SPIRL Server Releases
Latest Assets
| Asset | Type | Latest Release Version | Location | 
|---|---|---|---|
| SPIRL Server Helm Chart | Helm Chart | 0.24.0 | oci://ghcr.io/spirl/charts/spirl-server:0.24.0 | 
| SPIRL Server | Container Image | v0.24.0 | ghcr.io/spirl/spirl-server:v0.24.0 | 
Release Notes
spirl-server 0.24.0
Security Fixes
- Updates Golang to 1.25.2 to address CVEs (see Advisory 1 and Advisory 2)
Enhancements
- Adds a flag `--events-service-server-name` to override the server name when connecting to the events service. This is useful when connecting via PrivateLink.
- Adds an optional flag `--relay-server-name` and a corresponding Helm chart value to set the server name in the TLS connection to the signer-relay. This is helpful when connecting over PrivateLink.
spirl-server 0.23.0
Enhancements
- Add full HTTP proxy support to spirl-server, configurable through the `HTTP_PROXY`, `HTTPS_PROXY` and `NOPROXY` environment variables.
- Reduced Signer-made Agent heartbeat interval to 1m
spirl-server 0.22.5
Enhancements
- Adds support for using provider attributes with JWT claims customization
- Signers now prefer using their internal events buffer, if possible, to forward Reflector events
- Reflectors now send their own heartbeats, at a low rate, in addition to agent heartbeats
spirl-server 0.22.4
Bug Fixes
- Fix version reporting in health events.
Enhancements
- No longer emit a misleading error log related to reloading metadata during normal shutdown
- Add support for custom JWT claims in JWT-SVIDs via a JWT customization template.
- No longer log expected resource storage conflicts during sync as errors.
- Adds helm value for Job annotations
spirl-server 0.22.3
Bug Fixes
- Fix reflector metrics port exposure when telemetry is enabled
Enhancements
- Adds `x-forwarded-for` and `x-request-id` to the logs when present in a gRPC connection
- Signers will now distinguish Reflectors and Agents if both use distinct authentication keys
- Improved error messages on invalid cluster key secret
spirl-server 0.22.2
Enhancements
- Improves service configuration change reactivity
- Reflector returns better error codes when the upstream trust domain server rejects the login attempt
- TD Servers can now authenticate Reflectors separately from Agents
- Added the spirl_reflector_mint_svid_total prometheus counter to the Reflector
- Updated EC2 instance identity certificates
- Reflector enabled clusters don't count reflectors as agents
- Reflector enabled clusters correctly issue agent heartbeats
- Azure Key Vault: a validation check is now performed during key wrapping initialization to verify that keys support the required 256-bit AES-GCM algorithm, failing fast when an incompatible key is encountered.
- Adds a field in the values file to allow additional annotations for the service account
spirl-server 0.21.0
Breaking Changes
- Removed the deprecated `GetTrustBundle` API from the trust domain server. SPIRL agent v0.3.0 (released Jul 19, 2023) and newer use a different API and therefore are unaffected by this change.
- signer: CraftGlobalBundle accepts cached up-to-date bundle from CP in case the TDD was offline for a long time
Enhancements
- Event system may choose to flush events in a shorter interval in the case of a full buffer
spirl-server 0.20.0
Bug Fixes
- Fixed a bug where the TD server was not properly filling in the ExpiresAt field when minting JWT-SVIDs. This only impacts the API between Agent and Signer; the JWTs themselves had proper expiration fields present.
Enhancements
- Attribute allow lists can now be configured through the chart.
- Adds an API that reflectors will use to obtain cluster configuration.
- Use the RSA-2048 instance verification method to attest AWS EC2 instances.
- Rename AWS IMDSv2 provider attribute names, e.g. `provider.aws.account_id` -> `aws.account.id`, `provider.aws.instance_id` -> `aws.ec2.instance.id`
spirl-server-helm-chart 0.15.0
Enhancements
- SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
- Prometheus scraping annotations are added as pod annotations if telemetry is enabled
- SPIRL server and agent now include three labels in the generated Prometheus metrics that can be used for filtering and dashboard building. gRPC metrics include `spirl_component` (agent | server), `spirl_trust_domain` (trust domain name), and `spirl_trust_domain_deployment` (trust domain deployment name) as labels. In addition, a new metric (`spirl_application_info`) is generated during initialization; it also includes the aforementioned labels as well as the binary version.
- Add the ability to configure horizontal pod autoscaler in the server chart
spirl-server v0.19.1
Enhancements
- SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
- Prometheus scraping annotations are added as pod annotations if telemetry is enabled
- SPIRL agents will now generate app info prometheus metrics including trust domain and trust domain deployment as labels.
- td-server: add a self-refreshing cache that batches the AWS requests to save AWS API quota
spirl-server-helm-chart 0.14.0
Bug Fixes
- Fix issue where imagePullSecrets resulted in invalid Kubernetes objects.
Enhancements
- Add Pod Disruption Budget to the server deployment.
- You can now specify resources for the Venafi Firefly integration sidecar.
spirl-server v0.18.0
Bug Fixes
- Fixed a bug loading data CR encryption keys generated before the 0.17.1 release.
- Improved data CR garbage collection accuracy
- Improved data CR resiliency under CPU throttled conditions
Enhancements
- Improved reporting and recovery when data CRs are missing
spirl-server-helm-chart 0.13.0
Enhancements
- Add GCP KMS integration into spirl-server allowing it to use GCP KMS encryption for locally stored, sensitive data.
- Trust domain server metrics collection and telemetry server can now be toggled and configured with new helm chart values. Refer to https://d.spirl.com/configuration/spirl-system-telemetry for more information.
- Add Azure KeyVault integration into spirl-server allowing it to use Azure KeyVault encryption for locally stored, sensitive data.
- Use the latest spirl-server image release, version 0.17.1, by default when installing via Helm chart.
spirl-server 0.17.1
Bug Fixes
- Add a dedicated timeout during startup for how long to wait for initial x509source to initialize
- Avoids use of cached attestation if we're missing required attributes
- Fix a bug which can in some conditions lead to high CPU usage when an unrecoverable error occurs.
Enhancements
- Update to Go 1.24
- Add Azure KeyVault integration into spirl-server allowing it to use Azure KeyVault encryption for locally stored, sensitive data.
- Add GCP KMS integration into spirl-server allowing it to use GCP KMS encryption for locally stored, sensitive data.
- Trust domain server metrics collection and telemetry server can now be toggled and configured with new helm chart values. Refer to https://d.spirl.com/configuration/spirl-system-telemetry for more information.
- spirl-agent and td-server: the td-server will challenge the agent with the type of provider attestation and the agent will respond to that (overrides the agent flag)
- td-server: support attesting agents running in aws ec2 instances in multi regions
spirl-server-helm-chart 0.12.0
- Adds support for Kubernetes topologySpreadConstraints.
- Improves graceful shutdown behavior.
- Adds a `createRoles` property to allow giving an existing service account the necessary roles.
spirl-server v0.16.0
- Added a back-off mechanism to the cache of the SPIRL server improving resiliency.
- Federated bundles are now synced during unified-access operations.
- Improved the way we build multi-arch production images.
- Improved graceful shutdown behavior.