Releases: spiffe/spire

v1.9.0

22 Feb 22:40
9aaac52
Added

  • uniqueid CredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (#4862)
  • Agent's Admin API now has a default location defined (#4856)
  • Partial selectors from workload attestation are now logged when attestation is interrupted (#4846)
  • X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (#4814)

Changed

  • CA journal data is now stored in the datastore, removing the on-disk dependency of the server (#4690)
  • aws_kms, azure_key_vault, and gcp_kms KeyManager plugins no longer require storing metadata files on disk (#4700)
  • Bundle endpoint refresh hint now defaults to 5 minutes (#4847, #4888)
  • Graceful shutdown is now blocked while built-in plugin RPCs drain (#4820)
  • Entry cache hydration is now done with paginated requests to the datastore (#4721, #4826)
  • Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (#4791)
  • The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (#4773)
  • Small documentation improvements (#4764, #4787)
  • Read-replicas are no longer used when hydrating the experimental events-based entry cache (#4868)
  • Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (#4611)

Fixed

  • Missing creation of events in the experimental events-based entry cache when an entry was pruned (#4860)
  • Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (#4852)
  • Refreshing of selectors of attested agents when using the experimental events-based entry cache (#4803)

Deprecated

  • k8s_sat NodeAttestor plugin (#4841)

Removed

  • X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)

v1.8.7

21 Dec 19:45
50dd676
Added

  • Agents can now be configured with an availability target, which establishes the minimum amount of time desired to gracefully handle server or agent downtime, influencing how aggressively X509-SVIDs should be rotated (#4599)
  • SyncAuthorizedEntries RPC, which allows agents to only sync down changes instead of the entire set of entries. Agents can be configured to use this new RPC through the use_sync_authorized_entries experimental setting (#4648)
  • Experimental support for an events-based entry cache, which reduces overhead on the database (#4379, #4411, #4527, #4451, #4562, #4723, #4731)

Changed

  • The maximum number of open database connections in the datastore now defaults to 100 instead of unlimited (#4656)
  • Agents now shut down when they can't synchronize entries with the server due to an unknown authority error (#4617)

Removed

  • Agents no longer maintain agent SVID and bundle information in the legacy paths in the data directory (#4717)

v1.8.6

08 Dec 19:59
Security

v1.7.6

07 Dec 21:02
Security

v1.8.5

22 Nov 22:09
ae8cfd3
Added

  • All credential types supported by Azure can now be used in azure_msi NodeAttestor plugin and azure_key_vault KeyManager plugin (#4568)
  • EnableHostnameLabel field in Server and Agent telemetry configuration section that enables addition of a hostname label to metrics (#4584)

Changed

  • Agent SDS API now provides a SPIFFEValidationContext as the default CertificateValidationContext when the Envoy version cannot be determined (#4618)
  • Server CAs now contain a serialNumber attribute in the Subject DN (#4585)
  • Improved accuracy of Agent log message for SVID renewal events (#4654)

Deprecated

  • use_msi configuration fields in azure_msi NodeAttestor plugin and azure_key_vault KeyManager plugin are deprecated in favor of the chained Azure SDK credential loading strategy (#4568)

Fixed

  • Agent SDS API now provides the correct CertificateValidationContext when Envoy registers with SPIRE after the first SDS request (#4611)

v1.8.4

08 Nov 02:01
Security

v1.7.5

08 Nov 00:34
Security

v1.8.3

25 Oct 21:26
eaa04d5
Added

  • SPIRE Agent distributes sync requests to the SPIRE server to mitigate thundering herd situations (#4534)
  • Allow configuring prefixes for all metrics (#4535)
  • Documentation improvements (#4579, #4569)

Changed

  • SPIRE Agent performs the initial sync more aggressively when tuned with a longer sync interval (#4479)

Fixed

  • Release artifacts have the correct version information (#4564)
  • The SPIRE Agent insecureBootstrap and trustBundleUrl configurables are now mutually exclusive (#4532)
  • Bug preventing JWT-SVIDs from being minted when a Credential Composer plugin is configured (#4489)

v1.8.2

12 Oct 22:25
Security

v1.7.4

12 Oct 21:23
Security