All Versions: 56
Avg Release Cycle: 38 days
Latest Release: 1015 days ago

Changelog History

  • v1.4.3 Changes

    October 04, 2022

    Security

    • Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME
  • v1.4.2 Changes

    September 07, 2022

    Added

    • The X509-SVID Subject field now contains a unique ID to satisfy RFC 5280 requirements (#3367)
    • Agents now shut down when banned (#3308)

    Changed

    • Small documentation improvements (#3309, #3377)
  • v1.4.1 Changes

    September 06, 2022

    Security

    • Updated to Go 1.18.6 to address CVE-2022-27664
  • v1.4.0 Changes

    August 08, 2022

    Added

    • Support for Windows workload attestation on Kubernetes (#3191)
    • Support for using RSA keys with Workload X509-SVIDs (#3237)
    • Support for anonymous authentication to the Kubelet secure port when performing workload attestation on Kubernetes (#3273)

    Deprecated

    • The Node Resolver plugin type (#3272)

    Fixed

    • Persistence of the can_reattest flag during agent SVID renewal (#3292)
    • A regression in behavior preventing an agent from re-attesting when it has been evicted (#3269)

    Changed

    • The Azure Node Attestor to optionally provide selectors (#3272)
    • The Docker Workload Attestor now fails when configured with unknown options (#3243)
    • Improved CRI-O support with Kubernetes workload attestation (#3242)
    • Agent data stored on disk has been consolidated to a single JSON file (#3201)
    • Agent and server data directories on Windows no longer inherit permissions from parent directory (#3227)
    • Endpoints exposed using named pipes explicitly deny access to remote callers (#3236)
    • Small documentation improvements (#3264)

    Removed

    • The deprecated webhook mode from the k8s-workload-registrar (#3235)
    • Support for the configmap leader election lock type from the k8s-workload-registrar (#3241)
  • v1.3.5 Changes

    October 04, 2022

    Security

    • Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME
  • v1.3.4 Changes

    September 06, 2022

    Security

    • Updated to Go 1.18.6 to address CVE-2022-27664
  • v1.3.3 Changes

    July 13, 2022

    Security

    • Updated to Go 1.18.4 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
  • v1.3.2 Changes

    July 08, 2022

    Added

    • Support for K8s workload attestation when the Kubelet is run as a standalone component (#3163)
    • Optional health check endpoints to the OIDC Discovery Provider (#3151)
    • Pagination support to the server entry show command (#3135)

    Fixed

    • A regression in workload SVID minting that caused DNS names not to be set in the SVID (#3215)
    • A regression in the server that caused a panic instead of a clean shutdown if a plugin was misconfigured (#3166)

    Changed

    • Directories for UDS endpoints are no longer created by SPIRE on Windows (#3192)
  • v1.3.1 Changes

    June 09, 2022

    Added

    • The Windows workload attestor gained a new sha256 selector that can attest the SHA256 digest of the workload binary (#3100)

    Fixed

    • Database rows related to registration entries are now properly removed (#3127, #3132)
    • Agent reduces bandwidth use by requesting only required information when syncing with the server (#3123)
    • Issue with read-modify-write operations when using PostgreSQL datastore in hot standby mode (#3103)

    Changed

    • FetchX509Bundles RPC no longer sends spurious updates that contain no changes (#3102)
    • Warn if an external plugin attempts to override the built-in join_token node attestor (#3045)
    • Database connections are now proactively closed when SPIRE server is shut down (#3047)
  • v1.3.0 Changes

    May 12, 2022

    Added

    • Experimental Windows support (https://github.com/spiffe/spire/projects/12)
    • Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)
    • Configurable leader election resource lock type for the K8s Workload Registrar (#3030)
    • Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (#2789)
    • CanReattest flag to NodeAttestor responses to facilitate future features (#2646)

    Fixed

    • Spurious message to STDOUT when there is no plugin_data section configured for a plugin (#2927)

    Changed

    • SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (#2965)
    • SPIRE no longer prepends slashes to paths passed to the API when missing (#2963)
    • K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (#2921)
    • Improved error messaging when unauthorized resources are requested via SDS (#2916)
    • Small documentation improvements (#2934, #2947, #3013)

    Deprecated

    • The webhook mode for the K8s Workload Registrar has been deprecated (#2964)