
SPIRL Server Releases

Latest Assets

Asset                   | Type            | Latest Release Version | Location
SPIRL Server Helm Chart | Helm Chart      | 0.29.0                 | oci://ghcr.io/spirl/charts/spirl-server:0.29.0
SPIRL Server            | Container Image | v0.29.0                | ghcr.io/spirl/spirl-server:v0.29.0

Release Notes

spirl-server 0.29.0

Warning

There is a bug in the Kubernetes SDK version used in spirl-server v0.29.0: it assumes an internal client supports a feature that isn't available in Kubernetes versions before v0.35.0. As a result you may see warning logs like:

Warning: event bookmark expired" err="external/gazelle++go_deps+io_k8s_client_go/tools/cache/reflector.go:289: hasn't received required bookmark event marking the end of initial events stream, received last event 25m58.807068771s ago

This warning has no impact on the server's functionality, since the server falls back to an older feature that works. To remove the warning you can set the following environment variable in the Helm Chart values:

trustDomainDeployment:
  deployment:
    env:
      KUBE_FEATURE_WatchListClient: "false"

Bug Fixes

  • Bugfix: In multiple services, "RST_STREAM" errors were logged at a high rate when streams routinely disconnected and reconnected; those logs are now emitted at the "warn" level

Enhancements

  • Add workload attester extension information to SVID Issued event
  • Adds a helm chart parameter image.pullCredentials to specify a raw username and password used to log in to a registry. The username and password must be provided in the form base64("<username>:<password>").
  • Allow DevID path template to be configurable in policy
  • Workload attestation webhooks (server side) now support HTTPS with TLS certificate validation
  • Added bearer token authentication for webhook endpoints using Kubernetes service account tokens
  • Added metrics tracking for X.509 and JWT SVID minting operations
  • SVID minting success/failure rates now exported via Prometheus
  • SVID minting duration metrics available for performance monitoring
  • Added dedicated health server on port 8086 (configurable via --health-listen-addr)
  • Health check endpoints moved to /live (liveness) and /ready (readiness) on the new health server
  • Deprecated health endpoints on metrics server (port 9090) remain for backwards compatibility
  • Updated Kubernetes readiness and liveness probes to use the new health server

spirl-server 0.28.0

Bug Fixes

  • Increase the ttlSecondsAfterFinished to 5 minutes on the jobs triggered during the Helm install of the server.
  • Bugfix: In the agent, "context canceled" errors were logged at a high rate during gRPC connection swaps when connections reached maximum age or during failover; connection swaps now happen transparently without logging errors
  • Fix an issue where agents/reflectors/servers emit invalid spirl_application_info metrics with empty values, out of date values, or the invalid value spirl.public.

Enhancements

  • SPIFFE ID templates now support forward slashes in attribute tags, enabling Kubernetes label names with slashes (e.g., kubernetes.pod.label[app.kubernetes.io/name]).

spirl-server 0.27.1

All changes in this release are internal only.

spirl-server 0.27.0

Enhancements

  • Add POC support to custom workload attribute attestation through two complementary extension mechanisms: centralized webhook-based extensions in the Server, and distributed executable-based extensions in the Agent.
  • When available, adds x-forwarded-for header to span tags.

Security Fix

  • Updates Golang to 1.25.5 to address CVE-2025-61729 and CVE-2025-61727

spirl-server 0.26.0

Bug Fixes

  • gRPC logger now logs "finished call" messages at INFO level when the request completes with OK status.

Documentation

  • The region field in agent and server logs has been renamed to deploymentName to better reflect its meaning.

Enhancements

  • spirlctl and SPIRL Go SDK now support filtering clusters by realm when listing
  • Add ability to configure Agent Attestation for new and existing clusters

Security Fix

spirl-server 0.25.0

Enhancements

  • Logs related to the same request can be correlated across components using trace_id
  • gRPC client errors (NotFound, AlreadyExists, InvalidArgument, Unauthenticated) are now logged at Warn level instead of Info

spirl-server 0.24.0

Security Fixes

Enhancements

  • Adds a flag --events-service-server-name to override the server name when connecting to the events service. This is useful when connecting via PrivateLink.
  • Adds an optional flag --relay-server-name and corresponding helm chart value to set the server name in the TLS connection to the signer-relay. This is helpful when connecting over PrivateLink.

spirl-server 0.23.0

Enhancements

  • Add full HTTP proxy support to spirl-server configurable through HTTP_PROXY, HTTPS_PROXY and NOPROXY environment variables.
  • Reduced Signer-made Agent heartbeat interval to 1m

spirl-server 0.22.5

Enhancements

  • Adds support for using provider attributes with JWT claims customization
  • Signers now prefer using their internal events buffer, if possible, to forward Reflector events
  • Reflectors now send their own heartbeats, at a low rate, in addition to agent heartbeats

spirl-server 0.22.4

Bug Fixes

  • Fix version reporting in health events.

Enhancements

  • No longer emit a misleading error log related to reloading metadata during normal shutdown
  • Add support for custom JWT claims in JWT-SVIDs via a JWT customization template.
  • No longer log expected resource storage conflicts during sync as errors.
  • Adds helm value for Job annotations

spirl-server 0.22.3

Bug Fixes

  • Fix reflector metrics port exposure when telemetry is enabled

Enhancements

  • Adds x-forwarded-for and x-request-id to the logs when present in a gRPC connection
  • Signers will now distinguish Reflectors and Agents if both use distinct authentication keys
  • Improved error messages on invalid cluster key secret

spirl-server 0.22.2

Enhancements

  • Improves service configuration change reactivity
  • Reflector returns better error codes when the upstream trust domain server rejects the login attempt
  • TD Servers can now authenticate Reflectors separately from Agents
  • Added the spirl_reflector_mint_svid_total prometheus counter to the Reflector
  • Updated EC2 instance identity certificates
  • Reflector enabled clusters don't count reflectors as agents
  • Reflector enabled clusters correctly issue agent heartbeats
  • Azure Key Vault: a validation check is now performed during key wrapping initialization to verify that keys support the required 256-bit AES-GCM algorithm, failing fast when an incompatible key is encountered.
  • Adds a field in the values file to allow additional annotations for the service account

spirl-server 0.21.0

Breaking Changes

  • Removed deprecated GetTrustBundle API from trust domain server. SPIRL agent v0.3.0 (released Jul 19, 2023) and newer use a different API and therefore are unaffected by this change.
  • signer: CraftGlobalBundle accepts cached up-to-date bundle from CP in case the TDD was offline for a long time

Enhancements

  • Event system may choose to flush events in a shorter interval in the case of a full buffer

spirl-server 0.20.0

Bug Fixes

  • Fixed a bug where the TD server was not properly filling in the ExpiresAt field when minting JWT SVIDs. This only impacts the API between Agent and Signer and the JWTs themselves had proper expiration fields present.

Enhancements

  • Attribute allow lists can now be configured through the chart.
  • Adds an API that reflectors will use to obtain cluster configuration.
  • Use the RSA-2048 instance verification method to attest AWS EC2 instances.
  • Rename AWS IMDSv2 provider attribute names, e.g. provider.aws.account_id -> aws.account.id and provider.aws.instance_id -> aws.ec2.instance.id

spirl-server-helm-chart 0.15.0

Enhancements

  • SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
  • Prometheus scraping annotations are added as pod annotations if telemetry is enabled
  • SPIRL server and agent now include three labels in the generated Prometheus metrics that can be used for filtering and dashboard building. gRPC metrics include spirl_component (agent | server), spirl_trust_domain (trust domain name), and spirl_trust_domain_deployment (trust domain deployment name) as labels. In addition, a new metric (spirl_application_info) is generated during initialization; it carries the same labels plus the binary version.
  • Add the ability to configure horizontal pod autoscaler in the server chart

spirl-server v0.19.1

Enhancements

  • SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
  • Prometheus scraping annotations are added as pod annotations if telemetry is enabled
  • SPIRL agents will now generate app info prometheus metrics including trust domain and trust domain deployment as labels.
  • td-server: add a self-refreshing cache that bundles the aws requests to save aws API quota

spirl-server-helm-chart 0.14.0

Bug Fixes

  • Fix issue where imagePullSecrets resulted in invalid Kubernetes objects.

Enhancements

  • Add Pod Disruption Budget to the server deployment.
  • You can now specify resources for the Venafi Firefly integration sidecar.

spirl-server v0.18.0

Bug Fixes

  • Fixed a bug loading data CR encryption keys generated before the 0.17.1 release.
  • Improved data CR garbage collection accuracy
  • Improved data CR resiliency under CPU throttled conditions

Enhancements

  • Improved reporting and recovery when data CRs are missing

spirl-server-helm-chart 0.13.0

Enhancements

  • Add GCP KMS integration into spirl-server allowing it to use GCP KMS encryption for locally stored, sensitive data.
  • Trust domain server metrics collection and telemetry server can now be toggled and configured with new helm chart values. Refer to https://d.spirl.com/configuration/spirl-system-telemetry for more information.
  • Add Azure KeyVault integration into spirl-server allowing it to use Azure KeyVault encryption for locally stored, sensitive data.
  • Use the latest spirl-server image release, version 0.17.1, by default when installing via Helm chart.

spirl-server 0.17.1

Bug Fixes

  • Add a dedicated timeout during startup for how long to wait for initial x509source to initialize
  • Avoids use of cached attestation if we're missing required attributes
  • Fix a bug which can in some conditions lead to high CPU usage when an unrecoverable error occurs.

Enhancements

  • Update to go 1.24
  • Add Azure KeyVault integration into spirl-server allowing it to use Azure KeyVault encryption for locally stored, sensitive data.
  • Add GCP KMS integration into spirl-server allowing it to use GCP KMS encryption for locally stored, sensitive data.
  • Trust domain server metrics collection and telemetry server can now be toggled and configured with new helm chart values. Refer to https://d.spirl.com/configuration/spirl-system-telemetry for more information.
  • spirl-agent and td-server: the td-server will challenge the agent with the type of provider attestation and the agent will respond to that (overrides the agent flag)
  • td-server: support attesting agents running in aws ec2 instances in multi regions

spirl-server-helm-chart 0.12.0

  • Adds support for Kubernetes topologySpreadConstraints.
  • Improves graceful shutdown behavior.
  • Adds the createRoles property to allow giving an existing service account the necessary roles.

spirl-server v0.16.0

  • Added a back-off mechanism to the cache of the SPIRL server improving resiliency.
  • Federated bundles are now synced during unified-access operations.
  • Improved the way we build multi-arch production images.
  • Improved graceful shutdown behavior.