Spinnaker Release 2025.3.0

Breaking Changes

Features

Security settings on http based artifacts.

Any http or similar artifact account can now set limits on the URLs it can access. It’s recommended to configure an allow list (whitelist) of domains to restrict calls to known, allowed domains. Example of the configuration:

artifacts:
  http:
    enabled: true
    accounts:
      - name: http_account
        urlRestrictions:
          allowedDomains:
          - mydomain.com
          - raw.github.com
          - api.github.com
          rejectLocalhost: true #default value
          rejectLinkLocal: true #default value
          rejectVerbatimIps: true #default value
          rejectedIps: [] #default value

If an allowedDomains pattern is set, it will take precedence even if other settings are allowed.
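A configuration audit for the settings above, added here as an example and not part of Spinnaker or these release notes. It takes the already-parsed configuration as a dict and reports http accounts that have no allow list, that disable a reject* default while having no allow list, or whose allow list names localhost or an IP literal. Assumptions: the function names and the sample accounts `legacy` and `internal` are hypothetical, and treating the reject* flags as no backstop for allow list entries is one reading of the precedence note.

```python
import ipaddress

# Flags the release notes list as defaulting to true.
REJECT_FLAGS = ("rejectLocalhost", "rejectLinkLocal", "rejectVerbatimIps")

def _risky_entry(entry):
    """Return a reason if an allow-list entry names localhost or an IP literal."""
    host = entry.strip().lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return "names localhost"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None  # an ordinary domain name or pattern
    if ip.is_loopback:
        return "is a loopback address"
    if ip.is_link_local:
        return "is a link-local address"
    return "is a verbatim IP address"

def audit_http_accounts(config):
    """Return sorted (account, finding) pairs for artifacts.http accounts."""
    http = (config.get("artifacts") or {}).get("http") or {}
    findings = []
    if not http.get("enabled"):
        return findings
    for account in http.get("accounts") or []:
        name = account.get("name", "<unnamed>")
        rules = account.get("urlRestrictions") or {}
        domains = rules.get("allowedDomains") or []
        if not domains:
            findings.append((name, "no allowedDomains allow list"))
            # Without an allow list the reject* flags are the only limits.
            for flag in REJECT_FLAGS:
                if rules.get(flag, True) is False:
                    findings.append((name, f"{flag} is disabled"))
        for entry in domains:
            reason = _risky_entry(str(entry))
            if reason:
                findings.append((name, f"allowedDomains entry {entry!r} {reason}"))
    return sorted(findings)

# Constructed sample: the dict a YAML loader would return for a config file.
SAMPLE = {"artifacts": {"http": {"enabled": True, "accounts": [
    {"name": "http_account", "urlRestrictions": {
        "allowedDomains": ["mydomain.com", "raw.github.com", "api.github.com"]}},
    {"name": "legacy", "urlRestrictions": {"rejectLinkLocal": False}},
    {"name": "internal", "urlRestrictions": {"allowedDomains": ["169.254.10.10"]}},
]}}}
```

Calling `audit_http_accounts(SAMPLE)` returns no findings for `http_account` and three findings across the other two accounts.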

Account APIs.

Similar to prior versions, where you could manage k8s accounts via an API, you can now manage ECS, Azure and GCP accounts via APIs.

Long lived Lambda operations

Due to network constraints, most long-lived connections will end after 5 minutes. AWS lets you use TCP keep-alive, which, in combination with operating system configuration, allows requests to live longer. This new feature can be set via:

aws:
  lambda:
    tcpKeepAlive: true

For operating system configuration and information, see the AWS documentation.

GRPC/HTTP2 support for GCP Load balancers

You can now set up and configure GRPC/HTTP2 settings on GCP load balancers.

  • azure: Implement Azure dynamic account loading matching AWS/Goo… (#7269) ( 9788e7f8 )
  • clouddriver-artifacts/aws: upgrade clouddriver-artifacts module to aws sdk v2 (#7301) ( 97bb0434 )
  • clouddriver-lambda: Add configuration for tcpKeepAlive on the AWS Lambda client (#7308) ( 9f1313dc )
  • clouddriver/ecs: Implement the account API for ecs accounts (#7247) ( eea4599f )
  • docker: Start publishing to GHCR as well as GAR for future removal of GAR for docker (#7312) ( a8d0914a )
  • echo/aws: upgrade echo from aws sdk v1 to v2 (#7243) ( d7d65404 )
  • front50/aws: upgrade front50 to aws sdk v2 (#7250) ( 6f76e1f0 )
  • gate/executions: add a pipelineNameFilter query parameter when getting pipeline executions (#7315) ( 908bc11d )
  • gate/web: add GET /executions/failedStages endpoint (#7300) ( d219882d )
  • google: Add @JsonTypeName annotation and account definition source for dynamic loading (#7270) ( 0a1b7a32 )
  • healthcheck: Add GRPC and HTTP/2 support for GCP load balancers (#7253) ( b1893f0e )
  • igor/aws: upgrade igor to aws sdk v2 (#7283) ( 5ba06cd7 )
  • orca/echo: instrument code that sends events to echo before/after pipeline executions (#7297) ( a091d844 )

Configuration

Fixes

  • OAuth2, NPE: Map.copyOf is strict about nulls so use Collections.unmodifiableMap instead (#7246) (#7252) ( 63dcf960 )
  • OAuth2, NPE: Map.copyOf is strict about nulls so use Collections.unmodifiableMap instead (#7246) ( 10aa59bc )
  • clouddriver/cloudformation: fix an API failure caused by encoded colon char post retrofit2 upgrade (#7262) (#7275) ( be71bba3 )
  • clouddriver/cloudformation: fix an API failure caused by encoded colon char post retrofit2 upgrade (#7262) ( a74c9959 )
  • config: Defaults are not being set when only a few fields are set (#7285) (#7286) ( dd59e7f2 )
  • config: Defaults are not being set when only a few fields are set (#7285) ( ce3e4c5a )
  • echo: Fix rest event config to work with splunk style URLs or those without a trailing slash on the URL (#7330) (#7331) ( c6907c53 )
  • echo: Fix rest event config to work with splunk style URLs or those without a trailing slash on the URL (#7330) ( 74262cac )
  • front50/s3: always configure region in s3 client, when specified (#7268) ( c7966612 )
  • gate-web: Controller fix for RoleController & EcsCloudMetricController after retrofit updates (#7303) (#7306) ( 19d27f1c )
  • gate-web: Controller fix for RoleController & EcsCloudMetricController after retrofit updates (#7303) ( 9de5a1dc )
  • gate-web: EcsServerGroupEventsController & EcsSecretController retrofit calls to clouddriver (#7291) ( c306a00d )
  • gha: Another gha typo (#7323) ( a41df9f1 )
  • gha: Fix cleaner step (#7322) ( 99e72174 )
  • gha: Not a workflow so secret refs slightly different (#7325) ( ce27f216 )
  • images: Fix a few more places querying for images that had null parameters causing failures due to retrofit changes (#7321) (#7328) ( 3750eca6 )
  • images: Fix a few more places querying for images that had null parameters causing failures due to retrofit changes (#7321) ( 3a81d834 )
  • oauth2: move tokenResponseClient bean to static inner config to avoid circular dependency (#7254) (#7255) ( 02284135 )
  • oauth2: move tokenResponseClient bean to static inner config to avoid circular dependency (#7254) ( 54d246cb )
  • oracle: A few oracle operations call themselves google which can mess with class loading on class scans. Fix them to be Oracle (#7249) ( d5160c51 )
  • orca-applications: Retrofit calls on Front50 projects tasks (#7272) ( 1c35ff8d )
  • orca-clouddriver: Fix findImages oortService call query map (#7278) (#7317) ( cf4a7428 )
  • orca-clouddriver: Fix findImages oortService call query map (#7278) ( 0e76bc0b )
  • orca-queue: ignore unacked messages that fail retry to not block processing of other messages (#7290) ( 653ba1ed )
  • orca/clouddriver/retrofit: fix wildcard in the retrofit method parameter (#7264) (#7267) ( b91f789a )
  • orca/clouddriver/retrofit: fix wildcard in the retrofit method parameter (#7264) ( d0f0620a )
  • orca/clouddriver: fix log line in AbstractCheckIfApplicationExistsTask (#7298) ( de3de11d )
  • orca/queue: run kotlin tests in orca/orca-queue (#7333) ( 9721c0cb )
  • orca/redis: actually run the tests (#7292) (#7295) ( f9cf87cd )
  • orca/redis: actually run the tests (#7292) ( 8456bba6 )
  • orca/sql: Retrieve the newest pipeline executions (#7320) ( 2b12d309 )
  • orca/web/test: make the description of the test match reality (#7326) ( 7a3b1053 )
  • orca: set the status correctly when cancelling a pipeline execution (#7296) ( b281edf3 )
  • spin: Fix spin cli docker publishing to GHCR (#7335) (#7336) ( ed0023eb )
  • sql: only reference the compressed executions table (#7327) ( bf5738c1 )

Other

  • change: Merge commit from fork (#7279) ( dbabd821 )
  • change: Merge commit from fork ( 7aa9fabc )
  • change: Various kork updates (secrets, utilities, prereqs for credentials updates) (#7245) ( 77e5da97 )
  • deps: bump actions/checkout from 4 to 5 (#7259) ( c6ae6afb )
  • deps: bump actions/setup-go from 5 to 6 (#7257) ( df0e1300 )
  • deps: bump actions/setup-java from 4 to 5 (#7258) ( 9a3d91fa )
  • deps: bump github/codeql-action from 3 to 4 (#7311) ( 15c525e9 )
  • deps: bump google-github-actions/auth from 2 to 3 (#7260) ( 12779ea6 )
  • deps: bump google-github-actions/upload-cloud-storage from 2 to 3 (#7261) ( d2883614 )
  • execution: Add a retrieve method with requireLatestVersion (#7310) ( 003b1c2e )
  • executions: add pipelineLimit query parameter to gate’s GET /applications/{application}/pipelines and GET /applications/{application}/pipelineConfigs endpoints (#7319) ( 44dc2da4 )
  • front50: fetch pipeline by id in StartPipelineTask (#7273) ( 5334e0a2 )
  • gate/web: increase performance of the GET /{application}/pipelineConfigs/{pipelineName:.+} endpoint (#7314) ( a5210afe )
  • orca: add a test to verify clouddriver GET api to get CloudFormationStack (#7248) (#7276) ( 74192b53 )
  • orca: add a test to verify clouddriver GET api to get CloudFormationStack (#7248) ( 2ceb0bb1 )
  • orca: query for individual pipelines from front50 (#7302) ( 8ba587d2 )
  • roles: make fiat full role sync synchronized across fiat instances (#7115) ( a1195444 )
  • sql: Simplify sql query in retrievePipelineExecutionDetailsForApplication (#7309) ( 6dfb0fef )