2.4 Changelogs#

v2.4.0#

Released: 2025-05-13

Kafka Encryption configuration has been updated for more clarity, to say Encrypted instead of just Encrypt:
- Old Configuration (Deprecated):
  - Serializer: com.inrupt.components.kafka.encryption.EncryptMessageSerializer
  - Deserializer: com.inrupt.components.kafka.encryption.DecryptMessageDeserializer
- New Configuration (Required):
  - Serializer: com.inrupt.components.kafka.encryption.EncryptedMessageSerializer
  - Deserializer: com.inrupt.components.kafka.encryption.EncryptedMessageDeserializer
If these have been set in a custom Kubernetes kustomization then please update your configuration to use these new class names.

The new class names improve clarity by reflecting the encrypted message format rather than the action.
The ESS base JVM images are now based on UBI 9, aligning with Red Hat’s supported and hardened base images.

The Access Grant Service emits Access Request/Access Grant change events. These events will be sent to the Notifications Service which will forward them to subscribers.
The paginated response from the query endpoint now contains a summary that includes a total of all Access Credentials matched.

Prevent potential recursive call from happening when finding ACRs.
Provisioning and creating ACRs in the Authorization Service is now idempotent.
Updated logging during provisioning and creating ACRs to remove ERROR logs that are no longer considered error scenarios.
Service now returns a 400 response when a client submits a PUT request with empty content.

Static authorization allow-list can now be set on the Authorization Service. This is currently only used by the Purger Service to protect its endpoints.

The default setting for INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST is now https://inrupt.com. This is not a valid client but is used as a placeholder to ensure that the default is not blank (which would leave ESS open to any client being able to update ACRs).

The Notification Service adds an HTTPS API where agents can subscribe to events from the Access Grant Service. These subscriptions will direct notifications to client-defined webhook URLs where they can be received.

The Pod Storage Service HTTP conditional requests management is now compliant with RFC 7232 HTTP Conditional Requests. In particular, ETag headers are now prioritized over If-Modified-Since.

New metric for tracking the number of active Storages called: application_com_inrupt_storage_metrics_MetricsCollector_sum{resourceStatus=active)`

The provision endpoint is now configured so it is included in the Solid Discovery Resource on the Pod Storage Service.
Added extra validation to storage URIs on purge. Storage URIs now must end with a /.

Added an allow list to the OpenID configuration that identifies trusted clients. The OpenID Consent screen will not be shown for trusted clients.

The icons on the Consent screen and Application Registration page are now embedded, so they are consistently available.

inrupt-kustomizer has been updated to use Kustomize version 5.5.
The Kubernetes bases for ess-fragments-ingest and ess-fragments-query have been changed to require TLS v1.3 connections to the Postgres database by default. Setting this as the default helps ensure security.
The stability of the Keycloak Kubernetes deployment used in the standalone overlay has been improved by removing resource constraints. Additionally, the health endpoint port (9000) from the Kubernetes service is now exposed.

Suspend ess-storage-migrate-system-resource Kubernetes CronJobs from running as they were only needed for migrating to ESS 2.2.0.
ESS 2.3 included a set of migration jobs for the Access Grant Service. These jobs, once run, can be removed from a Kubernetes deployment. For new (2.4+) deployments, the migration jobs are not relevant.