
Changelog History

  • v0.9.2 Changes

    January 14, 2020
    • Fixed a crash when a key protecting the bundle endpoint is removed (#1326)
    • Bundle endpoint client now supports Web-PKI authenticated endpoints (#1327)
    • SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (#1294)
  • v0.9.1 Changes

    December 19, 2019
    • Agent cache file writes are now atomic, more resilient (#1267)
    • Introduced Google Cloud Storage bundle notifier plugin for server (#1227)
    • Server and agent now detect unknown configuration options in supported blocks (#1289, #1299, #1306, #1307)
    • Improved agent response to heavy server load through use of request backoffs (#1270)
    • The in-memory telemetry sink can now be disabled, and will be by default in a future release (#1248)
    • Agents will now re-balance connections to servers (and re-resolve DNS) automatically (#1265)
    • Improved behavior of M3 duration telemetry (#1262)
    • Fixed a bug in which MySQL deadlock may occur under heavy attestation load (#1291)
    • KeyManager "disk" now emits a friendly error when directory option is missing (#1313)
  • v0.9.0 Changes

    November 14, 2019
    • Users can now opt out of workload executable hashing when enabling the workload path as a selector (#1078)
    • Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122, #1138, #1160, #1186, #1208)
    • SQL auto-migration can be disabled (#1089)
    • SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089)
    • Agent CLI can provide information on attested nodes (#1098)
    • SPIRE can tolerate small SVID expiration periods (#1115)
    • Reduced Docker image sizes by roughly 25% (#1140)
    • The upstream_bundle configurable is deprecated (#1147)
    • Agents can be configured to bootstrap insecurely with SPIRE Servers for ease of evaluation (#1148)
    • The issuer claim in JWT-SVIDs can be customized (#1164)
    • SPIRE Server supports a wider variety of signing key types (#1169)
    • New OIDC discovery provider that serves a compatible JWKS document with signing keys from the trust domain (#1170, #1175)
    • New Upstream CA plugin that signs SPIRE Server CA CSRs using a Private Certificate Authority in AWS Certificate Manager (#1172)
    • Agents respond more predictably when making requests to an overloaded SPIRE Server (#1182)
    • Docker Workload Attestor supports a wider variety of cgroup drivers (#1188)
    • Docker Workload Attestor supports selection based on container environment variables (#1205)
    • Fixed an issue in which Kubernetes workload attestation occasionally fails to identify the caller (#1216)
  • v0.8.5 Changes

    March 04, 2021

    Security

    • Fixed CVE-2021-27098
    • Fixed file descriptor leak in peertracker
  • v0.8.4 Changes

    October 28, 2019
    • Fixed spurious agent synchronization failures during agent SVID rotation (#1084)
    • Added support for Kind to the Kubernetes Workload Attestor (#1133)
    • Added support for ACME v2 to the bundle endpoint (#1187)
    • Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (#1194)
  • v0.8.3 Changes

    October 18, 2019
    • โฌ†๏ธ Upgrade to Go 1.12.12 in response to CVE-2019-17596 (#1204)
  • v0.8.2 Changes

    October 10, 2019
    • Connection pool details in SQL DataStore plugin are now configurable (#1028)
    • SQL DataStore plugin now emits telemetry (#998)
    • The SPIFFE bundle endpoint now supports serving Web PKI via ACME (#1029)
    • Fix Workload API socket permissions when enclosing directory is automatically created (#1048)
    • The Kubernetes PSAT node attestor now emits node and pod label selectors (#1042)
    • SVIDs can now be created directly against SPIRE server using the new mint feature (#1036)
    • SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (#1061)
    • Significant SQL DataStore performance improvements (#1069, #1079)
    • Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (#1047)
    • Registration entries with an expiry set are now automatically pruned from the datastore (#1056)
    • Fix bug that resulted in authorized workloads being denied SVIDs (#1103)
  • v0.8.1 Changes

    July 19, 2019
    • Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946)
    • Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000)
    • GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012)
    • X.509 certificate serial numbers are now random 128-bit numbers (#999)
    • Added SQL table indexes to SQL datastore to improve query performance (#1007)
    • Improved metrics coverage (#931, #932, #935, #968)
    • Plugins can now emit metrics (#990, #993)
    • GCP CloudSQL support (#995)
    • Experimental support for SPIFFE federation (#951, #983)
    • Fixed a peertracker bug parsing /proc/PID/stat on Linux (#982)
    • Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (#970)
    • Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (#973)
    • Server plugins can now query for attested agent information (#964)
    • AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (#938, #963)
    • K8S Workload Attestor now works with Docker's systemd cgroup driver (#950)
    • Improved documentation and examples (#915, #916, #918, #926, #930, #940, #941, #948, #954, #955, #1014)
    • Fixed SSH-based node attested agent IDs to be URL-safe (#944)
    • Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with upstream_bundle = false (#939)
    • Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (#929)
    • Agent Node Attestor plugins no longer have to determine the agent ID (#922)
    • GCP IIT node attestor can now be configured with the host used to obtain the token (#917)
    • Fixed race in bundle pruning for HA deployments (#919)
    • Disk UpstreamCA plugin now supports intermediate CAs (#910)
    • Docker workload attestation now retries connections to the Docker daemon on transient failures (#901)
    • New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (#885, #953)
    • Logs can now be emitted in JSON format (#866)
  • v0.8.0 Changes

    May 20, 2019
    • Fix a bug in which the agent periodically logged connection errors (#906)
    • Kubernetes SAT node attestor now supports the TokenReview API (#904)
    • Agent cache refactored to improve memory management and fix a leak (#863)
    • UpstreamCA "disk" will now reload cert and keys when needed (#903)
    • Introduced Nested SPIRE: server clusters can now be chained together (#890)
    • Fix a bug in AWS IID NodeResolver with instance profile lookup (#888)
    • Improved workload attestation and fixed a security bug related to PID reuse (#886)
    • New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (#877)
    • New plugin type Notifier for programmatically taking action on important events (#877)
    • New NodeAttestor based on SSH certificates (#868, #870)
    • v2 client library for Workload API interaction (#841)
    • Back-compat bundle management code removed - bundle is now handled correctly (#858, #859)
    • Plugins can now expose auxiliary services and consume host-based services (#840)
    • Fix bug preventing agent recovery prior to its first SVID rotation (#839)
    • Agent and server can now export telemetry to Prometheus, Statsd, DogStatsd (#817)
    • Fix bug in SDS API that prevented updates following Envoy restart (#820)
    • Kubernetes workload attestor now supports using the secure port (#814)
    • Support for TLS-protected connections to MySQL (#821)
    • X509-SVID can now include an optional CN/DNS SAN (#798)
    • SQL DataStore plugin now supports MySQL (#784)
    • Fix bug preventing agent from reconnecting to a new server after an error (#795)
    • Fix bug preventing agent from shutting down when streams are open (#790)
    • Registration entries can now have an expiry and be pruned automatically (#776, #793)
    • New Kubernetes NodeAttestor based on PSAT for node specificity (#771, #860)
    • New UpstreamCA plugin for AWS secret manager (#751)
    • Healthcheck commands exposed in server and agent (#758, #763)
    • Kubernetes workload attestor extended with additional selectors (#720)
    • UpstreamCA "disk" now supports loading multiple key types (#717)
  • v0.7.3 Changes

    February 11, 2019
    • Agent can now expose Envoy SDS API for TLS certificate installation rotation (#667)
    • Agent now automatically creates its configured data dir if it doesn't exist (#678)
    • Agent panic fixed in the event that rotation is attempted from non-attested node (#684)
    • Docker workload attestor plugin introduced (#687)
    • Agent and server no longer force a configured umask, upgrades it if too permissive (#686)
    • Registration entry CLI utility now supports --node entry distinction (#695)
    • Server can now evict previously-attested agents (#693)
    • Official docker images are now published on build and release (#700)