Infrastructure Team Meeting - December 09, 2025

Attendees

• @dduportal (Damien Duportal)
• @MarkEWaite (Mark Waite)
• @poddingue (Bruno Verachten)
• @hlemeur (Hervé Le Meur)

Announcements

1. Jenkins Weekly Releases
   • Last Week: 2.540 - successful - You're invited to talk on Matrix
     • Tested staging + promotion with success
     • Fixed openSUSE instruction to ensure autorefresh is enabled
   • This Week: 2.541 - planned for tomorrow (Wed. 10 Dec.) as part of the security advisory
2. Announcements:
   • ci.jenkins.io is, again, DDoSSed by dummy script or LLM
     • It’s time to enable logging in
   • Weekly trigger time: What if we trigger weeklies 6 hours earlier to fit with Jay’s timezone?
     • => Mark have not asked Tim yet. No emergency
   • Team holidays (e.g. expect slower than usual):
     • Jay is off for 3 weeks. Back on the 29 Dec. 2025.
     • Mark, Herve and Damien off from 22 Dec. 2025 afor 2 weeks, back on 5th January 2026
   • Infra Roadmap: Jenkins Roadmap
     • Current Priority: pkg.origin.jenkins.io migration
     • Roadmap deserves an update for beginning December (Herve + Damien)
     • Upcoming things not tracked by issues yet:
       • PostgreSQL to be upgraded (current managed version in Azure unsupported). Caught by Tim while working on rating
       • Docker 29.x => need an issue, but since docker-plugin fails with this version let’s put it on hold until fixed
       • Terraform 1.13 => need an issue
   • Next week: timing issue for Damien next week
     • Keep the same time, Herve and Mark will lead

Upcoming Calendar

• Next Weekly:
  • 2.541 - 2025-12-10 (tomorrow)
  • 2.542 - 2025-12-16
• Next LTS:
  • 2.528.3 - 2025-12-10 (tomorrow) - (release lead?)
  • Baseline selection is tomorrow: most probably 2.541 (no sec. backport then)
    • 2026-01-07: release candidate
    • 2026-01-21: release
• Next Security Release as per jenkinsci-advisories:
  • 2025-12-10 (tomorrow) - Core weekly and Core LTS
  • https://groups.google.com/g/jenkinsci-advisories/c/PN3lF_72LfU
• Upcoming credentials expirations (~3 weeks):
  • 2025-12-07: [Terraform Credentials] Expirations of multiple credentials (backends, API) in jenkins-infra/terraform-states · Issue #4895 · jenkins-infra/helpdesk · GitHub (forgot it last week, not a production blocker)
  • 2025-12-23:
    • [infra.ci.jenkins.io] Azure Credential for updatecli (issue to create, automatic PR: Azure AD Application password for updatecli in `infra.ci.jenkins.io` expires on `2025-12-23T00:00:00Z` by jenkins-infra-updatecli[bot] · Pull Request #1261 · jenkins-infra/azure · GitHub)
    • [infra.ci.jenkins.io] Azure Credential to deploy docs.jenkins.io (issue to create, automatic PR: New end date for `docs.jenkins.io` File Share service principal writer on `infra.ci.jenkins.io` (current: "2025-12-23T00:00:00Z") by jenkins-infra-updatecli[bot] · Pull Request #1259 · jenkins-infra/azure · GitHub)
    • [trusted.ci.jenkins.io] Azure Credential to deploy javadoc.jenkins.io (issue to create, automatic PR: Azure File Share Principal `javadoc.jenkins.io` on `trusted.ci.jenkins.io` expires on `2025-12-23T00:00:00Z` by jenkins-infra-updatecli[bot] · Pull Request #1260 · jenkins-infra/azure · GitHub)
  • 2025-12-31: [trusted.ci] Artifactory Admin Token for RPU expires (issue to create, only an artifactory admin e.g. Damien, Daniel, Darin)
    • Last renewal: [trusted.ci.jenkins.io] RPU Artifactory API token expires the `2025-10-14` · Issue #4809 · jenkins-infra/helpdesk · GitHub
  • 2026-01-02: [infra.ci.jenkins.io] Azure Credential used by Packer Image builds expires (issue to create, automatic PR is expected in 2 weeks)
    • Previous issue for rotation was: [infra.ci.jenkins.io] Azure Credential used by Packer Image builds expires the 05 November 2025 · Issue #4850 · jenkins-infra/helpdesk · GitHub
  • 2026-01-06: repo.jenkins-ci.org TLS certificate expires
    • We already have the new 1 year certificate
    • Account on myJFrog to be created for Herve so he can proceed here
• Next major event:
  • Contributor Summit + FOSDEM in Brussels, 30/31 Jan and 1st Feb
    • We have a booth for Jenkins at FOSDEM
    • Agenda for Summit is still WiP. Bring ideas (in community.jenkins.io)
    • Jenkins Contributor Summit on Jan 30, 2026 - Call for topics and ideas
    • Mark is confirming with people based on the prioritized list from the Jenkins Board

Cloud Budgets

• Azure CDF - Remaining: ~$9.0k (30 Nov.) for 2025 - monthly threshold set at $6.0k

  • September: $5.8k (invoice)
  • October: $5.5k (invoice)
  • November: $5.7k (waiting for final invoice)
  • December: $1.5k (forecast at $5.6k)

• DigitalOcean - Remaining $11,122.37 until January 02, 2026 (12 months left at current rate)

  • September: $365 (invoice)
  • October: $788.81 (invoice)
  • November: $831.38 (invoice)
  • December: $145.54 (forecast at $565)

• AWS:

  • CloudBees:

    • September: $709
    • October: $580
    • November: $530
    • December: $112 (forecast at $452)

  • Sponsored account - $65,282.32 left (30 November 2025) until 2027 ($5,282.32 until 31 Jan. 2027 and $60,000 until 31 May 2027)=> ~11 months remaining at this rate (Nov.)

    • September: $5.4k
    • October: $6.9k
    • November: $5.9k
    • December: $2.4k (forecast at $7.0k way higher than usual)
      • ci.jenkins ddos
      • ec2 plugin (still visible)
      • opportunity for an EC2 GC? (if ssh key is ci.jio’s or packer and + 6 hours age, then delete it)

• Jfrog Artifactory Usage

  • Storage: 1.49TB - steady
  • Bandwidth:
    • September: 19.31 Tb
    • October: 16.67 Tb
    • November: 15.9 Tb (yay!)
    • December: 7.7Tb (forecast at 26.5 Tb but peak in the past 3 days, so it should be way lower)

Notes

• Done:

  • Support:
    • ci.jenkins.io pages are slow to respond
      • Of course, it went back (new issue, see below)
    • Getting 403 when deploying local plugin release to repo.jenkins-ci.org
      • Root cause is a bug in RPU.
      • Issue opened on RPU: Setting up `cd: enabled: false` fails silently to create Artifactory groups and permissions · Issue #4816 · jenkins-infra/repository-permissions-updater · GitHub
    • Issue tracker redirector service
      • GitHub - jenkins-infra/docker-issue-redirect: Redirects JENKINS Jira issues to GitHub if they are migrated else to Jira
    • Admin access for Jenkins GSoC org admins to GSoC SiG Gitter channel
  • Keep infrastructure sane and maintainable:
    • Review need to have toolenv plugin installed everywhere
  • Keep infrastructure up to date:
    • Check CasC configurations on infra.ci before weekly update of plugins

• Closed as not planned:

  • Jenkins update centre is redirecting to wrong version

• Work in Progress:

  • Keep infrastructure sane and maintainable:

    • Setup permissions for Herve and Jay:
      • Required permissions and access for lemeurherve and jayfranco999 to operate on Kubernetes upgrades
        • new permissions are effective, but need to be documented (@hervelemeur)
    • Required permissions and access for lemeurherve to update CloudFlare R2 tokens of updates.jenkins.io
      • Required to finish [trusted.ci.jenkins.io] Update Center credential for Cloudflare R2 expires on 2025-12-04 to have Herve rotating this credential autonomously
      • Already done: credential generation script (for trusted.ci crawler and UC jobs)
      • Todo this week: Cloudflare access for Herve, trusted.ci access for Herve

  • Keep infrastructure up to date:

    • [Terraform Credentials] Expirations of multiple credentials (backends, API) in jenkins-infra/terraform-states

      • Azure done to unblock AKS upgrade mentioned below
      • WiP on Cloudflare, then DigitalOcean (setting up Herve access, then he can renew credentials here autonomously)
      • Then we’ll have to plan the others

    • Upgrade to Kubernetes 1.33

      • EKS done
      • AKS: infra.ci.jenkins.io agents done yesterday
      • Next steps (privatek8s and then publick8s) after the security advisory

    • ci.jenkins.io is responding slowly

      • We closed previous issue last week. Result: we’ve been “ddos-ed” again Sunday.
      • Let’s revive the subject “enforce login on ci.jenkins.io”. @dduportal to create new issue in the new milestone, referencing this one, the old one (and others maybe) and reopen Hevre’PR on Puppet

    • Add support for Windows 2025 agents

      • Still random errors with 2022 on 2025 due to Docker CE on Windows, WiP

  • Delayed (waiting for LTS 2.528.3 to be published):

    • dnf5 update fails with gpgcheck=1
    • https://get.jenkins.io/war-stable/latest/ does not point to latest stable release
    • [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s
    • Bunch of bad links on https://updates.jenkins.io/ and https://get.jenkins.io

  • Delayed (due to priority work on Core packaging/security release and Kube 1.33/Windows 2025/Permissions setup for SREs):

    • Set up 2.539+ CSP protection on weekly.ci.jenkins.io, remove csp plugin and associated configuration
    • Setup a job/set of jobs to allow performing maintenance operations (cron, GCs of resources, etc.)
      • [get.jenkins.io,mirrors.updates.jenkins.io] Resume GeoIP database weekly update
      • Ensure the BOM cache filler runs successfully and is easier to use and monitor
      • [staging.pkg.origin.jenkins.io/staging.get.jenkins.io] Garbage collect the inactive branches
    • [incrementals.jenkins.io/ci.jenkins.io] Outage of incrementals due to releasebot user’s API token reset
    • github-jenkinsci-permissions-report.json hasn’t been updated since Sep 12
    • [stats.jenkins.io/infra-statistics] Move “data for the usage stats site” generation (from anonymized data) out from Andrew machine

  • Jira to Github issues migration:

    • Migrate core components issues to GitHub
    • Migrate core issues to GitHub

  • [release.ci.jenkins.io/trusted.ci.jenkins.io] Ensure Core Package build only copy package indexes/websites to pkg.origin.jenkins.io VM

    • Staging has been tested and JenSec team is ok to use it. Of course we might run into some unknowns (concurent weekly/LTS, unified RPM on weekly but not on LTS, first security process with staging, first LTS with RPM generated on release.ci agent, etc.): there will be hiccups and room for improvements.
    • Once LTS is release, we’ll be able to close this issue (Definition of Done is only createrepo run on release.ci. Any issue/improvement on staging will be a subject for issues in jenkinsci/packaging and/or jenkins-infra/release).

• Issues staying in backlog/triage:

  • Inform of Ingress NGINX Retirement in March 2026
  • Automated process for a plugin maintainer to request migration from Jira to GitHub issues
  • [Azure Deprecation] Convert your OS disks to Standard SSD or Premium SSD before 8 September 2028
  • [Azure] Merge webservices data storage accounts into a single one with NFS v4.1
  • [updates.jenkins.io] set up mirrorbits to keep serving update-center from mirrors even if outdated
  • private docker image registry for staging core security releases
  • [Azure]: credentials less Service Principal
  • Tracking Issue for Groovy Script Conversion in RPU
  • Tombstone Puppet (and replace it by something else)
  • Chinese jenkins site incorrect site redirection
  • Add a real-world job to weekly.ci.jenkins.io
  • [ci.jenkins.io] Monitor and Garbage collect data volume of the DockerHub registry mirror and EC pull through cache
  • Move collection of stats out from Kohsuke’s home
  • Support [skip ci] on default branch
  • Create build for jenkinsci/winp on release ci server
  • [Update Center] HTTP/404 on /current/updates/*.json* links
  • Add monitoring for CD secrets updates
  • Add .war.asc to get.jenkins.io
  • Monitor builds on our private instances (trusted.ci.jenkins.io / infra.ci.jenkins.io / release.ci.jenkins.io)
  • [INFRA-3046] Monitor Jenkins mirrors Age

• Issues added to the next milestone:

  • [repo.jenkins-ci.org (Artifactory)] TLS certificates expires on 2026-01-24
    • Requires setting up access to Herve on the myjfrog backend and on godaddy
    • TLS certificate is already there, thanks @en3hD3iMRx6_6IXLNY0Rag!