CHANGELOG.md

Changelog

[1.1.1] - 2021-11-17

Added

• SPIRE Agent can now store SVIDs with Google Cloud Secrets Manager (#2595)

Changed

• SPIRE Server downloads federated bundles a little sooner when federated relationships are added or updated (#2585)

Fixed

• Fixed a regression in Percona XTRA DB Cluster support introduced in 0.12.2 (#2605)
• Kubernetes Workload Attestation fixed for Kubernetes 1.21+ (#2600)
• SPIRE Agent now retries failed removals of SVIDs stored by SVIDStore plugins (#2620)

[1.1.0] - 2021-10-10

Added

• SPIRE images are now published to GitHub Container Registry. They will continue to be published to Google Container Registry over the course of the next release (#2576,#2580)
• SPIRE Server now implements the TrustDomain API and related CLI commands (https://github.com/spiffe/spire/projects/11)
• The SVIDStore plugin type has been introduced to enable, amongst other things, agentless workload scenarios (#2176,#2483)
• The TPM DevID Node Attestor emits a new issuer:cn selector with the common name of the issuing certificate (#2581)
• The K8s Bundle Notifier plugin now supports pushing the bundle to resources in multiple clusters (#2531)
• A built-in AWS Secrets Manager SVIDStore plugin has been introduced, which can push workload SVIDs into AWS secrets for use in Lambda functions, etc. (#2542)
• The agent and entry list commands in the CLI gained additional filtering capabilities (#2478,#2479)
• The GCP CAS UpstreamAuthority has a new ca_pool configurable to identify which CA pool the signing CA resides in (#2569)

Changed

• With the GA release of GCP CAS, the UpstreamAuthority plugin now needs to know which pool the CA belongs to. If not configured, it will do a pessimistic scan of all pools to locate the correct CA. This scan will be removed in a future release (#2569)
• The K8s Workload Registrar now supports Kubernetes 1.22 (#2515,#2540)
• Self-signed CA certificates serial numbers are now conformant to RFC 5280 (#2494)
• The AWS KMS Key Manager plugin now creates keys with a very strict policy by default (#2424)
• The deprecated agent key file (svid.key) is proactively removed by the agent. It was only maintained to accomodate rollback from v1.0 to v0.12 (#2493)

Removed

• Support for the deprecated Registration API has been removed (#2487)
• Legacy (v0) plugin support has been removed. All plugins must now be authored using the plugin SDK.
• The deprecated service_account_whitelist configurables have been removed from the SAT and PSAT Node Attestor plugins (#2543)
• The deprecated projectid_whitelist configurable has been removed from the GCP IIT Node Attestor plugin (#2492)
• The deprecated bundle_endpoint and registration_uds_path configurables have been removed from SPIRE Server (#2486,#2519)

Fixed

• The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (#2569)
• Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (#2582)
• Kubernetes Workload Attestor now uses the canonical path for the service account token (#2583)
• The server socketPath is now appropriately overriden via the configuration file (#2570)
• The server now restarts appropriately after undergoing forceful shutdown (#2496)
• The server CLI list commands now work reliably for large listings (#2456)

[1.0.2] - 2021-09-02

Added

• Experimental support for custom authorization policies based on Open Policy Agent (OPA) (#2416)
• SPIRE Server can now be configured to emit audit logs (#2297, #2391, #2394, #2396, #2442, #2458)
• Envoy SDS v3 API in agent now supports the SPIFFE Certificate Validator for federated SPIFFE authentication (#2435, #2460)
• SPIRE OIDC Discovery Provider now intelligently handles host headers (#2404, #2453)
• SPIRE OIDC Discovery Provider can now serve over HTTP using the allow_insecure_scheme setting (#2404)
• Metrics configuration options to filter out metrics and labels (#2400)
• The k8s-workload-registrar now supports identity template based workload registration (#2417)
• Enhancements in filtering support in server APIs (#2467, #2463, #2464, #2468)
• Improvements in logging of errors in peertracker (#2469)

Changed

• CRD mode of the k8s-workload-registrar now uses SPIRE certificates for the validating webhook (#2321)
• The vault UpstreamAuthority plugin now continues retrying to renew tokens on failures until the lease time is exceeded (#2445)

Fixed

• Fixed a nil pointer dereference when the deprecated allow_unsafe_ids setting was configured (#2477)

Deprecated

• The SPIRE OIDC Discovery Provider domain configurable has been deprecated in favor of domains (#2404)

[1.0.1] - 2021-08-05

Added

• LDevID-based TPM attestation can now be performed via a new tpm_devid NodeAttestor plugin (#2111, #2427)
• Caller details are now logged for unauthorized Server API calls (#2399)
• The aws_iid NodeAttestor plugin now supports attesting nodes across multiple AWS accounts via AWS IAM role assumption (#2387)
• Added support for running the k8s_sat NodeAttestor plugin with Kubernetes v1.21 (#2423)
• Call counter metrics are now emitted for SPIRE Server rate limiters (#2422)
• SPIRE Server now logs a message on startup when configured TTL values may result in SVIDs with a shorter lifetime than expected (#2284)

Changed

• Updated a trust domain validation error message to mention that underscores are valid trust domain characters (#2392)

Fixed

• Fixed bugs that broke the ACME bundle endpoint when using the aws_kms KeyManager plugin (#2390, #2397)
• Fixed a bug that resulted in SPIRE Agent sending unnecessary updates over the Workload API (#2305)
• Fixed a bug in the k8s_psat NodeAttestor plugin that prevented it from being configured with kubeconfig files (#2421)

[1.0.0] - 2021-07-08

Added

• The vault UpstreamAuthority plugin now supports Kubernetes service account authentication (#2356)
• A new cert-manager UpstreamAuthority plugin is now available (#2274)
• SPIRE Server CLI can now be used to ban agents (#2374)
• SPIRE Server CLI now has count subcommands for agents, entries, and bundles (#2128)
• SPIRE Server can now be configured for SPIFFE federation using the configurables defined by the spec (#2340)
• SPIRE Server and Agent now expose the standard gRPC health service (#2057, #2058)
• SPIFFE bundle endpoint URL is now configurable in the federates_with configuation block (#2340)
• SPIRE Agent may now optionally provided unregistered callers with a bundle for SVID validation via the allow_unauthenticated_verifiers configurable (#2102)
• SPIRE Server JWT key type is now independently configurable via jwt_key_type (#1991)
• Registration entries can now be queried/filtered by federates_with when calling the entry API (#1967)

Changed

• SPIRE Server's SVID now uses the key type configured as ca_key_type (#2269)
• Caller address is now logged for agent API calls resulting in an error (#2281)
• Agent SVID renewals are now logged by the server at the INFO level (#2309)
• Workload API JWT-SVID profile will now return an error if the caller is unidentified (#2369)
• Workload API JWT-SVID profile will no longer return non-SPIFFE claims on validated JWTs from foreign trust domains (#2372)
• SPIRE artifact tarball no longer extracts . to avoid inadvertent changes in directory permisions (#2219)
• SPIRE Server default socket path is now /tmp/spire-server/private/api.sock (#2075)
• SPIRE Agent default socket path is now /tmp/spire-agent/public/api.sock (#2075)

Deprecated

• SPIRE Server federation configuration in the federates_with bundle_endpoint block is now deprecated (#2340)
• SPIRE Server gcp_iit NodeAttestor configurable projectid_whitelist is deprecated in favor of projectid_allow_list (#2253)
• SPIRE Server k8s_sat and k8s_psat NodeAttestor configurable service_account_whitelist is deprecated in favor of service_account_allow_list (#2253)
• SPIRE Sever registration_uds_path/-registrationUDSPath configurable and flag has been deprecateed in favor of socket_path/-socketPath (#2075)

Removed

• SPIRE Server no longer supports SPIFFE IDs with UTF-8 (#2368)
• SPIRE Server no longer supports the legacy Node API (#2093)
• SPIRE Server experimental configurable allow_agentless_node_attestors has been removed (#2098)
• The aws_iid NodeResolver plugin has been removed as it has been obviated (#2191)
• The noop NodeResolver plugin has been removed (#2189)
• The proto/spire go module has been removed in favor of the new SDKs (#2161)
• The deprected enable_sds configurable has been removed (#2021)
• The deprecated experimental bundle CLI subcommands have been removed (#2062)
• SPIRE Server experimental configurables related to federation have been removed (#2062)
• SPIRE Server bundle endpoint no longer supports TLS signature schemes utilizing non-SHA256 hashes when ACME is enabled (#2397)

Fixed

• Fixed a bug that caused health check failures in agents that have registration entries describing them (#2370)
• SPIRE Agent no longer logs a message when invoking a healthcheck via the CLI (#2058)
• Fixed a bug that caused federation to fail when using ACME in conjunction with the aws_kms KeyManager plugin (#2390)

[0.12.3] - 2021-05-17

Added

• The k8s-workload-registrar now supports federation (#2160)
• The k8s_bundle notifier plugin can now keep API service CA bundles up to date (#2193)
• SPIRE Server internal cache reload timing can now be tuned (experimental) (#2169)

Changed

• Prometheus metrics that are emitted infrequently will no longer disappear after emission (#2239)
• The k8s-workload-registrar now uses paging to support very large deployments of 10,000+ pods (#2227)

Fixed

• Fixed a bug that sometimes caused newly attested agents to not receive their full set of selectors (#2242)
• Fixed several bugs related to the handling of SPIRE Server API paging (#2251)

[0.12.2] - 2021-04-14

Added

• Added aws_kms server KeyManager plugin that uses the AWS Key Management Service (KMS) (#2066)
• Added gcp_cas UpstreamAuthority plugin that uses the Certificate Authority Service from Google Cloud Platform (#2172)
• Improved error returned during attestation of agents (#2159)
• The aws_iid NodeAttestor plugin now supports running in a location with no public internet access available for the server (#2119)
• The k8s notifier can now rotate Admission Controller Webhook CA Bundles (#2022)
• Rate limiting on X.509 signing and JWT signing can now be disabled (#2142)
• Added uptime metrics in server and agent (#2032)
• Calls to KeyManager plugins now time out at 30 seconds (#2044)
• Added logging when lookup of user by uid or group by gid fails in the unix WorkloadAttestor plugin (#2048)

Changed

• The k8s WorkloadAttestor plugin now emits selectors for both image and image ID (#2116)
• HTTP readiness endpoint on agent now checks the health of the Workload API (#2015, #2087)
• SDS API in agent now returns an error if an SDS client requests resource names that don't exist (#2020)
• Bundle and k8s-workload-registrar endpoints now only accept clients using TLS v1.2+ (#2025)

Fixed

• Registration entry update handling in CRD mode of the k8s-workload-registrar to prevent unnecessary issuance of new SVIDs (#2155)
• Failure to update CA bundle due to improper MySQL isolation level for read-modify-write operations (#2150)
• Regression preventing agent selectors from showing in spire-server agent show command (#2133)
• Issue in the token authentication method of the Vault Upstream Authority plugin (#2110)
• Reporting of errors in server entry cache telemetry (#2091)
• Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)

[0.12.1] - 2021-03-04

Security

• Fixed CVE-2021-27098
• Fixed CVE-2021-27099
• Fixed file descriptor leak in peertracker

[0.12.0] - 2020-12-17

Added

• Debug endpoints (#1792)
• Agent support for SDS v3 API (#1906)
• Improved metrics handling (#1885, #1925, #1932)
• Significantly improved performance related to performing agent authorization lookups (#1859, #1896, #1943, #1944, #1956)
• Database indexes to attested node columns (#1912)
• Support for configuring Vault roles, namespaces, and re-authentication to the Vault UpstreamAuthority plugin (#1871, #1981)
• Support for non-renewable Vault tokens to the Vault UpstreamAuthority plugin (#1965)
• Delete mode for federated bundles to the bundle API (#1897)
• The CLI now reads JSON from STDIN for entry create/update commands (#1905)
• Support for multiple CA bundle files in x509pop (#1949)
• Added ExpiresAt to entry show output (#1973)
• Added k8s_psat:agent_node_ip selector (#1979)

Changed

• The agent now shuts down when it is no longer attested (#1797)
• Internals now rely on new server APIs (#1849, #1878, #1907, #1908, #1909, #1913, #1947, #1982, #1998, #2001)
• Workload API now returns a standardized JWKS object (#1904)
• Log message casing and punctuation are more consistent with project guidelines (#1950, #1952)

Deprecated

• The Registration and Node APIs are deprecated, and a warning is logged on use (#1997)
• The registration_api configuration section is deprecated in favor of server_api in the k8s-workload-registrar (#2001)

Removed

• Removed some superfluous or otherwise unusable metrics and labels (#1881, #1946, #2004)

Fixed

• Fixed CLI exit codes when entry create or update fails (#1990)
• Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (#1962)
• Fixed handling of the Vault PKI certificate chain (#2012, #2017)
• Fixed a bug that could cause some gRPC libraries to fail to connect to the server over HTTP/2 (#1968)
• Fixed Registration API to validate selector syntax (#1919)

Security

• JWT-SVIDs that fail validation are no longer logged (#1953)

[0.11.3] - 2021-03-04

Security

• Fixed CVE-2021-27098
• Fixed CVE-2021-27099
• Fixed file descriptor leak in peertracker

[0.11.2] - 2020-10-29

What's New

• Error messages related to a specific class of software bugs are now rate limited (#1901)

What's Changed

• Fixed an issue in the Upstream Authority plugin that could result in a delay in the propagation of bundle updates/changes (#1917)
• Fixed error messages when attestation is disabled (#1899)
• Fixed some incorrectly-formatted log messages (#1920)

[0.11.1] - 2020-09-29

What's New

• Added AWS PCA configurable allowing operators to provide additional CA certificates for inclusion in the bundle (#1574)
• Added a configurable to server for disabling rate limiting of node attestation requests (#1794, #1870)

What's Changed

• Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823)
• Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824)
• Fixed issue preventing brand new deployments from downgrading successfully (#1829)
• Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863)

[0.11.0] - 2020-08-28

What's New

• Introduced refactored server APIs (#1533, #1548, #1563, #1567, #1568, #1571, #1575, #1576, #1577, #1578, #1582, #1585, #1586, #1587, #1588, #1589, #1590, #1591, #1592, #1593, #1594, #1595, #1597, #1604, #1606, #1607, #1613, #1615, #1617, #1622, #1623, #1628, #1630, #1633, #1641, #1643, #1646, #1647, #1654, #1659, #1667, #1673, #1674, #1683, #1684, #1689, #1690, #1692, #1693, #1694, #1701, #1708, #1727, #1728, #1730, #1733, #1734, #1739, #1749, #1753, #1768, #1772, #1779, #1783, #1787, #1788, #1789, #1790, #1791)
• Unix workloads can now be attested using auxiliary group membership (#1771)
• The Kubernetes Workload Registrar now supports two new registration modes (crd and reconcile)

What's Changed

• Federation is now a stable feature (#1656, #1737, #1777)
• Removed support for the UpstreamCA plugin, which was deprecated in favor of the UpstreamAuthority plugin in v0.10.0 (#1699)
• Removed deprecated upstream_bundle server configurable. The server now always use the upstream bundle as the trust bundle (#1702)
• The server's AWS node attestor subsumed all the functionality of the node resolver, which has been deprecated (#1705)
• Removed pluggability of the DataStore interface, restricting use to the current built-in sql plugin (#1707)
• Unknown config options now make the server and agent fail to start (#1714)
• Improved registration entry change detection on agent (#1720)
• /tmp/agent.sock is now the default socket path for the agent (#1738)

[0.10.2] - 2021-03-04

Security

• Fixed CVE-2021-27098
• Fixed file descriptor leak in peertracker

[0.10.1] - 2020-06-23

What's New

• vault as Upstream Authority built-in plugin (#1611, #1632)
• Improved configuration file docs to list all possible configuration settings (#1608, #1618)

What's Changed

• Improved container ID parsing from cgroup path in the docker workload attestor plugin (#1605)
• Improved container ID parsing from cgroup path in the k8s workload attestor plugin (#1649)
• Envoy SDS support is now always on (#1579)
• Errors on agent SVID rotation are now fatal if the agent's current SVID has expired, forcing an agent restart (#1584)

[0.10.0] - 2020-04-22

• Added support for JWT-SVID in nested SPIRE topologies (#1388, #1394, #1396, #1406, #1409, #1410, #1411, #1415, #1416, #1417, #1423, #1440, #1455, #1458, #1469, #1476)
• Reduced database load under certain configurations (#1439)
• Agent now proactively rotates workload SVIDs in response to registration updates (#1441, #1477)
• Removed redundant telemetry counter in agent cache manager (#1445)
• Added environment variable config templating support (#1453)
• Added CreateEntryIfNotExists RPC to Registration API (#1464)
• The X.509 CA key now defaults to EC P-256 instead of EC P-384 (#1468)
• Added validate subcommand to the SPIRE Server and SPIRE Agent CLIs to validate the configuration file (#1471, #1489)
• Removed deprecated ttl configurable from upstreamauthority plugins (#1482)
• Fixed a bug which resulted in incorrect SHA for certain types of workloads (#1405)
• OIDC Discovery Provider now supports listening on a Unix Domain Socket (#1408)
• Fixed a bug that could lead to agent eviction if a crash occurred during agent SVID rotation (#1399)
• The upstream_bundle configurable now defaults to true, and is marked as deprecated (#1404)
• OIDC Discovery Provider and the Kubernetes Workload Registrar release binaries are now available via the spire-extras tarball (#1424)
• Introduced new plugin type UpstreamAuthority, which supports both X509-SVID and JWT-SVID as well as the ability to push upstream changes into SPIRE Server (#1388, #1394, #1406, #1455)
• AWS PCA, AWS Secrets, Disk and SPIRE UpstreamCA plugins have been ported to the UpstreamAuthority type (#1411, #1409, #1410, #1415)
• Introduced a new RPC PushJWTKeyUpstream in the Node API for publishing JWT-SVID signing keys from downstream servers (#1416)
• Introduced a new RPC FetchBundle in the Node API for fetching an up-to-date bundle (#1458)
• AWS PCA UpstreamAuthority plugin endpoint is now configurable (#1498)
• The UpstreamCA plugin type is now marked as deprecated in favor of the UpstreamAuthority plugin type (#1406)

[0.9.4] - 2021-03-04

Security

• Fixed CVE-2021-27098
• Fixed file descriptor leak in peertracker

[0.9.3] - 2020-03-05

• Significantly reduced the server's database load (#1350, #1355, #1397)
• Improved consistency in SVID propagation time for some cases (#1352)
• AWS IID node attestor now supports the v2 metadata service (#1369)
• SQL datastore plugin now supports leveraging read-only replicas (#1363)
• Fixed a bug in which CA certificates may have an empty Subject if incorrectly configured (#1387)
• Server now logs an agent ID when an invalid agent makes a request (#1395)
• Fixed a bug in which the server CLI did not correctly show entries when querying with multiple selectors (#1398)
• Registration API now has an RPC for listing entries that supports paging (#1392)

[0.9.2] - 2020-01-14

• Fixed a crash when a key protecting the bundle endpoint is removed (#1326)
• Bundle endpoint client now supports Web-PKI authenticated endpoints (#1327)
• SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (#1294)

[0.9.1] - 2019-12-19

• Agent cache file writes are now atomic, more resilient (#1267)
• Introduced Google Cloud Storage bundle notifier plugin for server (#1227)
• Server and agent now detect unknown configuration options in supported blocks (#1289, #1299, #1306, #1307)
• Improved agent response to heavy server load through use of request backoffs (#1270)
• The in-memory telemetry sink can now be disabled, and will be by default in a future release (#1248)
• Agents will now re-balance connections to servers (and re-resolve DNS) automatically (#1265)
• Improved behavior of M3 duration telemetry (#1262)
• Fixed a bug in which MySQL deadlock may occur under heavy attestation load (#1291)
• KeyManager "disk" now emits a friendly error when directory option is missing (#1313)

[0.9.0] - 2019-11-14

• Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
• Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208)
• SQL auto-migration can be disabled (#1089)
• SQL schema compatability checks are aligned with upgrade compatability guarantees (#1089)
• Agent CLI can provide information on attested nodes (#1098)
• SPIRE can tolerate small SVID expiration periods (#1115)
• Reduced Docker image sizes by roughly 25% (#1140)
• The upstream_bundle configurable is deprecated (#1147)
• Agents can be configured to bootstrap insecurely with SPIRE Servers for ease of evaluation (#1148)
• The issuer claim in JWT-SVIDs can be customized (#1164)
• SPIRE Server supports a wider variety of signing key types (#1169)
• New OIDC discovery provider that serves a compatible JWKS document with signing keys from the trust domain (#1170,#1175)
• New Upstream CA plugin that signs SPIRE Server CA CSRs using a Private Ceriticate Authority in AWS Certificate Manager (#1172)
• Agents respond more predictably when making requests to an overloaded SPIRE Server (#1182)
• Docker Workload Attestor supports a wider variety of cgroup drivers (#1188)
• Docker Workload Attestor supports selection based on container environment variables (#1205)
• Fixed an issue in which Kubernetes workload attestation occasionally fails to identify the caller (#1216)

[0.8.5] - 2021-03-04

Security

• Fixed CVE-2021-27098
• Fixed file descriptor leak in peertracker

[0.8.4] - 2019-10-28

• Fixed spurious agent synchronization failures during agent SVID rotation (#1084)
• Added support for Kind to the Kubernetes Workload Attestor (#1133)
• Added support for ACME v2 to the bundle endpoint (#1187)
• Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (#1194)

[0.8.3] - 2019-10-18

• Upgrade to Go 1.12.12 in response to CVE-2019-17596 (#1204)

[0.8.2] - 2019-10-10

• Connection pool details in SQL DataStore plugin are now configurable (#1028)
• SQL DataStore plugin now emits telemetry (#998)
• The SPIFFE bundle endpoint now supports serving Web PKI via ACME (#1029)
• Fix Workload API socket permissions when enclosing directory is automatically created (#1048)
• The Kubernetes PSAT node attestor now emits node and pod label selectors (#1042)
• SVIDs can now be created directly against SPIRE server using the new mint feature (#1036)
• SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (#1061)
• Significant SQL DataStore performance improvements (#1069, #1079)
• Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (#1047)
• Registration entries with an expiry set are now automatically pruned from the datastore (#1056)
• Fix bug that resulted in authorized workloads being denied SVIDs (#1103)

[0.8.1] - 2019-07-19

• Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946)
• Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000)
• GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012)
• X.509 certificate serial numbers are now random 128-bit numbers (#999)
• Added SQL table indexes to SQL datastore to improve query performance (#1007)
• Improved metrics coverage (#931, #932, #935, #968)
• Plugins can now emit metrics (#990, #993)
• GCP CloudSQL support (#995)
• Experimental support for SPIFFE federation (#951, #983)
• Fixed a peertracker bug parsing /proc/PID/stat on Linux (#982)
• Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (#970)
• Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (#973)
• Server plugins can now query for attested agent information (#964)
• AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (#938, #963)
• K8S Workload Attestor now works with Docker's systemd cgroup driver (#950)
• Improved documentation and examples (#915, #916, #918, #926, #930, #940, #941, #948, #954, #955, #1014)
• Fixed SSH-based node attested agent IDs to be URL-safe (#944)
• Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with upstream_bundle = false (#939)
• Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (#929)
• Agent Node Attestor plugins no longer have to determine the agent ID (#922)
• GCP IIT node attestor can now be configured with the host used to obtain the token (#917)
• Fixed race in bundle pruning for HA deployments (#919)
• Disk UpstreamCA plugin now supports intermediate CAs (#910)
• Docker workload attestation now retries connections to the Docker deamon on transient failures (#901)
• New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (#885, #953)
• Logs can now be emitted in JSON format (#866)

[0.8.0] - 2019-05-20

• Fix a bug in which the agent periodically logged connection errors (#906)
• Kubernetes SAT node attestor now supports the TokenReview API (#904)
• Agent cache refactored to improve memory management and fix a leak (#863)
• UpstreamCA "disk" will now reload cert and keys when needed (#903)
• Introduced Nested SPIRE: server clusters can now be chained together (#890)
• Fix a bug in AWS IID NodeResolver with instance profile lookup (#888)
• Improved workload attestation and fixed a security bug related to PID reuse (#886)
• New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (#877)
• New plugin type Notifier for programatically taking action on important events (#877)
• New NodeAttestor based on SSH certificates (#868, #870)
• v2 client library for Workload API interaction (#841)
• Back-compat bundle management code removed - bundle is now handled correctly (#858, #859)
• Plugins can now expose auxiliary services and consume host-based services (#840)
• Fix bug preventing agent recovery prior to its first SVID rotation (#839)
• Agent and server can now export telemetry to Prometheus, Statsd, DogStatsd (#817)
• Fix bug in SDS API that prevented updates following Envoy restart (#820)
• Kubernetes workload attestor now supports using the secure port (#814)
• Support for TLS-protected connections to MySQL (#821)
• X509-SVID can now include an optional CN/DNS SAN (#798)
• SQL DataStore plugin now supports MySQL (#784)
• Fix bug preventing agent from reconnecting to a new server after an error (#795)
• Fix bug preventing agent from shutting down when streams are open (#790)
• Registration entries can now have an expiry and be pruned automatically (#776, #793)
• New Kubernetes NodeAttestor based on PSAT for node specificity (#771, #860)
• New UpstreamCA plugin for AWS secret manager (#751)
• Healthcheck commands exposed in server and agent (#758, #763)
• Kubernetes workload attestor extended with additional selectors (#720)
• UpstreamCA "disk" now supports loading multiple key types (#717)

[0.7.3] - 2019-02-11

• Agent can now expose Envoy SDS API for TLS certificate installation rotation (#667)
• Agent now automatically creates its configured data dir if it doesn't exist (#678)
• Agent panic fixed in the event that rotation is attempted from non-attested node (#684)
• Docker workload attestor plugin introduced (#687)
• Agent and server no longer force a configured umask, upgrades it if too permissive (#686)
• Registration entry CLI utility now supports --node entry distinction (#695)
• Server can now evict previously-attested agents (#693)
• Official docker images are now published on build and release (#700)

[0.7.2] - 2019-01-23

• Fix non-random UUID bug by moving to gofrs-maintained uuid pkg (#659)
• Server now supports multiple node resolvers (#652)
• Server no longer allows agent to specify X.509 Subject value (#663)
• Registration API is now authenticated, can be reached remotely (#656)
• Fixed debug log message in the Node API handler (#666)
• Agent's KeyManager interface updated for better durability (#669)
• Use FQDN in the GCP Node Attestor to prevent reliance on shortname resolution (#672)
• Upgrade to Go 1.11.5 in response to CVE-2019-6486 (#690)

[0.7.1] - 2018-12-20

• Documentation updates for Azure plugins, agent, server (#629, #631, #642, #651, #654)
• Intermediate certificates now included in bundle for compatibility with 0.6 (#633)
• Attestation now fails if NodeResolver encounters an error (#634)
• Fix bootstrap bug when upstream_bundle is not set (#639)
• Additional telemetry points added, introduced telemetry in server (#640)
• CLI utilities now print TTL value of default instead of 0 when not set (#645)
• Fix bug in CLI utilities causing them to write PEM files with the wrong header (#647)
• Go runtime upgraded in response to CVE-2018-16875 (#653)
• Server now detects and prevents trust domain configuration change (#644)
• Fix vulnerability in which X.509 path validation is not performed on node API (#655)

[0.7.0] - 2018-11-08

• JWT Support (#616)
• Workload API now returns intermediate chains (#611)
• UNIX attestor now returns binary path and sha256 (#590)
• UNIX attestor now returns effective user and group name (#589)
• Node API now ratelimits expensive calls (#577)
• Soft delete disabled in SQL datastore plugin (#560)
• Basic federation support (#559, #563, #581, #582)
• Kubernetes node attestor (#557)
• AWS node resolver builtin (#554)
• Azure node attestor (#551)
• Azure node resolver (#553)
• KeyManager plugin interface for server (#539)
• Disk-based KeyManager server plugin (#532)
• x509pop now supports intermediate chains (#524)
• Fix bug that resulted in some SVIDs outliving CA (#520)
• Let agent fail over to different server on failure (#561)
• Node attestors can now return selectors (#516)
• Improved SPIFFE ID validation (#513, #515)

[0.6.2] - 2018-09-12

• Support for Azure node attestation (#551)
• Support for Azure node resolution (#553)
• Updated DNS resolution to support DNS-based HA failover (#561)
• Updated x509pop challenge to strengthen against signature replay attacks (#562)
• Removed sql plugin soft delete for better space management (#560)
• Performance improvements and bugfixes in sql plugin (#564)
• Support for HTTP/HTTPS CONNECT proxies (#568, #585)
• Updated Node API to perform ratelimiting (#577)

[0.6.1] - 2018-07-27

• Fixed SVID renewal bug (#520)
• Support separate file for intermediates in x509pop node attestor (#524)
• Allow node attestors to provide supplemental selectors (#516)
• ServerCA "memory" can now optionally persist keys to disk (#532)
• Config file updates so spire commands can be run from any CWD (#541)
• Minor doc/example fixes (#535)

[0.6.0] - 2018-06-26

• Added GCP Instance Identity Token (IIT) node attestation.
• Added X509 Proof-of-Possession node attestation.
• Added challenge/response support to node attestation API.
• SQL datastore plugin renamed. Now includes support for PostgresSQL.
• Improved k8s workload attestation resilience.
• Lots of bug fixes.