Spinnaker Release 2025.2.0

Changelog

Breaking Changes

Clouddriver

https://github.com/spinnaker/spinnaker/pull/7240 changes constructors in AmazonCredentials / AssumeRoleAmazonCredentials / NetflixAmazonCredentials / NetflixAssumeRoleAmazonCredentials. Plugins or custom code may need corresponding changes (e.g. pass null for AwsConfigurationProperties) to continue to build.

Gate

Spring Security 5 Oauth2 Migration

https://github.com/spinnaker/spinnaker/pull/7052 removes the deprecated OAuth2 annotations and uses Spring Security 5’s DSL instead. As a result, the properties for configuring OAuth2 in Gate have changed.

old:

security:
  authn:
    oauth2:
      enabled: true
      client:
        clientId: <client-id>
        clientSecret: <client-secret>
        accessTokenUri: https://www.googleapis.com/oauth2/v4/token
        userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
        scope: profile email
      userInfoRequirements:
        hd: <domain>
      resource:
        userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      userInfoMapping:
        email: email
        firstName: given_name
        lastName: family_name
      provider: GOOGLE

new (google):

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: <client-id>
            client-secret: <client-secret>
            authorization-grant-type: authorization_code
            redirect-uri: "https://<your-domain>/login/oauth2/code/google"
            scope: profile,email,openid
            client-name: google
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            user-name-attribute: sub

new (github):

spring:
  security:
    oauth2:
      client:
        registration:
          userInfoMapping:
            email: email
            firstName: ''
            lastName: name
            username: login
          github:
            client-id: <client-id>
            client-secret: <client-secret>
            authorization-grant-type: authorization_code
            redirect-uri: "https://<your-domain>/login/oauth2/code/github"
            scope: user,email
            client-name: github
        provider:
          github:
            authorization-uri: https://github.com/login/oauth/authorize
            token-uri: https://github.com/login/oauth/access_token
            user-info-uri: https://api.github.com/user
            user-name-attribute: login

Halyard has been updated to generate the new configuration with the same command as before, e.g.:

hal config security authn oauth2 edit --provider google --client-id some_id --client-secret some_secret --user-info-requirements hd=company.io
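
For deployments that maintain Gate's YAML by hand rather than through Halyard, the following added example (not Spinnaker or Halyard code) audits an already-parsed Gate config for leftover pre-migration OAuth2 properties and reports whether each has its new-style counterpart. The key pairs are read off the old and new blocks above; the function names, the sample config, and the rule that the registration id is the old provider value lower-cased are assumptions.

```python
# Added example, not Spinnaker code. Key pairs are read off the old/new
# blocks in these release notes; {id} is the registration id.
OLD_ROOT = "security.authn.oauth2"
NEW_ROOT = "spring.security.oauth2.client"
KEY_MAP = {
    "client.clientId": "registration.{id}.client-id",
    "client.clientSecret": "registration.{id}.client-secret",
    "client.scope": "registration.{id}.scope",
    "client.accessTokenUri": "provider.{id}.token-uri",
    "client.userAuthorizationUri": "provider.{id}.authorization-uri",
    "resource.userInfoUri": "provider.{id}.user-info-uri",
}

def flatten(node, prefix=""):
    """Flatten nested dicts into {'a.b.c': value}."""
    out = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return out

def audit(config):
    """Return (legacy_key, new_key_or_None, status); key paths only, never values."""
    flat = flatten(config)
    legacy = {k[len(OLD_ROOT) + 1:]: v for k, v in flat.items()
              if k.startswith(OLD_ROOT + ".")}
    # Assumption: registration id is the old provider value lower-cased.
    reg_id = str(legacy.pop("provider", "<registration-id>")).lower()
    findings = []
    for old in sorted(legacy):
        template = KEY_MAP.get(old)
        if template is None:  # no counterpart shown in the release notes
            findings.append((f"{OLD_ROOT}.{old}", None, "review"))
            continue
        new = f"{NEW_ROOT}.{template.format(id=reg_id)}"
        findings.append((f"{OLD_ROOT}.{old}", new,
                         "migrated" if new in flat else "missing"))
    return findings

# Constructed sample: old block still present, new block only partly written.
SAMPLE = {
    "security": {"authn": {"oauth2": {"enabled": True, "provider": "GOOGLE",
        "client": {"clientId": "example-id", "clientSecret": "example-secret",
                   "accessTokenUri": "https://www.googleapis.com/oauth2/v4/token",
                   "scope": "profile email"},
        "userInfoRequirements": {"hd": "example.com"}}}},
    "spring": {"security": {"oauth2": {"client": {"registration": {
        "google": {"client-id": "example-id"}}}}}},
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rows marked "review" are legacy properties with no one-to-one counterpart in the blocks above; note also that the old scope value is space-separated while the new one is comma-separated.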

Features

Clouddriver

https://github.com/spinnaker/spinnaker/pull/7239 and https://github.com/spinnaker/spinnaker/pull/7240 add functionality to log the endpoints that the AWS SDK uses, controlled by two new config flags that default to false:

aws:
  client:
    logEndpoints: true

and

artifacts:
  s3:
    logEndpoints: true

aws.client.logEndpoints is for clients that AmazonClientBuilder creates, as well as NetflixSTSAssumeRoleSessionCredentialsProvider. artifacts.s3.logEndpoints is for clients that S3ArtifactCredentials creates.

Note: https://github.com/spinnaker/spinnaker/pull/7240 changes constructors in AmazonCredentials / AssumeRoleAmazonCredentials / NetflixAmazonCredentials / NetflixAssumeRoleAmazonCredentials. Plugins or custom code may need corresponding changes (e.g. pass null for AwsConfigurationProperties) to continue to build.

  • OAuth2: Current OAuth2 annotations are deprecated so using Java DSL way of configuring OAuth2 (#7052) ( c6a79fd0 )
  • clouddriver/aws: Implement the account API for aws accounts (#7238) ( d41da1e2 )
  • clouddriver/aws: log aws sdk endpoints (#7239) ( d19e1944 )
  • clouddriver/aws: log the endpoint that aws sdk sts clients use (#7240) ( c390e6fb )

Configuration

Fixes

  • clouddriver/aws: align CredentialsParser types in AmazonCredentialsInitializer (#7207) (#7208) ( 3c45b4c9 )
  • clouddriver/aws: align CredentialsParser types in AmazonCredentialsInitializer (#7207) ( 57b5928f )
  • deck: Fix RunJob external logs when component is not mounted and interpolation is needed (#7163) ( 9d86a95a )
  • echo/rest: make it possible to send events to URLs with no trailing slash (#7212) (#7215) ( 824acc94 )
  • echo/rest: make it possible to send events to URLs with no trailing slash (#7212) ( 0e8c45b4 )
  • gate/web: add Retrofit2SyncCall.execute to SubnetController.allByCloudProvider (#7219) (#7221) ( 9b5dcd7b )
  • gate/web: add Retrofit2SyncCall.execute to SubnetController.allByCloudProvider (#7219) ( 66b9ab01 )
  • gcp: Fix a number of potential NPEs around deploy handling for google builds. Tied to groovy to java migration (#7227) (#7233) ( 4ea0d508 )
  • gcp: Fix a number of potential NPEs around deploy handling for google builds. Tied to groovy to java migration (#7227) ( ffeaa35a )
  • gcp: More NPE handling on some input (#7236) (#7237) ( 347cfb20 )
  • gcp: More NPE handling on some input (#7236) ( 7177e163 )
  • google: Add retry and status polling logic (#7191) (#7217) ( b1243f81 )
  • google: Add retry and status polling logic (#7191) ( 5385827f )
  • halyard/retrofit2: fix DaemonService’s convertor factory (#7230) (#7232) ( 66ade3f8 )
  • halyard/retrofit2: fix DaemonService’s convertor factory (#7230) ( 1a83ac38 )
  • halyard/retrofit2: fix daemon service getTask API definition (#7206) (#7209) ( a75b383c )
  • halyard/retrofit2: fix daemon service getTask API definition (#7206) ( 4d991929 )
  • orca/clouddriver: correct parameter order for requestOperations to avoid invalid cloudProvider errors (#7201) (#7204) ( 7f6e3e2f )
  • orca/clouddriver: correct parameter order for requestOperations to avoid invalid cloudProvider errors (#7201) ( f45b7fd8 )
  • orca/retrofit2: fix orca bakeservice api (#7224) (#7225) ( e0a64b30 )
  • orca/retrofit2: fix orca bakeservice api (#7224) ( 6c47bbfa )
  • sql: Update account type column during upserts (#7242) ( ba06d158 )

Other

  • build: dynamic version indexing in tag name based on type (#7202) (#7203) ( e9d8ebc4 )
  • build: dynamic version indexing in tag name based on type (#7202) ( 18758e3a )
  • dependency: update bc version from 1.77 to 1.81 (#7211) ( c051f965 )
  • deps: bump sha.js from 2.4.11 to 2.4.12 in /deck (#7213) ( 0c97ecd1 )
  • deps: bump tmp from 0.2.3 to 0.2.5 in /deck/test/functional (#7231) ( de171bc4 )
  • deps: bump tmp in /.github/actions/spinnaker-release (#7229) ( da68ba66 )
  • graphql: Remove unused and legacy graphql libraries and sample endpoints (#7244) ( fe879f8b )
  • kubernetes: convert load balancer details component to react (#7222) ( c42106e7 )
  • kubernetes: convert manifest actions modal components to react (#7223) ( e0801020 )
  • kubernetes: de-angularize services, and components (#7228) ( e5a54ada )