v2.40.1 Armory Continuous Deployment Release Feature (Spinnaker™ v2026.2.2)
2026/07/15 release notes
Note: If you experience production issues after upgrading Armory Continuous Deployment, roll back to a previous working version and report issues to http://go.armory.io/support.
Required Armory Operator version
Important
Armory Operator has been deprecated and will is considered EOL. Please migrate to the Kustomize method of deployment.To install, upgrade, or configure Armory CD 2.40.1, use Armory Operator 1.8.6 or later.
Security
Armory scans the codebase as we develop and release software. Contact your Armory account representative for information about CVE scans for this release.
Breaking changes
Breaking changes are kept in this list for 3 minor versions from when the change is introduced. For example, a breaking change introduced in 2.21.0 appears in the list up to and including the 2.24.x releases. It would not appear on 2.25.x release notes.
Gate: Spring Security 5 Oauth2 Migration
Armory CD 2.38.0 removes deprecate Oauth2 annotations and uses Spring Security 5 DSL. In order to configure oauth2 in gate-local.yml have changed to:
Google Oauth configuration
spring:
security:
oauth2:
client:
registration:
google:
client-id: <client-id>
client-secret: <client-secret>
authorization-grant-type: authorization_code
redirect-uri: "https://<your-domain>/login/oauth2/code/google"
scope: profile,email,openid
client-name: google
provider:
google:
authorization-uri: https://accounts.google.com/o/oauth2/auth
token-uri: https://oauth2.googleapis.com/token
user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
user-name-attribute: sub
Github Oauth2 configuration
spring:
security:
oauth2:
client:
registration:
userInfoMapping:
email: email
firstName: ''
lastName: name
username: login
github:
client-id: <client-id>
client-secret: <client-secret>
authorization-grant-type: authorization_code
redirect-uri: "https://<your-domain>/login/oauth2/code/github"
scope: user,email
client-name: github
provider:
github:
authorization-uri: https://github.com/login/oauth/authorize
token-uri: https://github.com/login/oauth/access_token
user-info-uri: https://api.github.com/user
user-name-attribute: login
Orca: Tasks configuration changes
The following configuration properties have been restructured in orca-local.yml:
Previous Configuration:
tasks:
days-of-execution-history:
number-of-old-pipeline-executions-to-include:
New configuration format
tasks:
controller:
days-of-execution-history:
number-of-old-pipeline-executions-to-include:
optimize-execution-retrieval: <boolean>
max-execution-retrieval-threads:
max-number-of-pipeline-executions-to-process:
execution-retrieval-timeout-seconds:
These changes improve query performance and execution retrieval efficiency, particularly for large-scale pipeline applications.
Policy Engine (OPA) is now built into Armory CD
The Policy Engine is now built into the Armory CD distribution. The Armory.PolicyEngine plugin and the armory.opa configuration block are replaced by a native armory.policy-engine block. Remove the Armory.PolicyEngine plugin from spinnaker.extensibility.plugins in every service that had it configured and update the configuration block in clouddriver-local.yml, front50-local.yml, and any other service profile that references OPA:
Previous:
armory:
opa:
enabled: true
url: http://opa-server.opa:8181/v1
New:
armory:
policy-engine:
enabled: true
baseurl: http://opa-server.opa:8181/v1
The OPA server deployment and policies are unchanged.
Kubernetes Agent (Kubesvc) is now built into Armory CD
The Scale Agent plugin (Armory.Kubesvc) is now built into the Armory CD Clouddriver image. The plugin, its repository, and the top-level kubesvc: configuration block must be replaced by the native armory.kubesvc: block in clouddriver-local.yml:
Previous:
kubesvc:
cluster: kubernetes
spinnaker:
extensibility:
plugins:
Armory.Kubesvc:
enabled: true
version: 0.16.2
extensions:
armory.kubesvc:
enabled: true
repositories:
armory-agent:
url: https://raw.githubusercontent.com/armory-io/agent-k8s-spinplug-releases/master/repositories.json
New:
armory:
kubesvc:
enabled: true
cluster: kubernetes
All sub-properties (grpc, cache, heartbeat, operations, credentials) stay the same — only the parent key changes. Remove Armory.Kubesvc from spinnaker.extensibility.plugins and armory-agent from spinnaker.extensibility.repositories. The Armory Agent service deployed in target clusters is unchanged.
Spring Boot 3.5 upgrade
Armory CD 2.40.1 upgrades to Spring Boot 3.5, the latest supported release. This is a major upgrade from Spring Boot 3.0 introduced in Armory CD 2.39.0. Plugins built against earlier Spring Boot versions will need to be updated to be compatible with this release.
Actuator metrics export property changes (introduced in 2.39.0)
If upgrading from a version prior to 2.39.0, note that the metrics export properties have moved:
| Old Property Prefix | New Property Prefix |
|---|---|
management.metrics.export.<product> | management.<product>.metrics.export |
Gate session data cleanup (introduced in 2.39.0)
If upgrading from a version prior to 2.39.0, flush Gate’s Redis session cache before upgrading:
redis-cli keys "spring:session*" | xargs redis-cli del
YAML parsing limits now configurable
Starting with SnakeYAML 1.33, strict safety limits are enforced by default (maxAliasesForCollections = 50, codePointLimit = 3145728). These can cause large or alias-heavy YAML files such as Kubernetes manifests to fail. Two new properties allow operators to override these limits:
snakeyaml:
max-aliases-for-collections: 500 # default: 50
code-point-limit: 10485760 # default: 3145728
OSS Spinnaker images moved to GHCR
OSS Spinnaker images are no longer published to Google Artifact Registry (GAR) and now pull from GitHub Container Registry (GHCR) at ghcr.io/spinnaker/. Armory CD images continue to be published to Docker Hub (docker.io/armory) and are unaffected. If you consume any OSS Spinnaker images directly alongside your Armory CD deployment, update those image references to point to GHCR before upgrading.
Halyard fully deprecated
Halyard is no longer supported and will not receive patches or updates. Migrate to spinnaker-kustomize or a similar implementation.
MySQL 8+ now required
Due to recent SQL library upgrades, MySQL 5.7 is no longer supported and will fail on startup. You must be running MySQL 8.0+ or an equivalent MariaDB version before upgrading to Armory CD 2.40.1.
Redis/Valkey 7+ now required
Redis or Valkey 7.0+ is required for Armory CD 2.40.1. Older versions are not supported and may cause failures. Armory already deploys Redis 7+ by default — verify your Redis version before upgrading if you manage your own Redis instance.
AWS SDK v1 deprecated
AWS SDK v2 support has been introduced across Spinnaker services. AWS SDK v1 is expected to be removed in an upcoming release. If you have custom implementations using SDK v1, begin migrating to the v2 integrations now.
EDDA support removed
EDDA is no longer supported and will be removed once the AWS SDK v2 migration is complete. If you rely on EDDA, contact the Spinnaker Slack community before upgrading.
Armory Scale Agent (Kubesvc) deprecation notice
The Armory Scale Agent (Kubesvc) is planned for deprecation in the next major release of Armory CD.
URL trailing-slash handling changed
Due to Spring Boot changes, a new filter has been added that restores lenient handling of trailing slashes. If you have controllers (in plugins or custom code) that only register a trailing-slash route, those controllers may break. You can adjust or disable this filter per service:
url-handler:
trailing-slash:
enabled: true # set false to opt out
path-patterns:
- "/**" # narrow if desired
It is recommended to update any affected controllers to handle both paths with and without a trailing slash.
Known issues
No known issues at this time.
Highlighted updates
Gate: API token authentication
Spinnaker now supports first-class, revocable API tokens for authenticating programmatic requests against Gate. Tokens are minted, listed, and revoked through a new self-service UI in Deck, persisted in Redis by Gate, and resolved on every inbound request by a dedicated Spring Security chain.
The feature is off by default. To enable, add the following to your gate-local.yml:
api-tokens:
enabled: true
Key capabilities:
- Per-credential revocation — revoking one token does not affect other tokens for the same user or service account
- Bounded lifetime — user tokens always expire; admin-tunable max lifetimes (90 days for users, 365 days for service accounts by default)
- IAP-compatible — tokens use the
X-Spinnaker-Token: spk_…header, which flows cleanly through GCP IAP - Operator observability — a new
gate.requestscounter tagged withauthType,principalKind,method,statusCode, andstatus
ECS: Major performance improvements
ECS caching agents have been migrated to AWS SDK v2 and significantly optimized. Previously, several agents loaded all data for all accounts into memory before filtering. These agents now load only the data relevant to the requested account, significantly reducing memory footprint and database throughput for deployments with large numbers of ECS accounts.
Microsoft Teams: Jinja template support
The Microsoft Teams notification integration now uses configurable Jinja templates to determine notification payloads, replacing the previously hardcoded message format. Two templates are provided out of the box and can be overridden:
event-notification.jinjapipeline-notification.jinja
To override with custom templates, set the template path in your echo-local.yml:
microsoftteams:
enabled: true
templatePath: /opt/spinnaker/config/teams-templates
Note: status is now a required field on pipeline notification templates. Users on legacy Outlook webhook endpoints will receive deprecation warnings in logs — see the migration guide for details.
Igor: Jenkins job cancellation
When a Spinnaker pipeline is cancelled, any associated Jenkins job triggered by that pipeline is now also cancelled automatically.
Webhooks: Stage timeout support
Webhook stages now respect the overridden stageTimeoutMs value set on the stage configuration. Previously this value was ignored, causing webhook stages to run until the global timeout elapsed.
AWS SDK v2: Credentials bridge for non-AWS environments
The AWS SDK v2 credential path now bridges v1 credentials to v2, fixing credential discovery in non-AWS environments such as GKE pods using STS assume-role. Previously the v2 path used DefaultCredentialsProvider which could not discover credentials in these environments. All configured v1 AWSCredentialsProvider instances (including STS assume-role with token refresh) are now adapted for use by the v2 SDK.
Spinnaker community contributions
There have also been numerous enhancements, fixes, and features across all of Spinnaker’s other services. See the Spinnaker 2026.2.2 changelog for details.
Notable upstream changes included in this release span OSS versions 2026.2.0 through 2026.2.2:
- Spring Boot upgraded to 3.5 (latest supported release)
- Gradle 8 upgrade
- UI build system migrated from yarn/npm to pnpm
- ECS caching agents migrated to AWS SDK v2
- API token authentication support added to Gate
- Microsoft Teams Jinja template notifications
- Jenkins job cancellation on pipeline cancel
- Webhook stage timeout now respected
- CVE dependency upgrades (2026.2.2)
- Kayenta stage UI formatting fix (2026.2.2)
Detailed updates
Bill Of Materials (BOM)
Expand to see the BOM
artifactSources:
dockerRegistry: docker.io/armory
dependencies:
redis:
commit: null
version: 2:2.8.4-2
services:
clouddriver:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
deck:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
dinghy:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
echo:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
fiat:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
front50:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
gate:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
igor:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
kayenta:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
monitoring-daemon:
commit: null
version: 2.26.0
monitoring-third-party:
commit: null
version: 2.26.0
orca:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
rosco:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
terraformer:
commit: e099cb401ee08c956cd23ff1871e2d403263f479
version: 2.40.1
timestamp: "2026-07-15 12:34:36"
version: 2.40.1
Armory
Armory Clouddriver - 2.40.0…2.40.1
- fix(perf): ECS loaded ALL data for ALL accounts then filtered (#7672)
- feat(ecs): migrate ECS caching agents to AWS SDK v2 (#7742)
- fix(docker): Fixes an issue with RBAC around docker images (#7746)
- feat(aws): make AmazonClientProvider bilingual (v1 + v2 SDK) (#7705)
Armory Dinghy - 2.40.0…2.40.1
Armory Rosco - 2.40.0…2.40.1
Armory Deck - 2.40.0…2.40.1
- feat(api-tokens): add API token authentication support UI
Armory Echo - 2.40.0…2.40.1
- feat(teams): Allow adaptive and custom templates for MS Teams messages using Jinja (#7741)
- feat(echo): add trace hierarchy, stage names and customData promotion to OTLP CDEvents spans
Armory Fiat - 2.40.0…2.40.1
Armory Front50 - 2.40.0…2.40.1
Armory Gate - 2.40.0…2.40.1
- feat(api-tokens): add API token authentication support (#7683)
- fix(mvc): UrlHandlerFilter to trailing slash handle route matching (#7755)
Armory Terraformer - 2.40.0…2.40.1
Armory Igor - 2.40.0…2.40.1
- fix(jenkins): cancel Jenkins job when Spinnaker pipeline is cancelled (#7752)
Armory Kayenta - 2.40.0…2.40.1
- fix(kayenta): Fix kayenta stage UI formatting (#7779)
Armory Orca - 2.40.0…2.40.1
- fix(orca): Pipeline bulk save breaks with managed service accounts (#7688)
- chore(change): Fixes #7282: honor
stageTimeoutMsinCreateWebhookTask(#7689)
Spinnaker
Spinnaker Clouddriver - 2026.2.2
- fix(perf): ECS loaded ALL data for ALL accounts then filtered (#7672)
- feat(ecs): migrate ECS caching agents to AWS SDK v2 (#7742)
- fix(docker): Fixes an issue with RBAC around docker images (#7746)
- feat(aws): make AmazonClientProvider bilingual (v1 + v2 SDK) (#7705)
- fix(aws): bridge v1 credentials to v2 in AmazonCredentials.getV2CredentialsProvider() (#7766)
Spinnaker Deck - 2026.2.2
- feat(api-tokens): add API token authentication support UI
Spinnaker Echo - 2026.2.2
- feat(teams): Allow adaptive and custom templates for MS Teams messages using Jinja (#7741)
- feat(echo): add trace hierarchy, stage names and customData promotion to OTLP CDEvents spans
- fix(echo): Fix Microsoft Teams webhook URL doubling in Retrofit2 migration (#7718)
- fix(echo): GitHub status conversion exception (#7701)
Spinnaker Fiat - 2026.2.2
Spinnaker Front50 - 2026.2.2
Spinnaker Gate - 2026.2.2
- feat(api-tokens): add API token authentication support (#7683)
- fix(mvc): UrlHandlerFilter to trailing slash handle route matching (#7755)
Spinnaker Igor - 2026.2.2
- fix(jenkins): cancel Jenkins job when Spinnaker pipeline is cancelled (#7752)
Spinnaker Kayenta - 2026.2.2
- fix(kayenta): Fix kayenta stage UI formatting (#7779)
- chore(cves): Upgrade various deps based on security scans (#7775)
Spinnaker Orca - 2026.2.2
- fix(orca): Pipeline bulk save breaks with managed service accounts (#7688)
- chore(change): Fixes #7282: honor
stageTimeoutMsinCreateWebhookTask(#7689)
Spinnaker Rosco - 2026.2.2
Spinnaker Dinghy - 2026.2.2
Spinnaker Terraformer - 2026.2.2
Feedback
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified July 15, 2026: (6aacfcaf)