v2.22.1 Armory Release (OSS Spinnaker™ v1.22.2)
2020/10/15 Release Notes
Note: If you’re experiencing production issues after upgrading Spinnaker, roll back to a previous working version and please report issues to http://go.armory.io/support.
Required Halyard or Operator version
Armory Spinnaker 2.22.1 requires one of the following:
- Armory Halyard 1.9.4 or later.
- Armory Spinnaker Operator 1.0.3 or later.
Breaking changes
Kubernetes deployment namespace
Upgrading to 2.20.x or later introduces a breaking change in the Kubernetes provider for Spinnaker. Spinnaker now correctly interprets the namespace declared in your kubeconfig file and uses that namespace. Previously, Spinnaker deployed to the default namespace, called default, because of an error in how Spinnaker interpreted the namespace in the Kubernetes context.
Solutions
Armory recommends using one of the following methods, which involve explicitly setting the namespace:
- In your deployment manifests, declare the namespace you want to deploy to. Set to default if you want to maintain the previous behavior:

    apiVersion: batch/v1
    kind: Job
    metadata:
      generateName: <someName>
      # Set namespace to default if you want to maintain the previous behavior.
      namespace: <targetNamespace>

- In your kubeconfig, declare the namespace you want to deploy to. Set to default if you want to maintain the previous behavior:

    contexts:
    - context:
        cluster: <someCluster>
        # Set namespace to default if you want to maintain the previous behavior.
        namespace: <targetNamespace>

For more information, see the following links:
Introduced in: Armory 2.20
Suffix no longer added to jobs created by Kubernetes Run Job stage
Spinnaker no longer automatically appends a unique suffix to the name of jobs created by the Kubernetes Run Job stage. Prior to this release, if you specified metadata.name: my-job, Spinnaker updated the name to my-job-[random-string] before deploying the job to Kubernetes. As of this release, the job’s name will be passed through to Kubernetes exactly as supplied.
To continue having a random suffix added to the job name, set the metadata.generateName field instead of metadata.name, which causes the Kubernetes API to append a random suffix to the name.
This change is particularly important for users who are using the preconfigured job stage for Kubernetes or are sharing job stages among different pipelines. In these cases, jobs often run concurrently, and it is important that each job have a unique name. In order to retain the previous behavior, manually update your Kubernetes job manifests to use the generateName field.
Previously, this behavior was opt-in.
Impact
As of Armory 2.22, this behavior is the default. Users can still opt out of the new behavior by setting kubernetes.jobs.append-suffix: true in clouddriver-local.yml. This causes Spinnaker to continue to append a suffix to the name of jobs as in prior releases.
The ability to opt out of the new behavior will be removed in Armory 2.23 (OSS 1.23). The above setting will have no effect, and Spinnaker will no longer append a suffix to job names. We recommend that 2.22 users note which jobs are using the old behavior and prepare to remove the setting before upgrading to Armory 2.23 in the future.
Introduced in: Armory 2.22
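The following pre-upgrade audit is an added example, not part of Armory's release notes or tooling. It walks an exported pipeline JSON document and flags manifests affected by the two Kubernetes breaking changes above: no explicit metadata.namespace, and Jobs that set metadata.name without metadata.generateName. The sample pipeline and its stage field names are constructed assumptions; the walker itself does not depend on them.

```python
import json

def find_manifests(node):
    """Yield each embedded Kubernetes manifest (a dict with apiVersion and kind)."""
    if isinstance(node, dict):
        if "apiVersion" in node and "kind" in node:
            yield node
            return  # do not descend: nested refs (roleRef, ownerReferences) are not manifests
        for value in node.values():
            yield from find_manifests(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_manifests(item)

def audit(pipeline):
    """Return sorted (manifest, finding) pairs for the two breaking changes."""
    findings = []
    for m in find_manifests(pipeline):
        meta = m.get("metadata") or {}
        label = f'{m["kind"]}/{meta.get("name") or meta.get("generateName")}'
        # Namespace change: without an explicit namespace, the kubeconfig
        # context namespace is used instead of "default".
        if not meta.get("namespace"):
            findings.append((label, "no-namespace"))
        # Suffix change: a fixed Job name is passed through unchanged, so
        # concurrent runs of the same stage would share one name.
        if m["kind"] == "Job" and meta.get("name") and not meta.get("generateName"):
            findings.append((label, "fixed-job-name"))
    return sorted(findings)

# Constructed sample pipeline export (stage layout is an assumption).
SAMPLE = json.loads("""
{"name": "nightly-report", "stages": [
  {"type": "runJobManifest", "manifest": {"apiVersion": "batch/v1", "kind": "Job",
     "metadata": {"name": "my-job"}}},
  {"type": "runJobManifest", "manifest": {"apiVersion": "batch/v1", "kind": "Job",
     "metadata": {"generateName": "my-job-", "namespace": "default"}}},
  {"type": "runJobManifest", "manifest": {"apiVersion": "batch/v1", "kind": "Job",
     "metadata": {"name": "cleanup", "namespace": "ops"}}},
  {"type": "deployManifest", "manifests": [{"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "cfg"}}]}
]}
""")

if __name__ == "__main__":
    for label, finding in audit(SAMPLE):
        print(f"{label}: {finding}")
```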
Spinnaker metrics
Metrics data, specifically the metric names, for Spinnaker changed. These changes are not backwards compatible and may result in broken third-party dashboards, such as Grafana dashboards.
Workarounds:
- Observability Plugin: Armory is working on updates to the Observability Plugin to remedy this issue. The plugin currently supports New Relic & Prometheus. Note that this resolution requires you to make updates to use the new metric names.
  For information about how to configure the Observability Plugin, see Monitoring Spinnaker with Prometheus.
  For information about how to install a plugin, see Plugin Users Guide.
- Update existing dashboards: Change your dashboards and alerts to use the new metric names.
Although both workarounds involve updating your dashboards to use the new metric names, Armory recommends switching to the Observability plugin. Due to changes the Spinnaker project is making, the Observability plugin provides a long-term solution.
Affected versions: Armory 2.20.x or later (OSS 1.20.x)
Known issues
Orca Plugins using Plugin SDK
If you use or are developing a plugin that is deployed on Orca and injects the PluginSdks interface, do not upgrade to 2.22. There is a known issue where Orca cannot process messages in its queue, and the following error occurs:
com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'startExecution' as a subtype of `com.netflix.spinnaker.q.Message`: known type ids = []
...
This results in pipelines not starting.
No workaround exists for plugin consumers. The V2 Plugins Framework will address this issue and be available in a later Armory version.
Plugin developers targeting 2.22 have a few options. The PluginSdks interface allows developers to inject common utilities, like an HTTP client, into their plugins. Developers can supply their own implementations of these utilities instead of using PluginSdks. Alternatively, they can build a Spring-based plugin using Kork’s kork-plugins-spring-api package that relies on the parent Spinnaker service to inject these utilities.
Affected versions: 2.22.x
GCE predictive autoscaling exception
An exception occurs in the Spinnaker UI (Deck) if the GCE provider is enabled but predictive autoscaling is not enabled.
Workaround
Add the following property to your settings.js:

    window.spinnakerSettings.providers.gce.feature = {};

For more information, see this OSS Pull Request: 8585.
Affected versions: 2.22.x
Security update
We continue to make Spinnaker’s security a top priority. Although several CVEs are resolved, the following still exist.
Multiple services
CVE-2020-5410 was resolved in a previous version of Armory Spinnaker; however, this CVE introduced a regression for users of Spring Cloud and has been rolled back. Armory will continue to monitor releases for a fix.
Clouddriver
The following CVE exists for Clouddriver:
- CVE-2020-7014 deals with an Elasticsearch exploit related to token generation. Clouddriver only makes use of entity tags and does not allow for token generation or authentication.
Terraformer
Armory has identified and is triaging the following CVEs in Terraformer, the service for the Terraform integration:
- CVE-2020-15778
- CVE-2020-13757. This CVE was resolved in other services but still exists in the Terraformer service.
Highlighted updates
Deployment targets
AWS
Fixed an issue where fetching an AWS token might take longer than expected.
Manifest templating
Armory now includes version 3.8.1 of kustomize.
Security
This release resolves several CVEs in Clouddriver:
- CVE-2017-18342
- CVE-2019-17638
- CVE-2020-1747
- CVE-2016-10745
- CVE-2020-7009
- CVE-2020-13757
- CVE-2015-9251
- CVE-2020-8927
- CVE-2014-0012
- CVE-2014-1402
- CVE-2011-4969
- CVE-2016-10516
- CVE-2020-7656
- CVE-2020-7019
Spinnaker Community Contributions
There have also been numerous enhancements, fixes and features across all of Spinnaker’s other services. See their changes here: Spinnaker v1.22.2.
Detailed Updates
Bill of Materials
Here’s the bom for this version.
version: 2.22.1
timestamp: "2020-10-15 15:36:55"
services:
  clouddriver:
    commit: 57502e9a
    version: 2.22.10
  deck:
    commit: f3b0fa58
    version: 2.22.5
  dinghy:
    commit: ad5418ab
    version: 2.22.0
  echo:
    commit: 7cb7dbb4
    version: 2.22.1
  fiat:
    commit: b96e9905
    version: 2.22.2
  front50:
    commit: 7083c875
    version: 2.22.1
  gate:
    commit: fde8b76a
    version: 2.22.2
  igor:
    commit: ef536157
    version: 2.22.2
  kayenta:
    commit: b1aa5c56
    version: 2.22.2
  monitoring-daemon:
    version: 2.22.0
  monitoring-third-party:
    version: 2.22.0
  orca:
    commit: 89cad735
    version: 2.22.1
  rosco:
    commit: dd80635a
    version: 2.22.3
  terraformer:
    commit: e2d395ce
    version: 2.22.2
dependencies:
  redis:
    version: 2:2.8.4-2
artifactSources:
  dockerRegistry: docker.io/armory
Armory
Armory Deck - 2.22.5…2.22.5
Armory Kayenta - 2.22.2…2.22.2
Terraformer™ - 2.22.2…2.22.2
Armory Clouddriver - 2.22.3…2.22.10
- fix(docker): downgrade aws-iam-authenticator (#205) (#207)
- chore(build): resolve CVEs and reduce docker layers (#213)
- chore(build): resolve CVEs and reduce docker layers (#213) (#218)
Armory Igor - 2.22.2…2.22.2
Armory Echo - 2.22.1…2.22.1
Armory Fiat - 2.22.2…2.22.2
Armory Front50 - 2.22.1…2.22.1
Armory Rosco - 2.22.2…2.22.3
- feat(kustomize): update version of kustomize used (#108) (#110)
Armory Gate - 2.22.2…2.22.2
Armory Orca - 2.22.1…2.22.1
Dinghy™ - 2.22.0…2.22.0
Last modified March 4, 2021: (d84aa0d)