Tags: dennisgove/spire

v1.3.0

Added:
- Experimental Windows support (https://github.com/spiffe/spire/projects/12)
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)
- Configurable leader election resource lock type for the K8s Workload Registrar (spiffe#3030)
- Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (spiffe#2789)
- CanReattest flag to NodeAttestor responses to facilitate future features (spiffe#2646)

Fixed:
- Spurious message to STDOUT when there is no plugin_data section configured for a plugin (spiffe#2927)

Changed:
- SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (spiffe#2965)
- SPIRE no longer prepends slashes to paths passed to the API when missing (spiffe#2963)
- K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (spiffe#2921)
- Improved error messaging when unauthorized resources are requested via SDS (spiffe#2916)
- Small documentation improvements (spiffe#2934, spiffe#2947, spiffe#3013)

Deprecated:
- The webhook mode for the K8s Workload Registrar has been deprecated (spiffe#2964)

v1.2.4

Added:
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)

v1.1.5

Added:
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)

v1.0.4

Added:
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (spiffe#3009, spiffe#3014, spiffe#3020, spiffe#3034)

v1.2.3

Security:
- Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536.

v1.1.4

Security:
- Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536.

v1.2.2

Added:
- SPIRE Server and Agent log files can be rotated by sending the `SIGUSR2` signal to the process (spiffe#2703)
- K8s Workload Registrar CRD mode now supports registering "downstream" workloads (spiffe#2885)
- SPIRE can now be compiled on macOS machines with an Apple Silicon CPU (spiffe#2876)
- Small documentation improvements (spiffe#2851)

Changed:
- SPIRE Server no longer sets the `DigitalSignature` KeyUsage bit in its CA certificate (spiffe#2896)

Fixed:
- The `k8sbundle` Notifier plugin in SPIRE Server no longer consumes excessive CPU cycles (spiffe#2857)

v1.2.1

Added:
- The SPIRE Agent `fetch jwt` CLI command now supports JSON output (spiffe#2650)

Changed:
- OIDC Discovery Provider now includes the `alg` parameter in JWKs to increase compatibility (spiffe#2771)
- SPIRE Server now gracefully stops plugin servers, allowing outstanding RPCs a chance to complete (spiffe#2722)
- SPIRE Server logs additional authorization information with RPC requests (spiffe#2776)
- Small documentation improvements (spiffe#2746, spiffe#2792)

Fixed:
- SPIRE Server now properly rotates signing keys when prepared or activated keys are lost from the database (spiffe#2770)
- The AWS IID node attestor now works with instance profiles which have paths (spiffe#2825)
- Fixed a crash in SPIRE Agent caused by a race on the agent cache (spiffe#2699)

v1.2.0

Added:
- SPIRE Server can now be configured to mint agent SVIDs with a specific TTL (spiffe#2667)
- A set of fixed admin SPIFFE IDs can now be configured in SPIRE Server (spiffe#2677)

Changed:
- Upstream signed CA chain is now validated to prevent misconfigurations (spiffe#2644)
- Improved SVID signing logs to include more context (spiffe#2678)
- The deprecated agent key file (`svid.key`) is no longer proactively removed by the agent (spiffe#2671)
- Improved errors when agent path template execution fails due to missing key (spiffe#2683)
- SPIRE now consumes the SVIDStore V1 interface published in the SPIRE Plugin SDK (spiffe#2688)

Deprecated:
- API support for paths without leading slashes in `spire.api.types.SPIFFEID` messages has been deprecated (spiffe#2686, spiffe#2692)
- The SVIDStore V1 interface published in SPIRE repository has been renamed to `svidstore.V1Unofficial` and is now deprecated in favor of the interface published in the SPIRE Plugin SDK (spiffe#2688)

Removed:
- The deprecated `domain` configurable has been removed from the SPIRE OIDC Discovery Provider (spiffe#2672)
- The deprecated `allow_unsafe_ids` configurable has been removed from SPIRE Server (spiffe#2685)

v1.1.3

Security:
- Fixed CVE-2021-44716