v1.23.0

Upgrade Notes

Behavioral change: the router public listener no longer serves /fission-function/<ns>/<name>. External tooling that today calls those paths through the public router URL (typically via Ingress) will receive 404 after upgrading. This closes GHSA-3g33-6vg6-27m8.

KEDA users: internalAuth.enabled now defaults to true. Upstream fission/kafka-http-connector images do not yet sign their requests, so KEDA-driven message-queue triggers will receive 401. Set --set internalAuth.enabled=false at upgrade time if you depend on stock KEDA connector images.

See the Upgrade Guide and Internal Service Authentication for the full procedure.

Deprecations/Removals

• We continue to support Kubernetes 1.28 and above (kubeVersion: ">=1.28.0-0" in the Helm chart). No change in supported Kubernetes versions from v1.22.0.
• /fission-function/<ns>/<name> is removed from the public router listener (port 8888) and now lives only on a new internal listener (port 8889). See Upgrade Notes above.
• The legacy bash-based integration test suite has been retired. All integration tests now run as Go test suites.

Highlights

• Application-layer HMAC authentication has been added across internal Fission services — StorageSvc /v1/archive, fetcher, builder, executor, and router-internal — so cross-service calls are authenticated even within the cluster. Enabled by default via internalAuth.enabled=true; see Internal Service Authentication for configuration, the toggle matrix, and master-secret rotation.
• Per-service NetworkPolicies now cover every Fission listener, restricting in-cluster traffic to the components that actually need it.
• The fission-fetcher ServiceAccount token is no longer mounted into user function containers, removing an unnecessary credential from the function runtime.

Fixes

• Multiple security sweeps refreshed Go dependencies and closed Dependabot CVEs, including docker/cli (3 CVEs), golang.org/x/image, go-git, and the keda/v2 module.
• Bumped the Go toolchain to 1.26, and refreshed workflow CLI tool versions (helm, kind, skaffold, cosign, golangci-lint).
• Helm chart published as 1.23.0, now versioned independently from the app version.
• Allow = characters in ingress trigger parsing — previously rejected as malformed (thanks @immanuwell).
• Internal refactors: switched to the logr interface across the codebase, replaced hashicorp/go-multierror with the stdlib errors package, optimized the throttler, reduced webhook code duplication, and improved abstractions in the mqtrigger package.

Changelog

What’s Changed

• Bump github.com/expr-lang/expr from 1.17.6 to 1.17.7 by @dependabot[bot] in https://github.com/fission/fission/pull/3295
• Separate chart and app version by @sanketsudake in https://github.com/fission/fission/pull/3297
• Bump github.com/kedacore/keda/v2 from 2.18.2 to 2.18.3 by @dependabot[bot] in https://github.com/fission/fission/pull/3299
• Bump the github-actions group with 3 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3301
• Couple of enhancements & library updates by @dependabot[bot] in https://github.com/fission/fission/pull/3303
• Use errors instead of hashicorp/go-multierror package by @sanketsudake in https://github.com/fission/fission/pull/3304
• Use modernizer and upgrade golangci-lint config by @sanketsudake in https://github.com/fission/fission/pull/3306
• Bump anchore/sbom-action from 0.20.11 to 0.21.0 in the github-actions group by @dependabot[bot] in https://github.com/fission/fission/pull/3305
• Optimize throttler and reduce webhook code duplication by @sanketsudake in https://github.com/fission/fission/pull/3307
• Switch to logr interface across codebase by @sanketsudake in https://github.com/fission/fission/pull/3313
• Add better abstractions for Subscribe in mqtrigger package by @sanketsudake in https://github.com/fission/fission/pull/3317
• Add checks in specialize pod handler by @sanketsudake in https://github.com/fission/fission/pull/3318
• Bump the github-actions group across 1 directory with 6 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3319
• Bump the go-dependencies group across 1 directory with 4 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3316
• Update keda image versions to latest by @sanketsudake in https://github.com/fission/fission/pull/3320
• Upgrade go version 1.26 by @sanketsudake in https://github.com/fission/fission/pull/3326
• Bump the github-actions group across 1 directory with 5 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3329
• Fix atomic usage by @sanketsudake in https://github.com/fission/fission/pull/3348
• Bump the github-actions group across 1 directory with 17 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3341
• Add CLAUDE & AGENTS md by @sanketsudake in https://github.com/fission/fission/pull/3349
• Deps/security sweep 2026 04 by @sanketsudake in https://github.com/fission/fission/pull/3350
• Bump the github-actions group with 8 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3352
• Bump the github-actions group with 2 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3354
• Bump golang.org/x/image from 0.18.0 to 0.38.0 by @dependabot[bot] in https://github.com/fission/fission/pull/3342
• Migrate bash integration tests to Go by @sanketsudake in https://github.com/fission/fission/pull/3356
• Retire bash integration test suite (Phase 6 teardown) by @sanketsudake in https://github.com/fission/fission/pull/3357
• Bump Go dependencies (security sweep, 2026-05) by @sanketsudake in https://github.com/fission/fission/pull/3358
• Misc fixes by @sanketsudake in https://github.com/fission/fission/pull/3361
• Bump docker/cli to v29.4.3 to close 3 Dependabot CVEs by @sanketsudake in https://github.com/fission/fission/pull/3362
• Add debug-github-ci skill by @sanketsudake in https://github.com/fission/fission/pull/3363
• Security fixes 2026 05 by @sanketsudake in https://github.com/fission/fission/pull/3364
• Add per-service NetworkPolicies covering every Fission listener by @sanketsudake in https://github.com/fission/fission/pull/3365
• Drop fission-fetcher SA token from function user containers by @sanketsudake in https://github.com/fission/fission/pull/3366
• Add HMAC application-layer auth to StorageSvc /v1/archive by @sanketsudake in https://github.com/fission/fission/pull/3368
• fix: allow equals in ingress trigger parsing by @immanuwell in https://github.com/fission/fission/pull/3370
• Extend HMAC application-layer auth to fetcher, builder, executor, and router-internal by @sanketsudake in https://github.com/fission/fission/pull/3369
• Bump the github-actions group with 2 updates by @dependabot[bot] in https://github.com/fission/fission/pull/3360
• Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 by @dependabot[bot] in https://github.com/fission/fission/pull/3371
• Go deps security sweep (2026-05b) + Go 1.26.3 + chart v1.23.0 by @sanketsudake in https://github.com/fission/fission/pull/3375
• Refresh workflow CLI tool versions (helm, kind, skaffold, cosign, golangci-lint) by @sanketsudake in https://github.com/fission/fission/pull/3376

New Contributors

• @immanuwell made their first contribution in https://github.com/fission/fission/pull/3370

Full Changelog: https://github.com/fission/fission/compare/v1.22.0...v1.23.0

References

• Environments
• Custom Resource Definition Specification
• Releases