Releases: spiffe/spire

v1.4.7

15 Feb 00:16

Security

v1.5.4

13 Jan 01:15

Added

  • Support to run SPIRE as a Windows service (#3625)
  • Configure admin SPIFFE IDs from federated trust domains (#3642)
  • New selectors in the aws_iid NodeAttestor plugin (#3640)
  • Support for additional upstream root certificates to the awssecret UpstreamAuthority plugin (#3578)
  • Serial number and revision number to SVID minting logging (#3699)
  • spire-server federation CLI commands now support the -output flag (#3660)

Fixed

  • Service configurations provided by the gRPC resolver are now ignored by SPIRE Agent (#3712)
  • CLI commands that support the -output flag now properly show the default value for the flag (#3713)

v1.5.3

14 Dec 21:52

Added

  • A new gcp_kms KeyManager plugin is now available (#3410, #3638, #3653, #3655)
  • spire-server agent, spire-server bundle, and spire-server entry CLI commands now support the -output flag (#3523, #3624, #3628)

Changed

Fixed

  • oidc-discovery-provider healthcheck HTTP server now binds to all network interfaces for visibility outside containers using virtual IP (#3580)
  • k8s-workload-registrar CRD and reconcile modes now have correct example leader election RBAC YAML (#3617)

v1.5.2

07 Dec 03:11

Security

v1.4.6

07 Dec 03:09

Security

v1.5.1

08 Nov 22:49
cb79b8e

Fixed

  • The deprecated default_svid_ttl configurable is now correctly observed after fixing a regression

v1.5.0

02 Nov 22:39

Added

  • X.509-SVID and JWT-SVID TTLs can now be configured separately at both the entry-level and Server default level (#3445)
  • Entry protobuf type in /v1/entry API includes new jwt_svid_ttl field (#3445)
  • k8s-workload-registrar and oidc-discovery-provider CLIs now print their version when the -version flag is set (#3475)
  • Support for customizing SPIFFE ID paths of SPIRE Agents attested with the azure_msi NodeAttestor plugin (#3488)

Changed

  • Entry ttl protobuf field in /v1/entry API is renamed to x509_ttl (#3445)
  • External plugins can no longer be named join_token to avoid conflicts with the builtin plugin (#3469)
  • spire-server run command now supports DNS names for the configured bind address (#3421)
  • Documentation improvements (#3468, #3472, #3473, #3474, #3515)

Deprecated

  • k8s-workload-registrar is deprecated in favor of SPIRE Controller Manager (#3526)
  • Server default_svid_ttl configuration field is deprecated in favor of default_x509_svid_ttl and default_jwt_svid_ttl fields (#3445)
  • -ttl flag in spire-server entry create and spire-server entry update commands is deprecated in favor of -x509SVIDTTL and -jwtSVIDTTL flags (#3445)
  • -format flag in spire-agent fetch jwt CLI command is deprecated in favor of -output flag (#3528)
  • InMem telemetry collector is deprecated and no longer enabled by default (#3492)

Removed

  • NodeResolver plugin type and azure_msi builtin NodeResolver plugin (#3470)

v1.4.5

02 Nov 01:20

Security

  • Updated to Go 1.19.3 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows.

v1.3.6

02 Nov 00:39

Security

  • Updated to Go 1.18.8 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows.

v1.4.4

05 Oct 19:23
d6a022a

Added

  • Experimental support for limiting the number of SVIDs in the agent's cache (#3181)
  • Support for attesting Envoy proxy workloads when Istio is configured with holdApplicationUntilProxyStarts (#3460)

Changed

  • Improved bundle endpoint misconfiguration diagnostics (#3395)
  • OIDC Discovery Provider endpoint now has a timeout to read request headers (#3435)
  • Small documentation improvements (#3443)