v0.10.1

What's New

• vault as Upstream Authority built-in plugin (#1611, #1632)
• Improved configuration file docs to list all possible configuration settings (#1608, #1618)

What's Changed

• Improved container ID parsing from cgroup path in the docker workload attestor plugin (#1605)
• Improved container ID parsing from cgroup path in the k8s workload attestor plugin (#1649)
• Envoy SDS support is now always on (#1579)
• Errors on agent SVID rotation are now fatal if the agent's current SVID has expired, forcing an agent restart (#1584)

v0.10.0

• Added support for JWT-SVID in nested SPIRE topologies (#1388, #1394, #1396, #1406, #1409, #1410, #1411, #1415, #1416, #1417, #1423, #1440, #1455, #1458, #1469, #1476)
• Reduced database load under certain configurations (#1439)
• Agent now proactively rotates workload SVIDs in response to registration updates (#1441, #1477)
• Removed redundant telemetry counter in agent cache manager (#1445)
• Added environment variable config templating support (#1453)
• Added CreateEntryIfNotExists RPC to Registration API (#1464)
• The X.509 CA key now defaults to EC P-256 instead of EC P-384 (#1468)
• Added validate subcommand to the SPIRE Server and SPIRE Agent CLIs to validate the configuration file (#1471, #1489)
• Removed deprecated ttl configurable from upstreamauthority plugins (#1482)
• Fixed a bug which resulted in incorrect SHA for certain types of workloads (#1405)
• OIDC Discovery Provider now supports listening on a Unix Domain Socket (#1408)
• Fixed a bug that could lead to agent eviction if a crash occurred during agent SVID rotation (#1399)
• The upstream_bundle configurable now defaults to true, and is marked as deprecated (#1404)
• OIDC Discovery Provider and the Kubernetes Workload Registrar release binaries are now available via the spire-extras tarball (#1424)
• Introduced new plugin type UpstreamAuthority, which supports both X509-SVID and JWT-SVID as well as the ability to push upstream changes into SPIRE Server (#1388, #1394, #1406, #1455)
• AWS PCA, AWS Secrets, Disk and SPIRE UpstreamCA plugins have been ported to the UpstreamAuthority type (#1411, #1409, #1410, #1415)
• Introduced a new RPC PushJWTKeyUpstream in the Node API for publishing JWT-SVID signing keys from downstream servers (#1416)
• Introduced a new RPC FetchBundle in the Node API for fetching an up-to-date bundle (#1458)
• AWS PCA UpstreamAuthority plugin endpoint is now configurable (#1498)
• The UpstreamCA plugin type is now marked as deprecated in favor of the UpstreamAuthority plugin type (#1406)

v0.9.3

• Significantly reduced the server's database load (#1350, #1355, #1397)
• Improved consistency in SVID propagation time for some cases (#1352)
• AWS IID node attestor now supports the v2 metadata service (#1369)
• SQL datastore plugin now supports leveraging read-only replicas (#1363)
• Fixed a bug in which CA certificates may have an empty Subject if incorrectly configured (#1387)
• Server now logs an agent ID when an invalid agent makes a request (#1395)
• Fixed a bug in which the server CLI did not correctly show entries when querying with multiple selectors (#1398)
• Registration API now has an RPC for listing entries that supports paging (#1392)

v0.9.2

• Fixed a crash when a key protecting the bundle endpoint is removed (#1326)
• Bundle endpoint client now supports Web-PKI authenticated endpoints (#1327)
• SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (#1294)

0.9.1

• Agent cache file writes are now atomic, more resilient (#1267)
• Introduced Google Cloud Storage bundle notifier plugin for server (#1227)
• Server and agent now detect unknown configuration options in supported blocks (#1289, #1299, #1306, #1307)
• Improved agent response to heavy server load through use of request backoffs (#1270)
• The in-memory telemetry sink can now be disabled, and will be by default in a future release (#1248)
• Agents will now re-balance connections to servers (and re-resolve DNS) automatically (#1265)
• Improved behavior of M3 duration telemetry (#1262)
• Fixed a bug in which MySQL deadlock may occur under heavy attestation load (#1291)
• KeyManager "disk" now emits a friendly error when directory option is missing (#1313)

0.9.0

• Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
• Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208)
• SQL auto-migration can be disabled (#1089)
• SQL schema compatability checks are aligned with upgrade compatability guarantees (#1089)
• Agent CLI can provide information on attested nodes (#1098)
• SPIRE can tolerate small SVID expiration periods (#1115)
• Reduced Docker image sizes by roughly 25% (#1140)
• The upstream_bundle configurable is deprecated (#1147)
• Agents can be configured to bootstrap insecurely with SPIRE Servers for ease of evaluation (#1148)
• The issuer claim in JWT-SVIDs can be customized (#1164)
• SPIRE Server supports a wider variety of signing key types (#1169)
• New OIDC discovery provider that serves a compatible JWKS document with signing keys from the trust domain (#1170,#1175)
• New Upstream CA plugin that signs SPIRE Server CA CSRs using a Private Ceriticate Authority in AWS Certificate Manager (#1172)
• Agents respond more predictably when making requests to an overloaded SPIRE Server (#1182)
• Docker Workload Attestor supports a wider variety of cgroup drivers (#1188)
• Docker Workload Attestor supports selection based on container environment variables (#1205)
• Fixed an issue in which Kubernetes workload attestation occasionally fails to identify the caller (#1216)

0.8.4

• Fixed spurious agent synchronization failures during agent SVID rotation (#1084)
• Added support for Kind to the Kubernetes Workload Attestor (#1133)
• Added support for ACME v2 to the bundle endpoint (#1187)
• Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (#1194)

0.8.3

• Upgrade to Go 1.12.12 in response to CVE-2019-17596 (#1204)

0.8.2

• Connection pool details in SQL DataStore plugin are now configurable (#1028)
• SQL DataStore plugin now emits telemetry (#998)
• The SPIFFE bundle endpoint now supports serving Web PKI via ACME (#1029)
• Fix Workload API socket permissions when enclosing directory is automatically created (#1048)
• The Kubernetes PSAT node attestor now emits node and pod label selectors (#1042)
• SVIDs can now be created directly against SPIRE server using the new mint feature (#1036)
• SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (#1061)
• Significant SQL DataStore performance improvements (#1069, #1079)
• Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (#1047)
• Registration entries with an expiry set are now automatically pruned from the datastore (#1056)
• Fix bug that resulted in authorized workloads being denied SVIDs (#1103)

0.8.1

• Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946)
• Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000)
• GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012)
• X.509 certificate serial numbers are now random 128-bit numbers (#999)
• Added SQL table indexes to SQL datastore to improve query performance (#1007)
• Improved metrics coverage (#931, #932, #935, #968)
• Plugins can now emit metrics (#990, #993)
• GCP CloudSQL support (#995)
• Experimental support for SPIFFE federation (#951, #983)
• Fixed a peertracker bug parsing /proc/PID/stat on Linux (#982)
• Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (#970)
• Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (#973)
• Server plugins can now query for attested agent information (#964)
• AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (#938, #963)
• K8S Workload Attestor now works with Docker's systemd cgroup driver (#950)
• Improved documentation and examples (#915, #916, #918, #926, #930, #940, #941, #948, #954, #955, #1014)
• Fixed SSH-based node attested agent IDs to be URL-safe (#944)
• Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with upstream_bundle = false (#939)
• Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (#929)
• Agent Node Attestor plugins no longer have to determine the agent ID (#922)
• GCP IIT node attestor can now be configured with the host used to obtain the token (#917)
• Fixed race in bundle pruning for HA deployments (#919)
• Disk UpstreamCA plugin now supports intermediate CAs (#910)
• Docker workload attestation now retries connections to the Docker deamon on transient failures (#901)
• New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (#885, #953)
• Logs can now be emitted in JSON format (#866)