Releases: spiffe/spire

v1.8.4

08 Nov 02:01

Security

v1.7.5

08 Nov 00:34

Security

v1.8.3

25 Oct 21:26
eaa04d5

Added

  • SPIRE Agent distributes sync requests to the SPIRE server to mitigate thundering herd situations (#4534)
  • Allow configuring prefixes for all metrics (#4535)
  • Documentation improvements (#4579, #4569)

Changed

  • SPIRE Agent performs the initial sync more aggressively when tuned with a longer sync interval (#4479)

Fixed

  • Release artifacts have the correct version information (#4564)
  • The SPIRE Agent insecureBootstrap and trustBundleUrl configurables are now mutually exclusive (#4532)
  • Bug preventing JWT-SVIDs from being minted when a Credential Composer plugin is configured (#4489)

v1.8.2

12 Oct 22:25

Security

v1.7.4

12 Oct 21:23

Security

v1.8.1

10 Oct 23:21

Security

v1.7.3

10 Oct 22:15

Security

v1.8.0

20 Sep 17:39
872f76d

Added

  • azure_key_vault KeyManager plugin (#4458)
  • Server configuration to set refresh hint of local bundle (#4400)
  • Support for batch entry deletion in spire-server CLI (#4371)
  • aws_iid NodeAttestor can now be used in AWS Gov Cloud and China regions (#4427)
  • status_code and status_message fields in SPIRE Agent logs on gRPC errors (#4262)

Changed

  • Bundle server configuration is now organized by endpoint profiles (#4476)
  • Release artifacts are now statically linked with musl rather than glibc (#4491)
  • Agent no longer requests unused SVIDs for node aliases it belongs to, reducing server signing load (#4467)
  • Entry IDs can now be optionally set by the client for BatchCreateEntry requests (#4477)

Fixed

  • Concurrent workload attestation using systemd plugin (#4360)
  • Bug in k8s WorkloadAttestor plugin that failed attestation in some scenarios (#4468)
  • Server can now be run on Linux arm64 when using SQLite (#4491)

Removed

  • Support for Envoy SDS v2 API (#4444)
  • Server no longer cleans up stale data in the database on startup (#4443)
  • Server no longer deletes entries with invalid SPIFFE IDs on startup (#4449)

v1.7.2

16 Aug 22:31
a6ce058

Added

  • aws_s3 BundlePublisher plugin (#4355)
  • SPIRE Server bundle endpoint now includes bundle sequence number (#4389)
  • Telemetry in experimental Agent LRU cache (#4335)
  • Telemetry in Agent Delegated Identity API (#4399)
  • Documentation improvements (#4336, #4407)

Fixed

  • Server no longer unnecessarily activates its CA a second time on startup (#4368)

v1.7.1

27 Jul 23:06
1b775d5

Added

  • x509pop node attestor emits a new selector with the leaf certificate serial number (#4216)
  • HTTPS server in the OIDC Discovery Provider can now be configured to use a certificate file (#4190)
  • Option to log source information in server and agent logs (#4246)

Changed

  • Agent now has an exponential backoff strategy when syncing with the server (#4279)

Fixed

  • Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)
  • SPIRE Agent cache bug resulting in workloads receiving JWT-SVIDs with incomplete audience set (#4309)
  • The spire-server agent show command now properly shows the "Can re-attest" attribute (#4288)