Tags: dennisgove/spire
v1.3.0

Added:
- Experimental Windows support (https://github.com/spiffe/spire/projects/12)
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)
- Configurable leader election resource lock type for the K8s Workload Registrar (spiffe#3030)
- Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (spiffe#2789)
- CanReattest flag to NodeAttestor responses to facilitate future features (spiffe#2646)

Fixed:
- Spurious message to STDOUT when there is no plugin_data section configured for a plugin (spiffe#2927)

Changed:
- SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (spiffe#2965)
- SPIRE no longer prepends slashes to paths passed to the API when missing (spiffe#2963)
- K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (spiffe#2921)
- Improved error messaging when unauthorized resources are requested via SDS (spiffe#2916)
- Small documentation improvements (spiffe#2934, spiffe#2947, spiffe#3013)

Deprecated:
- The webhook mode for the K8s Workload Registrar has been deprecated (spiffe#2964)

v1.2.4

Added:
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)

v1.1.5

Added:
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)

v1.0.4

Added:
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)

v1.2.3

Security:
- Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536.

v1.1.4

Security:
- Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536.

v1.2.2

Added:
- SPIRE Server and Agent log files can be rotated by sending the `SIGUSR2` signal to the process (spiffe#2703)
- K8s Workload Registrar CRD mode now supports registering "downstream" workloads (spiffe#2885)
- SPIRE can now be compiled on macOS machines with an Apple Silicon CPU (spiffe#2876)
- Small documentation improvements (spiffe#2851)

Changed:
- SPIRE Server no longer sets the `DigitalSignature` KeyUsage bit in its CA certificate (spiffe#2896)

Fixed:
- The `k8sbundle` Notifier plugin in SPIRE Server no longer consumes excessive CPU cycles (spiffe#2857)

v1.2.1

Added:
- The SPIRE Agent `fetch jwt` CLI command now supports JSON output (spiffe#2650)

Changed:
- OIDC Discovery Provider now includes the `alg` parameter in JWKs to increase compatibility (spiffe#2771)
- SPIRE Server now gracefully stops plugin servers, allowing outstanding RPCs a chance to complete (spiffe#2722)
- SPIRE Server logs additional authorization information with RPC requests (spiffe#2776)
- Small documentation improvements (spiffe#2746, spiffe#2792)

Fixed:
- SPIRE Server now properly rotates signing keys when prepared or activated keys are lost from the database (spiffe#2770)
- The AWS IID node attestor now works with instance profiles which have paths (spiffe#2825)
- Fixed a crash in SPIRE Agent caused by a race on the agent cache (spiffe#2699)

v1.2.0

Added:
- SPIRE Server can now be configured to mint agent SVIDs with a specific TTL (spiffe#2667)
- A set of fixed admin SPIFFE IDs can now be configured in SPIRE Server (spiffe#2677)

Changed:
- Upstream signed CA chain is now validated to prevent misconfigurations (spiffe#2644)
- Improved SVID signing logs to include more context (spiffe#2678)
- The deprecated agent key file (`svid.key`) is no longer proactively removed by the agent (spiffe#2671)
- Improved errors when agent path template execution fails due to missing key (spiffe#2683)
- SPIRE now consumes the SVIDStore V1 interface published in the SPIRE Plugin SDK (spiffe#2688)

Deprecated:
- API support for paths without leading slashes in `spire.api.types.SPIFFEID` messages has been deprecated (spiffe#2686, spiffe#2692)
- The SVIDStore V1 interface published in SPIRE repository has been renamed to `svidstore.V1Unofficial` and is now deprecated in favor of the interface published in the SPIRE Plugin SDK (spiffe#2688)

Removed:
- The deprecated `domain` configurable has been removed from the SPIRE OIDC Discovery Provider (spiffe#2672)
- The deprecated `allow_unsafe_ids` configurable has been removed from SPIRE Server (spiffe#2685)