v1.8.10

Security

• Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288

v1.9.3

Security

• Updated to Go 1.21.9 to address CVE-2023-45288
• Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

v1.8.9

Security

• Updated to Go 1.21.9 to address CVE-2023-45288
• Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

v1.9.2

Added

• Support for AWS IAM-based authentication with AWS RDS backed databases (#4828)
• Support for adjusting the SPIRE Server log level at runtime (#4880)
• New retry_bootstrap option to SPIRE Agent to retry failed bootstrapping with SPIRE Server, with a backoff, in lieu of failing the startup process (#4597)
• Improved logging (#4902, #4906)
• Documentation improvements (#4895, #4951, #4907)

v1.9.1

Security

• Update Go to 1.21.8 to patch CVE-2024-24783

v1.8.8

Security

• Update Go to v1.21.8 to patch CVE-2024-24783

v1.9.0

Added

• uniqueid CredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (#4862)
• Agent's Admin API has now a default location defined (#4856)
• Partial selectors from workload attestation are now logged when attestation is interrupted (#4846)
• X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (#4814)

Changed

• CA journal data is now stored in the datastore, removing the on-disk dependency of the server (#4690)
• aws_kms, azure_key_vault, and gcp_kms KeyManager plugins no longer require storing metadata files on disk (#4700)
• Bundle endpoint refresh hint now defaults to 5 minutes (#4847, #4888)
• Graceful shutdown is now blocked while built-in plugin RPCs drain (#4820)
• Entry cache hydration is now done with paginated requests to the datastore (#4721, #4826)
• Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (#4791)
• The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (#4773)
• Small documentation improvements (#4764, #4787)
• Read-replicas are no longer used when hydrating the experimental events-based entry cache (#4868)
• Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (#4611)

Fixed

• Missing creation of events in the experimental events-based cache entry when an entry was pruned (#4860)
• Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (#4852)
• Refreshing of selectors of attested agents when using the experimental events-based entry cache (#4803)

Deprecated

• k8s_sat NodeAttestor plugin (#4841)

Removed

• X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)

v1.8.7

Added

• Agents can now be configured with an availability target, which establishes the minimum amount of time desired to gracefully handle server or agent downtime, influencing how aggressively X509-SVIDs should be rotated (#4599)
• SyncAuthorizedEntries RPC, which allows agents to only sync down changes instead of the entire set of entries. Agents can be configured to use this new RPC through the use_sync_authorized_entries experimental setting (#4648)
• Experimental support for an events based entry cache which reduces overhead on the database (#4379, #4411, #4527, #4451, #4562, #4723, #4731)

Changed

• The maximum number of open database connections in the datastore now defaults to 100 instead of unlimited (#4656)
• Agents now shut down when they can't synchronize entries with the server due to an unknown authority error (#4617)

Removed

• Agents no longer maintains agent SVID and bundle information in the legacy paths in the data directory (#4717)

v1.8.6

Security

• Updated to Go 1.21.5 to address CVE-2023-39326

v1.7.6

Security

• Updated to Go 1.20.12 to address CVE-2023-39326