13: NPM token used by infra.ci.jenkins.io (issue to be created)
- 2026-05-14: Netlify token used by infra.ci.jenkins.io (issue to be created)
- 2026-05-15: Azure File Share Credentials for (contributors|stats|plugins).jenkins.io websites used by infra.ci.jenkins.io (issue to be created)
Next major event:
- cdCon May 18-20 in Minesota, Mark will be controller of ceremonies!

Cloud Budgets

Azure (CDF paid)
- February: $6.4k (invoice)
- March: $5.6k (invoice)
- April: $2.5k (forecasted at $3.7k)
  - Cost reduction effort is paying
  - Additional cost reductions are still ongoing
Azure Sponsored subscription (Microsoft Credits): $94,534 credits left
- March: $1847 (invoice)
- April: $3.6k (forecasted at $5.2k)
- TODO: expiration date? (Damien)
DigitalOcean - Remaining $8,761.11 until January 02, 2027 (~11 months left at current rate)
- February: $565.03 (invoice)
- March: $423.63 (invoice)
- April: $558.89 (forecasted at $798)
AWS:
- Sponsored account, credits left: $13,880.67 until 05/31/2027, and $60k until 01/31/2028
  - February: $11.1k (invoice)
  - March: $14.0k (invoice)
  - April: $9.8k (forecasted at $15.0k)
    - Still high (EC2 plugin bug, BOM, non spots, old instance family, bandwidth)
JFrog Artifactory Usage
- Storage: 1.83 Tb
  - Slight increase, no need to check (too small)
- Bandwidth:
  - February: 17.46 Tb
  - March: 27.24 Tb
  - April: 30.23 Tb (forecasted at ~44 Tb)
    - Mark/Damien needs to warn JFrog about the heavy use in March and April
    - Mark needs to review the recent log analysis

Notes

Done:
- Keep infrastructure up-to-date
- Keep infrastructure sane and maintainable:
  - [trusted.ci.jenkins.io] Set up a “common” Resource Group and subnet with shared resources in the sponsored subscription
- Support:
  - Permission to merge approved blogposts for Jenkins.io
Closed as not planned:
- Add automated releases for jenkinsci/label-linked-jobs-plugin
Work in Progress:
- Keep infrastructure sane and maintainable:
  - Azure Sponsored Subscription 2026: utilizes the 100k$ credits for the Jenkins Infrastructure
    - [trusted.ci.jenkins.io] Run permanent agent in the sponsored subscription
      - We can’t move existing VM and datadisk across subscription as it may change their zone, making our setup non functional once moved.
      - We are back to the plain old migration style: new VM, new disk, then we do rsyncs between old and new VM (with snashpot/disk to avoid network)
      - WiP on the new VM creation (terraform, then puppet, then initial rsync)
      - Handover on Thursday morning if needed
  - Monitor builds on our private instances (trusted.ci.jenkins.io / infra.ci.jenkins.io / release.ci.jenkins.io)
    - Issue reported by Adrien, wip on the fix. Caused by ci.jenkins.io should not report build status to build.reports.jenkins.io (it is a public controller)
      - ci.jenkins.io is not scoped in this issue
    - trusted.ci jobs:
      - update-center is a freestyle job, eg. no library. Set up to use a post build shell calling directly the publication script. Works well.
    - release.ci:
      - infra-agent-health job is now publishing its build status report
    - next steps:
      - report build status for kubernetes-management (PR opened) => team
      - then add builds in datadog to add them to the monitor => Jay
  - [Uplink,Rating,PHS,Keycloak] Postgres version 13 will lose standard Azure support on March 31, 2026. Upgrade now to avoid extended support charges starting August 1, 2026.
    - Server side: Damien to prepare upgrade
    - Client side (requirement):
      - rating and uplink are ok
      - PHS: waiting for a PR to verify postgres client version, but current production version should work with recent versions
        
        Update postgres to 17.9 by lemeurherve · Pull Request #833 · jenkins-infra/plugin-health-scoring · GitHub
      - Last one: Keycloak. Should be a quick one.
  - [ci.jenkins.io] Require authentication for read access
    - No work done
    - WiP on the Badge status (need view permission)
  - Move docker controller images publication job from trusted.ci.jenkins.io to release.ci.jenkins.io
    - No work done
    - On hold, back to backlog
  - Add Datadog tags to our instance agents and controllers to improve alerting
    - Closeable, work finished
  - [release.ci.jenkins.io] Avoid filling the JENKINS_HOME
    - No work done
  - [(status|contributors|stats|docs|stories|cn|jenkins-io-components).jenkins.io, Websites PR previews] Netlify billing plan changed: evaluate and act
    - Damien need to resume work on this
  - Optimise cost and maintainance by merging Windows 2022 and Windows 2025 templates
    - No work done
    - On hold, back to backlog
- Support
  - Search fails on the plugins site
    - Algolia unblocked our application
    - We are way passed our thredhold (109%) => Damien needs to check billing
    - search is back to work since 4 days
    - Index is updated again since yesterday
    - Short term: use API key rate limit and see what Algolia can do to us
    - Long term: should we host the index ourselves (see Herve’s comment)? Alternative?
  - Checks pending for gatsby-plugin-jenkins-layout
    - No work done
  - Provide Managing access to Plugin spotinst-plugin)
    - Most probably closing as “not planned”
  - Spot instance failure not retried - ci.jenkins.io - core build
    - No work done
  - Stop mirroring incrementals from ACP
    - No work done
  - Tests stuck for new contributors of Contributor Spotlight repo
    - No work done
- Keep infrastructure up-to-date:
  - [pkg.jenkins.io/release.jenkins.io] Certificate signing the MSI Jenkins package expires on 16 May 2026
  - Update Jira LTS from 10.3.x to 11.3.x
    - Infra team to add operation on status.jenkins.io
  - Drop Windows 2019 support
    - On hold, back to backlog
Issues staying in backlog/triage:
Next milestone: GitHub · Where software is built
Azure login fails during plugin-health-scoring build
- main branch Jenkins build status is in progress but not build was triggered
- msbuild not available on ci.jenkins.io Windows agent for winp build process

Topic	Replies	Views
Infrastructure Team Meeting - April 28, 2026 Infrastructure meeting , sig-infra	23	April 28, 2026
Infrastructure Team Meeting - January 06, 2026 Infrastructure meeting , sig-infra	44	January 8, 2026
Infrastructure Team Meeting - December 16, 2025 Infrastructure meeting , sig-infra	37	December 16, 2025
Infrastructure Team Meeting - April 14, 2026 Infrastructure meeting , sig-infra	25	April 14, 2026
Infrastructure Team Meeting - January 13, 2026 Infrastructure meeting , sig-infra	24	January 19, 2026