Skip to content

Releases: spiffe/spire

v1.11.1

12 Dec 19:48
32cc98e
Compare
Choose a tag to compare

Added

  • The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (#5593, #5625)
  • The JWT-SVID cache in the agent is now configurable (#5633)
  • The JWT issuer is now configurable in the OIDC Discovery Provider (#5657)

Changed

  • CA journal now relies on the authority ID instead of the issued time when updating the status of keys (#5622)

Fixed

  • Spelling and grammar fixes (#5571)
  • Handling of IPv6 address consistently for the binding address of the server and health checks (#5623)
  • Link to Telemetry documentation in the Contributing guide (#5650)
  • Handling of registration entries with revision number 0 when the agent syncs entries with the server (#5680)

Known Issues

  • Setting the new jwt_issuer configuration property in oidc-discovery-provider is not compatible with deployments that use a server port other than 443 (#5696)
  • Domain verification is bypassed when setting the new jwt_issuer configuration property in oidc-discovery-provider (#5697)

v1.11.0

24 Oct 20:08
ca35234
Compare
Choose a tag to compare

Added

  • Support for forced rotation and revocation (https://github.com/orgs/spiffe/projects/21)
  • New EJBCA UpstreamAuthority plugin for SPIRE Server (#5378)
  • Support for variables in templates contained in the config file (#5576)
  • Support for the configuration validation RPC on all built-in plugins (#5303)
  • Improved logging when built-in plugins panic (#5476)
  • Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (#5408)
  • Documentation additions and improvements (#5589, #5588, #5499, #5433, #5430, #5269)

Changed

  • SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the x509_svid_cache_max_size configuration option. (#5383, #5531)
  • Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (#5506)
  • Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (#5454)

Removed

  • Deprecated -ttl flag from the SPIRE Server entry create and entry update commands (#5483)
  • Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (#5487)

Fixed

  • Missing TrustDomain field passed to x509pop path template (#5577)
  • Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (#5509)

v1.10.4

13 Sep 18:45
9c4d83a
Compare
Choose a tag to compare

Fixed

v1.10.3

04 Sep 12:38
7be2981
Compare
Choose a tag to compare

Fixed

  • Regression in agent health check, requiring the agent to have an SVID on disk to be healthy (#5459)

v1.10.2

03 Sep 13:48
6ba4d56
Compare
Choose a tag to compare

Added

  • http_challenge NodeAttestor plugin (#4909)
  • Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (#5272)
  • Metrics for monitoring the event-based cache (#5411)

Changed

  • Delegated Identity API to allow subscription by process ID (#5272)
  • Agent Debug endpoint to count SVIDs by type (#5352)
  • Agent health check to report an unhealthy status until the Agent SVID is attested (#5298)
  • Small documentation improvements (#5393)

Fixed

  • aws_iid NodeAttestor to properly handle multiple network interfaces (#5300)
  • Server configuration to correctly propagate the sql_transaction_timeout setting in the experimental events-based cache (#5345)

v1.10.1

01 Aug 20:02
a38f056
Compare
Choose a tag to compare

Added

  • New Grafana dashboard template (#5188)
  • aws_rolesanywhere_trustanchor BundlePublisher plugin (#5048)

Changed

  • spire UpstreamAuthority to optionally use the Preferred TTL on intermediate authorities (#5264)
  • Federation endpoint to support custom bundle and certificates for authorization (#5163)
  • Small documentation improvements (#5235, #5220)

Fixed

  • Event-based cache to handle events missed at the cache startup (#5289)
  • LRU cache to no longer send update notifications to all subscribers (#5281)

v1.10.0

24 Jun 14:13
fa6639b
Compare
Choose a tag to compare

Added

  • Plugin reconfiguration support using the plugin_data_file configurable (#5166)

Changed

  • SPIRE Server and OIDC provider images to use non root users (#4967, #5227)
  • k8s_psat NodeAttestor attestor to no longer fail when a cluster is not configured (#5216)
  • Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
  • Small documentation improvements (#5181, #5189)
  • Evicted agents that support reattestation can now reattest without being restarted (#4991)

Fixed

  • PSAT node attestor to cross check the audience fields (#5142)
  • Events-based cache to handle out of order events (#5071)

Deprecated

  • x509_svid_cache_max_size and disable_lru_cache in agent configuration (#5150)

Removed

  • The deprecated disable_reattest_to_renew agent configurable (#5217)
  • The deprecated key_metadata_file configurable from the aws_kms, azure_key_vault and gcp_kms server KeyManagers (#5207)
  • The deprecated use_msi configurable from the azure_key_vault server KeyManager and azure_msi NodeAttestor (#5207, #5209)
  • The deprecated exclude_sn_from_ca_subject server configurable (#5203)
  • Agent no longer cleans up deprecated bundle and SVID files (#5205)
  • The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up (#5202)

v1.9.6

14 May 21:46
deda8a0
Compare
Choose a tag to compare

Added

  • Opt-in support for CGroups v2 in K8s and Docker workload attestors (#5076)
  • gcp_cloudstorage BundlePublisher plugin (#4961)
  • The aws_iid node attestor can now check if the AWS account ID is part of an AWS Organization (#4838)
  • More filtering options to count and show entries and agents (#4714)

Changed

  • Credential composer to not convert timestamp related claims (i.e., exp and iat) to floating point values (#5115)
  • FetchJWTBundles now returns an empty collection of keys instead of null (#5031)

Fixed

  • Using expired tokens when connecting to database (#5119)
  • Server no longer tries to create JWT authority when X.509 authority fails (#5064)
  • Issues in experimental events-based entry cache (#5030, #5037, #5042)

v1.9.5

08 May 00:07
Compare
Choose a tag to compare

Security

v1.8.11

07 May 21:34
Compare
Choose a tag to compare

Security