Spinnaker Release 2025.2.0
Changelog
Breaking Changes
Clouddriver
https://github.com/spinnaker/spinnaker/pull/7240 changes constructors in AmazonCredentials / AssumeRoleAmazonCredentials / NetflixAmazonCredentials / NetflixAssumeRoleAmazonCredentials. Plugins or custom code may need corresponding changes (e.g. pass null for AwsConfigurationProperties) to continue to build.
Gate
Spring Security 5 Oauth2 Migration
https://github.com/spinnaker/spinnaker/pull/7052 removes deprecated OAuth2 annotations, and uses Spring Security 5’s DSL. Various steps are required for this upgrade. The properties for configuring OAuth2 in Gate have changed:
OAuth2 Configuration Property Mapping
security.authn.oauth2.enabled -> spring.security.oauth2.client (auto-configured by Spring Security)
security.authn.oauth2.provider -> spring.security.oauth2.client.registration.<providerId> (if provider is not specified in the old configuration, it should be set to 'other' in the new configuration)
security.authn.oauth2.client.clientId -> spring.security.oauth2.client.registration.<providerId>.client-id
security.authn.oauth2.client.clientSecret -> spring.security.oauth2.client.registration.<providerId>.client-secret
security.authn.oauth2.client.scope -> spring.security.oauth2.client.registration.<providerId>.scope
security.authn.oauth2.client.clientAuthenticationScheme -> spring.security.oauth2.client.registration.<providerId>.clientAuthenticationScheme
security.authn.oauth2.client.preEstablishedRedirectUri -> spring.security.oauth2.client.registration.<providerId>.redirect-uri (the URL should be in this format: https://<your-domain>/login/oauth2/code/<providerId>)
security.authn.oauth2.client.userAuthorizationUri -> spring.security.oauth2.client.provider.<providerId>.authorization-uri
security.authn.oauth2.client.accessTokenUri -> spring.security.oauth2.client.provider.<providerId>.token-uri
security.authn.oauth2.resource.userInfoUri -> spring.security.oauth2.client.provider.<providerId>.user-info-uri
security.authn.oauth2.userInfoMapping -> spring.security.oauth2.client.registration.userInfoMapping
security.authn.oauth2.userInfoRequirements -> spring.security.oauth2.client.registration.userInfoRequirements
Below are example configurations built from the mapping above.
old (google):
security:
  authn:
    oauth2:
      enabled: true
      client:
        clientId: <client-id>
        clientSecret: <client-secret>
        accessTokenUri: https://www.googleapis.com/oauth2/v4/token
        userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
        scope: profile email
      userInfoRequirements:
        hd: <domain>
      resource:
        userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      userInfoMapping:
        email: email
        firstName: given_name
        lastName: family_name
      provider: GOOGLE
new (google):
spring:
  security:
    oauth2:
      client:
        registration:
          userInfoMapping:
            email: email
            firstName: given_name
            lastName: family_name
          userInfoRequirements:
            hd: <domain>
          google:
            client-secret: <client-secret>
            scope: profile,email
            client-id: <client-id>
        provider:
          google:
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            authorization-uri: https://accounts.google.com/o/oauth2/v2/auth
            token-uri: https://www.googleapis.com/oauth2/v4/token
old (github):
security:
  authn:
    oauth2:
      enabled: true
      client:
        clientId: client-id
        clientSecret: client-secret
        accessTokenUri: https://github.com/login/oauth/access_token
        userAuthorizationUri: https://github.com/login/oauth/authorize
        scope: user,email
      resource:
        userInfoUri: https://api.github.com/user
      userInfoMapping:
        email: email
        firstName: ''
        lastName: name
        username: login
      provider: GITHUB
new (github):
spring:
  security:
    oauth2:
      client:
        registration:
          userInfoMapping:
            email: email
            firstName: ''
            lastName: name
            username: login
          github:
            client-secret: client-secret
            scope: user,email
            client-id: client-id
        provider:
          github:
            user-info-uri: https://api.github.com/user
            authorization-uri: https://github.com/login/oauth/authorize
            token-uri: https://github.com/login/oauth/access_token
Notes:
The useCurrentUri property from spring-security-oauth is not supported in Spring Security and has been removed as part of the migration.
halyard has been updated to generate the new configuration, with the same command as before, e.g.:
hal config security authn oauth2 edit --provider google --client-id some_id --client-secret some_secret --user-info-requirements hd=company.io
Additionally, your OAuth2 resource needs to be updated to support the new redirect URI format. The previous format (https://<your-domain>/login) has changed to https://<your-domain>/login/oauth2/code/<provider>, where provider is one of github, google, or other. We recommend supporting both URL formats in your provider temporarily, to avoid issues in case of a need to rollback.
You will need to clear sessions in Redis after upgrading to avoid deserialization exceptions in Gate.
$ redis-cli keys "spring:session*" | xargs redis-cli del
Finally, spin-cli has been updated to support the new version. After upgrading, spin-cli users will need to download the latest version and add provider to their OAuth config block.
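The mapping above can be applied mechanically. The converter below is an added example, not Spinnaker or Halyard code: it takes an old security.authn.oauth2 config as the nested dict a YAML loader produces, emits the spring.security.oauth2.client layout, lower-cases the provider (defaulting to other), rewrites preEstablishedRedirectUri into the new /login/oauth2/code/<providerId> form, and joins space-separated scopes with commas as in the Google example. The sample GitHub config is constructed for this example, with a made-up gate.example.com domain.

```python
from urllib.parse import urlsplit

# Constructed sample in the old (pre-2025.2.0) Gate layout, as a YAML loader would load it.
OLD_GITHUB = {"security": {"authn": {"oauth2": {
    "enabled": True,
    "client": {"clientId": "client-id", "clientSecret": "client-secret",
               "accessTokenUri": "https://github.com/login/oauth/access_token",
               "userAuthorizationUri": "https://github.com/login/oauth/authorize",
               "scope": "user,email",
               "preEstablishedRedirectUri": "https://gate.example.com/login"},
    "resource": {"userInfoUri": "https://api.github.com/user"},
    "userInfoMapping": {"email": "email", "firstName": "", "lastName": "name", "username": "login"},
    "provider": "GITHUB"}}}}


def migrate_oauth2(old):
    """Return the spring.security.oauth2.client.* equivalent of an old Gate OAuth2 config."""
    auth = old.get("security", {}).get("authn", {}).get("oauth2", {})
    if not auth.get("enabled", False):
        return {}  # disabled: the new layout has no enabled flag, so there is nothing to emit
    client, resource = auth.get("client", {}), auth.get("resource", {})
    # Old provider names are upper-case (GOOGLE, GITHUB); the registration key is
    # lower-case, and falls back to "other" when the old config set no provider.
    provider = auth.get("provider", "other").lower()
    registration = {
        "client-id": client["clientId"],
        "client-secret": client["clientSecret"],
        # Old configs list scopes space- or comma-separated; the new layout uses commas.
        "scope": ",".join(client.get("scope", "").replace(",", " ").split()),
    }
    if "clientAuthenticationScheme" in client:
        registration["clientAuthenticationScheme"] = client["clientAuthenticationScheme"]
    if "preEstablishedRedirectUri" in client:
        # The old URI was https://<your-domain>/login; the new one must be
        # https://<your-domain>/login/oauth2/code/<providerId>, so keep only scheme and host.
        u = urlsplit(client["preEstablishedRedirectUri"])
        registration["redirect-uri"] = f"{u.scheme}://{u.netloc}/login/oauth2/code/{provider}"
    registrations = {provider: registration}
    for key in ("userInfoMapping", "userInfoRequirements"):
        if key in auth:  # these two keep their camelCase names directly under registration
            registrations[key] = dict(auth[key])
    provider_cfg = {
        "authorization-uri": client["userAuthorizationUri"],
        "token-uri": client["accessTokenUri"],
        "user-info-uri": resource["userInfoUri"],
    }
    return {"spring": {"security": {"oauth2": {"client": {
        "registration": registrations, "provider": {provider: provider_cfg}}}}}}
```

Dump the returned dict with a YAML writer to get a gate-local.yml fragment; the redirect-uri it emits is the value the OAuth provider must also have registered.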
Features
Clouddriver
https://github.com/spinnaker/spinnaker/pull/7239 and https://github.com/spinnaker/spinnaker/pull/7240 add functionality to log the endpoints that the AWS sdk uses, controlled by two new config flags that default to false:
aws:
  client:
    logEndpoints: true
and
artifacts:
  s3:
    logEndpoints: true
aws.client.logEndpoints is for clients that AmazonClientBuilder creates, as well as NetflixSTSAssumeRoleSessionCredentialsProvider. artifacts.s3.logEndpoints is for clients that S3ArtifactCredentials creates.
Note: https://github.com/spinnaker/spinnaker/pull/7240 changes constructors in AmazonCredentials / AssumeRoleAmazonCredentials / NetflixAmazonCredentials / NetflixAssumeRoleAmazonCredentials. Plugins or custom code may need corresponding changes (e.g. pass null for AwsConfigurationProperties) to continue to build.
- OAuth2: Current OAuth2 annotations are deprecated so using Java DSL way of configuring OAuth2 (#7052) ( c6a79fd0 )
- clouddriver/aws: Implement the account API for aws accounts (#7238) ( d41da1e2 )
- clouddriver/aws: log aws sdk endpoints (#7239) ( d19e1944 )
- clouddriver/aws: log the endpoint that aws sdk sts clients use (#7240) ( c390e6fb )
Configuration
Fixes
- clouddriver/aws: align CredentialsParser types in AmazonCredentialsInitializer (#7207) (#7208) ( 3c45b4c9 )
- clouddriver/aws: align CredentialsParser types in AmazonCredentialsInitializer (#7207) ( 57b5928f )
- deck: Fix RunJob external logs when component is not mounted and interpolation is needed (#7163) ( 9d86a95a )
- echo/rest: make it possible to send events to URLs with no trailing slash (#7212) (#7215) ( 824acc94 )
- echo/rest: make it possible to send events to URLs with no trailing slash (#7212) ( 0e8c45b4 )
- gate/web: add Retrofit2SyncCall.execute to SubnetController.allByCloudProvider (#7219) (#7221) ( 9b5dcd7b )
- gate/web: add Retrofit2SyncCall.execute to SubnetController.allByCloudProvider (#7219) ( 66b9ab01 )
- gcp: Fix a number of potential NPEs around deploy handling for google builds. Tied to groovy to java migration (#7227) (#7233) ( 4ea0d508 )
- gcp: Fix a number of potential NPEs around deploy handling for google builds. Tied to groovy to java migration (#7227) ( ffeaa35a )
- gcp: More NPE handling on some input (#7236) (#7237) ( 347cfb20 )
- gcp: More NPE handling on some input (#7236) ( 7177e163 )
- google: Add retry and status polling logic (#7191) (#7217) ( b1243f81 )
- google: Add retry and status polling logic (#7191) ( 5385827f )
- halyard/retrofit2: fix DaemonService’s convertor factory (#7230) (#7232) ( 66ade3f8 )
- halyard/retrofit2: fix DaemonService’s convertor factory (#7230) ( 1a83ac38 )
- halyard/retrofit2: fix daemon service getTask API definition (#7206) (#7209) ( a75b383c )
- halyard/retrofit2: fix daemon service getTask API definition (#7206) ( 4d991929 )
- orca/clouddriver: correct parameter order for requestOperations to avoid invalid cloudProvider errors (#7201) (#7204) ( 7f6e3e2f )
- orca/clouddriver: correct parameter order for requestOperations to avoid invalid cloudProvider errors (#7201) ( f45b7fd8 )
- orca/retrofit2: fix orca bakeservice api (#7224) (#7225) ( e0a64b30 )
- orca/retrofit2: fix orca bakeservice api (#7224) ( 6c47bbfa )
- sql: Update account type column during upserts (#7242) ( ba06d158 )
Other
- build: dynamic version indexing in tag name based on type (#7202) (#7203) ( e9d8ebc4 )
- build: dynamic version indexing in tag name based on type (#7202) ( 18758e3a )
- dependency: update bc version from 1.77 to 1.81 (#7211) ( c051f965 )
- deps: bump sha.js from 2.4.11 to 2.4.12 in /deck (#7213) ( 0c97ecd1 )
- deps: bump tmp from 0.2.3 to 0.2.5 in /deck/test/functional (#7231) ( de171bc4 )
- deps: bump tmp in /.github/actions/spinnaker-release (#7229) ( da68ba66 )
- graphql: Remove unused and legacy graphql libraries and sample endpoints (#7244) ( fe879f8b )
- kubernetes: convert load balancer details component to react (#7222) ( c42106e7 )
- kubernetes: convert manifest actions modal components to react (#7223) ( e0801020 )
- kubernetes: de-angularize services, and components (#7228) ( e5a54ada )