diff --git a/CHANGELOG.md b/CHANGELOG.md index c6a9811c3c..6823c4e64b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,39 @@ # Changelog +## [1.1.0] - 2021-10-10 + +### Added +- SPIRE images are now published to GitHub Container Registry. They will continue to be published to Google Container Registry over the course of the next release (#2576,#2580) +- SPIRE Server now implements the [TrustDomain API](https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/trustdomain/v1/trustdomain.proto) and related CLI commands (https://github.com/spiffe/spire/projects/11) +- The SVIDStore plugin type has been introduced to enable, amongst other things, agentless workload scenarios (#2176,#2483) +- The TPM DevID Node Attestor emits a new `issuer:cn` selector with the common name of the issuing certificate (#2581) +- The K8s Bundle Notifier plugin now supports pushing the bundle to resources in multiple clusters (#2531) +- A built-in AWS Secrets Manager SVIDStore plugin has been introduced, which can push workload SVIDs into AWS secrets for use in Lambda functions, etc. (#2542) +- The agent and entry list commands in the CLI gained additional filtering capabilities (#2478,#2479) +- The GCP CAS UpstreamAuthority has a new `ca_pool` configurable to identify which CA pool the signing CA resides in (#2569) + +### Changed +- With the GA release of GCP CAS, the UpstreamAuthority plugin now needs to know which pool the CA belongs to. If not configured, it will do a pessimistic scan of all pools to locate the correct CA. This scan will be removed in a future release (#2569) +- The K8s Workload Registrar now supports Kubernetes 1.22 (#2515,#2540) +- Self-signed CA certificates serial numbers are now conformant to RFC 5280 (#2494) +- The AWS KMS Key Manager plugin now creates keys with a very strict policy by default (#2424) +- The deprecated agent key file (`svid.key`) is proactively removed by the agent. 
It was only maintained to accomodate rollback from v1.0 to v0.12 (#2493) + +### Removed +- Support for the deprecated Registration API has been removed (#2487) +- Legacy (v0) plugin support has been removed. All plugins must now be authored using the plugin SDK. +- The deprecated `service_account_whitelist` configurables have been removed from the SAT and PSAT Node Attestor plugins (#2543) +- The deprecated `projectid_whitelist` configurable has been removed from the GCP IIT Node Attestor plugin (#2492) +- The deprecated `bundle_endpoint` and `registration_uds_path` configurables have been removed from SPIRE Server (#2486,#2519) + +### Fixed +- The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (#2569) +- Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (#2582) +- Kubernetes Workload Attestor now uses the canonical path for the service account token (#2583) +- The server socketPath is now appropriately overriden via the configuration file (#2570) +- The server now restarts appropriately after undergoing forceful shutdown (#2496) +- The server CLI list commands now work reliably for large listings (#2456) + ## [1.0.2] - 2021-09-02 ### Added
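Review bot: In the "Changed" list, the AWS KMS Key Manager entry ("now creates keys with a very strict policy by default (#2424)") does not say what the new default policy allows or whether it can be overridden. This changes the default access to signing keys, so operators who upgrade need to know whether their existing IAM principals can still use and administer newly created keys. Suggest stating in one clause which principals the default policy grants access to, or linking to the plugin documentation that describes it. In the "Removed" list, the entry "Legacy (v0) plugin support has been removed" is the only removal without a PR reference; please add one so that operators with out-of-tree plugins can find the migration details. Two spelling fixes: "accomodate" should be "accommodate" in the `svid.key` entry, and "overriden" should be "overridden" in the socketPath entry under "Fixed". Also, "Self-signed CA certificates serial numbers" reads better as "Self-signed CA certificate serial numbers".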