Releases: spiffe/spire

v1.7.2

16 Aug 22:31
a6ce058

Added

  • aws_s3 BundlePublisher plugin (#4355)
  • SPIRE Server bundle endpoint now includes bundle sequence number (#4389)
  • Telemetry in experimental Agent LRU cache (#4335)
  • Telemetry in Agent Delegated Identity API (#4399)
  • Documentation improvements (#4336, #4407)

Fixed

  • Server no longer unnecessarily activates its CA a second time on startup (#4368)

v1.7.1

27 Jul 23:06
1b775d5

Added

  • x509pop node attestor emits a new selector with the leaf certificate serial number (#4216)
  • HTTPS server in the OIDC Discovery Provider can now be configured to use a certificate file (#4190)
  • Option to log source information in server and agent logs (#4246)

Changed

  • Agent now has an exponential backoff strategy when syncing with the server (#4279)

Fixed

  • Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)
  • SPIRE Agent cache bug resulting in workloads receiving JWT-SVIDs with incomplete audience set (#4309)
  • The spire-server agent show command to properly show the "Can re-attest" attribute (#4288)

v1.6.5

27 Jul 21:26
6c03483

Fixed

  • Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)

v1.7.0

14 Jun 21:09
c765281

Added

  • AWS IID Node Attestor now supports all regions, including GovCloud and regions in China (#4124)

Fixed

  • Systemd workload attestor failing with the error "connection closed by user" (#4165)
  • Reduced SPIRE Agent CPU usage during kubernetes workload attestation (#4240)

Removed

  • Envoy SDSv2 API is deprecated and now disabled by default (#4228)

v1.6.4

17 May 21:56
2d7930a

Added

  • ARM64 binaries are now included in the release artifacts (#4143)
  • Various build script improvements (#4062, #4081, #4096, #4127)
  • Various doc improvements (#4076)
  • Workload API hint support (#3993, #4074)
  • Improved performance when listing queries for PostgreSQL (#4111)
  • Support for SPIFFE bundle sequence numbers (#4061)
  • New Systemd Workload Attestor plugin (#4058)
  • New BundlePublisher plugin type (#4022)
  • New agent purge command for removing stale agent records (#3982)

Fixed

  • Bug determining if an entry was unique (#4063)

v1.6.3

13 Apr 20:22
c0e1709

Added

  • Entry API responses now include the created_at field (#3975)
  • spire-server agent CLI commands and Agent APIs now show whether agents can be re-attested and support by_can_reattest filtering (#3880)
  • Entry API along with spire-server entry create, spire-server entry show and spire-server entry update CLI commands now support hint information, allowing hinting to workloads the intended use of the SVID (#3926, #3787)

Fixed

  • The vault UpstreamAuthority plugin to properly set the URI SAN (#3971)
  • Node selector data related to nodes is now cleaned when deleting a node (#3873)
  • Clean stale node selector data from previously deleted nodes (#3941)
  • Regression causing a failure to parse JSON formatted and verbose HCL configuration for plugins (#3939, #3999)
  • Regression where some workloads with active FetchX509SVID streams were not notified when an entry is removed (#3923)
  • The federated bundle updater now properly logs the trust domain name (#3927)
  • Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they did not have a URI SAN (#3997)

v1.6.2

05 Apr 02:31

Security

v1.5.6

05 Apr 01:54

Added

  • A log message in the k8s-workload-registrar webhook when validation fails (#4011)

Security

v1.6.1

02 Mar 01:04

Fixed

  • Different CA TTL than configured (#3934)

v1.6.0

28 Feb 21:24
45da87c

Added

  • Support for customization of SVID and CA attributes through CredentialComposer plugins (#3819, #3832, #3862, #3869)
  • Experimental support to validate container images signatures through sigstore selectors (#3159)
  • Published scratch images now support ARM64 architecture (#3607)
  • Published scratch images are now signed using Sigstore (#3707)
  • spire-server mint and spire-server token generate CLI commands now support the -output flag (#3800)
  • spire-agent api CLI command now supports the -output flag (#3818)
  • Release images now include a non-root user and default folders (#3811)
  • Agent accepts bootstrap bundles in SPIFFE format (#3753)
  • Database index for registration entry hint column (#3828)

Changed

  • Plugins are configured and executed in the order they are defined (#3797)
  • Documentation improvements (#3826, #3842, #3870)

Fixed

  • Server crash when authorization layer was unable to talk to the datastore (#3829)
  • Timestamps in logs are now consistently in local time (#3734)

Removed

  • Non-scratch images are no longer published (#3785)
  • k8s-workload-registrar is no longer released and maintained (#3853)
  • Unused database column x509_svid_ttl from registered_entries table (#3808)
  • The deprecated enabled flag from InMem telemetry config (#3796)
  • The deprecated default_svid_ttl configurable (#3795)
  • The deprecated omit_x509svid_uid configurable (#3794)