Tags: esweiss/spire

0.7.3

- Agent can now expose Envoy SDS API for TLS certificate installation rotation (spiffe#667)
- Agent now automatically creates its configured data dir if it doesn't exist (spiffe#678)
- Agent panic fixed in the event that rotation is attempted from non-attested node (spiffe#684)
- Docker workload attestor plugin introduced (spiffe#687)
- Agent and Server no longer force a configured umask, upgrades it if too permissive (spiffe#686)
- Registration entry CLI utility now supports --node entry distinction (spiffe#695)
- Server can now evict previously-attested agents (spiffe#693)
- Official docker images are now published on build and release (spiffe#700)
- Server now validates Agent credentials on every API call instead of only when TLS is established (spiffe#711)

0.7.2

- Fix non-random UUID bug by moving to gofrs-maintained uuid pkg (spiffe#659)
- Server now supports multiple node resolvers (spiffe#652)
- Server no longer allows agent to specify X.509 Subject value (spiffe#663)
- Registration API is now authenticated, can be reached remotely (spiffe#656)
- Fixed debug log message in the Node API handler (spiffe#666)
- Agent's KeyManager interface updated for better durability (spiffe#669)
- Use FQDN in the GCP Node Attestor to prevent reliance on shortname resolution (spiffe#672)
- Upgrade to Go 1.11.5 in response to CVE-2019-6486 (spiffe#690)

0.7.1

- Documentation updates for Azure plugins, agent, server (spiffe#629, spiffe#631, spiffe#642, spiffe#651, spiffe#654)
- Intermediate certificates now included in bundle for compatibility with 0.6 (spiffe#633)
- Attestation now fails if NodeResolver encounters an error (spiffe#634)
- Fix bootstrap bug when upstream_bundle is not set (spiffe#639)
- Additional telemetry points added, introduced telemetry in server (spiffe#640)
- CLI utilities now print TTL value of default instead of 0 when not set (spiffe#645)
- Fix bug in CLI utilities causing them to write PEM files with the wrong header (spiffe#647)
- Go runtime upgraded in response to CVE-2018-16875 (spiffe#653)
- Server now detects and prevents trust domain configuration change (spiffe#644)
- Fix vulnerability in which X.509 path validation is not performed on node API (spiffe#655)

0.7.0

- JWT Support (spiffe#616)
- Workload API now returns intermediate chains (spiffe#611)
- UNIX attestor now returns binary path and sha256 (spiffe#590)
- UNIX attestor now returns effective user and group name (spiffe#589)
- Node API now ratelimits expensive calls (spiffe#577)
- Soft delete disabled in SQL datastore plugin (spiffe#560)
- Basic federation support (spiffe#559, spiffe#563, spiffe#581, spiffe#582)
- Kubernetes node attestor (spiffe#557)
- AWS node resolver builtin (spiffe#554)
- Azure node attestor (spiffe#551)
- Azure node resolver (spiffe#553)
- KeyManager plugin interface for server (spiffe#539)
- Disk-based KeyManager server plugin (spiffe#532)
- x509pop now supports intermediate chains (spiffe#524)
- Fix bug that resulted in some SVIDs outliving CA (spiffe#520)
- Let agent fail over to different server on failure (spiffe#561)
- Node attestors can now return selectors (spiffe#516)
- Improved SPIFFE ID validation (spiffe#513, spiffe#515)

0.6.2

- Support for Azure node attestation (spiffe#551)
- Support for Azure node resolution (spiffe#553)
- Updated DNS resolution to support DNS-based HA failover (spiffe#561)
- Updated x509pop challenge to strengthen against signature replay attacks (spiffe#562)
- Removed sql plugin soft delete for better space management (spiffe#560)
- Performance improvements and bugfixes in sql plugin (spiffe#564)
- Support for HTTP/HTTPS CONNECT proxies (spiffe#568, spiffe#585)
- Updated Node API to perform ratelimiting (spiffe#577)