v2.26.3 Armory Enterprise Release (Spinnaker™ v1.26.6)

Release notes for Armory Enterprise v2.26.3

2021/09/24 Release Notes

Note: If you’re experiencing production issues after upgrading Spinnaker, rollback to a previous working version and please report issues to http://go.armory.io/support.

Required Halyard or Operator version

To install, upgrade, or configure Armory 2.26.3, use one of the following tools:

  • Armory-extended Halyard 1.12 or later

    • 2.26.x is the last minor release that you can use Halyard to install or manage. Future releases require the Armory Operator. For more information, see Halyard Deprecation.
  • Armory Operator 1.2.6 or later

    For information about upgrading, Operator, see Upgrade the Operator.

Security

Armory scans the codebase as we develop and release software. For information about CVE scans for this release, see the Support Portal. Note that you must be logged in to the portal to see the information.

Breaking changes

Java 11.0.11+, TLS 1.1 communication failure

This is an issue between Java 11.0.11 and TLSv1.1. Only installations using TLSv1.1 will encounter communication failures between services when those services upgrade to Java 11.0.11+.

TLSv1.1 was deprecated in March of 2020 and reached end-of-life in March of 2021. You should no longer be using TLSv1.1 for secure communication.

Oracle released Java 11.0.11 in April of 2021. Java 11.0.11 dropped support for TLSv1.1. See the Java release notes for details.

Impact

Any services running under Java 11.0.11+ and using TLSv1.1 will encounter a communication failure. For example, you will see a communication failure between an Armory Enterprise service running under Java 11.0.1 and MySQL 5.7 if the MySQL driver is using TLSv1.1.

The version of Java depends on the version used by the Docker container’s OS. Most Armory Enterprise services are using Alpine 3.11 or 3.12, which does not use Java 11.0.11. However, Alpine 3.11 is end-of-life in November of 2021, and 3.12 is end-of-life in May of 2022. There is no guarantee that Java 11.0.11+ won’t be added to those container images by some other manner. You should modify your TLSv1.1 environment now so you don’t encounter communication failures.

Fix

Choose the option that best fits your environment.

  1. Disable TLSv1.1 and enable TLSv1.2 (preferred):

    See Knowledge Base articles Disabling TLS 1.1 in Spinnaker and Specifying the Protocols to be used and How to fix TLS error “Reason: extension (5) should not be presented in certificate_request”.

  2. Add a query parameter to the MySQL JDBC URIs:

    ?enabledTLSProtocols=TLSv1.2
    

    Note that this only fixes communication between Armory Enterprise and MySQL.

    See MySQL communication failure when using TSL1.1 for more information.

Kubernetes version for deployment targets

Armory Enterprise 2.26 no longer supports Kubernetes deployment targets prior to version 1.16.

Impact

Any Kubernetes deployment target must run version 1.16 or higher. If you try to deploy to clusters older than 1.16, you may see errors like the following in the UI:

The UI shows an Unexpected Task Failure error.

Additionally, errors like the following appear in the Clouddriver logs:

2021-05-04 21:17:16.032 WARN 1 --- [0.0-7002-exec-9] c.n.s.c.k.c.ManifestController : Failed to read manifest

com.netflix.spinnaker.clouddriver.kubernetes.op.handler.UnsupportedVersionException: No replicaSet is supported at api version extensions/v1beta1
at com.netflix.spinnaker.clouddriver.kubernetes.op.handler.KubernetesReplicaSetHandler.status(KubernetesReplicaSetHandler.java:98) ~[clouddriver-kubernetes.jar:na]
2021-05-05 14:29:09.653 WARN 1 --- [utionAction-538] c.n.s.c.k.c.a.KubernetesCachingAgent : kubernetes/KubernetesCoreCachingAgent[1/1]: Failure adding relationships for service

com.netflix.spinnaker.clouddriver.kubernetes.op.handler.UnsupportedVersionException: No replicaSet is supported at api version extensions/v1beta1
at com.netflix.spinnaker.clouddriver.kubernetes.op.handler.KubernetesReplicaSetHandler.getPodTemplateLabels(KubernetesReplicaSetHandler.java:167)

Workaround

If you are affected by this change, perform the following tasks to update your applications:

  • Upgrade the Kubernetes clusters that you are trying to deploy to. They must run version 1.16 or higher.
  • If you have manifest files using deprecated APIs, update them to use newer APIs. For more information on which APIs are deprecated in each Kubernetes version and how to migrate, see the Kubernetes Deprecated API Migration Guide.

Introduced in: Armory 2.26.0

Kubernetes infrastructure in the UI

Starting in 2.26, the UI has been updated to more closely follow immutable infrastructure principles.

When you navigate to the Infrastructure tab in the UI for an application that has the Kubernetes provider configured, actions that change the Kubernetes infrastructure (such as Create or Delete), including Clusters, Load Balancers, and Firewalls, are no longer available.

Impact

Users do not see these actions in the UI by default. You must configure the UI to display them if you want your users to be able to perform them through the UI.

Workaround

Whether or not these actions are available in the UI is controlled by the following property in settings-local.yml:

window.spinnakerSettings.kubernetesAdHocInfraWritesEnabled = <boolean>;

This setting does not completely prevent users from modifying Kubernetes infrastructure through Armory Enterprise. To do so, you must use the Policy Engine and write policies using the spinnaker.http.authz package.

If you use the Policy Engine to control which user roles can see the UI actions and be able to use them, you must set this property to true. Setting the value to false hides the buttons for all users regardless of whether you grant specific users access to the buttons through the Policy Engine.

This property affects Kubernetes infrastructure only. The behavior is slightly different depending on if the application has only the Kubernetes provider configured or Kubernetes and other providers, such as AWS.

If the application only has the Kubernetes provider configured, the following applies:

  • When set to true, this property causes the UI to function as it did in previous releases. This allows people to manually create and delete Kubernetes infrastructure from the UI.
  • When set to false, this property causes the actions to be unavailable to users. This prevents users from manually creating and deleting Kubernetes infrastructure from the UI. The users can still view the infrastructure but cannot make changes through the UI.

If the application includes Kubernetes and other providers, the following applies:

  • When set to true, this property causes the UI to function as it did in previous releases. This allows people to manually create and delete Kubernetes infrastructure from the UI. Users can continue to select whether they want to create Kubernetes or other infrastructure in the UI.
  • When set to false, this property causes Kubernetes to be unavailable as an option when trying to modify infrastructure from the UI. Users can still make changes to infrastructure for the application from cloud providers, such as AWS, but not Kubernetes.

Introduced in: Armory 2.26.0

Known issues

Bake failures

The Packer version included with Rosco disregards package overrides that use the -var-file= option. This may cause bakes to fail.

Affected versions: 2.22.2 and later

SpEL expressions and artifact binding

There is an issue where it appears that SpEL expressions are not being evaluated properly in artifact declarations (such as container images) for events such as the Deploy Manifest stage. What is actually happening is that an artifact binding is overriding the image value.

Workaround:

2.27.x or later: Disable artifact binding by adding the following parameter to the stage JSON: enableArtifactBinding: false.

2.26.x or later: Change the artifact binding behavior in spec.spinnakerConfig.profiles.clouddriver (Operator) or clouddriver-local.yml (Halyard) to the following, which causes artifacts to only bind the version when the tag is missing:

kubernetes:
  artifact-binding:
    docker-image: match-name-only

This setting only binds the version when the tag is missing, such as image: nginx without a version number.

Affected versions: 2.26.x and later

Pipelines as Code GitHub comments

There is a known issue where Pipelines as Code can generate hundreds of comments in a GitHub Pull Request (PR) when updates are made, such as when a module that is used by multiple dinghyfiles gets changed. These comments may prevent the GitHub UI from loading or related API calls may lead to rate limiting.

Affected versions: 2.26.x and later

Workaround:

You can either manually resolve the comments so that you can merge any PRs or turn the notifications that Pipelines as Code sends to GitHub.

For information about about how to disable this functionality, see GitHub Notifications.

Highlighted updates

AWS Lambda

  • Fixed an issue where infrastructure for Lambda functions was not being displayed in the UI. This was related to Lambda functions and their event source mappings.

Spinnaker Community Contributions

There have also been numerous enhancements, fixes, and features across all of Spinnaker’s other services. See the Spinnaker v1.26.6 changelog for details.

Detailed updates

Bill Of Materials (BOM)

Here’s the BOM for this version.

Expand
version: 2.26.3
timestamp: "2021-09-23 02:12:12"
services:
    clouddriver:
        commit: d361f7e62fe555fda9dd5682b64627f4703563a8
        version: 2.26.20
    deck:
        commit: 198d62eae2710dceed1f462e50a183abba613fef
        version: 2.26.10
    dinghy:
        commit: d1406fad85771d7f44a266d3302d6195c00d7ec2
        version: 2.26.11
    echo:
        commit: c1e9ced6759392159ee628e63cc5808a1c5d8fdd
        version: 2.26.11
    fiat:
        commit: ea4874e41748992d24e0a36a5534bc37d0aa0d31
        version: 2.26.12
    front50:
        commit: ba5b33e616e51dc0e655f40da18277c9434ca5fe
        version: 2.26.13
    gate:
        commit: a7242aa7506dff2f342c69562666308c653fae17
        version: 2.26.11
    igor:
        commit: d1ad3f87ee857a73f6e546ea4cc410286e87cea9
        version: 2.26.11
    kayenta:
        commit: 4f668d1297a5d205d516667c1af6902d0d9f380f
        version: 2.26.12
    monitoring-daemon:
        version: 2.26.0
    monitoring-third-party:
        version: 2.26.0
    orca:
        commit: a3463f61ff082502c1c6cb35ea7b01aeee5456a9
        version: 2.26.17
    rosco:
        commit: 1dfc60f1f70ccdadc2cc03ff9f27b5ca39bb9c39
        version: 2.26.15
    terraformer:
        commit: 2dc177734c1445252dfeb3b8353ce94596c8a4c3
        version: 2.26.13
dependencies:
    redis:
        version: 2:2.8.4-2
artifactSources:
    dockerRegistry: docker.io/armory

Armory

Armory Igor - 2.26.10…2.26.11

  • chore(build): remove platform build (#257)

Armory Clouddriver - 2.26.19…2.26.20

  • chore(cd): update base service version to clouddriver:2021.09.01.22.20.35.release-1.26.x (#412)
  • chore(cd): update base service version to clouddriver:2021.09.02.07.27.19.release-1.26.x (#413)
  • chore(cd): update base service version to clouddriver:2021.09.02.07.44.26.release-1.26.x (#414)
  • chore(cd): update base service version to clouddriver:2021.09.02.17.47.50.release-1.26.x (#416)
  • chore(build): remove platform build (#426)
  • chore(cd): update base service version to clouddriver:2021.09.09.21.52.53.release-1.26.x (#432)
  • chore(cd): update base service version to clouddriver:2021.09.09.23.19.30.release-1.26.x (#433)
  • chore(cd): update base service version to clouddriver:2021.09.10.19.35.46.release-1.26.x (#438)
  • chore(cd): update base service version to clouddriver:2021.09.17.17.07.10.release-1.26.x (#445)
  • chore(cd): update base service version to clouddriver:2021.09.17.18.53.46.release-1.26.x (#447)

Armory Fiat - 2.26.11…2.26.12

  • chore(build): remove platform build (#251)

Armory Kayenta - 2.26.11…2.26.12

Terraformer™ - 2.26.12…2.26.13

  • chore(build): remove platform build (#440)

Armory Deck - 2.26.9…2.26.10

  • chore(build): remove platform build (#1116)
  • fix(build): use same name than GHA (#1119)
  • chore(cd): update base deck version to 2021.0.0 20210922221550.release-1.26.x-166666656 (#1120)

Armory Gate - 2.26.10…2.26.11

  • chore(build): remove platform build (#326)

Armory Rosco - 2.26.14…2.26.15

Armory Front50 - 2.26.12…2.26.13

  • chore(cd): update base service version to front50:2021.06.25.20.05.12.release-1.26.x (#307)

Armory Orca - 2.26.16…2.26.17

  • fix(build): remove redhat publishing (#357)

Dinghy™ - 2.26.10…2.26.11

  • chore(build): remove platform build (#455)

Armory Echo - 2.26.10…2.26.11

  • chore(build): remove platform build (#368)

Last modified April 12, 2022: (24a04f9a)