Releases: spiffe/spire
Releases · spiffe/spire
v1.11.1
Added
- The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (#5593, #5625)
- The JWT-SVID cache in the agent is now configurable (#5633)
- The JWT issuer is now configurable in the OIDC Discovery Provider (#5657)
Changed
- CA journal now relies on the authority ID instead of the issued time when updating the status of keys (#5622)
Fixed
- Spelling and grammar fixes (#5571)
- Handling of IPv6 address consistently for the binding address of the server and health checks (#5623)
- Link to Telemetry documentation in the Contributing guide (#5650)
- Handling of registration entries with revision number 0 when the agent syncs entries with the server (#5680)
Known Issues
v1.11.0
Added
- Support for forced rotation and revocation (https://github.com/orgs/spiffe/projects/21)
- New EJBCA UpstreamAuthority plugin for SPIRE Server (#5378)
- Support for variables in templates contained in the config file (#5576)
- Support for the configuration validation RPC on all built-in plugins (#5303)
- Improved logging when built-in plugins panic (#5476)
- Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (#5408)
- Documentation additions and improvements (#5589, #5588, #5499, #5433, #5430, #5269)
Changed
- SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the
x509_svid_cache_max_size
configuration option. (#5383, #5531) - Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (#5506)
- Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (#5454)
Removed
- Deprecated -ttl flag from the SPIRE Server
entry create
andentry update
commands (#5483) - Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (#5487)
Fixed
v1.10.4
Fixed
- Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk#66, spiffe/spire-plugin-sdk#39)
v1.10.3
v1.10.2
Added
http_challenge
NodeAttestor plugin (#4909)- Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (#5272)
- Metrics for monitoring the event-based cache (#5411)
Changed
- Delegated Identity API to allow subscription by process ID (#5272)
- Agent Debug endpoint to count SVIDs by type (#5352)
- Agent health check to report an unhealthy status until the Agent SVID is attested (#5298)
- Small documentation improvements (#5393)
Fixed
v1.10.1
v1.10.0
Added
- Plugin reconfiguration support using the
plugin_data_file
configurable (#5166)
Changed
- SPIRE Server and OIDC provider images to use non root users (#4967, #5227)
k8s_psat
NodeAttestor attestor to no longer fail when a cluster is not configured (#5216)- Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
- Small documentation improvements (#5181, #5189)
- Evicted agents that support reattestation can now reattest without being restarted (#4991)
Fixed
- PSAT node attestor to cross check the audience fields (#5142)
- Events-based cache to handle out of order events (#5071)
Deprecated
x509_svid_cache_max_size
anddisable_lru_cache
in agent configuration (#5150)
Removed
- The deprecated
disable_reattest_to_renew
agent configurable (#5217) - The deprecated
key_metadata_file
configurable from theaws_kms
,azure_key_vault
andgcp_kms
server KeyManagers (#5207) - The deprecated
use_msi
configurable from theazure_key_vault
server KeyManager andazure_msi
NodeAttestor (#5207, #5209) - The deprecated
exclude_sn_from_ca_subject
server configurable (#5203) - Agent no longer cleans up deprecated bundle and SVID files (#5205)
- The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up (#5202)
v1.9.6
Added
- Opt-in support for CGroups v2 in K8s and Docker workload attestors (#5076)
gcp_cloudstorage
BundlePublisher plugin (#4961)- The
aws_iid
node attestor can now check if the AWS account ID is part of an AWS Organization (#4838) - More filtering options to count and show entries and agents (#4714)
Changed
- Credential composer to not convert timestamp related claims (i.e., exp and iat) to floating point values (#5115)
- FetchJWTBundles now returns an empty collection of keys instead of null (#5031)
Fixed
v1.9.5
Security
- Updated to Go 1.21.10 to address CVE-2024-24788
v1.8.11
Security
- Updated to Go 1.21.10 to address CVE-2024-24788