SPIRL System Releases
Latest Assets
Asset | Type | Latest Release Version | Location |
---|---|---|---|
SPIRL System Helm Chart | Helm Chart | 0.21.0 | oci://ghcr.io/spirl/charts/spirl-system:0.21.0 |
SPIRL Agent | Container Image | 0.21.0 | ghcr.io/spirl/spirl-agent:v0.21.0 |
SPIRL Controller | Container Image | 0.21.0 | ghcr.io/spirl/spirl-controller:v0.21.0 |
SPIRL Agent | AMD64 Debian Package | 0.21.0 | https |
SPIRL Agent | ARM64 Debian Package | 0.21.0 | https |
Reflector | Container Image | 0.21.0 | ghcr.io/spirl/reflector:v0.21.0 |
Additionally, the SPIRL Agent uses the SPIFFE CSI Driver and CSI Node Driver Registrar at the following pinned versions:
Asset | Type | Latest Release Version | Location |
---|---|---|---|
SPIFFE CSI Driver | Container Image | v0.2.3 | ghcr.io/spiffe/spiffe-csi-driver:0.2.3 |
CSI Node Driver Registrar | Container Image | v2.6.0 | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0 |
Release Notes
spirl-system 0.21.0
Bug Fixes
- Reflector now accepts startup arguments for ConnectionMaxAge and UseGRPCFastRedial and includes those when initializing its TD server client
- spirl-system Helm chart configuration values for ConnectionMaxAge and UseGRPCFastRedial are copied from the agent.endpoint section when deploying the Reflector
Enhancements
- Reflector-enabled clusters don't count reflectors as agents
- Reflector-enabled clusters correctly issue agent heartbeats
- Reflector can now be configured with a Pod Disruption Budget to ensure health during maintenance activities
spirl-system 0.20.0
Enhancements
- spirldbg: Adds identity-exchange-token flag to svid-jwt and svid-x509 commands to support OIDC JWT attestation for CI/CD clusters
- Updated EC2 instance identity certificates
- Reflector supports multiple upstream endpoints in priority order
- Reflector logs serving from cache at Info level
spirl-system 0.19.0
Enhancements
- Azure Key Vault: a validation check is now performed during key wrapping initialization to verify that keys support the required 256-bit AES-GCM algorithm, failing fast when an incompatible key is encountered.
- Reflector replica count and resource requests/limits can now be customized in Helm chart
spirl-system 0.18.0
Breaking Changes
- Removed deprecated GetTrustBundle API from trust domain server. SPIRL agent v0.3.0 (released Jul 19, 2023) and newer use a different API and therefore are unaffected by this change.
spirl-system 0.17.1
All changes in this release are internal only
spirl-system 0.17.0
Enhancements
- Attribute allow lists can now be configured through the chart.
- Use the RSA-2048 instance verification method to attest AWS EC2 instances.
- Reflector supports managing a self-signed CA
- Make it possible to set additional labels for the agent pod in the spirl-system chart.
spirl-controller 0.6.1
All changes in this release are internal only
spirl-system-helm-chart 0.9.0
Enhancements
- SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
- Prometheus scraping annotations are added as pod annotations if telemetry is enabled
- Upgrades SPIFFE CSI driver to version 0.2.7.
- Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
spirl-agent 0.16.0
- SPIRL agents will now generate app info Prometheus metrics including trust domain and trust domain deployment as labels.
- SPIRL server and agent now include three labels in the generated Prometheus metrics that can be used for filtering and dashboard building. gRPC metrics include spirl_component (agent | server), spirl_trust_domain (trust domain name), and spirl_trust_domain_deployment (trust domain deployment name) as labels. In addition, a new metric (spirl_application_info) is generated during initialization; it includes the aforementioned labels and the binary version.
- Add a flag to have the agent test and wait for the kubelet pod list API to become available during startup
spirl-system-helm-chart 0.8.0
Enhancements
- You can now specify imagePullSecrets for all pods in the Helm chart.
- Introduces a useGRPCFastRedial endpoint configuration option to spirl-agent that will trigger faster redialing of the endpoint when using DNS based load balancers.
- Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
- Annotation collection on Kubernetes collections is now supported using the includeAnnotations option
spirl-agent v0.15.1
Enhancements
- Introduces a useGRPCFastRedial endpoint configuration option to spirl-agent that will trigger faster redialing of the endpoint when using DNS based load balancers.
- Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
- Annotation collection on Kubernetes collections is now supported using the includeAnnotations option