All Versions
56
Latest Version
Avg Release Cycle
38 days
Latest Release
1015 days ago
Changelog History
Page 1
Changelog History
Page 1
-
v1.4.3 Changes
October 04, 2022๐ Security
- โก๏ธ Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME
-
v1.4.2 Changes
September 07, 2022โ Added
- The X509-SVID Subject field now contains a unique ID to satisfy RFC 5280 requirements (#3367)
- Agents now shut down when banned (#3308)
๐ Changed
- ๐ Small documentation improvements (#3309, #3377)
-
v1.4.1 Changes
September 06, 2022๐ Security
- โก๏ธ Updated to Go 1.18.6 to address CVE-2022-27664
-
v1.4.0 Changes
August 08, 2022โ Added
- ๐ Support for Windows workload attestation on Kubernetes (#3191)
- ๐ Support for using RSA keys with Workload X509-SVIDs (#3237)
- ๐ Support for anonymous authentication to the Kubelet secure port when performing workload attestation on Kubernetes (#3273)
๐ Deprecated
- ๐ The Node Resolver plugin type (#3272)
๐ Fixed
- โ Persistence of the can_reattest flag during agent SVID renewal (#3292)
- โ A regression in behavior preventing an agent from re-attesting when it has been evicted (#3269)
๐ Changed
- โ The Azure Node Attestor to optionally provide selectors (#3272)
- ๐ณ The Docker Workload Attestor now fails when configured with unknown options (#3243)
- ๐ Improved CRI-O support with Kubernetes workload attestation (#3242)
- Agent data stored on disk has been consolidated to a single JSON file (#3201)
- ๐ Agent and server data directories on Windows no longer inherit permissions from parent directory (#3227)
- Endpoints exposed using named pipes explicitly deny access to remote callers (#3236)
- ๐ Small documentation improvements (#3264)
โ Removed
- ๐ The deprecated webhook mode from the k8s-workload-registrar (#3235)
- ๐ Support for the configmap leader election lock type from the k8s-workload-registrar (#3241)
-
v1.3.5 Changes
October 04, 2022๐ Security
- โก๏ธ Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME
-
v1.3.4 Changes
September 06, 2022๐ Security
- โก๏ธ Updated to Go 1.18.6 to address CVE-2022-27664
-
v1.3.3 Changes
July 13, 2022๐ Security
- โก๏ธ Updated to Go 1.18.4 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
-
v1.3.2 Changes
July 08, 2022โ Added
- ๐ Support for K8s workload attestation when the Kubelet is run as a standalone component (#3163)
- Optional health check endpoints to the OIDC Discovery Provider (#3151)
- ๐ Pagination support to the server
entry show
command (#3135)
๐ Fixed
- A regression in workload SVID minting that caused DNS names not to be set in the SVID (#3215)
- ๐ A regression in the server that caused a panic instead of a clean shutdown if a plugin was misconfigured (#3166)
๐ Changed
- ๐ Directories for UDS endpoints are no longer created by SPIRE on Windows (#3192)
-
v1.3.1 Changes
June 09, 2022โ Added
- ๐ The
windows
workload attestor gained a newsha256
selector that can attest the SHA256 digest of the workload binary (#3100)
๐ Fixed
- ๐ Database rows related to registration entries are now properly removed (#3127, #3132)
- ๐ Agent reduces bandwidth use by requesting only required information when syncing with the server (#3123)
- Issue with read-modify-write operations when using PostgreSQL datastore in hot standby mode (#3103)
๐ Changed
- โก๏ธ FetchX509Bundles RPC no longer sends spurious updates that contain no changes (#3102)
- โ
Warn if the built-in
join_token
node attestor is attempted to be overridden by an external plugin (#3045) - Database connections are now proactively closed when SPIRE server is shut down (#3047)
- ๐ The
-
v1.3.0 Changes
May 12, 2022โ Added
- ๐ Experimental Windows support (https://github.com/spiffe/spire/projects/12)
- โช Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)
- ๐ Configurable leader election resource lock type for the K8s Workload Registrar (#3030)
- Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (#2789)
- โ CanReattest flag to NodeAttestor responses to facilitate future features (#2646)
๐ Fixed
- ๐ง Spurious message to STDOUT when there is no plugin_data section configured for a plugin (#2927)
๐ Changed
- ๐ SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (#2965)
- SPIRE no longer prepends slashes to paths passed to the API when missing (#2963)
- K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (#2921)
- ๐ Improved error messaging when unauthorized resources are requested via SDS (#2916)
- ๐ Small documentation improvements (#2934, #2947, #3013)
๐ Deprecated
- ๐ The webhook mode for the K8s Workload Register has been deprecated (#2964)