Releases: spiffe/spire

v1.3.0

12 May 15:52
6a17b26

Added

  • Experimental Windows support (https://github.com/spiffe/spire/projects/12)
  • Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)
  • Configurable leader election resource lock type for the K8s Workload Registrar (#3030)
  • Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (#2789)
  • CanReattest flag to NodeAttestor responses to facilitate future features (#2646)

Fixed

  • Spurious message to STDOUT when there is no plugin_data section configured for a plugin (#2927)

Changed

  • SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (#2965)
  • SPIRE no longer prepends slashes to paths passed to the API when missing (#2963)
  • K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (#2921)
  • Improved error messaging when unauthorized resources are requested via SDS (#2916)
  • Small documentation improvements (#2934, #2947, #3013)

Deprecated

  • The webhook mode for the K8s Workload Registrar has been deprecated (#2964)

v1.2.4

12 May 15:49
8a81bd7

Added

  • Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)

v1.1.5

12 May 15:59
a16dff4

Added

  • Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)

v1.0.4

13 May 21:07

Added

  • Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)

v1.2.3

13 Apr 03:34

Security

v1.1.4

13 Apr 17:36

Security

v1.2.2

07 Apr 20:39

Added

  • SPIRE Server and Agent log files can be rotated by sending the SIGUSR2 signal to the process (#2703)
  • K8s Workload Registrar CRD mode now supports registering "downstream" workloads (#2885)
  • SPIRE can now be compiled on macOS machines with an Apple Silicon CPU (#2876)
  • Small documentation improvements (#2851)

Changed

  • SPIRE Server no longer sets the DigitalSignature KeyUsage bit in its CA certificate (#2896)

Fixed

  • The k8sbundle Notifier plugin in SPIRE Server no longer consumes excessive CPU cycles (#2857)

v1.2.1

16 Mar 22:07
71bd1e0

Added

  • The SPIRE Agent fetch jwt CLI command now supports JSON output (#2650)

Changed

  • OIDC Discovery Provider now includes the alg parameter in JWKs to increase compatibility (#2771)
  • SPIRE Server now gracefully stops plugin servers, allowing outstanding RPCs a chance to complete (#2722)
  • SPIRE Server logs additional authorization information with RPC requests (#2776)
  • Small documentation improvements (#2746, #2792)

Fixed

  • SPIRE Server now properly rotates signing keys when prepared or activated keys are lost from the database (#2770)
  • The AWS IID node attestor now works with instance profiles which have paths (#2825)
  • Fixed a crash in SPIRE Agent caused by a race on the agent cache (#2699)

v1.2.0

28 Jan 19:58
60b7e12

Added

  • SPIRE Server can now be configured to mint agent SVIDs with a specific TTL (#2667)
  • A set of fixed admin SPIFFE IDs can now be configured in SPIRE Server (#2677)

Changed

  • Upstream signed CA chain is now validated to prevent misconfigurations (#2644)
  • Improved SVID signing logs to include more context (#2678)
  • The deprecated agent key file (svid.key) is no longer proactively removed by the agent (#2671)
  • Improved errors when agent path template execution fails due to missing key (#2683)
  • SPIRE now consumes the SVIDStore V1 interface published in the SPIRE Plugin SDK (#2688)

Deprecated

  • API support for paths without leading slashes in spire.api.types.SPIFFEID messages has been deprecated (#2686, #2692)
  • The SVIDStore V1 interface published in SPIRE repository has been renamed to svidstore.V1Unofficial and is now deprecated in favor of the interface published in the SPIRE Plugin SDK (#2688)

Removed

  • The deprecated domain configurable has been removed from the SPIRE OIDC Discovery Provider (#2672)
  • The deprecated allow_unsafe_ids configurable has been removed from SPIRE Server (#2685)

v1.1.3

07 Jan 22:13
00efb5b

Security