Releases: spiffe/spire
v1.9.0
Added
- `uniqueid` CredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (#4862)
- Agent's Admin API now has a default location defined (#4856)
- Partial selectors from workload attestation are now logged when attestation is interrupted (#4846)
- X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (#4814)
Changed
- CA journal data is now stored in the datastore, removing the on-disk dependency of the server (#4690)
- `aws_kms`, `azure_key_vault`, and `gcp_kms` KeyManager plugins no longer require storing metadata files on disk (#4700)
- Bundle endpoint refresh hint now defaults to 5 minutes (#4847, #4888)
- Graceful shutdown is now blocked while built-in plugin RPCs drain (#4820)
- Entry cache hydration is now done with paginated requests to the datastore (#4721, #4826)
- Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (#4791)
- The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (#4773)
- Small documentation improvements (#4764, #4787)
- Read-replicas are no longer used when hydrating the experimental events-based entry cache (#4868)
- Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (#4611)
Fixed
- Missing creation of events in the experimental events-based cache entry when an entry was pruned (#4860)
- Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (#4852)
- Refreshing of selectors of attested agents when using the experimental events-based entry cache (#4803)
Deprecated
- `k8s_sat` NodeAttestor plugin (#4841)
Removed
- X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)
v1.8.7
Added
- Agents can now be configured with an availability target, which establishes the minimum amount of time desired to gracefully handle server or agent downtime, influencing how aggressively X509-SVIDs should be rotated (#4599)
- SyncAuthorizedEntries RPC, which allows agents to only sync down changes instead of the entire set of entries. Agents can be configured to use this new RPC through the `use_sync_authorized_entries` experimental setting (#4648)
- Experimental support for an events-based entry cache which reduces overhead on the database (#4379, #4411, #4527, #4451, #4562, #4723, #4731)
Changed
- The maximum number of open database connections in the datastore now defaults to 100 instead of unlimited (#4656)
- Agents now shut down when they can't synchronize entries with the server due to an unknown authority error (#4617)
Removed
- Agents no longer maintain agent SVID and bundle information in the legacy paths in the data directory (#4717)
v1.8.6
Security
- Updated to Go 1.21.5 to address CVE-2023-39326
v1.7.6
Security
- Updated to Go 1.20.12 to address CVE-2023-39326
v1.8.5
Added
- All credential types supported by Azure can now be used in the `azure_msi` NodeAttestor plugin and the `azure_key_vault` KeyManager plugin (#4568)
- `EnableHostnameLabel` field in the Server and Agent `telemetry` configuration section that enables addition of a hostname label to metrics (#4584)
Changed
- Agent SDS API now provides a SPIFFEValidationContext as the default CertificateValidationContext when the Envoy version cannot be determined (#4618)
- Server CAs now contain a `serialNumber` attribute in the `Subject` DN (#4585)
- Improved accuracy of Agent log message for SVID renewal events (#4654)
Deprecated
- `use_msi` configuration fields in the `azure_msi` NodeAttestor plugin and the `azure_key_vault` KeyManager plugin are deprecated in favor of the chained Azure SDK credential loading strategy (#4568)
Fixed
- Agent SDS API now provides correct CertificateValidationContext when Envoy registered in SPIRE after the first SDS request (#4611)
v1.8.4
Security
- Updated to Go 1.21.4 to address CVE-2023-45283, CVE-2023-45284
v1.7.5
Security
- Updated to Go 1.20.11 to address CVE-2023-45283, CVE-2023-45284
v1.8.3
Added
- SPIRE Agent distributes sync requests to the SPIRE server to mitigate thundering herd situations (#4534)
- Allow configuring prefixes for all metrics (#4535)
- Documentation improvements (#4579, #4569)
Changed
- SPIRE Agent performs the initial sync more aggressively when tuned with a longer sync interval (#4479)
Fixed
v1.8.2
Security
- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487
v1.7.4
Security
- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487