SPIRL System Releases
Latest Assets
| Asset | Type | Latest Release Version | Location |
|---|---|---|---|
| SPIRL System Helm Chart | Helm Chart | 0.25.0 | oci://ghcr.io/spirl/charts/spirl-system:0.25.0 |
| SPIRL Agent | Container Image | v0.25.0 | ghcr.io/spirl/spirl-agent:v0.25.0 |
| SPIRL Controller | Container Image | v0.25.0 | ghcr.io/spirl/spirl-controller:v0.25.0 |
| SPIRL Agent | AMD64 Debian Package | 0.25.0 | https |
| SPIRL Agent | ARM64 Debian Package | 0.25.0 | https |
| SPIRL Agent | AMD64 RPM Package | 0.25.0 | https |
| SPIRL Agent | ARM64 RPM Package | 0.25.0 | https |
| Reflector | Container Image | v0.25.0 | ghcr.io/spirl/reflector:v0.25.0 |
Additionally, the SPIRL Agent uses the SPIFFE CSI Driver and CSI Node Driver Registrar at the following pinned versions:
| Asset | Type | Latest Release Version | Location |
|---|---|---|---|
| SPIFFE CSI Driver | Container Image | v0.2.3 | ghcr.io/spiffe/spiffe-csi-driver:v0.2.3 |
| CSI Node Driver Registrar | Container Image | v2.6.0 | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0 |
Release Notes
spirl-system 0.25.0
Security Fixes
- Updates Golang to 1.25.2 to address CVEs (see Advisory 1 and Advisory 2)
Enhancements
- td-server: Adds a flag `--events-service-server-name` to override the server name when connecting to the events service. This is useful when connecting via PrivateLink.
- SVIDIssuedEvents requests support filtering by issuer type, issuer ID, agent ID, SVID type, and SPIFFE ID.
spirl-system 0.24.0
Enhancements
- Adds new `--realm` flag to `spirlctl cluster add` to add a cluster within a realm.
- Updated AWS EC2 instance certificates (added "ap-southeast-6" region)
- Allow CSI driver and SPIRL Controller to be disabled when installing SPIRL System Helm chart.
spirl-system 0.23.0
Breaking Changes
- Removes flags `jwt-attestation-issuer`, `jwt-attestation-jwks-url`, and `supplemental-attestation`. CI/CD Profiles can now be configured by linking a CI/CD Profile to a cluster using the `LinkCICDProfile` method.
Bug Fixes
- Fix version reporting in health events.
- Agent heartbeats generated by the Reflector correctly include the agent version
Enhancements
- Add support for custom JWT claims in JWT-SVIDs via a JWT customization template.
- Reduced Reflector error log noise
- No longer log expected resource storage conflicts during sync as errors.
- Adds `x-forwarded-for` and `x-request-id` to the logs when present in a gRPC connection
- Reflectors now send their own heartbeats, at a low rate, in addition to agent heartbeats
- No longer emit a misleading error log related to reloading metadata during normal shutdown
- Added "cache_hit" to the spirl_reflector_mint_svid_total metric, allowing tracking of % of requests that could be served from cache
- Added affinity to the Reflector chart (reflector.deployment.affinity)
spirl-system 0.22.3
Enhancements
- Adds supplemental roots file for JWT Attestation to spirl-system helm chart
spirl-system 0.22.2
Bug Fixes
- Fix reflector metrics port exposure when telemetry is enabled
Enhancements
- Improved error messages on invalid cluster key secret
- Signers will now distinguish Reflectors and Agents if both use distinct authentication keys
spirl-system 0.22.1
Enhancements
- Reflector credentials can now optionally be omitted when enabling the Reflector; if omitted, the Reflector uses the Agent credentials
spirl-system 0.22.0
Enhancements
- Improves service configuration change reactivity
- TD Servers can now authenticate Reflectors separately from Agents
- Added the spirl_reflector_mint_svid_total prometheus counter to the Reflector
- Updated EC2 instance identity certificates
- Install data CRD on Helm chart upgrades.
- Added HPA support for the Reflector
- Reflector returns better error codes when the upstream trust domain server rejects the login attempt
- Reflectors now use their own credentials when connecting to the TD server instead of using the Agent credentials
spirl-system 0.21.0
Bug Fixes
- Reflector now accepts startup arguments for ConnectionMaxAge and UseGRPCFastRedial and includes those when initializing its TD server client
- spirl-system Helm chart configuration values for ConnectionMaxAge and UseGRPCFastRedial are copied from the agent.endpoint section when deploying the Reflector
Enhancements
- Reflector enabled clusters don't count reflectors as agents
- Reflector enabled clusters correctly issue agent heartbeats
- Reflector can now be configured with a Pod Disruption Budget to ensure health during maintenance activities
spirl-system 0.20.0
Enhancements
- spirldbg: Adds `identity-exchange-token` flag to `svid-jwt` and `svid-x509` commands to support OIDC JWT attestation for CI/CD clusters
- Updated EC2 instance identity certificates
- Reflector supports multiple upstream endpoints in priority order
- Reflector logs serving from cache at Info level
spirl-system 0.19.0
Enhancements
- Azure Key Vault: a validation check is now performed during key wrapping initialization to verify that keys support the required 256-bit AES-GCM algorithm, failing fast when an incompatible key is encountered.
- Reflector replica count and resource requests/limits can now be customized in Helm chart
spirl-system 0.18.0
Breaking Changes
- Removed deprecated `GetTrustBundle` API from trust domain server. SPIRL agent v0.3.0 (released Jul 19, 2023) and newer use a different API and therefore are unaffected by this change.
spirl-system 0.17.1
All changes in this release are internal only
spirl-system 0.17.0
Enhancements
- Attribute allow lists can now be configured through the chart.
- Use the RSA-2048 instance verification method to attest AWS EC2 instances.
- Reflector supports managing a self-signed CA
- Make it possible to set additional labels for the agent pod in the spirl-system chart.
spirl-controller 0.6.1
All changes in this release are internal only
spirl-system-helm-chart 0.9.0
Enhancements
- SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
- Prometheus scraping annotations are added as pod annotations if telemetry is enabled
- Upgrades SPIFFE CSI driver to version 0.2.7.
- Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
spirl-agent 0.16.0
- SPIRL agents will now generate app info prometheus metrics including trust domain and trust domain deployment as labels.
- SPIRL server and agent now include three labels in the generated Prometheus metrics that can be used for filtering and dashboard building. gRPC metrics include spirl_component (agent | server), spirl_trust_domain (trust domain name), and spirl_trust_domain_deployment (trust domain deployment name) as labels. Besides that, a new metric (spirl_application_info) is generated during initialization, it also includes the aforementioned labels and the binary version as well.
- Add a flag to have the agent test and wait for the kubelet pod list API to become available during startup
spirl-system-helm-chart 0.8.0
Enhancements
- You can specify imagePullSecrets now for all pods in the helm chart.
- Introduces a useGRPCFastRedial endpoint configuration option to spirl-agent that will trigger faster redialing of the endpoint when using DNS based load balancers.
- Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
- Annotation collection on Kubernetes collections is now supported using the `includeAnnotations` option
spirl-agent v0.15.1
Enhancements
- Introduces a useGRPCFastRedial endpoint configuration option to spirl-agent that will trigger faster redialing of the endpoint when using DNS based load balancers.
- Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
- Annotation collection on Kubernetes collections is now supported using the `includeAnnotations` option