Tags: elee/spire
0.8.1

- Failure to obtain peer information from a Workload API connection no longer brings down the agent (spiffe#946)
- Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (spiffe#1000)
- GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (spiffe#969, spiffe#1006, spiffe#1012)
- X.509 certificate serial numbers are now random 128-bit numbers (spiffe#999)
- Added SQL table indexes to SQL datastore to improve query performance (spiffe#1007)
- Improved metrics coverage (spiffe#931, spiffe#932, spiffe#935, spiffe#968)
- Plugins can now emit metrics (spiffe#990, spiffe#993)
- GCP CloudSQL support (spiffe#995)
- Experimental support for SPIFFE federation (spiffe#951, spiffe#983)
- Fixed a peertracker bug parsing /proc/PID/stat on Linux (spiffe#982)
- Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (spiffe#970)
- Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (spiffe#973)
- Server plugins can now query for attested agent information (spiffe#964)
- AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (spiffe#938, spiffe#963)
- K8S Workload Attestor now works with Docker's systemd cgroup driver (spiffe#950)
- Improved documentation and examples (spiffe#915, spiffe#916, spiffe#918, spiffe#926, spiffe#930, spiffe#940, spiffe#941, spiffe#948, spiffe#954, spiffe#955, spiffe#1014)
- Fixed SSH-based node attested agent IDs to be URL-safe (spiffe#944)
- Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with `upstream_bundle = false` (spiffe#939)
- Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (spiffe#929)
- Agent Node Attestor plugins no longer have to determine the agent ID (spiffe#922)
- GCP IIT node attestor can now be configured with the host used to obtain the token (spiffe#917)
- Fixed race in bundle pruning for HA deployments (spiffe#919)
- Disk UpstreamCA plugin now supports intermediate CAs (spiffe#910)
- Docker workload attestation now retries connections to the Docker daemon on transient failures (spiffe#901)
- New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (spiffe#885, spiffe#953)
- Logs can now be emitted in JSON format (spiffe#866)
0.8.0

- Fix a bug in which the agent periodically logged connection errors (spiffe#906)
- Kubernetes SAT node attestor now supports the TokenReview API (spiffe#904)
- Agent cache refactored to improve memory management and fix a leak (spiffe#863)
- UpstreamCA "disk" will now reload cert and keys when needed (spiffe#903)
- Introduced Nested SPIRE: server clusters can now be chained together (spiffe#890)
- Fix a bug in AWS IID NodeResolver with instance profile lookup (spiffe#888)
- Improved workload attestation and fixed a security bug related to PID reuse (spiffe#886)
- New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (spiffe#877)
- New plugin type Notifier for programmatically taking action on important events (spiffe#877)
- New NodeAttestor based on SSH certificates (spiffe#868, spiffe#870)
- v2 client library for Workload API interaction (spiffe#841)
- Back-compat bundle management code removed; bundle is now handled correctly (spiffe#858, spiffe#859)
- Plugins can now expose auxiliary services and consume host-based services (spiffe#840)
- Fix bug preventing agent recovery prior to its first SVID rotation (spiffe#839)
- Agent and server can now export telemetry to Prometheus, Statsd, DogStatsd (spiffe#817)
- Fix bug in SDS API that prevented updates following Envoy restart (spiffe#820)
- Kubernetes workload attestor now supports using the secure port (spiffe#814)
- Support for TLS-protected connections to MySQL (spiffe#821)
- X509-SVID can now include an optional CN/DNS SAN (spiffe#798)
- SQL DataStore plugin now supports MySQL (spiffe#784)
- Fix bug preventing agent from reconnecting to a new server after an error (spiffe#795)
- Fix bug preventing agent from shutting down when streams are open (spiffe#790)
- Registration entries can now have an expiry and be pruned automatically (spiffe#776, spiffe#793)
- New Kubernetes NodeAttestor based on PSAT for node specificity (spiffe#771, spiffe#860)
- New UpstreamCA plugin for AWS secret manager (spiffe#751)
- Healthcheck commands exposed in server and agent (spiffe#758, spiffe#763)
- Kubernetes workload attestor extended with additional selectors (spiffe#720)
- UpstreamCA "disk" now supports loading multiple key types (spiffe#717)
0.7.3

- Agent can now expose Envoy SDS API for TLS certificate installation and rotation (spiffe#667)
- Agent now automatically creates its configured data dir if it doesn't exist (spiffe#678)
- Agent panic fixed in the event that rotation is attempted from a non-attested node (spiffe#684)
- Docker workload attestor plugin introduced (spiffe#687)
- Agent and Server no longer force a configured umask; they tighten it if it is too permissive (spiffe#686)
- Registration entry CLI utility now supports --node entry distinction (spiffe#695)
- Server can now evict previously-attested agents (spiffe#693)
- Official docker images are now published on build and release (spiffe#700)
- Server now validates Agent credentials on every API call instead of only when TLS is established (spiffe#711)
0.7.2

- Fix non-random UUID bug by moving to gofrs-maintained uuid pkg (spiffe#659)
- Server now supports multiple node resolvers (spiffe#652)
- Server no longer allows agent to specify X.509 Subject value (spiffe#663)
- Registration API is now authenticated, can be reached remotely (spiffe#656)
- Fixed debug log message in the Node API handler (spiffe#666)
- Agent's KeyManager interface updated for better durability (spiffe#669)
- Use FQDN in the GCP Node Attestor to prevent reliance on shortname resolution (spiffe#672)
- Upgrade to Go 1.11.5 in response to CVE-2019-6486 (spiffe#690)
0.7.1

- Documentation updates for Azure plugins, agent, server (spiffe#629, spiffe#631, spiffe#642, spiffe#651, spiffe#654)
- Intermediate certificates now included in bundle for compatibility with 0.6 (spiffe#633)
- Attestation now fails if NodeResolver encounters an error (spiffe#634)
- Fix bootstrap bug when upstream_bundle is not set (spiffe#639)
- Additional telemetry points added, introduced telemetry in server (spiffe#640)
- CLI utilities now print TTL value of default instead of 0 when not set (spiffe#645)
- Fix bug in CLI utilities causing them to write PEM files with the wrong header (spiffe#647)
- Go runtime upgraded in response to CVE-2018-16875 (spiffe#653)
- Server now detects and prevents trust domain configuration change (spiffe#644)
- Fix vulnerability in which X.509 path validation is not performed on node API (spiffe#655)
0.7.0

- JWT Support (spiffe#616)
- Workload API now returns intermediate chains (spiffe#611)
- UNIX attestor now returns binary path and sha256 (spiffe#590)
- UNIX attestor now returns effective user and group name (spiffe#589)
- Node API now ratelimits expensive calls (spiffe#577)
- Soft delete disabled in SQL datastore plugin (spiffe#560)
- Basic federation support (spiffe#559, spiffe#563, spiffe#581, spiffe#582)
- Kubernetes node attestor (spiffe#557)
- AWS node resolver builtin (spiffe#554)
- Azure node attestor (spiffe#551)
- Azure node resolver (spiffe#553)
- KeyManager plugin interface for server (spiffe#539)
- Disk-based KeyManager server plugin (spiffe#532)
- x509pop now supports intermediate chains (spiffe#524)
- Fix bug that resulted in some SVIDs outliving CA (spiffe#520)
- Let agent fail over to different server on failure (spiffe#561)
- Node attestors can now return selectors (spiffe#516)
- Improved SPIFFE ID validation (spiffe#513, spiffe#515)

- Support for Azure node attestation (spiffe#551)
- Support for Azure node resolution (spiffe#553)
- Updated DNS resolution to support DNS-based HA failover (spiffe#561)
- Updated x509pop challenge to strengthen against signature replay attacks (spiffe#562)
- Removed sql plugin soft delete for better space management (spiffe#560)
- Performance improvements and bugfixes in sql plugin (spiffe#564)
- Support for HTTP/HTTPS CONNECT proxies (spiffe#568, spiffe#585)
- Updated Node API to perform ratelimiting (spiffe#577)