2.5 Changelogs
v2.5.1
Released: 2025-07-09
All services
Security Fixes
CRITICAL: Removed ingress layer vulnerability that could allow unauthorized access to administrative functions, metrics endpoints, and cluster secrets. This addresses CVE-2021-25742. All users should upgrade immediately.
Updates
Each ESS service makes endpoints available for metrics and health. These endpoints are now available on port 9000 within the cluster. A metrics collector that consumes the prometheus.io metadata annotations will discover the new endpoints automatically. Metrics collectors that are manually configured will need to be adjusted to use the new port. Port 9000 is not accessible from outside the cluster.
v2.5.0
Released: 2025-05-13
Services
All Services
Updates
Kafka Encryption configuration has been updated for more clarity, to say Encrypted instead of just Encrypt:
Old Configuration (Deprecated):
Serializer: com.inrupt.components.kafka.encryption.EncryptMessageSerializer
Deserializer: com.inrupt.components.kafka.encryption.DecryptMessageDeserializer
New Configuration (Required):
Serializer: com.inrupt.components.kafka.encryption.EncryptedMessageSerializer
Deserializer: com.inrupt.components.kafka.encryption.EncryptedMessageDeserializer
If these have been set in a custom Kubernetes kustomization then please update your configuration to use these new class names.
The new class names improve clarity by reflecting the encrypted message format rather than the action.
The ESS base JVM images are now based on UBI 9, aligning with Red Hat’s supported and hardened base images.
Access Grant Service
Additions
The Access Grant Service emits Access Request/Access Grant change events. These events will be sent to the Notifications Service which will forward them to subscribers.
The paginated response from the query endpoint now contains a summary that includes a total of all Access Credentials matched.
Authorization Service
Bugs fixed
Prevent potential recursive call from happening when finding ACRs.
Provisioning and creating ACRs in the Authorization Service is now idempotent.
Updated logging during provisioning and creating ACRs to remove ERROR logs that are no longer considered error scenarios.
Service now returns a 400 response when a client submits a PUT request with empty content.
Additions
Static authorization allow-list can now be set on the Authorization Service. This is currently only used by the Purger Service to protect its endpoints.
Updates
The default setting for INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST is now https://inrupt.com. This is not a valid client but is used as a placeholder to ensure that the default is not blank (which would leave ESS open to any client being able to update ACRs).
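Two of the 2.5.0 changes need operator action: the renamed Kafka encryption classes, and an allow-list override that is blank. The following pre-upgrade check for custom kustomization or env files is an added example, not Inrupt tooling; it reports both conditions by line number and returns the text with the class names migrated. The sample manifest is constructed and its EXAMPLE_* keys are hypothetical.

```python
import re

# Deprecated -> required class names, as listed in the 2.5.0 changelog.
PKG = "com.inrupt.components.kafka.encryption."
RENAMED = {
    PKG + "EncryptMessageSerializer": PKG + "EncryptedMessageSerializer",
    PKG + "DecryptMessageDeserializer": PKG + "EncryptedMessageDeserializer",
}
ALLOW_LIST = "INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST"

def _blank(raw):
    return raw.strip().strip("'\"").strip() == ""

def audit(text):
    """Return (findings, migrated_text); findings are (line_no, kind) tuples."""
    findings, out, pending = [], [], False
    for no, line in enumerate(text.splitlines(), 1):
        for old, new in RENAMED.items():
            if old in line:
                findings.append((no, "deprecated-kafka-class"))
                line = line.replace(old, new)
        # KEY=value form (configMapGenerator literals, .env files)
        literal = re.search(ALLOW_LIST + r"\s*=(.*)$", line)
        # name:/value: pair form (container env entries)
        name = re.match(r"\s*-?\s*name:\s*(\S+)", line)
        value = re.match(r"\s*value:(.*)$", line)
        if literal and _blank(literal.group(1)):
            findings.append((no, "blank-client-allow-list"))
        if name:
            pending = name.group(1).strip("'\"") == ALLOW_LIST
        elif value and pending:
            if _blank(value.group(1)):
                findings.append((no, "blank-client-allow-list"))
            pending = False
        out.append(line)
    return findings, "\n".join(out)

# Constructed sample, not a real ESS manifest; the EXAMPLE_* keys are hypothetical.
SAMPLE = """\
configMapGenerator:
  - name: example-config
    literals:
      - EXAMPLE_SERIALIZER=com.inrupt.components.kafka.encryption.EncryptMessageSerializer
      - EXAMPLE_DESERIALIZER=com.inrupt.components.kafka.encryption.DecryptMessageDeserializer
env:
  - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
    value: ""
"""

if __name__ == "__main__":
    for no, kind in audit(SAMPLE)[0]:
        print(f"line {no}: {kind}")
```

The check is line-based and does not parse YAML, so values followed by trailing comments or spread across multiple lines need manual review.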
Notification Service
Additions
The Notification Service adds an HTTPS API where agents can subscribe to events from the Access Grant Service. These subscriptions will direct notifications to client-defined webhook URLs where they can be received.
Pod Storage Service
Updates
The Pod Storage Service HTTP conditional requests management is now compliant with RFC 7232 HTTP Conditional Requests. In particular, ETag headers are now prioritized over If-Modified-Since.
Additions
New metric for tracking the number of active Storages called:
application_com_inrupt_storage_metrics_MetricsCollector_sum{resourceStatus=active}
Bugs fixed
The provision endpoint is now configured so it is included in the Solid Discovery Resource on the Pod Storage Service.
Added extra validation to storage URIs on purge. Storage URIs now must end with a /.
Purger Service
Additions
User data and Pods can now be deleted from ESS using the new Purger Service.
Solid OIDC Broker Service
Additions
Added an allow list to the OpenID configuration that identifies trusted clients. The OpenID Consent screen will not be shown for trusted clients.
Removals
Responses will no longer serialize null fields in JSON.
Bugs fixed
The icons on the Consent screen and Application Registration page are now embedded, so they are consistently available.
WebID Service
Additions
Database connection pool updates to improve graceful backoff under load.
Deployment
Updates
inrupt-kustomizer has been updated to use Kustomize version 5.5.
The Kubernetes bases for ess-fragments-ingest and ess-fragments-query have been changed to require TLS v1.3 connections to the Postgres database by default. Setting this as the default helps ensure security.
The stability of the Keycloak Kubernetes deployment used in the standalone overlay has been improved by removing resource constraints. Additionally, the health endpoint port (9000) from the Kubernetes service is now exposed.
Removals
Suspend ess-storage-migrate-system-resource Kubernetes CronJobs from running as they were only needed for migrating to ESS 2.2.0.
ESS 2.3 included a set of migration jobs for the Access Grant Service. These jobs, once run, can be removed from a Kubernetes deployment. For new (2.5+) deployments, the migration jobs are not relevant.