
SPIRL System Releases

Latest Assets​

| Asset | Type | Latest Release Version | Location |
|---|---|---|---|
| SPIRL System Helm Chart | Helm Chart | 0.30.0 | oci://ghcr.io/spirl/charts/spirl-system:0.30.0 |
| SPIRL Agent | Container Image | v0.30.0 | ghcr.io/spirl/spirl-agent:v0.30.0 |
| SPIRL Controller | Container Image | v0.30.0 | ghcr.io/spirl/spirl-controller:v0.30.0 |
| SPIRL Bridge | Container Image | v0.30.0 | ghcr.io/spirl/spirl-bridge:v0.30.0 |
| SPIRL Agent | AMD64 Debian Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-agent/0.30.0/spirl-agent_0.30.0_linux_amd64.deb |
| SPIRL Agent | ARM64 Debian Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-agent/0.30.0/spirl-agent_0.30.0_linux_arm64.deb |
| SPIRL Agent | AMD64 RPM Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-agent/0.30.0/spirl-agent_0.30.0_linux_amd64.rpm |
| SPIRL Agent | ARM64 RPM Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-agent/0.30.0/spirl-agent_0.30.0_linux_arm64.rpm |
| SPIRL Bridge | AMD64 Debian Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-bridge/0.30.0/spirl-bridge_0.30.0_linux_amd64.deb |
| SPIRL Bridge | ARM64 Debian Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-bridge/0.30.0/spirl-bridge_0.30.0_linux_arm64.deb |
| SPIRL Bridge | AMD64 RPM Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-bridge/0.30.0/spirl-bridge_0.30.0_linux_amd64.rpm |
| SPIRL Bridge | ARM64 RPM Package | 0.30.0 | https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-bridge/0.30.0/spirl-bridge_0.30.0_linux_arm64.rpm |
| Reflector | Container Image | v0.30.0 | ghcr.io/spirl/reflector:v0.30.0 |

Additionally, the SPIRL Agent uses the SPIFFE CSI Driver and CSI Node Driver Registrar at the following pinned versions:

| Asset | Type | Latest Release Version | Location |
|---|---|---|---|
| SPIFFE CSI Driver | Container Image | v0.2.3 | ghcr.io/spiffe/spiffe-csi-driver:v0.2.3 |
| CSI Node Driver Registrar | Container Image | v2.6.0 | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0 |

Release Notes​

spirl-system 0.30.0​

Enhancements​

  • Agent passes attesting workload PID to extensions.

spirl-system 0.29.0​

Enhancements​

  • Add POC support for custom workload attribute attestation through two complementary extension mechanisms: centralized webhook-based extensions in the Server, and distributed executable-based extensions in the Agent.
  • Validates that the SPIRL endpoint is not an HTTP endpoint.
  • When available, adds x-forwarded-for header to span tags.
  • Add a logger in the agent that outputs current memory and CPU usage.

Security Fix​

  • Updates Golang to 1.25.5 to address CVE-2025-61729 and CVE-2025-61727

spirl-system 0.28.0​

Bug Fixes​

  • gRPC logger now logs "finished call" messages at INFO level when the request completes with OK status.

Documentation​

  • The region field in agent and server logs has been renamed to deploymentName to better reflect its meaning.

Enhancements​

  • spirlctl and SPIRL Go SDK now support filtering clusters by realm when listing
  • Add ability to configure Agent Attestation for new and existing clusters

Security Fix​

spirl-system 0.27.0​

Enhancements​

  • Logs related to the same request can be correlated across components using trace_id.
  • Agent: Adds a flag --linux-attestation-discover-workload-path that includes the attribute linux.binary.path in the attested attributes. It should only be set when the agent is running on bare metal Linux nodes as root or with the CAP_SYS_PTRACE capability.
  • gRPC client errors (NotFound, AlreadyExists, InvalidArgument, Unauthenticated) are now logged at Warn level instead of Info.
  • Fixed silent failures in the Linux attestor for blank usernames and group names; it now returns proper errors instead of continuing without validation.
  • Enhanced logging across all attestors with PID and container context for better debugging visibility.
  • The spirl-agent binaries in Linux packages are built with CGO_ENABLED, which makes it possible to attest Linux user names for LDAP users.

spirl-system 0.26.0​

Enhancements​

  • Add spirl-bridge sidecar
  • spirl-controller can inject spirl-bridge using annotations

spirl-system 0.25.0​

Security Fixes​

Enhancements​

  • td-server: Adds a flag --events-service-server-name to override the server name when connecting to the events service. This is useful when connecting via PrivateLink.
  • SVIDIssuedEvents requests support filtering by issuer type, issuer ID, agent ID, SVID type, and spiffe ID.

spirl-system 0.24.0​

Enhancements​

  • Adds new --realm flag to spirlctl cluster add to add a cluster within a realm.
  • Updated AWS EC2 instance certificates (added "ap-southeast-6" region)
  • Allow CSI driver and SPIRL Controller to be disabled when installing SPIRL System Helm chart.

spirl-system 0.23.0​

Breaking Changes​

  • Removes flags jwt-attestation-issuer, jwt-attestation-jwks-url, and supplemental-attestation. CI/CD Profiles can now be configured by linking a CI/CD Profile to a cluster using the LinkCICDProfile method.

Bug Fixes​

  • Fix version reporting in health events.
  • Agent heartbeats generated by the Reflector correctly include the agent version

Enhancements​

  • Add support for custom JWT claims in JWT-SVIDs via a JWT customization template.
  • Reduced Reflector error log noise
  • No longer log expected resource storage conflicts during sync as errors.
  • Adds x-forwarded-for and x-request-id to the logs when present in a gRPC connection
  • Reflectors now send their own heartbeats, at a low rate, in addition to agent heartbeats
  • No longer emit a misleading error log related to reloading metadata during normal shutdown
  • Added "cache_hit" to the spirl_reflector_mint_svid_total metric, allowing tracking of % of requests that could be served from cache
  • Added affinity to the Reflector chart (reflector.deployment.affinity)

spirl-system 0.22.3​

Enhancements​

  • Adds supplemental roots file for JWT Attestation to spirl-system helm chart

spirl-system 0.22.2​

Bug Fixes​

  • Fix reflector metrics port exposure when telemetry is enabled

Enhancements​

  • Improved error messages on invalid cluster key secret
  • Signers will now distinguish Reflectors and Agents if both use distinct authentication keys

spirl-system 0.22.1​

Enhancements​

  • Reflector credentials can now optionally be omitted when enabling the Reflector, in which case it uses the Agent credentials.

spirl-system 0.22.0​

Enhancements​

  • Improves service configuration change reactivity
  • TD Servers can now authenticate Reflectors separately from Agents
  • Added the spirl_reflector_mint_svid_total prometheus counter to the Reflector
  • Updated EC2 instance identity certificates
  • Install data CRD on Helm chart upgrades.
  • Added HPA support for the Reflector
  • Reflector returns better error codes when the upstream trust domain server rejects the login attempt
  • Reflectors now use their own credentials when connecting to the TD server instead of using the Agent credentials

spirl-system 0.21.0​

Bug Fixes​

  • Reflector now accepts startup arguments for ConnectionMaxAge and UseGRPCFastRedial and includes those when initializing its TD server client
  • spirl-system Helm chart configuration values for ConnectionMaxAge and UseGRPCFastRedial are copied from the agent.endpoint section when deploying the Reflector

Enhancements​

  • Reflector enabled clusters don't count reflectors as agents
  • Reflector enabled clusters correctly issue agent heartbeats
  • Reflector can now be configured with a Pod Distribution Budget to ensure health during maintenance activities

spirl-system 0.20.0​

Enhancements​

  • spirldbg: Adds identity-exchange-token flag to svid-jwt and svid-x509 commands to support OIDC JWT attestation for CI/CD clusters
  • Updated EC2 instance identity certificates
  • Reflector supports multiple upstream endpoints in priority order
  • Reflector logs serving from cache at Info level

spirl-system 0.19.0​

Enhancements​

  • Azure Key Vault: a validation check is now performed during key wrapping initialization to verify that keys support the required 256-bit AES-GCM algorithm, failing fast when an incompatible key is encountered.
  • Reflector replica count and resource requests/limits can now be customized in Helm chart

spirl-system 0.18.0​

Breaking Changes​

  • Removed deprecated GetTrustBundle API from trust domain server. SPIRL agent v0.3.0 (released Jul 19, 2023) and newer use a different API and therefore are unaffected by this change.

spirl-system 0.17.1​

All changes in this release are internal only

spirl-system 0.17.0​

Enhancements​

  • Attribute allow lists can now be configured through the chart.
  • Use the RSA-2048 instance verification method to attest AWS EC2 instances.
  • Reflector supports managing a self-signed CA
  • Make it possible to set additional labels for the agent pod in the spirl-system chart.

spirl-controller 0.6.1​

All changes in this release are internal only

spirl-system-helm-chart 0.9.0​

Enhancements​

  • SPIRL server now emits latency gRPC metrics by default if telemetry is enabled.
  • Prometheus scraping annotations are added as pod annotations if telemetry is enabled
  • Upgrades SPIFFE CSI driver to version 0.2.7.
  • Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API

spirl-agent 0.16.0​

  • SPIRL agents will now generate app info prometheus metrics including trust domain and trust domain deployment as labels.
  • SPIRL server and agent now include three labels in the generated Prometheus metrics that can be used for filtering and dashboard building. gRPC metrics include spirl_component (agent | server), spirl_trust_domain (trust domain name), and spirl_trust_domain_deployment (trust domain deployment name) as labels. In addition, a new metric (spirl_application_info) is generated during initialization; it includes the aforementioned labels as well as the binary version.
  • Add a flag to have the agent test and wait for the kubelet pod list API to become available during startup

spirl-system-helm-chart 0.8.0​

Enhancements​

  • You can now specify imagePullSecrets for all pods in the Helm chart.
  • Introduces a useGRPCFastRedial endpoint configuration option to spirl-agent that will trigger faster redialing of the endpoint when using DNS based load balancers.
  • Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
  • Annotation collection on Kubernetes collections is now supported using the includeAnnotations option

spirl-agent v0.15.1​

Enhancements​

  • Introduces a useGRPCFastRedial endpoint configuration option to spirl-agent that will trigger faster redialing of the endpoint when using DNS based load balancers.
  • Improves the spirl-agent daemonset update strategy to replace agent pods with less impact to the workload API
  • Annotation collection on Kubernetes collections is now supported using the includeAnnotations option