Infrastructure Team Meeting - January 06, 2026

Attendees

• @dduportal (Damien Duportal)
• @jayfranco999 (Jay Reddy)
• @MarkEWaite (Mark Waite)
• @smerle33 (Stéphane Merle)
• @hervelemeur (Hervé Le Meur)

Announcements

1. Jenkins Weekly Releases
   • Two weeks ago: 2.543, using new GPG key
   • Last Week: 2.544, introducing JDK25 Docker images packaging
   • This Week: 2.545, with the Docker image packaging introducing Windows Server 2022 image replacing the 2019 one
2. Announcements:
   • Jenkins Digicert Code Signing Certificate expires in 4 months: [pkg.jenkins.io/release.jenkins.io] Certificate signing the MSI Jenkins package expires on 16 May 2026 · Issue #4923 · jenkins-infra/helpdesk · GitHub
     • New delivery system requires a physical token
     • Mark started investigation to use Microsoft’s GitHub action with a signing certificate instead
     • Try a GitHub project in packaging repository
     • Will need a different delivery process
   • New GPG signing key
     • Used since the 2.543 Weekly release, pending the 2.541.1 LTS for closure
     • [pkg.jenkins.io/release.ci.jenkins.io] Jenkins Packaging GPG key expires on the 26 March 2026 · Issue #4922 · jenkins-infra/helpdesk · GitHub
     • Jenkins 2.543 and 2.541.1: New Linux Repository Signing Keys
     • Changelog
   • pkg.origin.jenkins.io VM has been migrated from CloudBees AWS to Azure On December 21 2025
     • Details: https://github.com/jenkins-infra/helpdesk/issues/3705
     • No issues reported or detected
     • No additional costs detected on Azure (as we discovered, during the migration, and fixed 2 behaviors which were generating bandwidth)
     • Final step: cleaning up (keeping the data in our archive system)
   • Infra Roadmap: Jenkins Roadmap
     • New priorities:
       • Add support for Windows 2025 and deprecated 2019
       • Get rid of Puppet (in favor of Ansible)
       • JDK25 as runtime for our controllers
     • Roadmap deserves an update for beginning 2026 (Herve + Damien)
   • Team capacity:
     • Damien off for ~6 weeks on the first February, maybe earlier

Upcoming Calendar

• Next Weekly: 2.546
• Next LTS: 2.541.1-rc on 7th January 2026, 2.541.1 on 21th January 2026
  • Huge release with many change on infra/packaging part: unified RPM, packages staging, new GPG key
• Next Security Release as per jenkinsci-advisories: none announced
• Upcoming credentials expirations (~3 weeks):
  • 2026-01-24: repo.jenkins-ci.org TLS certificate expires
    • We already have the new 1 year certificate
    • Account on myJFrog created for Herve so he can proceed here
    • [repo.jenkins-ci.org (Artifactory)] TLS certificates expires on `2026-01-24` · Issue #4893 · jenkins-infra/helpdesk · GitHub
  • 2026-01-21: Update Center generation fails as the certificate is 30 days before expiration => Damien
    • Previous rotation: Update-center / crawler root certificate expires the 03th of April 2025 (failing job the 3th of March 2025) · Issue #4555 · jenkins-infra/helpdesk · GitHub
    • helpdesk issue to be created
    • Note: we can temporarily resume Update Center by decreasing the 30 days threshold in trusted.ci.jenkins.io freestyle job if we are stuck
  • 2026-01-27: VPN CRL expires => Herve
    • previous renewal: [private.vpn.jenkins.io] 2025-08-08 (August 2025) VPN CRL expires · Issue #4742 · jenkins-infra/helpdesk · GitHub
    • helpdesk issue to be created
  • 2026-01-28: Expiration of the Digital Oceans PATs used by Terraform on infra.ci.jenkins.io => Jay
    • previous renewal: [infra.ci.jenkins.io] 2025-10-30 Expiration of the Digital Oceans PATs used by Terraform · Issue #4849 · jenkins-infra/helpdesk · GitHub
    • helpdesk issue to be created
• Next major event:
  • Contributor Summit + FOSDEM in Brussels, 30/31 Jan and 1st Feb
    • We have a booth for Jenkins at FOSDEM
    • Agenda for Summit is still WiP. Bring ideas (in community.jenkins.io)
    • Jenkins Contributor Summit on Jan 30, 2026 - Call for topics and ideas
    • Mark is confirming with people based on the prioritized list from the Jenkins Board

Cloud Budgets

• Azure CDF - Remaining: $24.000k for 2026 - monthly threshold set at $6.0k (good until May)

  • September: $5.8k (invoice)
  • October: $5.5k (invoice)
  • November: $5.7k (invoice)
  • December: $5.4k (invoice, previously forecasted at $6k)
  • January: $0.9k (forecast at $4.2k)

• DigitalOcean - Remaining $10,633.61 until January 02, 2027 (12 months left at current rate)

  • September: $365 (invoice)
  • October: $788.81 (invoice)
  • November: $831.38 (invoice)
  • December: $454.60 (invoice, previously forecasted at $585)
  • January: $60.35 (forecast at ~$375)

• AWS:

  • CloudBees:

    • September: $709
    • October: $580
    • November: $530
    • December: $384
    • January: $47 (forecast at $296)

  • Sponsored account - $65,282.32 left (30 November 2025) until 2027 ($5,282.32 until 31 Jan.
    2027 and $60,000 until 31 May 2027)=> ~11 months remaining at this rate (Nov.)

    • September: $5.4k
    • October: $6.9k
    • November: $5.9k
    • December: $10.7 (previously forecasted at $9.5k way higher than usual)
      • Initial hypothesis (end of 2025)
        • ci.jenkins ddos
        • ec2 plugin (still visible)
        • opportunity for an EC2 GC? (if ssh key is ci.jio’s or packer and + 6 hours age, then delete it)
          • Issue to create and prioritize => Mark
      • Main increase related to ec2, from $1.4k in November vs $6.1k in December
        • All other resource type consumptions remained quite constant
        • Issue to create
    • January: $1.8k (forecast at $11.1k way higher than usual)

• Jfrog Artifactory Usage

  • Storage: 1.53TB - steady
  • Bandwidth:
    • September: 19.31 Tb
    • October: 16.67 Tb
    • November: 15.9 Tb (yay!)
    • December: 30.34Tb (almost doubled since November, previously forecasted at 24.5Tb)
      • A single IP address consumed 12Tb in December
      • JFrog didn’t block this address until this month (unless this consumer changed its IP?)
    • January: 2.64Tb (no forecast, not enough data yet)

Notes

• Done:

  • Support
    • Update ‘component’ description of issue creation form
    • [ci.jenkins.io] Ensure s390x permanent agent has every required tools to build docker images
      • Issue to improve our monitoring of this permanent agent to be created
    • [trusted.ci.jenkins.io] RPU fails due to expired Azure credential for reports.jenkins.io bucket
    • https://get.jenkins.io/war-stable/latest/ does not point to latest stable release
    • usage-in-plugins doesn’t run daily
    • Migrate core components issues to GitHub
    • Gradle plugin uses a proprietary dependency
  • Keep infrastructure sane and maintainable
    • [trusted.ci.jenkins.io] Remove the need for Azure credentials to publish javadoc.jenkins.io
      • Now running in credential-less
      • Next step: merge in common storage (we can now use rsync): [Azure] Merge webservices data storage accounts into a single one with NFS v4.1 · Issue #4767 · jenkins-infra/helpdesk · GitHub
    • Add back lemeurherve to @jenkins-infra/ci-maintainers team
    • Required permissions and access for lemeurherve and jayfranco999 to operate on Kubernetes upgrades
    • [release.ci.jenkins.io/trusted.ci.jenkins.io] Ensure Core Package build only copy package indexes/websites to pkg.origin.jenkins.io VM
    • Required permissions and access for lemeurherve to update CloudFlare R2 tokens of updates.jenkins.io
    • [Azure]: credentials less Service Principal
  • Keep infrastructure up to date
    • [release.ci.jenkins.io] Azure Credentials for Core Release (Vault access) expires the 2026-01-12
    • [infra.ci.jenkins.io] Azure Credential used by Packer Image builds expires the 01 February 2026
    • [trusted.ci.jenkins.io] RPU Artifactory API token expires the 2025-12-31
    • [trusted.ci.jenkins.io] Update Center credential for Cloudflare R2 expires on 2025-12-04

• Closed as not planned:

  • The mirrors.jenkins-ci.org is missing some necessary metadata files, which prevents it from being added as an apt/yum repo
    • Was for a user in Chine, they confirmed it works for them using another technique, no more constraint on our side anymore

• Work in Progress:

  • Waiting for LTS 2.541.1 release
    • [pkg.jenkins.io] Unify RPM Jenkins packages (RedHat/OpenSUSE)
    • [pkg.jenkins.io/release.ci.jenkins.io] Jenkins Packaging GPG key expires on the 26 March 2026
    • Add .war.asc to get.jenkins.io
  • Support
    • qualys-cs plugin bundles closed-source library
      • JenSec has some follow up tasks on this one before closing
    • Hosting of CSP compatibility “microsite” repo
      • Proposed a solution to Daniel, waiting for his reply (using reports.jio/xxx instead of GH Pages,anubis allowing later proper integration in jenkins.io doc)
    • Spot reclamation caused build failures in core build
      • Solution written in the issue, need to act
      • Was on hold due to pkg, we can resume
    • ci.jenkins.io is responding slowly
      • Was on hold, might be back
      • Let’s resume though process: Forcing login? Putting a protection front (Cloudflare, Anubis, etc.)
    • Set up 2.539+ CSP protection on weekly.ci.jenkins.io, remove csp plugin and associated configuration
      • On hold: let’s wait for 2.541.1 (but right before as it requires JCasC change)
    • Bunch of bad links on https://updates.jenkins.io/ and https://get.jenkins.io
      • Resuming brainstorming on this one (where is the HTML source and how is it delivered)
    • [incrementals.jenkins.io/ci.jenkins.io] Outage of incrementals due to releasebot user’s API token reset
      • One last minor task (storing password in SOPS)
    • github-jenkinsci-permissions-report.json hasn’t been updated since Sep 12
      • On hold
    • Github Copilot organisation space
      • On hold (no infra action required)
    • Migrate core issues to GitHub
      • On hold (no infra action required)
  • Keep infrastructure sane and maintainable
    • [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s
      • [pkg.origin.jenkins.io] puppet agent keeps updating the GPG
    • [stats.jenkins.io/infra-statistics] Move “data for the usage stats site” generation (from anonymized data) out from Andrew machine
      • On hold: need to resume work
    • [docker-openvpn] Track OpenVPN User Certificate Expiration with updatecli
    • Required access for jayfranco999 and lemeurherve On Azure CDF
      • Closeable (all access are granted for now)
  • Keep infrastructure up to date
    • Add support for Windows 2025 agents
      • No (good) update since last time on the “Run 2022 container in 2025 host”
        • One last try: avoid using the local NVMe
      • Resuming work on the “add 2025 only” and then use them as latest
    • [infra.ci.jenkins.io] Azure Credential to allow writing to reports.jenkins.io expired on 2025-12-23
      • Closeable
    • Renew ci.jenkins.io API token for incremental-publisher service before 10 January 2026
      • Damien need to provide reproduction in the Core issue
    • [repo.jenkins-ci.org (Artifactory)] TLS certificates expires on 2026-01-24
      • To be worked by Herve and Damien in pair
    • [pkg.jenkins.io/release.jenkins.io] Certificate signing the MSI Jenkins package expires on 16 May 2026
      • See discussion above
  • “Infra Crons”: resuming work
    • [staging.pkg.origin.jenkins.io/staging.get.jenkins.io] Garbage collect the inactive branches
    • [get.jenkins.io,mirrors.updates.jenkins.io] Resume GeoIP database weekly update
    • Ensure the BOM cache filler runs successfully and is easier to use and monitor
    • Setup a job/set of jobs to allow performing maintenance operations (cron, GCs of resources, etc.)

• Issues staying in backlog/triage:

  • Upgrade to Kubernetes 1.34
  • Inform of Ingress NGINX Retirement in March 2026
  • Automated process for a plugin maintainer to request migration from Jira to GitHub issues
  • [Azure Deprecation] Convert your OS disks to Standard SSD or Premium SSD before 8 September 2028
  • [Azure] Merge webservices data storage accounts into a single one with NFS v4.1
  • [updates.jenkins.io] set up mirrorbits to keep serving update-center from mirrors even if outdated
  • private docker image registry for staging core security releases
  • Tombstone Puppet (and replace it by something else)
  • Chinese jenkins site incorrect site redirection
  • Add a real-world job to weekly.ci.jenkins.io
  • [ci.jenkins.io] Monitor and Garbage collect data volume of the DockerHub registry mirror and EC pull through cache
  • Move collection of stats out from Kohsuke’s home
  • Support [skip ci] on default branch
  • Create build for jenkinsci/winp on release ci server
  • [Update Center] HTTP/404 on /current/updates/*.json* links
  • Add monitoring for CD secrets updates
  • Monitor builds on our private instances (trusted.ci.jenkins.io / infra.ci.jenkins.io / release.ci.jenkins.io)
  • [INFRA-3046] Monitor Jenkins mirrors Age

• Issues added to the next milestone:

  • docs.jenkins.io nginx configuration leaks the nginx version
  • Add NotMyFault to uplink
  • Make Kris Stern an admin for all docs-related Jenkins repos
  • decomission (or rename) docs.jenkins.io?
  • [trusted.ci.jenkins.io] Add arm64 agent templates
  • Add new members to gsoc team
  • Internal Server Error when trying to log in to Uplink