Releases: spiffe/spire
Releases · spiffe/spire
v1.7.2
Added
aws_s3
BundlePublisher plugin (#4355)- SPIRE Server bundle endpoint now includes bundle sequence number (#4389)
- Telemetry in experimental Agent LRU cache (#4335)
- Telemetry in Agent Delegated Identity API (#4399)
- Documentation improvements (#4336, #4407)
Fixed
- Server no longer unnecessarily activates its CA a second time on startup (#4368)
v1.7.1
Added
- x509pop node attestor emits a new selector with the leaf certificate serial number (#4216)
- HTTPS server in the OIDC Discovery Provider can now be configured to use a certificate file (#4190)
- Option to log source information in server and agent logs (#4246)
Changed
- Agent now has an exponential backoff strategy when syncing with the server (#4279)
Fixed
- Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)
- SPIRE Agent cache bug resulting in workloads receiving JWT-SVIDs with incomplete audience set (#4309)
- The
spire-server agent show
command to properly show the "Can re-attest" attribute (#4288)
v1.6.5
v1.7.0
Added:
- AWS IID Node Attestor now supports all regions, including GovCloud and regions in China (#4124)
Fixed:
- Systemd workload attestor fails with error
connection closed by user
(#4165) - Reduced SPIRE Agent CPU usage during kubernetes workload attestation (#4240)
Removed:
- Envoy SDSv2 API is deprecated and now disabled by default (#4228)
v1.6.4
Added
- ARM64 binaries are now included in the release artifacts (#4143)
- Various build script improvements (#4062, #4081, #4096, #4127)
- Various doc improvements (#4076)
- Workload API hint support (#3993, #4074)
- Improved performance when listing queries for PostgreSQL (#4111)
- Support for SPIFFE bundle sequence numbers (#4061)
- New Systemd Workload Attestor plugin (#4058)
- New BundlePublisher plugin type (#4022)
- New
agent purge
command for removing stale agent records (#3982)
Fixed
- Bug determining if an entry was unique (#4063)
v1.6.3
Added:
- Entry API responses now include the
created_at
field (#3975) spire-server agent
CLI commands and Agent APIs now show if agents can be re-attested and supportsby_can_reattest
filtering (#3880)- Entry API along with
spire-server entry create
,spire-server entry show
andspire-server entry update
CLI commands now support hint information, allowing hinting to workloads the intended use of the SVID (#3926, #3787)
Fixed:
- The
vault
UpstreamAuthority plugin to properly set the URI SAN (#3971) - Node selector data related to nodes is now cleaned when deleting a node (#3873)
- Clean stale node selector data from previously deleted nodes (#3941)
- Regression causing a failure to parse JSON formatted and verbose HCL configuration for plugins (#3939, #3999)
- Regression where some workloads with active FetchX509SVID streams were not notified when an entry is removed (#3923)
- The federated bundle updater now properly logs the trust domain name (#3927)
- Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they did not have a URI SAN (#3997)
v1.6.2
Security
- Updated to Go 1.20.3 to address CVE-2023-24534
v1.5.6
Added
- A log message in the k8s-workload-registrar webhook when validation fails (#4011)
Security
- Updated to Go 1.19.8 to address CVE-2023-24534
v1.6.1
v1.6.0
Added
- Support for customization of SVID and CA attributes through CredentialComposer plugins (#3819, #3832, #3862, #3869)
- Experimental support to validate container images signatures through sigstore selectors (#3159)
- Published scratch images now support ARM64 architecture (#3607)
- Published scratch images are now signed using Sigstore (#3707)
- spire-server mint and spire-server token generate CLI commands now support the -output flag (#3800)
- spire-agent api CLI command now supports the -output flag (#3818)
- Release images now include a non-root user and default folders (#3811)
- Agent accepts bootstrap bundles in SPIFFE format (#3753)
- Database index for registration entry hint column (#3828)
Changed
- Plugins are configured and executed in the order they are defined (#3797)
- Documentation improvements (#3826, #3842, #3870)
Fixed
- Server crash when authorization layer was unable to talk to the datastore (#3829)
- Timestamps in logs are now consistently in local time (#3734)
- Removed
- Non-scratch images are no longer published (#3785)
- k8s-workload-registar is no longer released and maintained (#3853)
- Unused database column x509_svid_ttl from registered_entries table (#3808)
- The deprecated enabled flag from InMem telemetry config (#3796)
- The deprecated default_svid_ttl configurable (#3795)
- The deprecated omit_x509svid_uid configurable (#3794)