@drrt released this Jul 19, 2019

  • Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946)
  • Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000)
  • GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012)
  • X.509 certificate serial numbers are now random 128-bit numbers (#999)
  • Added SQL table indexes to SQL datastore to improve query performance (#1007)
  • Improved metrics coverage (#931, #932, #935, #968)
  • Plugins can now emit metrics (#990, #993)
  • GCP CloudSQL support (#995)
  • Experimental support for SPIFFE federation (#951, #983)
  • Fixed a peertracker bug parsing /proc/PID/stat on Linux (#982)
  • Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (#970)
  • Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (#973)
  • Server plugins can now query for attested agent information (#964)
  • AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (#938, #963)
  • K8S Workload Attestor now works with Docker's systemd cgroup driver (#950)
  • Improved documentation and examples (#915, #916, #918, #926, #930, #940, #941, #948, #954, #955, #1014)
  • Fixed SSH-based node attested agent IDs to be URL-safe (#944)
  • Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with upstream_bundle = false (#939)
  • Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (#929)
  • Agent Node Attestor plugins no longer have to determine the agent ID (#922)
  • GCP IIT node attestor can now be configured with the host used to obtain the token (#917)
  • Fixed race in bundle pruning for HA deployments (#919)
  • Disk UpstreamCA plugin now supports intermediate CAs (#910)
  • Docker workload attestation now retries connections to the Docker daemon on transient failures (#901)
  • New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (#885, #953)
  • Logs can now be emitted in JSON format (#866)