Releases: spiffe/spire
Releases · spiffe/spire
v1.10.4
Fixed
- Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk#66, spiffe/spire-plugin-sdk#39)
v1.10.3
v1.10.2
Added
http_challenge
NodeAttestor plugin (#4909)- Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (#5272)
- Metrics for monitoring the event-based cache (#5411)
Changed
- Delegated Identity API to allow subscription by process ID (#5272)
- Agent Debug endpoint to count SVIDs by type (#5352)
- Agent health check to report an unhealthy status until the Agent SVID is attested (#5298)
- Small documentation improvements (#5393)
Fixed
v1.10.1
v1.10.0
Added
- Plugin reconfiguration support using the
plugin_data_file
configurable (#5166)
Changed
- SPIRE Server and OIDC provider images to use non root users (#4967, #5227)
k8s_psat
NodeAttestor attestor to no longer fail when a cluster is not configured (#5216)- Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
- Small documentation improvements (#5181, #5189)
- Evicted agents that support reattestation can now reattest without being restarted (#4991)
Fixed
- PSAT node attestor to cross check the audience fields (#5142)
- Events-based cache to handle out of order events (#5071)
Deprecated
x509_svid_cache_max_size
anddisable_lru_cache
in agent configuration (#5150)
Removed
- The deprecated
disable_reattest_to_renew
agent configurable (#5217) - The deprecated
key_metadata_file
configurable from theaws_kms
,azure_key_vault
andgcp_kms
server KeyManagers (#5207) - The deprecated
use_msi
configurable from theazure_key_vault
server KeyManager andazure_msi
NodeAttestor (#5207, #5209) - The deprecated
exclude_sn_from_ca_subject
server configurable (#5203) - Agent no longer cleans up deprecated bundle and SVID files (#5205)
- The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up (#5202)
v1.9.6
Added
- Opt-in support for CGroups v2 in K8s and Docker workload attestors (#5076)
gcp_cloudstorage
BundlePublisher plugin (#4961)- The
aws_iid
node attestor can now check if the AWS account ID is part of an AWS Organization (#4838) - More filtering options to count and show entries and agents (#4714)
Changed
- Credential composer to not convert timestamp related claims (i.e., exp and iat) to floating point values (#5115)
- FetchJWTBundles now returns an empty collection of keys instead of null (#5031)
Fixed
v1.9.5
Security
- Updated to Go 1.21.10 to address CVE-2024-24788
v1.8.11
Security
- Updated to Go 1.21.10 to address CVE-2024-24788
v1.9.4
Security
- Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288
v1.8.10
Security
- Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288