Releases: spiffe/spire

v1.8.5

22 Nov 22:09
ae8cfd3

Added

  • All credential types supported by Azure can now be used in azure_msi NodeAttestor plugin and azure_key_vault KeyManager plugin (#4568)
  • EnableHostnameLabel field in Server and Agent telemetry configuration section that enables addition of a hostname label to metrics (#4584)

Changed

  • Agent SDS API now provides a SPIFFEValidationContext as the default CertificateValidationContext when the Envoy version cannot be determined (#4618)
  • Server CAs now contain a serialNumber attribute in the Subject DN (#4585)
  • Improved accuracy of Agent log message for SVID renewal events (#4654)

Deprecated

  • use_msi configuration fields in azure_msi NodeAttestor plugin and azure_key_vault KeyManager plugin are deprecated in favor of the chained Azure SDK credential loading strategy (#4568)

Fixed

  • Agent SDS API now provides the correct CertificateValidationContext when Envoy is registered in SPIRE after the first SDS request (#4611)

v1.8.4

08 Nov 02:01

Security

v1.7.5

08 Nov 00:34

Security

v1.8.3

25 Oct 21:26
eaa04d5

Added

  • SPIRE Agent distributes sync requests to the SPIRE server to mitigate thundering herd situations (#4534)
  • Allow configuring prefixes for all metrics (#4535)
  • Documentation improvements (#4579, #4569)

Changed

  • SPIRE Agent performs the initial sync more aggressively when tuned with a longer sync interval (#4479)

Fixed

  • Release artifacts have the correct version information (#4564)
  • The SPIRE Agent insecureBootstrap and trustBundleUrl configurables are now mutually exclusive (#4532)
  • Bug preventing JWT-SVIDs from being minted when a Credential Composer plugin is configured (#4489)

v1.8.2

12 Oct 22:25

Security

v1.7.4

12 Oct 21:23

Security

v1.8.1

10 Oct 23:21

Security

v1.7.3

10 Oct 22:15

Security

v1.8.0

20 Sep 17:39
872f76d

Added

  • azure_key_vault KeyManager plugin (#4458)
  • Server configuration to set refresh hint of local bundle (#4400)
  • Support for batch entry deletion in spire-server CLI (#4371)
  • aws_iid NodeAttestor can now be used in AWS Gov Cloud and China regions (#4427)
  • status_code and status_message fields in SPIRE Agent logs on gRPC errors (#4262)

Changed

  • Bundle server configuration is now organized by endpoint profiles (#4476)
  • Release artifacts are now statically linked with musl rather than glibc (#4491)
  • Agents no longer request unused SVIDs for node aliases they belong to, reducing server signing load (#4467)
  • Entry IDs can now be optionally set by the client for BatchCreateEntry requests (#4477)

Fixed

  • Concurrent workload attestation using systemd plugin (#4360)
  • Bug in k8s WorkloadAttestor plugin that failed attestation in some scenarios (#4468)
  • Server can now be run on Linux arm64 when using SQLite (#4491)

Removed

  • Support for Envoy SDS v2 API (#4444)
  • Server no longer cleans up stale data in the database on startup (#4443)
  • Server no longer deletes entries with invalid SPIFFE IDs on startup (#4449)

v1.7.2

16 Aug 22:31
a6ce058

Added

  • aws_s3 BundlePublisher plugin (#4355)
  • SPIRE Server bundle endpoint now includes bundle sequence number (#4389)
  • Telemetry in experimental Agent LRU cache (#4335)
  • Telemetry in Agent Delegated Identity API (#4399)
  • Documentation improvements (#4336, #4407)

Fixed

  • Server no longer unnecessarily activates its CA a second time on startup (#4368)