Immutable
release. Only release title and notes can be modified.
Added
- Support for configuring JTI claim inclusion in JWT-SVIDs at entry level (#6514)
- Experimental per-caller rate limiting for the agent Workload API and Envoy SDS (#6724)
- TLS support for the Prometheus metrics endpoint using a SPIRE SVID, with an optional SPIFFE ID allowlist (#6812)
- Optional verification of client certificate IPs in the
x509popnode attestor (#6911) - SPIFFE Broker endpoint, API, and documentation (#6915, #7112)
disable_group_name_selectorsoption for the Windows workload attestor (#6957)log_selectorsconfiguration item for the agent (#6981)- Support for two additional PQC curves (#6999)
- Tag-based key discovery support in the
aws_kmsKey Manager plugin (#7006) - Logger service for
spire-agent(#7017) - Configurable batch size for pruning attested nodes (#7100)
Security
- Migrated
github.com/docker/dockerdependencies to theirgithub.com/moby/mobyequivalents to resolve CVEs (#7078)
Changed
- Deprecation warnings now use dedicated log markers, making them easier to detect in logs (#6908)
- The OIDC Discovery Provider now warns when
allow_insecure_schemeis enabled (#6970) - The post-quantum cryptography policy is now applied to the bundle endpoint and Prometheus server (#6995)
- Attested nodes are now fetched in bulk, reducing database load in large deployments (#7022)
- Agent health check loopback calls no longer emit RPC metrics, reducing metrics noise (#6929)
- Pod and container IDs are now preferably determined from the cgroup file (#7060)
- Optimized the MySQL list entries query to reduce database CPU usage under load (#7113)
- Added AWS CA certificates for new regions to the
aws_iidnode attestor (#6879) - Documented
URISanSelectorsfor the agent SPIFFE ID template (#6872) - Datastore configuration documentation updates (#7023)
Fixed
azure_imdsnode attestation for standalone VMs (#6807)azure_imdsplugin signature validation (#6960)- The auto-created join-token alias entry is now cascade-deleted when its attested node is deleted, evicted, or pruned (#6946)
- The CA journal now survives transient datastore save failures, preserving CA continuity (#6964)
- The delegated API no longer serves JWT-SVIDs for admin or downstream entries (#6972)
- The event cache now keeps previous first/last event information when reloading (#6994)
- The structured logger is now used for rebootstrap messages, and typos were fixed (#7000)
- The
spireupstream authority plugin now validates a missing Workload API endpoint (#7008) - The
gcp_kmsplugin no longer intermittently fails to retrieve a newly created public key (#6924) - Tolerate
mountinfolines with an empty mount source (#7044) - The agent now treats failure of all attestation plugins as an overall failure and returns
Unavailable(#7045) - Fixed the
http_challengeagent name validation regex (#7066) - Corrected TTL logging in the delegated identity X.509-SVID subscriber (#7071)
spire-agentnow attempts to enableSE_DEBUG_PRIVILEGEat startup on Windows (#7073)- Data races in the built-in BundlePublisher plugins on dynamic reconfiguration (#7082)