From f4bc3ec79347ebe49e4918dd01a48677ce807593 Mon Sep 17 00:00:00 2001 From: armory-astrolabe Date: Thu, 16 Oct 2025 11:31:01 +0000 Subject: [PATCH 1/3] chore(release): add release notes for 2.38.0-rc2 --- .../armoryspinnaker_v2-38-0-rc2.md | 203 ++++++++++++++++++ payload.json | 200 +++++++++-------- 2 files changed, 308 insertions(+), 95 deletions(-) create mode 100644 content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md diff --git a/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md b/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md new file mode 100644 index 0000000000..4432fe9be1 --- /dev/null +++ b/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md 
@@ -0,0 +1,203 @@ +--- +title: v2.38.0-rc2 Armory Continuous Deployment Release (Spinnaker™ v1.38.0) +toc_hide: true +date: 2025-10-16 +version: +description: > + Release notes for Armory Continuous Deployment v2.38.0-rc2. A beta release is not meant for installation in production environments. + +--- + +## 2025/10/16 release notes + +## Disclaimer + +This pre-release software is to allow limited access to test or beta versions of the Armory services (“Services”) and to provide feedback and comments to Armory regarding the use of such Services. By using Services, you agree to be bound by the terms and conditions set forth herein. + +Your Feedback is important and we welcome any feedback, analysis, suggestions and comments (including, but not limited to, bug reports and test results) (collectively, “Feedback”) regarding the Services. Any Feedback you provide will become the property of Armory and you agree that Armory may use or otherwise exploit all or part of your feedback or any derivative thereof in any manner without any further remuneration, compensation or credit to you. You represent and warrant that any Feedback which is provided by you hereunder is original work made solely by you and does not infringe any third party intellectual property rights. + +Any Feedback provided to Armory shall be considered Armory Confidential Information and shall be covered by any confidentiality agreements between you and Armory. + +You acknowledge that you are using the Services on a purely voluntary basis, as a means of assisting, and in consideration of the opportunity to assist Armory to use, implement, and understand various facets of the Services. You acknowledge and agree that nothing herein or in your voluntary submission of Feedback creates any employment relationship between you and Armory. + +Armory may, in its sole discretion, at any time, terminate or discontinue all or your access to the Services. 
You acknowledge and agree that all such decisions by Armory are final and Armory will have no liability with respect to such decisions. + +YOUR USE OF THE SERVICES IS AT YOUR OWN RISK. THE SERVICES, THE ARMORY TOOLS AND THE CONTENT ARE PROVIDED ON AN “AS IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ARMORY AND ITS LICENSORS MAKE NO REPRESENTATION, WARRANTY, OR GUARANTY AS TO THE RELIABILITY, TIMELINESS, QUALITY, SUITABILITY, TRUTH, AVAILABILITY, ACCURACY OR COMPLETENESS OF THE SERVICES, THE ARMORY TOOLS OR ANY CONTENT. ARMORY EXPRESSLY DISCLAIMS ON ITS OWN BEHALF AND ON BEHALF OF ITS EMPLOYEES, AGENTS, ATTORNEYS, CONSULTANTS, OR CONTRACTORS ANY AND ALL WARRANTIES INCLUDING, WITHOUT LIMITATION (A) THE USE OF THE SERVICES OR THE ARMORY TOOLS WILL BE TIMELY, UNINTERRUPTED OR ERROR-FREE OR OPERATE IN COMBINATION WITH ANY OTHER HARDWARE, SOFTWARE, SYSTEM OR DATA, (B) THE SERVICES AND THE ARMORY TOOLS AND/OR THEIR QUALITY WILL MEET CUSTOMER”S REQUIREMENTS OR EXPECTATIONS, (C) ANY CONTENT WILL BE ACCURATE OR RELIABLE, (D) ERRORS OR DEFECTS WILL BE CORRECTED, OR (E) THE SERVICES, THE ARMORY TOOLS OR THE SERVER(S) THAT MAKE THE SERVICES AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. CUSTOMER AGREES THAT ARMORY SHALL NOT BE RESPONSIBLE FOR THE AVAILABILITY OR ACTS OR OMISSIONS OF ANY THIRD PARTY, INCLUDING ANY THIRD-PARTY APPLICATION OR PRODUCT, AND ARMORY HEREBY DISCLAIMS ANY AND ALL LIABILITY IN CONNECTION WITH SUCH THIRD PARTIES. + +IN NO EVENT SHALL ARMORY, ITS EMPLOYEES, AGENTS, ATTORNEYS, CONSULTANTS, OR CONTRACTORS BE LIABLE UNDER THIS AGREEMENT FOR ANY CONSEQUENTIAL, SPECIAL, LOST PROFITS, INDIRECT OR OTHER DAMAGES, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOSS OF BUSINESS, COST OF COVER WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF ARMORY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. 
IN ANY EVENT, ARMORY, ITS EMPLOYEES’, AGENTS’, ATTORNEYS’, CONSULTANTS’ OR CONTRACTORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT FOR ANY CLAIM SHALL BE STRICTLY LIMITED TO $100.00. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. + +You acknowledge that Armory has provided the Services in reliance upon the limitations of liability set forth herein and that the same is an essential basis of the bargain between the parties. + + +## Required Armory Operator version + +To install, upgrade, or configure Armory CD 2.38.0-rc2, use Armory Operator 1.70 or later. + +## Security + +Armory scans the codebase as we develop and release software. Contact your Armory account representative for information about CVE scans for this release. + +## Breaking changes + + +> Breaking changes are kept in this list for 3 minor versions from when the change is introduced. For example, a breaking change introduced in 2.21.0 appears in the list up to and including the 2.24.x releases. It would not appear on 2.25.x release notes. + +## Known issues + + +## Highlighted updates + + + + + + +### Spinnaker community contributions + +There have also been numerous enhancements, fixes, and features across all of Spinnaker's other services. See the +[Spinnaker v1.38.0](https://www.spinnaker.io/changelogs/1.38.0-changelog/) changelog for details. + +## Detailed updates + +### Bill Of Materials (BOM) + +
Expand to see the BOM +
+artifactSources:
+  dockerRegistry: docker.io/armory
+dependencies:
+  redis:
+    commit: null
+    version: 2:2.8.4-2
+services:
+  clouddriver:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  deck:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  dinghy:
+    commit: babaa4704f1df8a6f6b42e533716396c8a0f529b
+    version: 2.38.0-rc2
+  echo:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  fiat:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  front50:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  gate:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  igor:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  kayenta:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  monitoring-daemon:
+    commit: null
+    version: 2.26.0
+  monitoring-third-party:
+    commit: null
+    version: 2.26.0
+  orca:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  rosco:
+    commit: 84dd609c94a99524dd30604d3cd10b24a08a9bfa
+    version: 2.38.0-rc2
+  terraformer:
+    commit: babaa4704f1df8a6f6b42e533716396c8a0f529b
+    version: 2.38.0-rc2
+timestamp: "2025-10-16 11:21:28"
+version: 2.38.0-rc2
+
+
+
+ +### Armory + + +#### Armory Kayenta - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Dinghy - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Orca - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Echo - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Igor - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Rosco - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Fiat - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Front50 - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Clouddriver - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Deck - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Gate - 2.38.0-rc1...2.38.0-rc2 + + +#### Armory Terraformer - 2.38.0-rc1...2.38.0-rc2 + + + +### Spinnaker + + +#### Spinnaker Kayenta - 1.38.0 + + +#### Spinnaker Dinghy - 1.38.0 + + +#### Spinnaker Orca - 1.38.0 + + +#### Spinnaker Echo - 1.38.0 + + +#### Spinnaker Igor - 1.38.0 + + +#### Spinnaker Rosco - 1.38.0 + + +#### Spinnaker Fiat - 1.38.0 + + +#### Spinnaker Front50 - 1.38.0 + + +#### Spinnaker Clouddriver - 1.38.0 + + +#### Spinnaker Deck - 1.38.0 + + +#### Spinnaker Gate - 1.38.0 + + +#### Spinnaker Terraformer - 1.38.0 + + diff --git a/payload.json b/payload.json index 033ec32558..496a4db3a6 100644 --- a/payload.json +++ b/payload.json 
@@ -2,144 +2,154 @@ "armoryServices": [ { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Igor", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Kayenta", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Terraformer™", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Dinghy", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Rosco", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Orca", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Gate", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Echo", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Echo", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Igor", + "previousVersion": "2.38.0-rc1" }, { - "commitMessages": [ - "fix(metadata): Reverting MetadataFilterOverride (#1450) (#1451)" - ], - "currentVersion": "2.36.1", - "name": "Armory Deck", - "previousVersion": "2.36.0" + "commitMessages": [], + "currentVersion": "2.38.0-rc2", + "name": "Armory Rosco", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Orca", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Fiat", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Kayenta", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Front50", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Dinghy™", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Clouddriver", + "previousVersion": "2.38.0-rc1" }, 
{ "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Front50", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Deck", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Clouddriver", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Gate", + "previousVersion": "2.38.0-rc1" }, { "commitMessages": [], - "currentVersion": "2.36.1", - "name": "Armory Fiat", - "previousVersion": "2.36.0" + "currentVersion": "2.38.0-rc2", + "name": "Armory Terraformer", + "previousVersion": "2.38.0-rc1" } ], - "armoryVersion": "2.36.1", + "armoryVersion": "2.38.0-rc2", "ossServices": [ { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Igor", - "previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Kayenta", + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Rosco", - "previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Dinghy", + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Gate", - "previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Orca", + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", + "currentVersion": "1.38.0", "name": "Spinnaker Echo", - "previousVersion": "1.36.0" + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Deck", - "previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Igor", + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Orca", - "previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Rosco", + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Kayenta", - 
"previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Fiat", + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", + "currentVersion": "1.38.0", "name": "Spinnaker Front50", - "previousVersion": "1.36.0" + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", + "currentVersion": "1.38.0", "name": "Spinnaker Clouddriver", - "previousVersion": "1.36.0" + "previousVersion": "1.38.0" }, { "commitMessages": [], - "currentVersion": "1.36.1", - "name": "Spinnaker Fiat", - "previousVersion": "1.36.0" + "currentVersion": "1.38.0", + "name": "Spinnaker Deck", + "previousVersion": "1.38.0" + }, + { + "commitMessages": [], + "currentVersion": "1.38.0", + "name": "Spinnaker Gate", + "previousVersion": "1.38.0" + }, + { + "commitMessages": [], + "currentVersion": "1.38.0", + "name": "Spinnaker Terraformer", + "previousVersion": "1.38.0" } ], - "ossVersion": "1.36.1", - "prerelease": false, + "ossVersion": "1.38.0", + "prerelease": true, "stack": { "artifactSources": { "dockerRegistry": "docker.io/armory" 
@@ -152,40 +162,40 @@ }, "services": { "clouddriver": { - "commit": "e52a253da499f54ea951d46472ee20ada1326d1a", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "deck": { - "commit": "1c97b782e123ee219673c245878aeb59e87b0a06", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "dinghy": { - "commit": "50041173d1a043493409059e7fa5d7a1a80fb553", - "version": "2.36.1" + "commit": "babaa4704f1df8a6f6b42e533716396c8a0f529b", + "version": "2.38.0-rc2" }, "echo": { - "commit": "4c2efbbb9e57b64a1a4fa85aef8eeccc8aaa80a7", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "fiat": { - "commit": "bd424d60f055e6694aeaf74af5b92862932b09c3", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "front50": { - "commit": "9e2606c2d386d00b18b76104564b6467ea2010d3", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "gate": { - "commit": "cc3f1b3059533feb0bc770eebde4f2c0714c7800", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "igor": { - "commit": "c5540e0bfe83bb87fa8896c7c7924113c17453b4", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "kayenta": { - "commit": "1dab7bb6f4156bdf7f15ef74722139e07ceb4581", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "monitoring-daemon": { "commit": null, 
@@ -196,19 +206,19 @@ "version": "2.26.0" }, "orca": { - "commit": "9fa8bf04e3b5882c0b03d0309684ef0cd00a64c0", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "rosco": { - "commit": "80f1885bcd93da023fdb858d563cc24ccadce276", - "version": "2.36.1" + "commit": "84dd609c94a99524dd30604d3cd10b24a08a9bfa", + "version": "2.38.0-rc2" }, "terraformer": { - "commit": "9756bee07eaabbb25b54812996314c22554ec1c0", - "version": "2.36.1" + "commit": "babaa4704f1df8a6f6b42e533716396c8a0f529b", + "version": "2.38.0-rc2" } }, - "timestamp": "2025-02-20 12:49:12", - "version": "2.36.1" + "timestamp": "2025-10-16 11:21:28", + "version": "2.38.0-rc2" } } \ No newline at end of file From 45f3f27117330d872ecaa4e61a0bcae37cb885ef Mon Sep 17 00:00:00 2001 From: christosarvanitis Date: Thu, 16 Oct 2025 17:41:41 +0300 Subject: [PATCH 2/3] chore(docs): WIP for the 2.38.0-rc release notes --- .../armoryspinnaker_v2-38-0-rc2.md | 349 +++++++++++++++++- .../spinnaker-prerelease-release-notes.tmpl | 2 +- templates/spinnaker-release-notes.tmpl | 8 +- 3 files changed, 350 insertions(+), 9 deletions(-) diff --git a/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md b/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md index 4432fe9be1..0232f2c931 100644 --- a/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md +++ b/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md 
@@ -42,6 +42,85 @@ Armory scans the codebase as we develop and release software. Contact your Armor > Breaking changes are kept in this list for 3 minor versions from when the change is introduced. For example, a breaking change introduced in 2.21.0 appears in the list up to and including the 2.24.x releases. It would not appear on 2.25.x release notes. +### Gate: Spring Security 5 Oauth2 Migration +Armory CD 2.38.0 removes deprecate Oauth2 annotations and uses Spring Security 5 DSL. In order to configure oauth2 in gate have changed to: + +## Google Oauth configuration +```yaml +spring: + security: + oauth2: + client: + registration: + google: + client-id: + client-secret: + authorization-grant-type: authorization_code + redirect-uri: "https:///login/oauth2/code/google" + scope: profile,email,openid + client-name: google + provider: + google: + authorization-uri: https://accounts.google.com/o/oauth2/auth + token-uri: https://oauth2.googleapis.com/token + user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo + user-name-attribute: sub +``` +## Github Oauth2 configuration +```yaml +spring: + security: + oauth2: + client: + registration: + userInfoMapping: + email: email + firstName: '' + lastName: name + username: login + github: + client-id: + client-secret: + authorization-grant-type: authorization_code + redirect-uri: "https:///login/oauth2/code/github" + scope: user,email + client-name: github + provider: + github: + authorization-uri: https://github.com/login/oauth/authorize + token-uri: https://github.com/login/oauth/access_token + user-info-uri: https://api.github.com/user + user-name-attribute: login +``` + +### Orca: Tasks configuration changes +The following configuration properties have been restructured: + +Previous Configuration: + +```yaml +tasks: + days-of-execution-history: + number-of-old-pipeline-executions-to-include: +``` + +New configuration format + +```yaml +tasks: + controller: + days-of-execution-history: + 
number-of-old-pipeline-executions-to-include: + optimize-execution-retrieval: + max-execution-retrieval-threads: + max-number-of-pipeline-executions-to-process: + execution-retrieval-timeout-seconds: +``` + +These changes improve query performance and execution retrieval efficiency, particularly for large-scale pipeline applications. + +[Orca: Performance Improvements for SQL Backend](#orca-performance-improvements-for-sql-backend) + ## Known issues 
@@ -53,15 +132,277 @@ Each item category (such as UI) under here should be an h3 (###). List the follo - Fixes to any known issues from previous versions that we have in release notes. These can all be grouped under a Fixed issues H3. --> +### Security enhancement: Url Filtering/Restriction capabilities on Artifact accounts +Starting in Armory Continuous Deployment 2.36.5, we have enabled to capability to filter/restrict urls that can be accessed per artifact accounts. +This feature provides a safeguard around user input of remote urls when artifact accounts are in used in the context of a pipeline execution. + +An example configuration for clouddriver-local.yml can be found below which can be added per artifact account (http, github, helm): +```yaml +artifacts: + http: + enabled: true + accounts: + - name: http_account + urlRestrictions: + allowedDomains: + - mydomain.com + - raw.github.com + - api.github.com + rejectLocalhost: true #default value + rejectLinkLocal: true #default value + rejectVerbatimIps: true #default value + rejectedIps: [] #default value +``` + +By default the configuration blocks any local CIDR ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, link local and raw IPs. +For full configuration details please refer to this [configuration class](https://github.com/spinnaker/spinnaker/blob/main/clouddriver/clouddriver-artifacts/src/main/java/com/netflix/spinnaker/clouddriver/artifacts/config/HttpUrlRestrictions.java) + +### Clouddriver: Account management API enhancement for ECS and GCP accounts + + +### Clouddriver AWS accounts assume-role enhancement +Introduce in OSS Spinnaker 1.37.0 a configurable retry and backoff logic for AWS credentials parsing has been added. +Additionally a configurable per account (or default) sessionDurationSeconds property has been added. 
+```yaml +aws: + loadAccounts: + maxRetries: 10 + backOffInMs: 5000 + exponentialBackoff: false + exponentialBackoffMultiplier: 2 + exponentialBackOffIntervalMs: 10000 + defaultSessionDurationSeconds: (no default value) +``` + +[PR6342](https://github.com/spinnaker/clouddriver/pull/6342) +[PR6344](https://github.com/spinnaker/clouddriver/pull/6344) + +### Orca: Webhook stage improvements and security features + + +```yaml +orca: + webhooks: + allowList: ["https://hooks.company.com"] + maxRequestSizeBytes: 1048576 + maxResponseSizeBytes: 1048576 + followRedirects: false + timeoutSeconds: 60 + audit: + enabled: true + +``` + +### Helm OCI Registry Chart Support +Docker registry provider now supports adding OCI-based registries hosting Helm repositories. This feature allows +users to download and bake Helm charts hosted in OCI-compliant registries (such as Docker Hub). + +Related PRs: +- https://github.com/spinnaker/spinnaker/pull/7069 +- https://github.com/spinnaker/spinnaker/pull/7089 +- https://github.com/spinnaker/spinnaker/pull/7113 + +To enable the Helm OCI support in a Docker Registry account set a list of OCI repositories in the `helmOciRepositories` +of the Docker Registry account configuration. The `helmOciRepositories` is a list of repository names in the format `/`. For example: +```yaml +dockerRegistry: + enabled: true + primaryAccount: dockerhub # Must be one of the configured docker accounts + accounts: + - name: dockerhub + requiredGroupMembership: [] + providerVersion: V1 + permissions: {} + address: https://index.docker.io # (Required). The registry address you want to pull and deploy images from; e.g. https://index.docker.io + username: # Your docker registry email (often this only needs to be well-formed, rather than be a real address) + password: + cacheIntervalSeconds: 30 # (Default: 30). How many seconds elapse between polling your docker registry. + clientTimeoutMillis: 60000 # (Default: 60000). Timeout time in milliseconds for this repository. 
+ cacheThreads: 1 # (Default: 1). How many threads to cache all provided repos on. Really only useful if you have a ton of repos. + paginateSize: 100 # (Default: 100). Paginate size for the docker repository _catalog endpoint. + sortTagsByDate: false # (Default: false). Sort tags by creation date. + trackDigests: false # (Default: false). Track digest changes. This is not recommended as it consumes a high QPM, and most registries are flaky. + insecureRegistry: false # (Default: false). Treat the docker registry as insecure (don’t validate the ssl cert). + repositories: + - "registry/repository" # (Default: []). An optional list of repositories to cache Docker images from. If not provided, Spinnaker will attempt to read accessible repositories from the registries _catalog endpoint + helmOciRepositories: + - "registry/HelmOciRepository" # (Default: []). An optional list of Helm OCI-Based repositories to cache helm charts from. +``` + +For every account with non-empty `helmOciRepositories` list, Clouddriver will cache the Helm charts from the specified OCI repositories. + +The cached Helm OCI charts are defined as a new Artifact type named `helm/image` and can be used to bake Helm OCI-based charts in Spinnaker pipelines. + +#### Defining retention policy for downloaded helm/image charts in Clouddriver +Optionally, users can define a retention policy for Helm OCI charts downloaded in a Clouddriver instance. This functionality +is disabled by default and it is useful for users that want to keep a local copy of a Helm OCI based chart without the need +to download it every time it is used in a pipeline. The retention policy is defined in the `clouddriver-local.yml` configuration file: +``` +artifacts: + helm-oci: + clone-retention-minutes: 60 + clone-retention-max-bytes: 104857600 # 100MB +``` + +* `clone-retention-minutes:` Default: 0. How much time to keep the downloaded helm/image chart. Values are: + * 0: no retention. + * -1: retain forever. 
+ * any whole number of minutes, such as `60`. +* `clone-retention-max-bytes:` Default: 104857600 (100 MB). Maximum amount of disk space to use for downloaded helm/image charts. When the + maximum amount of space is reached, Clouddriver deletes the clones after returning the artifact to the pipeline, just as if retention were disabled. + +#### Defining Triggers for helm/image artifacts in Spinnaker pipelines +To trigger a Spinnaker pipeline on a new version of a Helm OCI-based chart, users will need to enable the Igor poller for the `helm/image` artifact type. +This can be done by adding the following configuration to the `igor-local.yml` file: +``` +helm-oci-docker-registry: + enabled: true +``` + +Additionally, a new trigger type (named `helm/oci`) has been implemented to allow pipelines to be triggered by new versions of `helm/image` artifacts. +``` + "triggers": [ + { + "account": "", + "enabled": true, + "organization": "", + "registry": "index.docker.io", + "repository": "org/repositoryName", + "type": "helm/oci" + } + ], +``` + + +### Orca: Limit the execution retrieval of Disabled pipelines +A new configuration has been added to exclude execution retrieval for disabled pipelines in Front50. This can be enabled with: +```yaml +tasks: + controller: + excludeExecutionsOfDisabledPipelines: false|true # Defaults to false +``` +When enabled, Orca will call Front50 with the `enabledPipelines=true` query parameter, which returns only the +enabled pipelines for an application (Front50 [PR1520](https://github.com/spinnaker/front50/pull/1520)). This helps reduce +load for applications with numerous pipelines, especially when obsolete, disabled pipelines are retained for historical reasons. + +*Orca [PR4819](https://github.com/spinnaker/orca/pull/4819)* +### Front50: Scheduled agent for Disabling unused pipelines +An agent has been introduced to detect and disable unused or unexecuted pipelines within an application. 
+This agent checks pipelines that have not been executed for the past `thresholdDays` days and disables them in Front50. +This feature is only available for SQL execution repositories and is configurable as bellow: +```yaml +pollers: + unused-pipelines-disable: + enabled: false | true # default: false + intervalSec: 3600 # default: 3600 + thresholdDays: 365 # default: 365 + dryRun: false | true # default: true. When true an info is logged about the intention to disable a pipelineConfigId in the application evaluated +``` +*Front50 [PR1520](https://github.com/spinnaker/front50/pull/1520)* + +### Orca: New Pipeline stage configuration `backOffPeriodMs` +A new configuration option `backOffPeriodMs` has been added to the pipeline stage configuration. This option allows users +to specify a back-off period in milliseconds for stages that may need to retry operations after a failure. Before this, +pipeline authors had no control over the backoff period. It came from either spinnaker configuration properties or +implementations of RetryableTask.getDynamicBackoffPeriod. + +Additionally, the following configuration options have been added that allow admins to specify globablly the backoff period: +{{< highlight yaml "linenos=table,hl_lines=9-11" >}} +apiVersion: spinnaker.armory.io/v1alpha2 +kind: SpinnakerService +metadata: + name: spinnaker +spec: + spinnakerConfig: + profiles: + orca: + tasks.global.backOffPeriod: + tasks..backOffPeriod: + tasks...backOffPeriod: +{{< /highlight >}} + +*Orca [PR 4841](https://github.com/spinnaker/orca/pull/4841)* + + +### Orca: Performance Improvements for Pipeline Executions + +This release includes several optimizations to improve pipeline execution times, particularly for complex pipeline structures. + +Key Improvements + +1. Memorize the `anyUpstreamStagesFailed` extension function to improve time complexity from exponential to linear +2. 
Optimize `getAncestorsImpl` to reduce time complexity by a factor of N, where N is the number of stages in a pipeline +3. Optimize `StartStageHandler` to only call withAuth (which calls getAncestorsImpl) when + +These enhancements significantly reduce pipeline execution time, with the most notable gains observed in dense pipeline graphs. For example, in the `ComplexPipeline.kt` test scenario, execution time improved from not completing at all to approximately `160ms`. + +*Orca [PR 4824](https://github.com/spinnaker/orca/pull/4824)* + +### Orca: Performance Improvements for SQL Backend + +This release enhances the performance of SQL-backed pipeline queries by optimizing database operations, particularly for the API call: + +``` +/applications/{application}/pipelines?expand=false&limit=2 +``` + +which is frequently initiated by Deck and forwarded through Gate to Orca. + +Key Improvements + +- Improved Query Efficiency: Optimized the retrieval of pipeline execution data, significantly reducing database query times. +- Refactored `TaskController`: Externalized configuration properties to allow better flexibility and tuning. +- Enhanced `getPipelinesForApplication()` + - Limits the number of pipeline config IDs queried. + - Processes multiple pipeline config IDs simultaneously. + - Introduces multi-threading to handle batches efficiently. + +*Orca [PR 4804](https://github.com/spinnaker/orca/pull/4804)* + +### Orca: Read Connection Pool for SQL Execution Repository + +This release introduces support for a dedicated read connection pool for specific read-only database queries in `SqlExecutionRepository` + +Key Improvements + +1. New "read" Connection Pool: Allows read operations to be routed to a separate connection pool. +2. Configurable Read Pool: Users can define an additional read connection pool in the SQL configuration. +3. 
Ensures Data Consistency: Some read queries still rely on recently written data and are not yet converted to use a read replica due to potential replication lag. +Configuration Example +To enable the read connection pool, add the following configuration: +```yaml +sql: + connectionPools: + default: + <...> + read: + jdbcUrl: jdbc:... + user: orca_service + password: + connectionTimeoutMs: + validationTimeoutMs: + maxPoolSize: + minIdle: + maxLifetimeMs: + idleTimeoutMs: +``` + +*Orca [PR 4803](https://github.com/spinnaker/orca/pull/4803)* -### Spinnaker community contributions -There have also been numerous enhancements, fixes, and features across all of Spinnaker's other services. See the -[Spinnaker v1.38.0](https://www.spinnaker.io/changelogs/1.38.0-changelog/) changelog for details. +### Migration of Retrofit1 to Retrofit2 for all services + + +### Spinnaker community contributions -## Detailed updates +There have also been numerous enhancements, fixes, and features across all of Spinnaker's other services. See the following changelogs for details: +- [Spinnaker v1.37.0](https://spinnaker.io/changelogs/1.37.0-changelog/) +- [Spinnaker v1.38.0](https://spinnaker.io/changelogs/1.38.0-changelog/) +- [Spinnaker v1.38.0/2025.0.0](https://spinnaker.io/changelogs/1.38.0-changelog/) +- [Spinnaker 2025.1.0](https://spinnaker.io/changelogs/2025.1.0-changelog/) +- [Spinnaker 2025.2.0](https://spinnaker.io/changelogs/2025.2.0-changelog/) ### Bill Of Materials (BOM) diff --git a/templates/spinnaker-prerelease-release-notes.tmpl b/templates/spinnaker-prerelease-release-notes.tmpl index eb6291672d..fe9a2ba35c 100644 --- a/templates/spinnaker-prerelease-release-notes.tmpl +++ b/templates/spinnaker-prerelease-release-notes.tmpl 
@@ -31,7 +31,7 @@ You acknowledge that Armory has provided the Services in reliance upon the limit ## Required Armory Operator version -To install, upgrade, or configure Armory CD {{ (ds "payload").armoryVersion }}, use Armory Operator 1.70 or later. +To install, upgrade, or configure Armory CD {{ (ds "payload").armoryVersion }}, use Armory Operator 1.8.6 or later. ## Security diff --git a/templates/spinnaker-release-notes.tmpl b/templates/spinnaker-release-notes.tmpl index 8c17a79245..53c1e718aa 100644 --- a/templates/spinnaker-release-notes.tmpl +++ b/templates/spinnaker-release-notes.tmpl @@ -7,9 +7,9 @@ description: > Release notes for Armory Continuous Deployment v{{ (ds "payload").armoryVersion }}. --- - ## {{ (time.Now).Format "2006/01/02" }} release notes @@ -18,7 +18,7 @@ FOR EXAMPLE, "Armory Continuous Deployment Release LTS" or "Armory Continuous De ## Required Armory Operator version -To install, upgrade, or configure Armory CD {{ (ds "payload").armoryVersion }}, use Armory Operator 1.70 or later. +To install, upgrade, or configure Armory CD {{ (ds "payload").armoryVersion }}, use Armory Operator 1.8.6 or later. ## Security From 0c626fe3ad13ddb5d51719afb280844468a3afc6 Mon Sep 17 00:00:00 2001 From: christosarvanitis Date: Mon, 20 Oct 2025 17:02:11 +0300 Subject: [PATCH 3/3] Adding notes for armory operator --- content/en/continuous-deployment/_index.md | 3 + .../installation/armory-operator/_index.md | 5 + .../armoryspinnaker_v2-38-0-rc2.md | 98 ++++--- .../armory-operator-to-kustomize-migration.md | 262 ++++++++++++++++++ 4 files changed, 328 insertions(+), 40 deletions(-) create mode 100644 content/en/continuous-deployment/spinnaker-user-guides/armory-operator-to-kustomize-migration.md diff --git a/content/en/continuous-deployment/_index.md b/content/en/continuous-deployment/_index.md index c9b236b838..df5d11e018 100755 --- a/content/en/continuous-deployment/_index.md +++ b/content/en/continuous-deployment/_index.md 
@@ -19,6 +19,9 @@ description: > ## Additional Armory products ### Kubernetes Operators for installation +{{% alert color="warning" title="Important" %}} +[Armory Operator]({{< ref "armory-operator" >}}) has been deprecated and will is considered EOL. Please migrate to the [Kustomize]({{< ref "armory-operator-to-kustomize-migration" >}}) method of deployment. +{{% /alert %}} The [Armory Operator]({{< ref "armory-operator" >}}) is a Kubernetes Operator that helps you configure, deploy, and update Armory Continuous Deployment on Kubernetes clusters. diff --git a/content/en/continuous-deployment/installation/armory-operator/_index.md b/content/en/continuous-deployment/installation/armory-operator/_index.md index 05caf494ec..b867d4615c 100644 --- a/content/en/continuous-deployment/installation/armory-operator/_index.md +++ b/content/en/continuous-deployment/installation/armory-operator/_index.md @@ -11,6 +11,11 @@ aliases: {{< include "armory-license.md" >}} +{{% alert color="warning" title="Important" %}} +[Armory Operator]({{< ref "armory-operator" >}}) has been deprecated and will is considered EOL. Please migrate to the [Kustomize]({{< ref "armory-operator-to-kustomize-migration" >}}) method of deployment. +{{% /alert %}} + + ## What are Kubernetes Operators for Spinnaker? From the Kubernetes [Operator pattern docs](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/): "Operators are software extensions to Kubernetes that make use of custom resources to manage applications and their components." In other words, an Operator is a Kubernetes controller that manages a specific application using a custom resource. Both the proprietary Armory Operator and the open source [Spinnaker Operator for Kubernetes](https://github.com/armory/spinnaker-operator) are custom Kubernetes Operators that you can install in your cluster. 
diff --git a/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md b/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md index 0232f2c931..be0f638dd7 100644 --- a/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md +++ b/content/en/continuous-deployment/release-notes/rn-prerelease-armory-spinnaker/armoryspinnaker_v2-38-0-rc2.md @@ -30,8 +30,11 @@ You acknowledge that Armory has provided the Services in reliance upon the limit ## Required Armory Operator version +{{% alert color="warning" title="Important" %}} +[Armory Operator]({{< ref "armory-operator" >}}) has been deprecated and will is considered EOL. Please migrate to the [Kustomize]({{< ref "armory-operator-to-kustomize-migration" >}}) method of deployment. +{{% /alert %}} -To install, upgrade, or configure Armory CD 2.38.0-rc2, use Armory Operator 1.70 or later. +To install, upgrade, or configure Armory CD 2.38.0-rc2, use Armory Operator 1.8.6 or later. ## Security @@ -43,7 +46,7 @@ Armory scans the codebase as we develop and release software. Contact your Armor > Breaking changes are kept in this list for 3 minor versions from when the change is introduced. For example, a breaking change introduced in 2.21.0 appears in the list up to and including the 2.24.x releases. It would not appear on 2.25.x release notes. ### Gate: Spring Security 5 Oauth2 Migration -Armory CD 2.38.0 removes deprecate Oauth2 annotations and uses Spring Security 5 DSL. In order to configure oauth2 in gate have changed to: +Armory CD 2.38.0 removes deprecate Oauth2 annotations and uses Spring Security 5 DSL. In order to configure oauth2 in `gate-local.yml` have changed to: ## Google Oauth configuration ```yaml 
@@ -94,7 +97,7 @@ spring: ``` ### Orca: Tasks configuration changes -The following configuration properties have been restructured: +The following configuration properties have been restructured in `orca-local.yml`: Previous Configuration: @@ -136,7 +139,7 @@ Each item category (such as UI) under here should be an h3 (###). List the follo Starting in Armory Continuous Deployment 2.36.5, we have enabled to capability to filter/restrict urls that can be accessed per artifact accounts. This feature provides a safeguard around user input of remote urls when artifact accounts are in used in the context of a pipeline execution. -An example configuration for clouddriver-local.yml can be found below which can be added per artifact account (http, github, helm): +An example configuration for `clouddriver-local.yml` can be found below which can be added per artifact account (http, github, helm): ```yaml artifacts: http: 
@@ -157,12 +160,42 @@ artifacts: By default the configuration blocks any local CIDR ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, link local and raw IPs. For full configuration details please refer to this [configuration class](https://github.com/spinnaker/spinnaker/blob/main/clouddriver/clouddriver-artifacts/src/main/java/com/netflix/spinnaker/clouddriver/artifacts/config/HttpUrlRestrictions.java) -### Clouddriver: Account management API enhancement for ECS and GCP accounts +### Clouddriver: Account management API enhancement for AWS, ECS and GCP accounts +OSS Spinnaker 1.28 introduced the [account management API feature](https://spinnaker.io/docs/setup/other_config/accounts/) for loading, storing, updating, and otherwise managing Clouddriver account configurations from a database. +In Armory CD 2.38.x the Account management API has been enhanced to support AWS, ECS and GCP accounts. To enable this functionality please use the following configuration in your `clouddriver-local.yml`: + +```yaml +account: + storage: + enabled: true + aws: + enabled: true + ecs: + enabled: true + google: + enabled: true +credentials: #Enable the credentials poller per provider congifuration enabled in the Account Managment API + poller: + enabled: true + types: + kubernetes: + reloadFrequencyMs: 60000 + aws: + reloadFrequencyMs: 60000 + ecs: + reloadFrequencyMs: 60000 + google: + reloadFrequencyMs: 60000 +``` + +[Clouddriver PR7238](https://github.com/spinnaker/spinnaker/pull/7238) +[Clouddriver PR7247](https://github.com/spinnaker/spinnaker/pull/7247) +[Clouddriver PR7270](https://github.com/spinnaker/spinnaker/pull/7270) ### Clouddriver AWS accounts assume-role enhancement Introduce in OSS Spinnaker 1.37.0 a configurable retry and backoff logic for AWS credentials parsing has been added. -Additionally a configurable per account (or default) sessionDurationSeconds property has been added. 
+Additionally a configurable per account (or default) sessionDurationSeconds property has been added in `clouddriver-local.yml`. ```yaml aws: loadAccounts: @@ -177,22 +210,6 @@ aws: [PR6342](https://github.com/spinnaker/clouddriver/pull/6342) [PR6344](https://github.com/spinnaker/clouddriver/pull/6344) -### Orca: Webhook stage improvements and security features - - -```yaml -orca: - webhooks: - allowList: ["https://hooks.company.com"] - maxRequestSizeBytes: 1048576 - maxResponseSizeBytes: 1048576 - followRedirects: false - timeoutSeconds: 60 - audit: - enabled: true - -``` - ### Helm OCI Registry Chart Support Docker registry provider now supports adding OCI-based registries hosting Helm repositories. This feature allows users to download and bake Helm charts hosted in OCI-compliant registries (such as Docker Hub). @@ -203,7 +220,7 @@ Related PRs: - https://github.com/spinnaker/spinnaker/pull/7113 To enable the Helm OCI support in a Docker Registry account set a list of OCI repositories in the `helmOciRepositories` -of the Docker Registry account configuration. The `helmOciRepositories` is a list of repository names in the format `/`. For example: +of the Docker Registry account configuration. The `helmOciRepositories` is a list of repository names in the format `/`. For example in your `clouddriver-local.yml`: ```yaml dockerRegistry: enabled: true @@ -275,7 +292,7 @@ Additionally, a new trigger type (named `helm/oci`) has been implemented to allo ### Orca: Limit the execution retrieval of Disabled pipelines -A new configuration has been added to exclude execution retrieval for disabled pipelines in Front50. This can be enabled with: +A new configuration has been added to exclude execution retrieval for disabled pipelines in Front50. This can be enabled in your `orca-local.yml` with: ```yaml tasks: controller: 
@@ -289,7 +306,7 @@ load for applications with numerous pipelines, especially when obsolete, disable ### Front50: Scheduled agent for Disabling unused pipelines An agent has been introduced to detect and disable unused or unexecuted pipelines within an application. This agent checks pipelines that have not been executed for the past `thresholdDays` days and disables them in Front50. -This feature is only available for SQL execution repositories and is configurable as bellow: +This feature is only available for SQL execution repositories and is configurable in your `front50-local.yml` as bellow: ```yaml pollers: unused-pipelines-disable: @@ -306,20 +323,12 @@ to specify a back-off period in milliseconds for stages that may need to retry o pipeline authors had no control over the backoff period. It came from either spinnaker configuration properties or implementations of RetryableTask.getDynamicBackoffPeriod. -Additionally, the following configuration options have been added that allow admins to specify globablly the backoff period: -{{< highlight yaml "linenos=table,hl_lines=9-11" >}} -apiVersion: spinnaker.armory.io/v1alpha2 -kind: SpinnakerService -metadata: - name: spinnaker -spec: - spinnakerConfig: - profiles: - orca: - tasks.global.backOffPeriod: - tasks..backOffPeriod: - tasks...backOffPeriod: -{{< /highlight >}} +Additionally, the following configuration options have been added that allow admins to specify globablly the backoff period in your `orca-local.yml`: +``` +tasks.global.backOffPeriod: +tasks..backOffPeriod: +tasks...backOffPeriod: +``` *Orca [PR 4841](https://github.com/spinnaker/orca/pull/4841)* @@ -371,7 +380,7 @@ Key Improvements Configuration Example -To enable the read connection pool, add the following configuration: +To enable the read connection pool, add the following configuration in your `orca-local.yml`: ```yaml sql: connectionPools: 
@@ -393,6 +402,15 @@ sql: ### Migration of Retrofit1 to Retrofit2 for all services +Retrofit1 clients from the following spinnaker services have been upgraded to retrofit2. With this release, retrofit2 upgrade of all spinnaker services is completed. +Any internal plugins that rely on retrofit1 clients will need to be upgraded to retrofit2. + +A new CallAdapter named LegacySignatureCallAdapter has been introduced in Kork to provide support for legacy Retrofit +method signatures. This adapter enables the use of Retrofit interfaces that do not return Call<..>, similar to how +Retrofit 1 worked. Both Kayenta and Halyard leveraged this feature during their Retrofit 2 upgrades, allowing them to +maintain their existing method signatures without wrapping them in Call<..> or using Retrofit2SyncCall.execute() + +- https://github.com/spinnaker/spinnaker/pull/7088 ### Spinnaker community contributions diff --git a/content/en/continuous-deployment/spinnaker-user-guides/armory-operator-to-kustomize-migration.md b/content/en/continuous-deployment/spinnaker-user-guides/armory-operator-to-kustomize-migration.md new file mode 100644 index 0000000000..adbef5ab72 --- /dev/null +++ b/content/en/continuous-deployment/spinnaker-user-guides/armory-operator-to-kustomize-migration.md 
@@ -0,0 +1,262 @@ +--- +title: Migrating Armory CD from Operator to Kustomize Deployment +linkTitle: Migrating from Operator to Kustomize Deployment +aliases: [] +description: > + Learn how to migrate Armory CD from Operator to Kustomize Deployment. +--- + +## Migrating Armory CD from Operator to Kustomize Deployment + +### Introduction + +This document provides step-by-step instructions for migrating your Spinnaker installation from using the Operator deployment method to a native Kubernetes deployment using Kustomize. This approach gives you more direct control over your Spinnaker resources and removes the dependency on the Operator. + +{{% alert color="warning" title="Important" %}} +Please thoroughly test this migration in a non-production environment before deploying to production. +{{% /alert %}} + + +#### Prerequisites + +- Kubectl command-line tool installed and configured to access your cluster +- Basic understanding of Kubernetes resources (deployments, services, configmaps) +- Access to the current Spinnaker namespace + +#### Migration Process Overview + +1. Download current configuration files and Kubernetes resources +2. Set up Kustomize structure for native deployment +3. Remove Operator ownership from services +4. Scale down the Operator +5. Deploy using Kustomize +6. Validate the deployment +7. Remove Operator and CRDs (after confirming stability) + +##### Step 1: Download Current Configuration + +The script provided below will download: +- All configuration files located in /opt/spinnaker/config from each service +- All deployment, service, and statefulset YAML files for each service + + +###### How to Use the Download Script + +1. Save the script at the bottom of this document to a file named `download_spinnaker_configs.sh` +2. Make the script executable: +`chmod +x download_spinnaker_configs.sh` +3. Run the script with your Spinnaker namespace: +`./download_spinnaker_configs.sh your-spinnaker-namespace` +4. 
The script will create an operator-migration directory containing all needed files + +###### What Gets Downloaded + +- **Deployments:** YAML files for each service deployment +- **Services:** YAML files for all Spinnaker services +- **StatefulSets:** YAML files for any statefulsets (like front50) +- **Configuration Files:** All files from /opt/spinnaker/config in each pod + +##### Step 2: Set Up Kustomize Structure + +Create a Kustomize directory structure for your Spinnaker deployment: +1. Move the downloaded deployments and services to their respective directories +2. Create configmaps from the downloaded configuration files +3. Set up the kustomization.yaml files + +{{% alert color="warning" title="Tip" %}} +You can use the GitHub - spinnaker/spinnaker-kustomize: Spinnaker installation via kustomize as a reference for Kustomize structure +{{% /alert %}} + +##### Step 3: Remove Operator Ownership from Services + +This step detaches the Operator's control while keeping services running. +1. Identify resources owned by the Operator: +`kubectl get all -n your-spinnaker-namespace -o json | jq '.items[] | select(.metadata.ownerReferences[]? | .apiVersion=="spinnaker.armory.io/v1alpha2" and .kind=="SpinnakerService") | {name: .metadata.name, kind: .kind}'` +2. Remove ownership references using patch commands: +`kubectl patch deployment spin-deck -n your-spinnaker-namespace --type json -p='[{"op": "remove", "path": "/metadata/ownerReferences"}]'` +3. Repeat for all resources with Operator ownership +{{% alert color="warning" title="Note" %}} +This breaks the connection between the Operator and services but keeps everything running +{{% /alert %}} + +##### Step 4: Verify Ownership Removal + +Confirm that no resources are still owned by the Operator: +`kubectl get all -n your-spinnaker-namespace -o json | jq '.items[] | select(.metadata.ownerReferences[]? 
| .apiVersion=="spinnaker.armory.io/v1alpha2" and .kind=="SpinnakerService") | {name: .metadata.name, kind: .kind}'` +The command should return empty if all ownership references have been removed. + +##### Step 5: Extra Precautions Before Deployment +Compare current resources with your Kustomize configurations: +`kubectl diff -f <(kustomize build ./overlays/prod)` + +Review the differences carefully. Look for: +- Immutable field changes (might require special handling) +- Configuration changes that could affect service behavior +- Missing resources that should be included + +###### Perform a Dry Run + +Test your deployment without actually applying changes: +`kubectl apply --dry-run=client -f <(kustomize build ./overlays/prod)` + +##### Step 6: Scale Down the Operator +Prevent the Operator from interfering with your deployment: +`kubectl scale deployment spinnaker-operator -n your-spinnaker-namespace --replicas=0` + +##### Step 7: Deploy Using Kustomize + +Apply your Kustomize configurations: + +`kubectl apply -f <(kustomize build ./overlays/prod)` + +##### Step 8: Validate and Monitor +1. Check that all pods are running: +`kubectl get pods -n your-spinnaker-namespace` +2. Verify Spinnaker services are accessible: + - Access the Spinnaker UI + - Test a simple pipeline + - Check integrations are working +3. Monitor the environment for stability over the next few days + +##### Step 9: Remove Operator and CRDs + +Once stability is confirmed (at least 24 hours later): +1. Remove the Operator CRDs: +`kubectl delete crd spinnakerservices.spinnaker.armory.io` +2. Remove the Operator deployment if still present: +`kubectl delete deployment spinnaker-operator -n your-spinnaker-namespace` + + +##### Rollback Plan +If issues arise during migration: +1. Scale up the Operator: +`kubectl scale deployment spinnaker-operator -n your-spinnaker-namespace --replicas=1` +2. Reapply the previous SpinnakerService resource: +`kubectl apply -f original-spinnakerservice.yaml` +3. 
Allow the Operator to reconcile and restore the previous state + +#### Download Script +```bash +#!/bin/bash + +# Script to download ONLY files from /opt/spinnaker/config in Spinnaker pods + +set -e + +if [ -z "$1" ]; then + echo "Please provide a namespace" + echo "Usage: $0 " + exit 1 +fi + +NAMESPACE=$1 +OUTPUT_DIR="operator-migration" + +echo "Creating output directory: $OUTPUT_DIR" +rm -rf "$OUTPUT_DIR" +mkdir -p "$OUTPUT_DIR" + +# 1. First download deployments and services +echo "Downloading Kubernetes deployments and services..." + +# Download Deployments +echo "Downloading deployments..." +mkdir -p "$OUTPUT_DIR/deployments" +kubectl get deployments -n "$NAMESPACE" -o name | while read -r deployment; do + deployment_name=$(echo "$deployment" | cut -d/ -f2) + echo "Downloading deployment: $deployment_name" + kubectl get deployment "$deployment_name" -n "$NAMESPACE" -o yaml > "$OUTPUT_DIR/deployments/$deployment_name.yaml" +done + +# Download Services +echo "Downloading services..." +mkdir -p "$OUTPUT_DIR/services" +kubectl get services -n "$NAMESPACE" -o name | while read -r service; do + service_name=$(echo "$service" | cut -d/ -f2) + echo "Downloading service: $service_name" + kubectl get service "$service_name" -n "$NAMESPACE" -o yaml > "$OUTPUT_DIR/services/$service_name.yaml" +done + +# Download StatefulSets if any +echo "Checking for statefulsets..." +if kubectl get statefulsets -n "$NAMESPACE" 2>/dev/null | grep -q .; then + mkdir -p "$OUTPUT_DIR/statefulsets" + kubectl get statefulsets -n "$NAMESPACE" -o name | while read -r statefulset; do + statefulset_name=$(echo "$statefulset" | cut -d/ -f2) + echo "Downloading statefulset: $statefulset_name" + kubectl get statefulset "$statefulset_name" -n "$NAMESPACE" -o yaml > "$OUTPUT_DIR/statefulsets/$statefulset_name.yaml" + done +fi + +# 2. Now download files from /opt/spinnaker/config +echo "Downloading files ONLY from /opt/spinnaker/config..." 
+ +# Get all pods +PODS=$(kubectl get pods -n "$NAMESPACE" -o name | cut -d/ -f2) +for POD in $PODS; do + SERVICE=$(echo "$POD" | sed -E 's/([a-z-]+)-[0-9a-z-]+.*/\1/') + + echo "Processing pod: $POD (service: $SERVICE)" + mkdir -p "$OUTPUT_DIR/$SERVICE" + + # Check ONLY for /opt/spinnaker/config + if kubectl exec -n "$NAMESPACE" "$POD" -- ls -la /opt/spinnaker/config &>/dev/null; then + echo "Found /opt/spinnaker/config directory in $POD" + + # List all files first + CONFIG_FILES=$(kubectl exec -n "$NAMESPACE" "$POD" -- find /opt/spinnaker/config -type f 2>/dev/null) + if [ -z "$CONFIG_FILES" ]; then + echo "No files found in /opt/spinnaker/config for $POD" + continue + fi + + echo "Found $(echo "$CONFIG_FILES" | wc -l | tr -d ' ') files in /opt/spinnaker/config for $POD" + + # Download each file + for FILE in $CONFIG_FILES; do + FILENAME=$(basename "$FILE") + echo "Downloading $FILENAME from $POD" + + FILE_CONTENT=$(kubectl exec -n "$NAMESPACE" "$POD" -- cat "$FILE" 2>/dev/null) + if [ $? -eq 0 ] && [ -n "$FILE_CONTENT" ]; then + echo "$FILE_CONTENT" > "$OUTPUT_DIR/$SERVICE/$FILENAME" + echo "Saved $FILENAME to $OUTPUT_DIR/$SERVICE/$FILENAME" + else + echo "Failed to download $FILENAME or file is empty" + fi + done + + # Check if we downloaded any files + if [ -z "$(ls -A "$OUTPUT_DIR/$SERVICE" 2>/dev/null)" ]; then + echo "No files were successfully downloaded from $POD" + else + echo "Successfully downloaded $(ls -1 "$OUTPUT_DIR/$SERVICE" | wc -l | tr -d ' ') files from $POD" + fi + else + echo "No /opt/spinnaker/config directory found in $POD" + fi +done + +echo "======================================" +echo "Download completed. 
Files saved to: $OUTPUT_DIR" +echo "Summary of downloaded files by service:" + +# Generate summary +for DIR in $(find "$OUTPUT_DIR" -mindepth 1 -maxdepth 1 -type d | sort); do + SERVICE=$(basename "$DIR") + FILE_COUNT=$(find "$DIR" -type f | wc -l) + + echo "- $SERVICE: $FILE_COUNT files" + if [ "$FILE_COUNT" -gt 0 ]; then + ls -1 "$DIR" | sort | while read -r file; do + echo " - $file" + done + fi +done + +echo "Script execution complete!" + +``` +### Conclusion +By following these steps, you'll successfully migrate from the Spinnaker Operator to a native Kubernetes deployment using Kustomize. This approach gives you more direct control over your Spinnaker resources and eliminates dependency on the Operator. +If you encounter any issues during the migration process, please submit a support ticket for assistance.
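Review bot: In the Orca ancestor-lookup list of armoryspinnaker_v2-38-0-rc2.md, item 3 stops mid-sentence: "Optimize `StartStageHandler` to only call withAuth (which calls getAncestorsImpl) when" has no condition after "when". Complete the item from Orca PR 4824 before this ships. In the same file, the opening sentence of "Orca: Read Connection Pool for SQL Execution Repository" is missing its closing period.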
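Review bot: In the "Spinnaker community contributions" list added to armoryspinnaker_v2-38-0-rc2.md, the entries "Spinnaker v1.38.0" and "Spinnaker v1.38.0/2025.0.0" both link to https://spinnaker.io/changelogs/1.38.0-changelog/, so one of them is redundant or has the wrong target. The same hunk removes the `## Detailed updates` heading while keeping `### Bill Of Materials (BOM)`, which leaves the BOM as a sibling of the community-contributions section rather than under its own parent. It also adds `### Migration of Retrofit1 to Retrofit2 for all services` with an empty body at this point in the series.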
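Review bot: In both templates (spinnaker-prerelease-release-notes.tmpl and spinnaker-release-notes.tmpl), the "Required Armory Operator version" line moves from "1.70 or later" to "1.8.6 or later". Compared as version numbers, 1.8.6 is lower than 1.70, so this reads as relaxing the requirement. Please confirm that 1.8.6 is the intended minimum and that 1.70 was an error. Since these templates generate every future release note, it is also worth deciding here whether the line should stay at all once the Operator is announced as EOL later in the series.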
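Review bot: The alert added to content/en/continuous-deployment/_index.md and installation/armory-operator/_index.md reads "has been deprecated and will is considered EOL", which is ungrammatical. Suggest "has been deprecated and is considered EOL". In armory-operator/_index.md the alert's first link is `{{< ref "armory-operator" >}}`, which points at the page the reader is already on; plain text would do there. The paragraph right after the alert in continuous-deployment/_index.md still introduces the Operator as the way to configure, deploy, and update Armory CD, so the two statements should be reconciled.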
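Review bot: In the "Required Armory Operator version" hunk of armoryspinnaker_v2-38-0-rc2.md, the new alert tells readers the Operator is EOL and to migrate to Kustomize, and the very next changed line tells them to "use Armory Operator 1.8.6 or later" to install, upgrade, or configure 2.38.0-rc2. Say which path is supported for this release, for example that Operator 1.8.6 is the last version that can deploy it and that new installs should use Kustomize. The alert carries the same "will is considered" wording as the other two copies.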
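Review bot: In the "Gate: Spring Security 5 Oauth2 Migration" hunk, the edited sentence "In order to configure oauth2 in `gate-local.yml` have changed to:" has no subject, and the sentence before it still says "removes deprecate Oauth2 annotations". Since the line is being touched anyway, suggest "removes the deprecated OAuth2 annotations" and "The properties used to configure OAuth2 in `gate-local.yml` have changed to:". This sits under breaking changes, so the wording should leave no doubt about what operators have to edit.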
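Review bot: In the new "Clouddriver: Account management API enhancement for AWS, ECS and GCP accounts" section, the YAML enables `account.storage` for aws, ecs and google, but `credentials.poller.types` also lists `kubernetes`, which neither the heading nor the storage block mentions. Either explain why the kubernetes poller is part of this configuration or drop it from the example. The inline comment has two typos ("congifuration", "Managment"), and the three PR links are on consecutive lines with no list markers, so Markdown will render them as one run-on paragraph.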
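Review bot: The hunk at @@ -177,22 +210,6 deletes the whole "Orca: Webhook stage improvements and security features" section, including `allowList`, `followRedirects: false` and the `audit` block, but the commit subject is only "Adding notes for armory operator". If these properties are not supported in 2.38.0-rc2, say so in the commit message so the removal is traceable. If they are supported, the section should stay and gain the description it was missing, because readers who already set these values will otherwise find no reference to them.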
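Review bot: In the backoff hunk (@@ -306,20 +323,12), the replacement block opens with a bare fence while every other configuration example in this file uses a `yaml` fence, and the keys as shown, `tasks..backOffPeriod:` and `tasks...backOffPeriod:`, have empty segments where the placeholder names should be. Please restore the placeholders in a form the site renderer will not strip and state the expected unit next to the values. The line being edited also still reads "globablly".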
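Review bot: In the Retrofit hunk (@@ -393,6 +402,15), the first added sentence refers to "the following spinnaker services" but no list of services follows, only a single PR link. Either list the services or reword to "all remaining Spinnaker services". The note that internal plugins relying on retrofit1 clients must be upgraded is an action item for operators and deserves a pointer from the breaking-changes list. `Call<..>` appears outside backticks and may be swallowed by the Markdown renderer as an HTML tag, and the last sentence of the paragraph has no closing period.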
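Review bot: In armory-operator-to-kustomize-migration.md, the ownership checks in Steps 3 and 4 use `kubectl get all`, which does not list ConfigMaps, Secrets, ServiceAccounts or Ingresses, yet Step 9 deletes the CRD `spinnakerservices.spinnaker.armory.io`. Deleting the CRD removes the SpinnakerService object, and Kubernetes garbage collection then deletes every dependent that still carries that ownerReference, so any owned resource of a kind the check never looked at would disappear at that point. Step 4 should query those kinds explicitly before Step 9 is allowed to run. The rollback plan applies `original-spinnakerservice.yaml`, but no step exports the SpinnakerService resource; add that export to Step 1, before anything is patched. The download script copies every file under /opt/spinnaker/config, which per this release's own examples can hold values such as the SQL `password`, into ./operator-migration with default permissions, and Step 2 then turns those files into configmaps; set `umask 077` in the script, tell readers not to commit the directory, and direct credential-bearing files to Secrets. Finally, with `set -e` active, a failing `FILE_CONTENT=$(kubectl exec ...)` aborts the script, so the `$? -eq 0` else branch is unreachable, and `basename` flattens subdirectories so same-named files overwrite each other; redirect `kubectl exec ... -- cat "$FILE"` straight to a path that preserves the relative directory, inside an `if`.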