Tags: forkkit/spire
0.9.3
- Significantly reduced the server's database load (spiffe#1350, spiffe#1355, spiffe#1397)
- Improved consistency in SVID propagation time for some cases (spiffe#1352)
- AWS IID node attestor now supports the v2 metadata service (spiffe#1369)
- SQL datastore plugin now supports leveraging read-only replicas (spiffe#1363)
- Fixed a bug in which CA certificates may have an empty Subject if incorrectly configured (spiffe#1387)
- Server now logs an agent ID when an invalid agent makes a request (spiffe#1395)
- Fixed a bug in which the server CLI did not correctly show entries when querying with multiple selectors (spiffe#1398)
- Registration API now has an RPC for listing entries that supports paging (spiffe#1392)
Merge pull request spiffe#1430 from evan2645/fix-changelog-release-date Update release date for 0.9.3 in the changelog
0.9.2
- Fixed a crash when a key protecting the bundle endpoint is removed (spiffe#1326)
- Bundle endpoint client now supports Web-PKI authenticated endpoints (spiffe#1327)
- SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (spiffe#1294)
0.9.1
- Agent cache file writes are now atomic, more resilient (spiffe#1267)
- Introduced Google Cloud Storage bundle notifier plugin for server (spiffe#1227)
- Server and agent now detect unknown configuration options in supported blocks (spiffe#1289, spiffe#1299, spiffe#1306, spiffe#1307)
- Improved agent response to heavy server load through use of request backoffs (spiffe#1270)
- The in-memory telemetry sink can now be disabled, and will be by default in a future release (spiffe#1248)
- Agents will now re-balance connections to servers (and re-resolve DNS) automatically (spiffe#1265)
- Improved behavior of M3 duration telemetry (spiffe#1262)
- Fixed a bug in which MySQL deadlock may occur under heavy attestation load (spiffe#1291)
- KeyManager "disk" now emits a friendly error when directory option is missing (spiffe#1313)
0.9.0
- Users can now opt-out of workload executable hashing when enabling the workload path as a selector (spiffe#1078)
- Added M3 support to telemetry and other telemetry and logging improvements (spiffe#1059, spiffe#1085, spiffe#1086, spiffe#1094, spiffe#1102, spiffe#1122, spiffe#1138, spiffe#1160, spiffe#1186, spiffe#1208)
- SQL auto-migration can be disabled (spiffe#1089)
- SQL schema compatibility checks are aligned with upgrade compatibility guarantees (spiffe#1089)
- Agent CLI can provide information on attested nodes (spiffe#1098)
- SPIRE can tolerate small SVID expiration periods (spiffe#1115)
- Reduced Docker image sizes by roughly 25% (spiffe#1140)
- The `upstream_bundle` configurable is deprecated (spiffe#1147)
- Agents can be configured to bootstrap insecurely with SPIRE Servers for ease of evaluation (spiffe#1148)
- The issuer claim in JWT-SVIDs can be customized (spiffe#1164)
- SPIRE Server supports a wider variety of signing key types (spiffe#1169)
- New OIDC discovery provider that serves a compatible JWKS document with signing keys from the trust domain (spiffe#1170, spiffe#1175)
- New Upstream CA plugin that signs SPIRE Server CA CSRs using a Private Certificate Authority in AWS Certificate Manager (spiffe#1172)
- Agents respond more predictably when making requests to an overloaded SPIRE Server (spiffe#1182)
- Docker Workload Attestor supports a wider variety of cgroup drivers (spiffe#1188)
- Docker Workload Attestor supports selection based on container environment variables (spiffe#1205)
- Fixed an issue in which Kubernetes workload attestation occasionally fails to identify the caller (spiffe#1216)
0.8.4
- Fixed spurious agent synchronization failures during agent SVID rotation (spiffe#1084)
- Added support for [Kind](https://kind.sigs.k8s.io) to the Kubernetes Workload Attestor (spiffe#1133)
- Added support for ACME v2 to the bundle endpoint (spiffe#1187)
- Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (spiffe#1194)
0.8.3
- Upgrade to Go 1.12.12 in response to CVE-2019-17596 (spiffe#1204)
0.8.2
- Connection pool details in SQL DataStore plugin are now configurable (spiffe#1028)
- SQL DataStore plugin now emits telemetry (spiffe#998)
- The SPIFFE bundle endpoint now supports serving Web PKI via ACME (spiffe#1029)
- Fix Workload API socket permissions when enclosing directory is automatically created (spiffe#1048)
- The Kubernetes PSAT node attestor now emits node and pod label selectors (spiffe#1042)
- SVIDs can now be created directly against SPIRE server using the new `mint` feature (spiffe#1036)
- SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (spiffe#1061)
- Significant SQL DataStore performance improvements (spiffe#1069, spiffe#1079)
- Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (spiffe#1047)
- Registration entries with an expiry set are now automatically pruned from the datastore (spiffe#1056)
- Fix bug that resulted in authorized workloads being denied SVIDs (spiffe#1103)
0.8.1
- Failure to obtain peer information from a Workload API connection no longer brings down the agent (spiffe#946)
- Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (spiffe#1000)
- GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (spiffe#969, spiffe#1006, spiffe#1012)
- X.509 certificate serial numbers are now random 128-bit numbers (spiffe#999)
- Added SQL table indexes to SQL datastore to improve query performance (spiffe#1007)
- Improved metrics coverage (spiffe#931, spiffe#932, spiffe#935, spiffe#968)
- Plugins can now emit metrics (spiffe#990, spiffe#993)
- GCP CloudSQL support (spiffe#995)
- Experimental support for SPIFFE federation (spiffe#951, spiffe#983)
- Fixed a peertracker bug parsing /proc/PID/stat on Linux (spiffe#982)
- Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (spiffe#970)
- Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (spiffe#973)
- Server plugins can now query for attested agent information (spiffe#964)
- AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (spiffe#938, spiffe#963)
- K8S Workload Attestor now works with Docker's systemd cgroup driver (spiffe#950)
- Improved documentation and examples (spiffe#915, spiffe#916, spiffe#918, spiffe#926, spiffe#930, spiffe#940, spiffe#941, spiffe#948, spiffe#954, spiffe#955, spiffe#1014)
- Fixed SSH-based node attested agent IDs to be URL-safe (spiffe#944)
- Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with `upstream_bundle = false` (spiffe#939)
- Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (spiffe#929)
- Agent Node Attestor plugins no longer have to determine the agent ID (spiffe#922)
- GCP IIT node attestor can now be configured with the host used to obtain the token (spiffe#917)
- Fixed race in bundle pruning for HA deployments (spiffe#919)
- Disk UpstreamCA plugin now supports intermediate CAs (spiffe#910)
- Docker workload attestation now retries connections to the Docker daemon on transient failures (spiffe#901)
- New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (spiffe#885, spiffe#953)
- Logs can now be emitted in JSON format (spiffe#866)