v2.22.1 Armory Release (OSS Spinnaker™ v1.22.2)

Release notes for Armory Enterprise v2.22.1

2020/10/15 Release Notes

Note: If you’re experiencing production issues after upgrading Spinnaker, roll back to a previous working version and please report issues to http://go.armory.io/support.

Required Halyard or Operator version

Armory Spinnaker 2.22.1 requires one of the following:

  • Armory Halyard 1.9.4 or later.
  • Armory Spinnaker Operator 1.0.3 or later.

Breaking changes

Kubernetes deployment namespace

Upgrading to 2.20.x or later introduces a breaking change in the Kubernetes provider for Spinnaker. Spinnaker now correctly interprets the namespace declared in your kubeconfig file and uses that namespace. Previously, Spinnaker deployed to the default namespace called default because of an error in how Spinnaker interpreted the namespace in the Kubernetes context.

Solutions

Armory recommends using one of the following methods, which involve explicitly setting the namespace:

  • In your deployment manifests, declare the namespace you want to deploy to. Set to default if you want to maintain the previous behavior:

    apiVersion: batch/v1
    kind: Job
    metadata:
     generateName: <someName>
     # Set namespace to default if you want to maintain the previous behavior.
     namespace: <targetNamespace> 
    
  • In your kubeconfig, declare the namespace you want to deploy to. Set to default if you want to maintain the previous behavior:

    contexts:
    - context:
        cluster: <someCluster>
        # Set namespace to default if you want to maintain the previous behavior.
        namespace: <targetNamespace>
    

For more information, see the following links:

Introduced in: Armory 2.20

Suffix no longer added to jobs created by Kubernetes Run Job stage

Spinnaker no longer automatically appends a unique suffix to the name of jobs created by the Kubernetes Run Job stage. Prior to this release, if you specified metadata.name: my-job, Spinnaker updated the name to my-job-[random-string] before deploying the job to Kubernetes. As of this release, the job’s name is passed through to Kubernetes exactly as supplied.

To continue having a random suffix added to the job name, set the metadata.generateName field instead of metadata.name, which causes the Kubernetes API to append a random suffix to the name.

This change is particularly important for users who are using the preconfigured job stage for Kubernetes or are sharing job stages among different pipelines. In these cases, jobs often run concurrently, and it is important that each job has a unique name. To retain the previous behavior, manually update your Kubernetes job manifests to use the generateName field.

Previously, this behavior was opt-in.

Impact

As of Armory 2.22, this behavior is the default. Users can still opt out of the new behavior by setting kubernetes.jobs.append-suffix: true in clouddriver-local.yml. This causes Spinnaker to continue to append a suffix to the name of jobs as in prior releases.

The ability to opt out of the new behavior will be removed in Armory 2.23 (OSS 1.23). The above setting will have no effect, and Spinnaker will no longer append a suffix to job names. We recommend that 2.22 users note which jobs are using the old behavior and prepare to remove the setting before upgrading to Armory 2.23 in the future.

Introduced in: Armory 2.22
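
A pre-upgrade audit for the two Kubernetes changes above (deployment namespace and Run Job suffix), as an added example that is not Armory's or Spinnaker's code: it walks an exported pipeline JSON and flags Job manifests that set a fixed metadata.name without generateName, or that omit metadata.namespace. The sample pipeline, its stage layout, and the function names are constructed for illustration.

```python
import json

def find_jobs(node, path="$"):
    """Yield (json_path, manifest) for every Kubernetes Job object nested in node."""
    if isinstance(node, dict):
        if node.get("kind") == "Job" and isinstance(node.get("metadata"), dict):
            yield path, node
        for key, value in node.items():
            yield from find_jobs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_jobs(value, f"{path}[{i}]")

def audit(pipeline):
    """Return (json_path, finding) tuples for Job manifests affected by the changes."""
    findings = []
    for path, job in find_jobs(pipeline):
        meta = job["metadata"]
        # The name is now passed through unchanged, so concurrent runs of a
        # job with a fixed name no longer get distinct names.
        if meta.get("name") and not meta.get("generateName"):
            findings.append((path, "fixed-name"))
        # Without an explicit namespace the target now comes from the
        # kubeconfig context instead of always being "default".
        if not meta.get("namespace"):
            findings.append((path, "no-namespace"))
    return findings

# Constructed sample pipeline export (hypothetical stage layout).
SAMPLE = json.loads("""
{"name": "nightly-batch", "stages": [
  {"name": "migrate", "manifest": {"apiVersion": "batch/v1", "kind": "Job",
      "metadata": {"name": "my-job"}}},
  {"name": "report", "manifest": {"apiVersion": "batch/v1", "kind": "Job",
      "metadata": {"generateName": "report-", "namespace": "batch"}}},
  {"name": "config", "manifest": {"apiVersion": "v1", "kind": "ConfigMap",
      "metadata": {"name": "cfg"}}}
]}
""")

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```
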

Spinnaker metrics

Metrics data, specifically the metric names, for Spinnaker changed. These changes are not backwards compatible and may result in broken third-party dashboards, such as Grafana dashboards.

Workarounds:

  • Observability Plugin: Armory is working on updates to the Observability Plugin to remedy this issue. The plugin currently supports New Relic & Prometheus. Note that this resolution requires you to make updates to use the new metric names.

    For information about how to configure the Observability Plugin, see Monitoring Spinnaker with Prometheus.

    For information about how to install a plugin, see Plugin Users Guide.

  • Update existing dashboards: Change your dashboards and alerts to use the new metric names.

Although both workarounds involve updating your dashboards to use the new metric names, Armory recommends switching to the Observability plugin. Due to changes the Spinnaker project is making, the Observability plugin provides a long-term solution.

Affected versions: Armory 2.20.x or later (OSS 1.20.x)

Known issues

Orca Plugins using Plugin SDK

If you use or are developing a plugin that is deployed on Orca and injects the PluginSdks interface, do not upgrade to 2.22. There is a known issue where Orca cannot process messages in its queue, and the following error occurs:

com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'startExecution' as a subtype of `com.netflix.spinnaker.q.Message`: known type ids = []
...

This results in pipelines not starting.

No workaround exists for plugin consumers. The V2 Plugins Framework will address this issue and be available in a later Armory version.

Plugin developers targeting 2.22 have a few options. The PluginSdks interface allows developers to inject common utilities, like an HTTP client, into their plugins. Developers can supply their own implementations of these utilities instead of using PluginSdks. Alternatively, they can build a Spring-based plugin using Kork’s kork-plugins-spring-api package that relies on the parent Spinnaker service to inject these utilities.

Affected versions: 2.22.x

GCE predictive autoscaling exception

An exception occurs in the Spinnaker UI (Deck) if the GCE provider is enabled but predictive autoscaling is not enabled.

Workaround

Add the following property to your settings.js:

window.spinnakerSettings.providers.gce.feature = {};

For more information, see this OSS Pull Request: 8585.

Affected versions: 2.22.x

Security update

We continue to make Spinnaker’s security a top priority. Although several CVEs are resolved, the following still exist.

Multiple services

CVE-2020-5410 was resolved in a previous version of Armory Spinnaker; however, this CVE introduced a regression for users of Spring Cloud and has been rolled back. Armory will continue to monitor releases for a fix.

Clouddriver

The following CVE exists for Clouddriver:

  • CVE-2020-7014 deals with an Elasticsearch exploit related to token generation. Clouddriver only makes use of entity tags and does not allow for token generation or authentication.

Terraformer

Armory has identified and is triaging the following CVEs in Terraformer, the service for the Terraform integration:

  • CVE-2020-15778
  • CVE-2020-13757. This CVE was resolved in other services but still exists in the Terraformer service.

Highlighted updates

Deployment targets

AWS

Fixed an issue where fetching an AWS token might take longer than expected.

Manifest templating

Armory now includes version 3.8.1 of kustomize.

Security

This release resolves several CVEs in Clouddriver:

Spinnaker Community Contributions

There have also been numerous enhancements, fixes and features across all of Spinnaker’s other services. See their changes here: Spinnaker v1.22.2.

Detailed Updates

Bill of Materials

Here’s the bom for this version.

version: 2.22.1
timestamp: "2020-10-15 15:36:55"
services:
    clouddriver:
        commit: 57502e9a
        version: 2.22.10
    deck:
        commit: f3b0fa58
        version: 2.22.5
    dinghy:
        commit: ad5418ab
        version: 2.22.0
    echo:
        commit: 7cb7dbb4
        version: 2.22.1
    fiat:
        commit: b96e9905
        version: 2.22.2
    front50:
        commit: 7083c875
        version: 2.22.1
    gate:
        commit: fde8b76a
        version: 2.22.2
    igor:
        commit: ef536157
        version: 2.22.2
    kayenta:
        commit: b1aa5c56
        version: 2.22.2
    monitoring-daemon:
        version: 2.22.0
    monitoring-third-party:
        version: 2.22.0
    orca:
        commit: 89cad735
        version: 2.22.1
    rosco:
        commit: dd80635a
        version: 2.22.3
    terraformer:
        commit: e2d395ce
        version: 2.22.2
dependencies:
    redis:
        version: 2:2.8.4-2
artifactSources:
    dockerRegistry: docker.io/armory

Armory

Armory Deck - 2.22.5…2.22.5

Armory Kayenta - 2.22.2…2.22.2

Terraformer™ - 2.22.2…2.22.2

Armory Clouddriver - 2.22.3…2.22.10

  • fix(docker): downgrade aws-iam-authenticator (#205) (#207)
  • chore(build): resolve CVEs and reduce docker layers (#213)
  • chore(build): resolve CVEs and reduce docker layers (#213) (#218)

Armory Igor - 2.22.2…2.22.2

Armory Echo - 2.22.1…2.22.1

Armory Fiat - 2.22.2…2.22.2

Armory Front50 - 2.22.1…2.22.1

Armory Rosco - 2.22.2…2.22.3

  • feat(kustomize): update version of kustomize used (#108) (#110)

Armory Gate - 2.22.2…2.22.2

Armory Orca - 2.22.1…2.22.1

Dinghy™ - 2.22.0…2.22.0


Last modified March 4, 2021: (d84aa0d)