
Releases: spiffe/spire

v1.1.3

07 Jan 22:13
00efb5b

Security

v1.0.3

07 Jan 22:16
431de73

Security

v1.1.2

15 Dec 21:10
4b4ffd5

Added

  • SPIRE Agent now supports the Delegated Identity API for delegating SVID management to trusted platform components (#2481)
  • The K8s Workload Registrar now supports configuring DNS name templates (#2643)
  • SPIRE Server now logs a message when expired registration entries are pruned (#2637)
  • OIDC Discovery Provider now supports setting the use property on the JWKs it serves (#2634)

Fixed

  • SPIRE Agent now provides the reason for failure during certain kinds of attestation errors (#2628)

v1.1.1

17 Nov 20:18
249c21d

Added

  • SPIRE Agent can now store SVIDs with Google Cloud Secrets Manager (#2595)

Changed

  • SPIRE Server downloads federated bundles a little sooner when federated relationships are added or updated (#2585)

Fixed

  • Fixed a regression in Percona XtraDB Cluster support introduced in 0.12.2 (#2605)
  • Kubernetes Workload Attestation fixed for Kubernetes 1.21+ (#2600)
  • SPIRE Agent now retries failed removals of SVIDs stored by SVIDStore plugins (#2620)

v1.1.0

10 Oct 23:42
faf1f9d

Added

  • SPIRE images are now published to GitHub Container Registry. They will continue to be published to Google Container Registry over the course of the next release (#2576,#2580)
  • SPIRE Server now implements the TrustDomain API and related CLI commands (https://github.com/spiffe/spire/projects/11)
  • The SVIDStore plugin type has been introduced to enable, amongst other things, agentless workload scenarios (#2176,#2483)
  • The TPM DevID Node Attestor emits a new issuer:cn selector with the common name of the issuing certificate (#2581)
  • The K8s Bundle Notifier plugin now supports pushing the bundle to resources in multiple clusters (#2531)
  • A built-in AWS Secrets Manager SVIDStore plugin has been introduced, which can push workload SVIDs into AWS secrets for use in Lambda functions, etc. (#2542)
  • The agent and entry list commands in the CLI gained additional filtering capabilities (#2478,#2479)
  • The GCP CAS UpstreamAuthority has a new ca_pool configurable to identify which CA pool the signing CA resides in (#2569)

Changed

  • With the GA release of GCP CAS, the UpstreamAuthority plugin now needs to know which pool the CA belongs to. If not configured, it will do a pessimistic scan of all pools to locate the correct CA. This scan will be removed in a future release (#2569)
  • The K8s Workload Registrar now supports Kubernetes 1.22 (#2515,#2540)
  • Self-signed CA certificate serial numbers are now conformant to RFC 5280 (#2494)
  • The AWS KMS Key Manager plugin now creates keys with a very strict policy by default (#2424)
  • The deprecated agent key file (svid.key) is proactively removed by the agent. It was only maintained to accommodate rollback from v1.0 to v0.12 (#2493)

Removed

  • Support for the deprecated Registration API has been removed (#2487)
  • Legacy (v0) plugin support has been removed. All plugins must now be authored using the plugin SDK.
  • The deprecated service_account_whitelist configurables have been removed from the SAT and PSAT Node Attestor plugins (#2543)
  • The deprecated projectid_whitelist configurable has been removed from the GCP IIT Node Attestor plugin (#2492)
  • The deprecated bundle_endpoint and registration_uds_path configurables have been removed from SPIRE Server (#2486,#2519)

Fixed

  • The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (#2569)
  • Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (#2582)
  • Kubernetes Workload Attestor now uses the canonical path for the service account token (#2583)
  • The server socketPath is now appropriately overridden via the configuration file (#2570)
  • The server now restarts appropriately after undergoing forceful shutdown (#2496)
  • The server CLI list commands now work reliably for large listings (#2456)

v1.0.2

02 Sep 19:54

Added

  • Experimental support for custom authorization policies based on Open Policy Agent (OPA) (#2416)
  • SPIRE Server can now be configured to emit audit logs (#2297, #2391, #2394, #2396, #2442, #2458)
  • Envoy SDS v3 API in agent now supports the SPIFFE Certificate Validator for federated SPIFFE authentication (#2435, #2460)
  • SPIRE OIDC Discovery Provider now intelligently handles host headers (#2404, #2453)
  • SPIRE OIDC Discovery Provider can now serve over HTTP using the allow_insecure_scheme setting (#2404)
  • Metrics configuration options to filter out metrics and labels (#2400)
  • The k8s-workload-registrar now supports identity template based workload registration (#2417)
  • Enhancements in filtering support in server APIs (#2467, #2463, #2464, #2468)
  • Improvements in logging of errors in peertracker (#2469)

Changed

  • CRD mode of the k8s-workload-registrar now uses SPIRE certificates for the validating webhook (#2321)
  • The vault UpstreamAuthority plugin now continues retrying to renew tokens on failures until the lease time is exceeded (#2445)

Fixed

  • Fixed a nil pointer dereference when the deprecated allow_unsafe_ids setting was configured (#2477)

Deprecated

  • The SPIRE OIDC Discovery Provider domain configurable has been deprecated in favor of domains (#2404)

v1.0.1

05 Aug 19:24

Added

  • LDevID-based TPM attestation can now be performed via a new tpm_devid NodeAttestor plugin (#2111, #2427)
  • Caller details are now logged for unauthorized Server API calls (#2399)
  • The aws_iid NodeAttestor plugin now supports attesting nodes across multiple AWS accounts via AWS IAM role assumption (#2387)
  • Added support for running the k8s_sat NodeAttestor plugin with Kubernetes v1.21 (#2423)
  • Call counter metrics are now emitted for SPIRE Server rate limiters (#2422)
  • SPIRE Server now logs a message on startup when configured TTL values may result in SVIDs with a shorter lifetime than expected (#2284)

Changed

  • Updated a trust domain validation error message to mention that underscores are valid trust domain characters (#2392)

Fixed

  • Fixed bugs that broke the ACME bundle endpoint when using the aws_kms KeyManager plugin (#2390, #2397)
  • Fixed a bug that resulted in SPIRE Agent sending unnecessary updates over the Workload API (#2305)
  • Fixed a bug in the k8s_psat NodeAttestor plugin that prevented it from being configured with kubeconfig files (#2421)

v1.0.0

08 Jul 20:03
858d04b

Added

  • The vault UpstreamAuthority plugin now supports Kubernetes service account authentication (#2356)
  • A new cert-manager UpstreamAuthority plugin is now available (#2274)
  • SPIRE Server CLI can now be used to ban agents (#2374)
  • SPIRE Server CLI now has count subcommands for agents, entries, and bundles (#2128)
  • SPIRE Server can now be configured for SPIFFE federation using the configurables defined by the spec (#2340)
  • SPIRE Server and Agent now expose the standard gRPC health service (#2057, #2058)
  • SPIFFE bundle endpoint URL is now configurable in the federates_with configuration block (#2340)
  • SPIRE Agent may now optionally provide unregistered callers with a bundle for SVID validation via the allow_unauthenticated_verifiers configurable (#2102)
  • SPIRE Server JWT key type is now independently configurable via jwt_key_type (#1991)
  • Registration entries can now be queried/filtered by federates_with when calling the entry API (#1967)

Changed

  • SPIRE Server's SVID now uses the key type configured as ca_key_type (#2269)
  • Caller address is now logged for agent API calls resulting in an error (#2281)
  • Agent SVID renewals are now logged by the server at the INFO level (#2309)
  • Workload API JWT-SVID profile will now return an error if the caller is unidentified (#2369)
  • Workload API JWT-SVID profile will no longer return non-SPIFFE claims on validated JWTs from foreign trust domains (#2372)
  • SPIRE artifact tarball no longer extracts . to avoid inadvertent changes in directory permissions (#2219)
  • SPIRE Server default socket path is now /tmp/spire-server/private/api.sock (#2075)
  • SPIRE Agent default socket path is now /tmp/spire-agent/public/api.sock (#2075)

Deprecated

  • SPIRE Server federation configuration in the federates_with bundle_endpoint block is now deprecated (#2340)
  • SPIRE Server gcp_iit NodeAttestor configurable projectid_whitelist is deprecated in favor of projectid_allow_list (#2253)
  • SPIRE Server k8s_sat and k8s_psat NodeAttestor configurable service_account_whitelist is deprecated in favor of service_account_allow_list (#2253)
  • SPIRE Server registration_uds_path/-registrationUDSPath configurable and flag have been deprecated in favor of socket_path/-socketPath (#2075)

Removed

  • SPIRE Server no longer supports SPIFFE IDs with UTF-8 (#2368)
  • SPIRE Server no longer supports the legacy Node API (#2093)
  • SPIRE Server experimental configurable allow_agentless_node_attestors has been removed (#2098)
  • The aws_iid NodeResolver plugin has been removed as it has been obviated (#2191)
  • The noop NodeResolver plugin has been removed (#2189)
  • The proto/spire go module has been removed in favor of the new SDKs (#2161)
  • The deprecated enable_sds configurable has been removed (#2021)
  • The deprecated experimental bundle CLI subcommands have been removed (#2062)
  • SPIRE Server experimental configurables related to federation have been removed (#2062)
  • SPIRE Server bundle endpoint no longer supports TLS signature schemes utilizing non-SHA256 hashes when ACME is enabled (#2397)

Fixed

  • Fixed a bug that caused health check failures in agents that have registration entries describing them (#2370)
  • SPIRE Agent no longer logs a message when invoking a healthcheck via the CLI (#2058)
  • Fixed a bug that caused federation to fail when using ACME in conjunction with the aws_kms KeyManager plugin (#2390)

v0.12.3

17 May 18:59
e926264

Added

  • The k8s-workload-registrar now supports federation (#2160)
  • The k8s_bundle notifier plugin can now keep API service CA bundles up to date (#2193)
  • SPIRE Server internal cache reload timing can now be tuned (experimental) (#2169)

Changed

  • Prometheus metrics that are emitted infrequently will no longer disappear after emission (#2239)
  • The k8s-workload-registrar now uses paging to support very large deployments of 10,000+ pods (#2227)

Fixed

  • Fixed a bug that sometimes caused newly attested agents to not receive their full set of selectors (#2242)
  • Fixed several bugs related to the handling of SPIRE Server API paging (#2251)

v0.12.2

14 Apr 15:17
4e85ec8

Added

  • Added aws_kms server KeyManager plugin that uses the AWS Key Management Service (KMS) (#2066)
  • Added gcp_cas UpstreamAuthority plugin that uses the Certificate Authority Service from Google Cloud Platform (#2172)
  • Improved error returned during attestation of agents (#2159)
  • The aws_iid NodeAttestor plugin now supports running in a location with no public internet access available for the server (#2119)
  • The k8s notifier can now rotate Admission Controller Webhook CA Bundles (#2022)
  • Rate limiting on X.509 signing and JWT signing can now be disabled (#2142)
  • Added uptime metrics in server and agent (#2032)
  • Calls to KeyManager plugins now time out at 30 seconds (#2044)
  • Added logging when lookup of user by uid or group by gid fails in the unix WorkloadAttestor plugin (#2048)

Changed

  • The k8s WorkloadAttestor plugin now emits selectors for both image and image ID (#2116)
  • HTTP readiness endpoint on agent now checks the health of the Workload API (#2015, #2087)
  • SDS API in agent now returns an error if an SDS client requests resource names that don't exist (#2020)
  • Bundle and k8s-workload-registrar endpoints now only accept clients using TLS v1.2+ (#2025)

Fixed

  • Registration entry update handling in CRD mode of the k8s-workload-registrar to prevent unnecessary issuance of new SVIDs (#2155)
  • Failure to update CA bundle due to improper MySQL isolation level for read-modify-write operations (#2150)
  • Regression preventing agent selectors from showing in spire-server agent show command (#2133)
  • Issue in the token authentication method of the Vault Upstream Authority plugin (#2110)
  • Reporting of errors in server entry cache telemetry (#2091)
  • Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)