2025.04.12 Release Note

This release brings many configuration and deployment enhancements as well as the general availability of Network Usage monitoring.

Upgrade risk

warning

Breaking change on Controller's API to get its config.

• A parameter was added to match Gocipher & Whisperer APIs.
• If you have Controllers deployed in remote cluster, either
  • Redeploy them with scripts generated on the UI
  • Add ?view=client to spiderConfigURI field in spider-controller-\{service\}-secret

{
  "controller":      "12345abf",
  "privateKey":      "PEM private",
  "spiderConfigURI": "https://server.adr/controls/v1/controllers/12345abf/config?view=client"
}

Not upgrading this would cause Controllers to fail to restart, and associated attachments to end.

Key changes

• Network usage monitoring
• Local Agents
• Improved compatibility with ArgoCD
  • No more need to change the flags createLocalController or createLocalGocipher to false any more. The Helm generated files are now stable across renders, and the variability has been moved to an init container.

How to upgrade

1. Use Helm chart 4.7.0 from repository
2. Adjust global.version field value to 2025.04.12 in your values.yaml
3. Deploy

tip

See Reference documentation for details.

Versions

Spider

New versions of Spider components:

Component	Version	Docker tag
Helm chart	4.7.0	-
Analysis UI	12.1.4	2025.04.12
Controllers	2.0	2025.04.12
Gossipers	7.4	2025.04.12
Gociphers	1.5	2025.04.12
Back office	-	2025.04.12
Login UI	-	2025.04.12
Monitoring UI	-	2025.04.12

Dependencies

These components are set up in the correct versions by the Helm chart:

Dependency	Version	Docker tag
Elastic stack	7.17.28	7.17.28
Redis	7	7-alpine
Traefik	2.11	2.11

Compatibility

Spider has been successfully tested under these versions of dependencies:

3rd party software	Version
Helm	3.14 - 3.17
Kube	1.24 - 1.31

List of changes

Helm chart

✨ New features	Whisp API to get default Whisperer config Possibility to use a proxy for Docker registry Manage Network Usage features
⚙️ Improvements	PacketsDiscarded field in Capture status Improve compatibility with ArgoCD Possibility to update the local gocipher and controller security keys (but require restart of components) Change demo Whisperer keys to PKCS#8 Upgrade to ES 7.17.28
🐞 Bug fixes

Analysis UI

✨ New features	Option not to display local agents in Whisperers, Controllers and Gociphers lists. Option to set a Throughput limiter for Whisperers Gociphers details - New Config tab Controllers details - New Config tabs Refactor navigation to allow selection of Whisperer or Controller New Help screen when no agent is selected New Network usage screen, with logical view map + grid + dashboard + stats Workload details + link to attach Whisperer New loading dialog to fasten (and allow cancelling) network map loading
⚙️ Improvements	Removing custom values from Whisperer config to get back to default works better Add Controller state in its Status tab. Add count of nodes, Sidecar Whisperers and Gociphers in Controller status. Gociphers details - New Config permission Controllers details - New Config, Monitor & Attach permissions Filters drop down - Manage multi fields value listing to get values for both client and server sides
🐞 Bug fixes	Fixed regression on Whisperer Attachment tab that did not list containers any more (Back End fix). Fixed regression on Whisperer Global tab that did not display Container names for Gossipers (Gossiper fix). Fixed Quality lines computation that was erroneous when no TCP session were present (at all) Fix count of totalRecords for Timeline when computing delay to fetch Fix 'Delete saved query' action that was not working

Controllers

✨ New features	Stop Controller when it is a local agent running in a multi node cluster. When STOPPED, existing attachments are stopped and new ones are not spawned. Gather network usage from Gociphers, enrich them and send to Controls Configuration option for cluster PODs IP range(s)
⚙️ Improvements	Overwrite security context when spawning Whisperers to allow root execution even when POD does not allow it Manage new SideCar pattern introduced with Kubernetes 1.29 when looking for sidecars Whisperers
🐞 Bug fixes	Manage PODs in completed or failed state sent by K8S API. -> Remove objects and IPs from local state. This was causing wrong IP -> Name association.kubernetes

Gossipers (Whisperers)

✨ New features	Throughput limiter
⚙️ Improvements	Manage PKCS#8 format for keys
🐞 Bug fixes	Fixed regression - Gossiper were not sending Container names in status

Gociphers

✨ New features	Capture and send Network usage Manage service activation options in config
⚙️ Improvements	Manage PKCS#8 format for keys Optimise memory allocation for TLS capture
🐞 Bug fixes

Back office

✨ New features	Whisp API to get default Whisperer config Discarded packets stats collection and aggregation Network usage features + status metrics Manage configuration of Controllers & Gociphers
⚙️ Improvements	New API keys are in PKCS#8 format
🐞 Bug fixes	Controls - Fixed regression on Whisperer attachment tab that did not list containers any more.

Login UI

✨ New features
⚙️ Improvements
🐞 Bug fixes

Monitoring UI

✨ New features	Network usage stats in Gocipher status Added new APIs and ES index on map
⚙️ Improvements	Discarded packets field in Whisperer status grid
🐞 Bug fixes

Online documentation

Main updated parts:

• Circuit Breakers
• Installing agents locally for local development debugging
• Quick start - Rework with new Helper and Network Usage screens
• Data Captured - New chapter
• Cluster Map - New top panel
• Workloads - New data details
• Changing an agent configuration - Refactor page for common configuration UI patterns
• Controller configuration - New page
• Controller sharing - New attach, monitor and config rights + team rights
• Gocipher configuration - New page
• Gocipher sharing - New config right
• Gocipher monitoring - 2 new charts for usage and messages

API impacts

note

This section informs about any impact on Spider API, so you may adjust your scripts.

• Controls
  • New APIs
    • GET /controls/v1/defaultConfig
    • PATCH /controls/v1/controllers/{id}/config
    • POST /controls/v1/controllers/{id}/network-usage/
    • POST /controls/v1/controllers/{id}/network-usage/_search
    • POST /controls/v1/controllers/{id}/attachments/_search
  • And updated access rights for Controllers with new monitor and attach rights
• Ciphers
  • New APIs
    • GET /ciphers/v1/defaultConfig
    • PATCH /ciphers/v1/gociphers/{id}/config
• Whisperers
  • New APIs
    • GET /whisp/v1/defaultConfig

Data impacts

note

The table below tells if there are data mapping changes in Elasticsearch indices, associated or not with migrations (Yes ✅ / No ❌).
Migration are automated at upgrade time, but they may leave unattended indices that you have to remove manually.

Index	Description	Migration
spider-status-{{ dsp }}-*	New mapping for discarded packets count	❌
spider-capture-status-{{ dsp }}-*	New mapping for discarded packets count	❌
spider-network-usage-{{ dsp }}-*	New index for network usage
spider-raw-ciphers-status-*	New fields for network usage metrics

note

Network usage index usage is roughly 1 MB / Pod / day - on unstable environment (dev).
-> 4000 Pods * 5 days = 20 GB