Releases: spiffe/spire

v1.11.0

24 Oct 20:08
ca35234

Added

  • Support for forced rotation and revocation (https://github.com/orgs/spiffe/projects/21)
  • New EJBCA UpstreamAuthority plugin for SPIRE Server (#5378)
  • Support for variables in templates contained in the config file (#5576)
  • Support for the configuration validation RPC on all built-in plugins (#5303)
  • Improved logging when built-in plugins panic (#5476)
  • Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (#5408)
  • Documentation additions and improvements (#5589, #5588, #5499, #5433, #5430, #5269)

Changed

  • SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the x509_svid_cache_max_size configuration option. (#5383, #5531)
  • Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (#5506)
  • Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (#5454)

Removed

  • Deprecated -ttl flag from the SPIRE Server entry create and entry update commands (#5483)
  • Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (#5487)

Fixed

  • Missing TrustDomain field passed to x509pop path template (#5577)
  • Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (#5509)

v1.10.4

13 Sep 18:45
9c4d83a

Fixed

v1.10.3

04 Sep 12:38
7be2981

Fixed

  • Regression in agent health check, requiring the agent to have an SVID on disk to be healthy (#5459)

v1.10.2

03 Sep 13:48
6ba4d56

Added

  • http_challenge NodeAttestor plugin (#4909)
  • Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (#5272)
  • Metrics for monitoring the event-based cache (#5411)

Changed

  • Delegated Identity API to allow subscription by process ID (#5272)
  • Agent Debug endpoint to count SVIDs by type (#5352)
  • Agent health check to report an unhealthy status until the Agent SVID is attested (#5298)
  • Small documentation improvements (#5393)

Fixed

  • aws_iid NodeAttestor to properly handle multiple network interfaces (#5300)
  • Server configuration to correctly propagate the sql_transaction_timeout setting in the experimental events-based cache (#5345)

v1.10.1

01 Aug 20:02
a38f056

Added

  • New Grafana dashboard template (#5188)
  • aws_rolesanywhere_trustanchor BundlePublisher plugin (#5048)

Changed

  • spire UpstreamAuthority to optionally use the Preferred TTL on intermediate authorities (#5264)
  • Federation endpoint to support custom bundle and certificates for authorization (#5163)
  • Small documentation improvements (#5235, #5220)

Fixed

  • Event-based cache to handle events missed at the cache startup (#5289)
  • LRU cache to no longer send update notifications to all subscribers (#5281)

v1.10.0

24 Jun 14:13
fa6639b

Added

  • Plugin reconfiguration support using the plugin_data_file configurable (#5166)

Changed

  • SPIRE Server and OIDC provider images to use non-root users (#4967, #5227)
  • k8s_psat NodeAttestor to no longer fail when a cluster is not configured (#5216)
  • Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
  • Small documentation improvements (#5181, #5189)
  • Evicted agents that support reattestation can now reattest without being restarted (#4991)

Fixed

  • PSAT node attestor to cross-check the audience fields (#5142)
  • Events-based cache to handle out of order events (#5071)

Deprecated

  • x509_svid_cache_max_size and disable_lru_cache in agent configuration (#5150)

Removed

  • The deprecated disable_reattest_to_renew agent configurable (#5217)
  • The deprecated key_metadata_file configurable from the aws_kms, azure_key_vault and gcp_kms server KeyManagers (#5207)
  • The deprecated use_msi configurable from the azure_key_vault server KeyManager and azure_msi NodeAttestor (#5207, #5209)
  • The deprecated exclude_sn_from_ca_subject server configurable (#5203)
  • Agent no longer cleans up deprecated bundle and SVID files (#5205)
  • The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up (#5202)

v1.9.6

14 May 21:46
deda8a0

Added

  • Opt-in support for CGroups v2 in K8s and Docker workload attestors (#5076)
  • gcp_cloudstorage BundlePublisher plugin (#4961)
  • The aws_iid node attestor can now check if the AWS account ID is part of an AWS Organization (#4838)
  • More filtering options to count and show entries and agents (#4714)

Changed

  • Credential composer to not convert timestamp related claims (i.e., exp and iat) to floating point values (#5115)
  • FetchJWTBundles now returns an empty collection of keys instead of null (#5031)

Fixed

  • Use of expired tokens when connecting to the database (#5119)
  • Server no longer tries to create JWT authority when X.509 authority fails (#5064)
  • Issues in experimental events-based entry cache (#5030, #5037, #5042)

v1.9.5

08 May 00:07

Security

v1.8.11

07 May 21:34

Security

v1.9.4

06 Apr 00:05

Security

  • Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288