All Versions
56
Latest Version
Avg Release Cycle
38 days
Latest Release
708 days ago
Changelog History
Page 5
Changelog History
Page 5
-
v0.9.2 Changes
January 14, 2020- ๐ Fixed a crash when a key protecting the bundle endpoint is removed (#1326)
- ๐ Bundle endpoint client now supports Web-PKI authenticated endpoints (#1327)
- SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (#1294)
-
v0.9.1 Changes
December 19, 2019- Agent cache file writes are now atomic, more resilient (#1267)
- ๐ Introduced Google Cloud Storage bundle notifier plugin for server (#1227)
- ๐ง Server and agent now detect unknown configuration options in supported blocks (#1289, #1299, #1306, #1307)
- ๐ Improved agent response to heavy server load through use of request backoffs (#1270)
- ๐ The in-memory telemetry sink can now be disabled, and will be by default in a future release (#1248)
- Agents will now re-balance connections to servers (and re-resolve DNS) automatically (#1265)
- ๐ Improved behavior of M3 duration telemetry (#1262)
- ๐ Fixed a bug in which MySQL deadlock may occur under heavy attestation load (#1291)
- KeyManager "disk" now emits a friendly error when directory option is missing (#1313)
-
v0.9.0 Changes
November 14, 2019- ๐ Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
- โ Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208)
- SQL auto-migration can be disabled (#1089)
- โฌ๏ธ SQL schema compatability checks are aligned with upgrade compatability guarantees (#1089)
- โ Agent CLI can provide information on attested nodes (#1098)
- SPIRE can tolerate small SVID expiration periods (#1115)
- โฌ๏ธ Reduced Docker image sizes by roughly 25% (#1140)
- ๐ง The
upstream_bundle
configurable is deprecated (#1147) - ๐ง Agents can be configured to bootstrap insecurely with SPIRE Servers for ease of evaluation (#1148)
- The issuer claim in JWT-SVIDs can be customized (#1164)
- ๐ SPIRE Server supports a wider variety of signing key types (#1169)
- ๐ New OIDC discovery provider that serves a compatible JWKS document with signing keys from the trust domain (#1170,#1175)
- ๐ New Upstream CA plugin that signs SPIRE Server CA CSRs using a Private Ceriticate Authority in AWS Certificate Manager (#1172)
- Agents respond more predictably when making requests to an overloaded SPIRE Server (#1182)
- ๐ณ Docker Workload Attestor supports a wider variety of cgroup drivers (#1188)
- ๐ณ Docker Workload Attestor supports selection based on container environment variables (#1205)
- ๐ Fixed an issue in which Kubernetes workload attestation occasionally fails to identify the caller (#1216)
-
v0.8.5 Changes
March 04, 2021๐ Security
- ๐ Fixed CVE-2021-27098
- ๐ Fixed file descriptor leak in peertracker
-
v0.8.4 Changes
October 28, 2019- ๐ Fixed spurious agent synchronization failures during agent SVID rotation (#1084)
- โ Added support for Kind to the Kubernetes Workload Attestor (#1133)
- โ Added support for ACME v2 to the bundle endpoint (#1187)
- ๐ Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (#1194)
-
v0.8.3 Changes
October 18, 2019- โฌ๏ธ Upgrade to Go 1.12.12 in response to CVE-2019-17596 (#1204)
-
v0.8.2 Changes
October 10, 2019- ๐ง Connection pool details in SQL DataStore plugin are now configurable (#1028)
- ๐ SQL DataStore plugin now emits telemetry (#998)
- ๐ The SPIFFE bundle endpoint now supports serving Web PKI via ACME (#1029)
- ๐ Fix Workload API socket permissions when enclosing directory is automatically created (#1048)
- โ The Kubernetes PSAT node attestor now emits node and pod label selectors (#1042)
- SVIDs can now be created directly against SPIRE server using the new
mint
feature (#1036) - SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (#1061)
- ๐ Significant SQL DataStore performance improvements (#1069, #1079)
- ๐ Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (#1047)
- Registration entries with an expiry set are now automatically pruned from the datastore (#1056)
- ๐ Fix bug that resulted in authorized workloads being denied SVIDs (#1103)
-
v0.8.1 Changes
July 19, 2019- Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946)
- โ Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000)
- ๐ GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012)
- X.509 certificate serial numbers are now random 128-bit numbers (#999)
- โ Added SQL table indexes to SQL datastore to improve query performance (#1007)
- ๐ Improved metrics coverage (#931, #932, #935, #968)
- ๐ Plugins can now emit metrics (#990, #993)
- ๐ GCP CloudSQL support (#995)
- ๐ Experimental support for SPIFFE federation (#951, #983)
- ๐ Fixed a peertracker bug parsing /proc/PID/stat on Linux (#982)
- ๐ Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (#970)
- ๐ Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (#973)
- โ Server plugins can now query for attested agent information (#964)
- ๐ AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (#938, #963)
- ๐ณ K8S Workload Attestor now works with Docker's systemd cgroup driver (#950)
- ๐ Improved documentation and examples (#915, #916, #918, #926, #930, #940, #941, #948, #954, #955, #1014)
- ๐ Fixed SSH-based node attested agent IDs to be URL-safe (#944)
- ๐ Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with
upstream_bundle = false
(#939) - Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (#929)
- โ Agent Node Attestor plugins no longer have to determine the agent ID (#922)
- ๐ง GCP IIT node attestor can now be configured with the host used to obtain the token (#917)
- ๐ Fixed race in bundle pruning for HA deployments (#919)
- ๐ Disk UpstreamCA plugin now supports intermediate CAs (#910)
- ๐ณ Docker workload attestation now retries connections to the Docker deamon on transient failures (#901)
- ๐ New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (#885, #953)
- ๐ Logs can now be emitted in JSON format (#866)
-
v0.8.0 Changes
May 20, 2019- ๐ Fix a bug in which the agent periodically logged connection errors (#906)
- โ Kubernetes SAT node attestor now supports the TokenReview API (#904)
- ๐จ Agent cache refactored to improve memory management and fix a leak (#863)
- UpstreamCA "disk" will now reload cert and keys when needed (#903)
- Introduced Nested SPIRE: server clusters can now be chained together (#890)
- ๐ Fix a bug in AWS IID NodeResolver with instance profile lookup (#888)
- ๐ Improved workload attestation and fixed a security bug related to PID reuse (#886)
- ๐ New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (#877)
- ๐ New plugin type Notifier for programatically taking action on important events (#877)
- ๐ New NodeAttestor based on SSH certificates (#868, #870)
- v2 client library for Workload API interaction (#841)
- ๐ Back-compat bundle management code removed - bundle is now handled correctly (#858, #859)
- ๐ Plugins can now expose auxiliary services and consume host-based services (#840)
- ๐ Fix bug preventing agent recovery prior to its first SVID rotation (#839)
- Agent and server can now export telemetry to Prometheus, Statsd, DogStatsd (#817)
- ๐ Fix bug in SDS API that prevented updates following Envoy restart (#820)
- โ Kubernetes workload attestor now supports using the secure port (#814)
- ๐ Support for TLS-protected connections to MySQL (#821)
- X509-SVID can now include an optional CN/DNS SAN (#798)
- ๐ SQL DataStore plugin now supports MySQL (#784)
- ๐ Fix bug preventing agent from reconnecting to a new server after an error (#795)
- ๐ Fix bug preventing agent from shutting down when streams are open (#790)
- Registration entries can now have an expiry and be pruned automatically (#776, #793)
- ๐ New Kubernetes NodeAttestor based on PSAT for node specificity (#771, #860)
- ๐ New UpstreamCA plugin for AWS secret manager (#751)
- Healthcheck commands exposed in server and agent (#758, #763)
- โ Kubernetes workload attestor extended with additional selectors (#720)
- ๐ UpstreamCA "disk" now supports loading multiple key types (#717)
-
v0.7.3 Changes
February 11, 2019- Agent can now expose Envoy SDS API for TLS certificate installation rotation (#667)
- ๐ง Agent now automatically creates its configured data dir if it doesn't exist (#678)
- โ Agent panic fixed in the event that rotation is attempted from non-attested node (#684)
- ๐ณ Docker workload attestor plugin introduced (#687)
- โฌ๏ธ Agent and server no longer force a configured umask, upgrades it if too permissive (#686)
- ๐ Registration entry CLI utility now supports --node entry distinction (#695)
- โ Server can now evict previously-attested agents (#693)
- ๐ Official docker images are now published on build and release (#700)