Spinnaker Release 2026.1.0

Security

This release carries a number of dependency and security-related fixes; for example, the project moved from Spring Boot 3.1.2 to 3.1.12 (#7338). Fixes listed below that are worth reviewing before upgrading include the gate x509/SAML filter-chain fix (#7539), gitrepo hostname validation (#7541), hiding sensitive headers in custom webhook stages (#7421), and restoring AnonymousConfig after the Spring Boot 3 / Spring Security 6 upgrade (#7538). As always, validate the upgrade in a sandbox account before rolling it out.

Breaking Changes

  • Halyard is fully deprecated and no longer supported. Migrate to spinnaker-kustomize or a similar installer: Halyard will no longer be patched, updated, or worked on, which means it will not receive security fixes either.
  • GHCR is now the default location for all container images. Images are no longer published to GAR, and in a few releases all GAR access for Docker images will be removed (Debian packages are still published to GAR). Update image references, registry allowlists, and pull-through caches accordingly.

Certificate map support for GCP load balancers

Spinnaker now caches GCE certificate maps and supports migrating HTTP(S) load balancers from SSL certificate configurations to certificate maps (#7475).

Kubernetes secret engine support

A new secret engine lets you store secrets in Kubernetes and reference them from Spinnaker configuration, using the same encrypted: syntax as the S3 and other secret engines:

encrypted:k8s!n:somesecretName!k:secretKey

To enable it, add the following to spinnaker-local.yml (the default config file in spinnaker-kustomize):

spinnaker:
  secrets:
    kubernetes:
      enabled: true

The engine reads secrets with the pod's own service account credentials, so that service account needs RBAC permission to get the referenced secrets. A secret in a different namespace can also be referenced via an ns field in the reference, provided the service account is authorized in that namespace. See https://github.com/spinnaker/spinnaker/pull/7603/changes for details and the exact syntax.
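A practical follow-up to the RBAC requirement, as an added example rather than code from the Spinnaker project: the script below scans a configuration fragment for encrypted:k8s references and emits a Role and RoleBinding per namespace that grant the pod's service account get on exactly the named secrets and nothing more (no list or watch, so the pod cannot enumerate other secrets). The '!'-separated n: and k: fields follow the syntax shown above; the ns: field for cross-namespace references, the service account name spinnaker, and the secret names in the sample config are assumptions for illustration.

```python
"""Derive a least-privilege RBAC Role/RoleBinding from the encrypted:k8s
references in a Spinnaker config (added example, not Spinnaker code).

Assumptions not taken from the release notes: fields are separated by '!'
as shown above; a hypothetical 'ns:' field selects another namespace (the
notes mention an ns flag but not its syntax); the service account name and
namespace are supplied by the caller.
"""
import json
import re
from collections import defaultdict

PREFIX = "encrypted:k8s!"
# Match a reference up to whitespace or a quote so YAML quoting does not leak in.
REF_RE = re.compile(r"""encrypted:k8s![^\s"']+""")
ALLOWED_FIELDS = {"n", "k", "ns"}  # ns is the assumed cross-namespace field


def parse_ref(ref: str) -> dict:
    """Split one reference into fields; reject anything malformed so a bad
    reference fails at validation time rather than inside a running pod."""
    if not ref.startswith(PREFIX):
        raise ValueError(f"not a k8s secret reference: {ref!r}")
    fields = {}
    for part in ref[len(PREFIX):].split("!"):
        key, sep, value = part.partition(":")
        if not sep or key not in ALLOWED_FIELDS or not value:
            raise ValueError(f"bad field {part!r} in {ref!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r} in {ref!r}")
        fields[key] = value
    if "n" not in fields or "k" not in fields:
        raise ValueError(f"reference needs both n: and k: {ref!r}")
    return fields


def required_secrets(config_text: str, default_ns: str) -> dict:
    """Map namespace -> sorted list of secret names the config references."""
    needed = defaultdict(set)
    for match in REF_RE.finditer(config_text):
        fields = parse_ref(match.group(0))
        needed[fields.get("ns", default_ns)].add(fields["n"])
    return {ns: sorted(names) for ns, names in needed.items()}


def rbac_manifests(config_text: str, sa_name: str, sa_namespace: str) -> list:
    """One Role + RoleBinding per namespace: verb 'get' only, restricted by
    resourceNames, so the service account can read nothing but these secrets."""
    docs = []
    for ns, names in required_secrets(config_text, sa_namespace).items():
        role = f"{sa_name}-secret-reader"
        docs.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": role, "namespace": ns},
            "rules": [{"apiGroups": [""], "resources": ["secrets"],
                       "resourceNames": names, "verbs": ["get"]}],
        })
        docs.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": role, "namespace": ns},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                          "namespace": sa_namespace}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": role},
        })
    return docs


# Constructed sample config fragment; the secret names are made up.
SAMPLE_CONFIG = """
spinnaker:
  secrets:
    kubernetes:
      enabled: true
sql:
  connectionPools:
    default:
      password: "encrypted:k8s!n:clouddriver-db!k:password"
github:
  accessToken: encrypted:k8s!n:scm-tokens!k:github
slack:
  token: encrypted:k8s!ns:shared-secrets!n:slack!k:token
"""

if __name__ == "__main__":
    for doc in rbac_manifests(SAMPLE_CONFIG, "spinnaker", "spinnaker"):
        print(json.dumps(doc, indent=2))
```

Feed the generated documents to kubectl after review; the point is that a single Role per namespace with resourceNames replaces the tempting but over-broad cluster-wide "get/list secrets" grant.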

Lambda Naming and performance fixes

Lambda had issues with loading all functions into memory and only then filtering. With a configuration change, this release makes the Lambda provider behave like ECS and Kubernetes: tags added to each function enable filtering by tag. Caching also moves out of the shared application cache into a dedicated Lambda application table. This should drastically improve the Lambda experience across the board. Tagging is enabled by default and all new deploys automatically add these tags on deployment. You can disable this behavior in clouddriver's configuration:

aws:
  lambda:
    setMonikerTags: false

Next, Spinnaker by default prefixes the application name to Lambda function names on deployment. To allow arbitrary function names, disable this behavior with a flag. Note there are two settings, one in orca and one in clouddriver:

Clouddriver:

aws:
  lambda:
    prefixApplicationNameToFunction: false

Orca:

lambda:
  prefixApplicationNameToFunction: false

With both disabled, you can edit the stage JSON (for example with an expression) and set any function name you wish instead of the UI-generated one.

ECS Fixes

ECS receives a number of performance fixes. The first is on-demand loading of accounts through cache calls, which should drastically reduce memory use, database throughput, and the impact on Spinnaker when a large number of accounts are configured and pipelines with ECS deploy stages are in progress (#7667). Additional ECS caching performance fixes are coming in upcoming releases.

Fiat performance fixes

Two PRs fix major performance issues in Fiat.

  1. The locking mechanism was restored, with the issues reported in https://github.com/spinnaker/spinnaker/issues/7339 fixed (#7647).
  2. The sync process now writes and reads data in parallel: https://github.com/spinnaker/spinnaker/pull/7648

To tune the parallel write when using Redis, adjust:

fiat:
  redis:
    repository:
      sync-threads: 16   # default: Runtime.getRuntime().availableProcessors()

For the lock behavior there are two places to configure the recommended settings:

  1. Fiat:
# Fiat – enable cross-pod sync coordination
fiat:
  write-mode:
    enabled: true
    synchronization-config:
      enabled: true
      prefix: "spinnaker:fiat"
    sync-delay-ms: 600000
    sync-failure-delay-ms: 600000
    sync-delay-timeout-ms: 30000
    retry-interval-ms: 10000
  2. Front50:
# Front50 – avoid full sync (and locks) when saving service accounts
fiat:
  disableRoleSyncWhenSavingServiceAccounts: true

These, in combination, should reduce the number of syncs and improve overall Fiat performance. In some testing we have seen this configuration reduce sync time from hours to minutes.

AWS pubsub support for cross-account / IaC-managed SQS queues

A new skipQueueBootstrap flag on each pubsub.amazon.subscriptions entry lets the SQS subscriber skip createQueue, setQueueAttributes, and SNS.Subscribe at startup, so it works with queues provisioned externally (e.g. Terraform) or owned by another AWS account. Because those steps are skipped, the queue, its access policy, and the SNS subscription must already exist before echo starts.

pubsub:
  amazon:
    subscriptions:
      - name: my-subscription
        queueARN: arn:aws:sqs:eu-central-1:000000000000:my-queue
        topicARN: arn:aws:sns:eu-central-1:000000000000:my-topic
        skipQueueBootstrap: true

The default is false; existing same-account subscribers are unaffected.
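With the bootstrap steps skipped, the queue policy and SNS subscription are the queue owner's responsibility, and the policy is where cross-account setups most often go wrong. The following added example (not echo's or Spinnaker's code) checks an exported queue policy offline: it confirms the SNS topic may send, that the subscriber principal may receive and delete, and that the SendMessage grant is scoped with aws:SourceArn so no other topic can inject events into the queue. The subscriber action list and the consumer role ARN are assumptions, not taken from the release notes; the queue and topic ARNs are the ones from the snippet above.

```python
"""Offline preflight for an externally managed SQS queue used with
skipQueueBootstrap: true (added example, not Spinnaker/echo code).

With bootstrap skipped, echo no longer writes the queue policy or creates
the SNS subscription, so the queue owner must. Assumptions not from the
release notes: the subscriber principal needs sqs:ReceiveMessage and
sqs:DeleteMessage, and SNS needs sqs:SendMessage limited by aws:SourceArn
to the one topic. The consumer role ARN below is made up.
"""
import copy

QUEUE_ARN = "arn:aws:sqs:eu-central-1:000000000000:my-queue"
TOPIC_ARN = "arn:aws:sns:eu-central-1:000000000000:my-topic"
CONSUMER_ARN = "arn:aws:iam::111111111111:role/spinnaker-echo"  # constructed


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _actions(stmt):
    return {a.lower() for a in _as_list(stmt.get("Action"))}


def _principals(stmt):
    """Flatten Principal into strings like 'service:sns.amazonaws.com';
    a wildcard (bare '*' or {"AWS": "*"}) is kept as '*'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return {"*"}
    out = set()
    for kind, values in (principal or {}).items():
        for v in _as_list(values):
            out.add("*" if v == "*" else f"{kind.lower()}:{v}")
    return out


def _source_arns(stmt):
    """Collect every aws:SourceArn value from the statement's Condition."""
    arns = set()
    for op, pairs in stmt.get("Condition", {}).items():
        if op in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            for key, val in pairs.items():
                if key.lower() == "aws:sourcearn":
                    arns.update(_as_list(val))
    return arns


def check_queue_policy(policy, queue_arn, topic_arn, consumer_arn):
    """Return findings; an empty list means SNS can deliver, the subscriber
    can consume, and no statement lets arbitrary topics inject events."""
    findings, sns_ok, consumer_ok = [], False, False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if queue_arn not in resources and "*" not in resources:
            continue
        sid = stmt.get("Sid", "?")
        principals, actions = _principals(stmt), _actions(stmt)
        if actions & {"sqs:sendmessage", "sqs:*", "*"} and \
                principals & {"service:sns.amazonaws.com", "*"}:
            srcs = _source_arns(stmt)
            if topic_arn in srcs:
                sns_ok = True
            elif not srcs:
                findings.append(f"{sid}: SendMessage without aws:SourceArn; "
                                "any SNS topic could inject events (confused deputy)")
            else:
                findings.append(f"{sid}: aws:SourceArn does not include {topic_arn}")
        if {"sqs:receivemessage", "sqs:deletemessage"} <= actions \
                or actions & {"sqs:*", "*"}:
            if f"aws:{consumer_arn}" in principals:
                consumer_ok = True
            if "*" in principals and not stmt.get("Condition"):
                findings.append(f"{sid}: receive/delete open to Principal '*'")
    if not sns_ok:
        findings.append(f"no statement lets topic {topic_arn} send to the queue")
    if not consumer_ok:
        findings.append(f"no statement lets {consumer_arn} receive and delete")
    return findings


def build_queue_policy(queue_arn, topic_arn, consumer_arn):
    """Minimal queue policy that passes check_queue_policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowTopicToSend", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": "sqs:SendMessage", "Resource": queue_arn,
         "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}}},
        {"Sid": "AllowSpinnakerSubscriber", "Effect": "Allow",
         "Principal": {"AWS": consumer_arn},
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                    "sqs:GetQueueAttributes"],
         "Resource": queue_arn},
    ]}


def weakened(policy):
    """Same policy with the aws:SourceArn condition dropped: a common
    mistake in hand-written or Terraform-managed policies the check must flag."""
    weak = copy.deepcopy(policy)
    weak["Statement"][0].pop("Condition", None)
    return weak


if __name__ == "__main__":
    good = build_queue_policy(QUEUE_ARN, TOPIC_ARN, CONSUMER_ARN)
    print(check_queue_policy(good, QUEUE_ARN, TOPIC_ARN, CONSUMER_ARN))
    print(check_queue_policy(weakened(good), QUEUE_ARN, TOPIC_ARN, CONSUMER_ARN))
```

After provisioning, export the live policy with `aws sqs get-queue-attributes --queue-url <url> --attribute-names Policy`, parse the Policy attribute as JSON, and pass it to check_queue_policy; an empty result means echo can start with skipQueueBootstrap: true without depending on permissions it no longer exercises.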

Features

  • ci/gcb: Add region in gcb account def for regional endpoints (#7504) ( 7b4a9f35 )
  • echo: add OTLP/gRPC transport for CDEvents notifications (#7554) ( 2bae6532 )
  • echo: add mTLS support for OTLP/gRPC CDEvents transport (#7561) ( 3a65ecdc )
  • igor: allow overriding artifact extensions in Artifactory monitors (#7535) ( ed1f4afd )
  • kork/artifact/artifactstore/s3: add context to artifact store exceptions (#7650) ( 85fb3911 )
  • lambda: Make application names work with Lambda (#7655) ( 2a3d2a91 )
  • provider/google, deck/google: Add certificateMap support for GCE HTTP(S) load balancers (#7475) ( 54aaef22 )
  • secrets: K8s secret engine support (#7603) ( 86a21d18 )
  • spin/iap: add token caching for IAP authentication (#7595) ( 3e7d4f38 )
  • webhooks: hide sensitive headers in custom webhook stages (#7421) ( e0c3c24f )

Fixes

  • bom: Fix bom publishing to now reference GHCR (#7553) ( 0f872993 )
  • build/test: disable JVM class data sharing to remove warning on jvm startup (#7624) ( d4a42dc8 )
  • build: Fix bad merge from dependabot (#7508) ( 8aa48f90 )
  • build: Fix indentation when in a if block (#7621) ( 91c7367c )
  • build: Fix labels on containers (#7620) ( c1923555 )
  • builds: Fix bad character on gha publish breaking echo commands (#7619) ( 9adacf94 )
  • builds: Fix spinnaker.io publishing (#7549) (#7551) ( 45754bc9 )
  • builds: Fix spinnaker.io publishing (#7549) ( 095cdce7 )
  • builds: Fix spinnaker.io publishing when using a GitHub App for token (#7498) (#7499) ( 0b696139 )
  • builds: Fix spinnaker.io publishing when using a GitHub App for token (#7498) ( c4dbce60 )
  • builds: Fix testcontainer due to docker client upgrade issue (#7471) (#7476) ( f9be1e8a )
  • builds: Fix testcontainer due to docker client upgrade issue (#7471) ( b9814476 )
  • clouddriver/eureka: remove leading slashes from all the retrofit2 api interfaces (#7652) ( 183b6bd7 )
  • clouddriver: update kubectl download URL (#7470) (#7472) ( b39db13d )
  • clouddriver: update kubectl download URL (#7470) ( 330dd8f0 )
  • deck/pipeline: pass raw pipeline config to MetadataPageContent for V2 templated pipelines (#7537) ( e8324196 )
  • deck: Fix build all for deck/deck-kayenta (#7467) (#7468) ( cb5fe264 )
  • deck: Fix build all for deck/deck-kayenta (#7467) ( 88682cdb )
  • ecs: Fix ecs on demand perf loading issue (#7667) ( 2d39bc81 )
  • fiat/api: remove deprecation warnings (#7613) ( 9337025a )
  • fiat: Minor potential issue if groups return list ever was null (#7611) ( 5dc90a65 )
  • gate/api-tck/test: remove noisy startup errors from GateFixtureTest output (#7572) ( a320d63c )
  • gate/basic: replace deprecated Spring Security DSL with lambda-style configuration (#7589) ( be01ea3f )
  • gate/core: remove deprecation warnings in AnonymousConfig and ServiceAccountFilterConfigProps (#7587) ( 7416d029 )
  • gate/oauth2: remove deprecated tokenEndpoint() method call in OAuth2SsoConfig (#7588) ( 4e4430b2 )
  • gate/oauth2: restore /login endpoint behavior (#7567) ( 64251195 )
  • gate/plugins: make PluginsInstalledController conditional and DeckPluginService optional (#7563) ( 2269b5e3 )
  • gate/web/test: remove stale comments in AdminControllerTest (#7584) (#7585) ( 87a79d27 )
  • gate/web/test: remove stale comments in AdminControllerTest (#7584) ( 585b7106 )
  • gate/web/test: replace deprecated Spring Security DSL in AuthConfigTest (#7571) ( 209025fd )
  • gate/web: include additional exception message in AdminController.killZombie (#7575) (#7579) ( a0d688e0 )
  • gate/web: include additional exception message in AdminController.killZombie (#7575) ( 1f10a347 )
  • gate/web: remove BakeController.handleBakeOptionsException (#7511) ( 73950daa )
  • gate/web: return 200 instead of 500 for void orca endpoints (#7574) (#7578) ( 4b41bdf5 )
  • gate/web: return 200 instead of 500 for void orca endpoints (#7574) ( 7a62f750 )
  • gate: rename x509 SecurityFilterChain bean to prevent SAML override when both are enabled (#7539) ( e4a5016a )
  • gate: rename x509 SecurityFilterChain bean to prevent SAML override when both are enabled (backport #7539) (#7580) ( 60f45db4 )
  • gitrepo: Fix git repo with some odd character combinations (#7564) (#7568) ( 5468ff62 )
  • gitrepo: Fix git repo with some odd character combinations (#7564) ( 7997a14a )
  • gitrepo: Validate gitrepo hostname (#7541) ( 58641982 )
  • halyard-core: correct ‘occured’ -> ‘occurred’ in Problem javadoc (#7641) ( e08e21a7 )
  • iap: Fix iap auth post spring 3.0 upgrade (#7503) ( 195b36d9 )
  • iap: Fix iap auth post spring 3.0 upgrade (backport #7503) (#7547) ( 764558f1 )
  • igor/web: remove some deprecation warnings (#7615) ( 113494e3 )
  • kayenta: Send Authorization header proactively for Prometheus-compatible APIs (#7464) ( 39d3d272 )
  • kork/core: remove yaml-related deprecation warnings (#7635) ( 0f70a0b1 )
  • kork/moniker: fix unchecked warnings in FriggaReflectiveNamer (#7634) ( 74d99462 )
  • kork/plugins: remove warnings (#7637) ( e070e6af )
  • kork/retrofit: remove unchecked, deprecation warnings (#7626) ( cc4e08fc )
  • kork/secrets-k8s/test: allow KubernetesSecretsEngineTest to pass outside a k8s cluster (#7623) ( 2646a87c )
  • kork/sql-test: remove deprecation warnings (#7628) ( 1524b77d )
  • kork/sql: remove warnings (#7629) ( 78a095f6 )
  • kork/web: remove deprecation warnings (#7614) ( 943a78ae )
  • kustomize: Mariadb broken. Fix gate health check (#7606) ( 9220695c )
  • lambda: Lambda APIs when only account or region were still loading all data THEN filtering (#7644) ( ca659468 )
  • oauth2: spin cli oauth2 auth ctx (#7532) ( 256c3ec5 )
  • pubsub/aws: rename enableQueueCreationFallback -> skipQueueBootstrap and skip all bootstrap ops for cross-account queues (#7668) ( bd3df2e8 )
  • pubsub/aws: support cross-account SQS queue lookup and make queue creation fallback configurable (#7609) (#7633) ( e4a49e41 )
  • release: Fix release publishing notes to spinnaker.io (#7486) (#7491) ( aa0ea524 )
  • release: Fix release publishing notes to spinnaker.io (#7486) ( c90c4c55 )
  • saml: Fix wiring issue on saml. Add FULL end to end integration test using keycloak & htmlunitdriver (#7525) ( 943997b2 )
  • saml: Fix wiring issue on saml. Add FULL end to end integration test using keycloak & htmlunitdriver (backport #7525) (#7528) ( 1e230e28 )
  • security: restore AnonymousConfig after Spring Boot 3 / Security 6 upgrade (#7538) (#7594) ( 3d031ab6 )
  • security: restore AnonymousConfig after Spring Boot 3 / Security 6 upgrade (#7538) ( 4d0a82a0 )
  • spin-cli: update gateclient to always set Bearer token for oauth2 (#7612) ( f653d7dd )
  • spin/pipeline-template: prevent panic on non-string tag field (#7639) ( cf984859 )
  • spinnaker-gradle-project/publishing: replace deprecated JacksonFactory with GsonFactory (#7627) ( 39eb96f6 )
  • spotless: Update to 1.17 of spotless (#7479) (#7482) ( 6e1a6497 )
  • spotless: Update to 1.17 of spotless (#7479) ( f0dfe854 )
  • spring: remove LocalVariableTableParameterNameDiscoverer warnings from kork, fiat, and clouddriver (#7502) ( db214efa )
  • tests: Add tests for eureka so we dont hit issues in future (#7656) ( 6411e151 )
  • validation: Fixes some validation around user inputs (#7542) ( c4a5b4fd )

Other

  • build/protobuf: upgrade com.google.protobuf plugin 0.8.12 -> 0.9.6 (#7618) ( ac49be5d )
  • build: remove gradle warnings (#7625) ( 7e5fdfb3 )
  • change: Adopt latching for fiat role sync (#7647) ( 40706834 )
  • change: Improve parallelization of redis fiat get and put (#7648) ( c41d8622 )
  • change: Merge commit from fork ( 95829010 )
  • change: Merge commit from fork ( a14c26ef )
  • change: Merge commit from fork ( f69d7b53 )
  • clouddriver/aws: cleanup dependencies (#7590) ( db998010 )
  • clouddriver: bump json-flattener from 0.14.2 to 0.16.6 (#7598) ( 3b254970 )
  • clouddriver: centralize version of json-flattener (#7591) ( 6c096ec0 )
  • deck/build: update rollup to v4 (#7523) ( cf4a260a )
  • deck: upgrade webpack to 5.104.1, webpack-dev-server to 5.2.1 & eslint to 9.39.2 (#7516) ( 9980f156 )
  • dependencies: upgrade to Spring Boot 3.1.12 and align dependent libraries (#7338) ( 81f227f6 )
  • deps-dev: bump rollup from 2.79.2 to 2.80.0 in /deck-kayenta (#7514) ( 817dcc74 )
  • deps: bump actions/create-github-app-token from 2 to 3 (#7597) ( 42a085c7 )
  • deps: bump actions/github-script from 7 to 8 (#7520) ( 0ca720b6 )
  • deps: bump axios from 1.13.6 to 1.15.0 in /deck (#7631) ( 4c8a40d2 )
  • deps: bump bn.js from 4.12.2 to 4.12.3 in /deck (#7506) ( 9dc2b880 )
  • deps: bump docker/login-action from 3 to 4 (#7596) ( 4a75cb0d )
  • deps: bump express from 4.18.2 to 4.22.0 in /deck-kayenta (#7349) ( 90212867 )
  • deps: bump fast-xml-parser and @google-cloud/storage (#7483) ( aeb2a4cc )
  • deps: bump fast-xml-parser in /.github/actions/spinnaker-release (#7519) ( 5570ccd0 )
  • deps: bump fast-xml-parser in /.github/actions/spinnaker-release (#7540) ( 62e23c93 )
  • deps: bump fast-xml-parser in /.github/actions/spinnaker-release (#7546) ( 3fc2a7c6 )
  • deps: bump fast-xml-parser in /.github/actions/spinnaker-release (#7654) ( 3e75e3b3 )
  • deps: bump flatted from 3.3.4 to 3.4.2 in /deck (#7552) ( 52e65fba )
  • deps: bump follow-redirects from 1.15.11 to 1.16.0 in /deck (#7642) ( 1cd788ec )
  • deps: bump follow-redirects in /deck-kayenta (#7638) ( 71bbb66b )
  • deps: bump follow-redirects in /deck/test/functional (#7640) ( 2cbdca69 )
  • deps: bump handlebars from 4.7.8 to 4.7.9 in /deck (#7573) ( c4b81240 )
  • deps: bump js-yaml in /deck/packages/kubernetes (#7341) ( efeec340 )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck (#7515) ( f667c9b4 )
  • deps: bump lodash from 4.17.23 to 4.18.1 in /deck (#7600) ( 24662152 )
  • deps: bump lodash in /.github/actions/spinnaker-release (#7513) ( d3ef1142 )
  • deps: bump lodash in /deck/packages/cloudrun (#7507) ( f5fde96e )
  • deps: bump lodash in /deck/packages/kubernetes (#7509) ( 401be8c5 )
  • deps: bump lodash-es from 4.17.21 to 4.18.1 in /deck-kayenta (#7599) ( 488c7116 )
  • deps: bump minimatch from 3.1.2 to 3.1.5 in /deck-kayenta (#7517) ( 7a624c52 )
  • deps: bump node-forge from 1.3.3 to 1.4.0 in /deck (#7582) ( d809a6e1 )
  • deps: bump path-to-regexp from 0.1.12 to 0.1.13 in /deck (#7583) ( 92609e78 )
  • deps: bump postcss from 8.5.3 to 8.5.12 in /deck/test/functional (#7659) ( 8ff0f9ef )
  • deps: bump postcss from 8.5.8 to 8.5.10 in /deck (#7664) ( caffebf8 )
  • deps: bump rollup from 3.29.5 to 3.30.0 in /deck/test/functional (#7512) ( 6497a1c3 )
  • deps: bump svgo from 2.8.0 to 2.8.2 in /deck (#7524) ( 25cb982b )
  • deps: bump uuid and @actions/core (#7653) ( c34013f6 )
  • deps: bump yaml in /.github/actions/spinnaker-release (#7566) ( 16281185 )
  • deps: bump yaml in /.github/actions/update-monorepo (#7565) ( 51ffb3f6 )
  • deps: update jinjava to 2.7.6 (#7536) ( 61787ec7 )
  • docs: add AGENTS.md, CLAUDE.md and copilot-instructions.md (#7559) ( a427629a )
  • gate/header: skip login of service account users when using header authentication (#7557) ( da35224f )
  • gate/web/test: mock ApplicationService to prevent noisy log output (#7562) ( f29d55e9 )
  • gate: parameterize raw types in OrcaService (#7586) ( b040c76f )
  • kork/sql-test: use postgres:16.13 to stay up to date (#7610) ( 4b1291af )
  • kork/sql/test: remove warnings + clean up test output (#7636) ( 07cc8180 )
  • kork/test: close the jedis pool before shutting down redis (#7558) ( 16db7d76 )
  • kustomize: Add auth to kustomize install and some defaults and an ingress (#7601) ( 678e231e )
  • lambda: Update UI lambda runtime defaults to match current releases (#7665) ( 1f25ba39 )
  • mergify: upgrade configuration to current format (#7645) ( 5f9a4afa )
  • oauth2: demonstrate that Bearer token is used to authenticate (#7545) ( 5282b204 )
  • publishing: Move to GHCR for image references (#7452) ( 79d8d240 )
  • wercker: Remove wercker as a dead product from spinnaker (#7622) ( 1c8205e9 )