2.7 Changelogs

v2.7.0

Released: 2026-01-13

New features

Access Grant Service

Additions

  • New Access Grant Metrics feature for monitoring Verifiable Credential state and lifecycle. Prometheus metrics are now exposed for:

    • Access Requests - Track requests by status (pending, granted, denied, canceled, expired)

    • Access Grants - Monitor grants by status (active, expired, revoked)

    • Access Denials - Count total denials issued by the system

  • Metrics are cached for performance optimization with configurable cache expiration times (default: 300 seconds)

Security improvements

SSL/TLS connection to databases

A new kustomizer component lets you provide the databases' CA bundles to the services. This makes it possible to enforce SSL/TLS on the database connections.

For more information, see the databases SSL/TLS configuration page.

SSL/TLS connection to Kafka broker

A new kustomizer component lets you configure the Kafka clients to enforce SSL on their connections to the Kafka broker.

For more information, see the Kafka SSL configuration page.

Data Views API

Additions

  • New Data Views API enables fine-grained access control over JSON resources through GraphQL-based filtering

  • Data subjects can create filtered "view resources" that expose only specific fields from source data

  • Key capabilities:

    • View Definitions - Reusable GraphQL queries defining what data to expose

    • View Resources - Single resource filtering with explicit destination URIs

    • View Containers - Bulk filtering of entire containers with automatic synchronization

    • Preview Functionality - Test view bindings before creation

    • Automatic Updates - View resources automatically sync when source data changes

    • Source Protection - Source resources cannot be deleted while view bindings exist

  • Advanced GraphQL query features:

    • Field selection and nested object filtering

    • Numeric comparisons (gt, gte, lt, lte)

    • Date range queries (after, before)

    • Array membership filtering (in)

    • Extended scalar support (DateTime, Json)

  • Security features:

    • Configurable query depth, complexity, and list size limits

    • Registry authorization for view definition management

    • Data subject permission required for creating bindings

For complete documentation, see Data Views API

Prune (Pod Storage Service)

Improvements

  • Enhanced pruning architecture with batch iteration processing for improved performance and scalability

  • Data Views Support:

    • Soft-deleted View Definitions are now included in the pruning process and will be permanently deleted after the retention window

    • Soft-deleted View Bindings are now included in the pruning process and will be permanently deleted after the retention window

  • New Configuration Parameters:

    • INRUPT_STORAGE_PRUNE_MAX_ITERATIONS - Controls the maximum number of batch iterations per job run

      • Default: 100

      • Kubernetes deployment default: 1000

      • Allows fine-grained control over total processing time

    • INRUPT_STORAGE_PRUNE_ITERATION_DELAY_MS - Configurable delay between iterations to reduce system load

      • Default: 20 milliseconds

      • Can be set to 0 to disable

    • INRUPT_STORAGE_PRUNE_PRE_COMPLETION_DELAY_MS - Delay before process completion to allow metrics scraping

      • Default: 10000 milliseconds (10 seconds)

  • Batch Size Changes:

    • INRUPT_STORAGE_PRUNE_PRUNABLE_BATCH_SIZE default changed from 10000 to 100 (per iteration)

    • INRUPT_STORAGE_PRUNE_ORPHAN_BATCH_SIZE default changed from 80000 to 100, Kubernetes deployment: 800 (per iteration)

    • Batch sizes now represent per-iteration limits rather than single-pass limits

  • Improved Observability:

    • Simplified logging with new message IDs:

      • STORAGEPRUNE000001 - Pruning start process (INFO)

      • STORAGEPRUNE000002 - Prune process completion (INFO)

      • STORAGEPRUNE000003 - Individual pruner completion with count (INFO)

      • STORAGEPRUNE000004 - Maximum iterations reached warning (WARN)

    • Per-iteration progress tracking

    • Clear indication when max iterations limit is reached

  • Performance Benefits:

    • Smaller batch sizes reduce peak system load and memory consumption

    • Multiple iterations allow jobs to run more frequently without overwhelming the system

    • Remaining items are automatically processed in subsequent scheduled runs if max iterations is reached

  • Backward Compatibility: All configuration changes are backward compatible with existing deployments

For complete documentation, see Pruning Configuration
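
Because a single STORAGEPRUNE000004 warning is expected to resolve itself on the next scheduled run, the signal worth alerting on is several consecutive runs that never drain the backlog, since soft-deleted items then stay on disk longer than intended. The following is an added example, not Inrupt's code: it groups log lines into job runs using the message IDs above and flags that condition. The log line layout, the function names and the threshold of two runs are assumptions.

```python
import re

# Message IDs are from the changelog; the surrounding log layout below is
# constructed for illustration and may differ from real ESS output.
MSG_ID = re.compile(r"\bSTORAGEPRUNE00000([1-4])\b")
START, DONE, MAX_ITER = "1", "2", "4"

SAMPLE_LOG = """\
2026-01-14T02:00:00Z INFO STORAGEPRUNE000001 prune starting
2026-01-14T02:00:09Z INFO STORAGEPRUNE000003 pruner finished
2026-01-14T02:00:19Z INFO STORAGEPRUNE000002 prune complete
2026-01-15T02:00:00Z INFO STORAGEPRUNE000001 prune starting
2026-01-15T02:00:31Z WARN STORAGEPRUNE000004 max iterations reached
2026-01-15T02:00:41Z INFO STORAGEPRUNE000002 prune complete
2026-01-16T02:00:00Z INFO STORAGEPRUNE000001 prune starting
2026-01-16T02:00:30Z WARN STORAGEPRUNE000004 max iterations reached
2026-01-16T02:00:40Z INFO STORAGEPRUNE000002 prune complete
2026-01-17T02:00:00Z INFO STORAGEPRUNE000001 prune starting
2026-01-17T02:00:12Z WARN STORAGEPRUNE000004 max iterations reached
"""

def classify_runs(lines):
    """Return one status per job run: 'ok', 'truncated' or 'incomplete'."""
    runs, current = [], None
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue                      # unrelated log line
        code = m.group(1)
        if code == START:
            if current is not None:       # previous run never logged completion
                runs.append("incomplete")
            current = "ok"
        elif current is None:
            continue                      # message outside any run; ignore
        elif code == MAX_ITER:
            current = "truncated"         # stopped at the max iterations limit
        elif code == DONE:
            runs.append(current)
            current = None
    if current is not None:               # log ends mid-run (job killed or cut off)
        runs.append("incomplete")
    return runs

def backlog_alert(runs, threshold=2):
    """True when the last `threshold` runs all failed to drain the backlog."""
    tail = runs[-threshold:]
    return len(tail) == threshold and all(r != "ok" for r in tail)

if __name__ == "__main__":
    statuses = classify_runs(SAMPLE_LOG.splitlines())
    print(statuses, "ALERT" if backlog_alert(statuses) else "ok")
```

A sustained alert is the cue to raise INRUPT_STORAGE_PRUNE_MAX_ITERATIONS or schedule the job more often; a run reported as incomplete never logged STORAGEPRUNE000002 and deserves a look at why the job ended early.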

Deployment

Updates

The inrupt-kustomizer image has been updated with a new base image (UBI9), which includes important changes that may affect build workflows:

Changes:

  • Base Image: Updated to Red Hat Universal Base Image 9 (UBI9)

  • Removed Components: Internal RDF tools have been removed from the base image

  • HOME Directory: The HOME directory location has changed from /root to /opt/app-root/src due to the UBI9 base image

Impact on kbld Crystallization:

If your build scripts use kbld for image crystallization with mounted Docker credentials, you must update the HOME directory mount path:

  • The correct HOME directory path is now /opt/app-root/src

  • Docker credentials must be mounted to the correct HOME directory for kbld authentication to work

  • Failure to update the mount path will cause kbld crystallization to fail

  • If you do not mount Docker credentials, no action is required

Deprecations

Important: The kbld tool for image crystallization is now deprecated and will be removed in a future release of ESS.

Organizations currently using kbld for Kubernetes manifest image resolution should begin planning migration to alternative solutions.
