- Added `aws_kms` server KeyManager plugin that uses the AWS Key Management Service (KMS) (#2066)
- Added `gcp_cas` UpstreamAuthority plugin that uses the Certificate Authority Service from Google Cloud Platform (#2172)
- Improved error returned during attestation of agents (#2159)
- The `aws_iid` NodeAttestor plugin now supports running in a location with no public internet access available for the server (#2119)
- The `k8s` notifier can now rotate Admission Controller Webhook CA Bundles (#2022)
- Rate limiting on X.509 signing and JWT signing can now be disabled (#2142)
- Added uptime metrics in server and agent (#2032)
- Calls to KeyManager plugins now time out at 30 seconds (#2044)
- Added logging when lookup of user by uid or group by gid fails in the `unix` WorkloadAttestor plugin (#2048)
- The `k8s` WorkloadAttestor plugin now emits selectors for both image and image ID (#2116)
- HTTP readiness endpoint on agent now checks the health of the Workload API (#2015, #2087)
- SDS API in agent now returns an error if an SDS client requests resource names that don't exist (#2020)
- Bundle and k8s-workload-registrar endpoints now only accept clients using TLS v1.2+ (#2025)
- Registration entry update handling in CRD mode of the k8s-workload-registrar to prevent unnecessary issuance of new SVIDs (#2155)
- Failure to update CA bundle due to improper MySQL isolation level for read-modify-write operations (#2150)
- Regression preventing agent selectors from showing in `spire-server agent show` command (#2133)
- Issue in the token authentication method of the Vault Upstream Authority plugin (#2110)
- Reporting of errors in server entry cache telemetry (#2091)
- Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)
- Fixed CVE-2021-27098
- Fixed CVE-2021-27099
- Fixed file descriptor leak in peertracker
- Debug endpoints (#1792)
- Agent support for SDS v3 API (#1906)
- Improved metrics handling (#1885, #1925, #1932)
- Significantly improved performance related to performing agent authorization lookups (#1859, #1896, #1943, #1944, #1956)
- Database indexes to attested node columns (#1912)
- Support for configuring Vault roles, namespaces, and re-authentication to the Vault UpstreamAuthority plugin (#1871, #1981)
- Support for non-renewable Vault tokens to the Vault UpstreamAuthority plugin (#1965)
- Delete mode for federated bundles to the bundle API (#1897)
- The CLI now reads JSON from STDIN for entry create/update commands (#1905)
- Support for multiple CA bundle files in x509pop (#1949)
- Added `ExpiresAt` to `entry show` output (#1973)
- Added `k8s_psat:agent_node_ip` selector (#1979)
- The agent now shuts down when it is no longer attested (#1797)
- Internals now rely on new server APIs (#1849, #1878, #1907, #1908, #1909, #1913, #1947, #1982, #1998, #2001)
- Workload API now returns a standardized JWKS object (#1904)
- Log message casing and punctuation are more consistent with project guidelines (#1950, #1952)
- The Registration and Node APIs are deprecated, and a warning is logged on use (#1997)
- The `registration_api` configuration section is deprecated in favor of `server_api` in the k8s-workload-registrar (#2001)
- Removed some superfluous or otherwise unusable metrics and labels (#1881, #1946, #2004)
- Fixed CLI exit codes when entry create or update fails (#1990)
- Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (#1962)
- Fixed handling of the Vault PKI certificate chain (#2012, #2017)
- Fixed a bug that could cause some gRPC libraries to fail to connect to the server over HTTP/2 (#1968)
- Fixed Registration API to validate selector syntax (#1919)
- JWT-SVIDs that fail validation are no longer logged (#1953)
- Fixed CVE-2021-27098
- Fixed CVE-2021-27099
- Fixed file descriptor leak in peertracker
- Error messages related to a specific class of software bugs are now rate limited (#1901)
- Fixed an issue in the Upstream Authority plugin that could result in a delay in the propagation of bundle updates/changes (#1917)
- Fixed error messages when attestation is disabled (#1899)
- Fixed some incorrectly-formatted log messages (#1920)
- Added AWS PCA configurable allowing operators to provide additional CA certificates for inclusion in the bundle (#1574)
- Added a configurable to server for disabling rate limiting of node attestation requests (#1794, #1870)
- Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823)
- Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824)
- Fixed issue preventing brand new deployments from downgrading successfully (#1829)
- Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863)
- Introduced refactored server APIs (#1533, #1548, #1563, #1567, #1568, #1571, #1575, #1576, #1577, #1578, #1582, #1585, #1586, #1587, #1588, #1589, #1590, #1591, #1592, #1593, #1594, #1595, #1597, #1604, #1606, #1607, #1613, #1615, #1617, #1622, #1623, #1628, #1630, #1633, #1641, #1643, #1646, #1647, #1654, #1659, #1667, #1673, #1674, #1683, #1684, #1689, #1690, #1692, #1693, #1694, #1701, #1708, #1727, #1728, #1730, #1733, #1734, #1739, #1749, #1753, #1768, #1772, #1779, #1783, #1787, #1788, #1789, #1790, #1791)
- Unix workloads can now be attested using auxiliary group membership (#1771)
- The Kubernetes Workload Registrar now supports two new registration modes (`crd` and `reconcile`)
- Federation is now a stable feature (#1656, #1737, #1777)
- Removed support for the `UpstreamCA` plugin, which was deprecated in favor of the `UpstreamAuthority` plugin in v0.10.0 (#1699)
- Removed deprecated `upstream_bundle` server configurable. The server now always uses the upstream bundle as the trust bundle (#1702)
- The server's AWS node attestor subsumed all the functionality of the node resolver, which has been deprecated (#1705)
- Removed pluggability of the DataStore interface, restricting use to the current built-in `sql` plugin (#1707)
- Unknown config options now make the server and agent fail to start (#1714)
- Improved registration entry change detection on agent (#1720)
- `/tmp/agent.sock` is now the default socket path for the agent (#1738)
- Fixed CVE-2021-27098
- Fixed file descriptor leak in peertracker
- `vault` as Upstream Authority built-in plugin (#1611, #1632)
- Improved configuration file docs to list all possible configuration settings (#1608, #1618)
- Improved container ID parsing from cgroup path in the `docker` workload attestor plugin (#1605)
- Improved container ID parsing from cgroup path in the `k8s` workload attestor plugin (#1649)
- Envoy SDS support is now always on (#1579)
- Errors on agent SVID rotation are now fatal if the agent's current SVID has expired, forcing an agent restart (#1584)
- Added support for JWT-SVID in nested SPIRE topologies (#1388, #1394, #1396, #1406, #1409, #1410, #1411, #1415, #1416, #1417, #1423, #1440, #1455, #1458, #1469, #1476)
- Reduced database load under certain configurations (#1439)
- Agent now proactively rotates workload SVIDs in response to registration updates (#1441, #1477)
- Removed redundant telemetry counter in agent cache manager (#1445)
- Added environment variable config templating support (#1453)
- Added CreateEntryIfNotExists RPC to Registration API (#1464)
- The X.509 CA key now defaults to EC P-256 instead of EC P-384 (#1468)
- Added `validate` subcommand to the SPIRE Server and SPIRE Agent CLIs to validate the configuration file (#1471, #1489)
- Removed deprecated `ttl` configurable from upstreamauthority plugins (#1482)
- Fixed a bug which resulted in incorrect SHA for certain types of workloads (#1405)
- OIDC Discovery Provider now supports listening on a Unix Domain Socket (#1408)
- Fixed a bug that could lead to agent eviction if a crash occurred during agent SVID rotation (#1399)
- The `upstream_bundle` configurable now defaults to true, and is marked as deprecated (#1404)
- OIDC Discovery Provider and the Kubernetes Workload Registrar release binaries are now available via the `spire-extras` tarball (#1424)
- Introduced new plugin type UpstreamAuthority, which supports both X509-SVID and JWT-SVID as well as the ability to push upstream changes into SPIRE Server (#1388, #1394, #1406, #1455)
- AWS PCA, AWS Secrets, Disk and SPIRE UpstreamCA plugins have been ported to the UpstreamAuthority type (#1411, #1409, #1410, #1415)
- Introduced a new RPC `PushJWTKeyUpstream` in the Node API for publishing JWT-SVID signing keys from downstream servers (#1416)
- Introduced a new RPC `FetchBundle` in the Node API for fetching an up-to-date bundle (#1458)
- AWS PCA UpstreamAuthority plugin endpoint is now configurable (#1498)
- The UpstreamCA plugin type is now marked as deprecated in favor of the UpstreamAuthority plugin type (#1406)
- Fixed CVE-2021-27098
- Fixed file descriptor leak in peertracker
- Significantly reduced the server's database load (#1350, #1355, #1397)
- Improved consistency in SVID propagation time for some cases (#1352)
- AWS IID node attestor now supports the v2 metadata service (#1369)
- SQL datastore plugin now supports leveraging read-only replicas (#1363)
- Fixed a bug in which CA certificates may have an empty Subject if incorrectly configured (#1387)
- Server now logs an agent ID when an invalid agent makes a request (#1395)
- Fixed a bug in which the server CLI did not correctly show entries when querying with multiple selectors (#1398)
- Registration API now has an RPC for listing entries that supports paging (#1392)
- Fixed a crash when a key protecting the bundle endpoint is removed (#1326)
- Bundle endpoint client now supports Web-PKI authenticated endpoints (#1327)
- SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (#1294)
- Agent cache file writes are now atomic, more resilient (#1267)
- Introduced Google Cloud Storage bundle notifier plugin for server (#1227)
- Server and agent now detect unknown configuration options in supported blocks (#1289, #1299, #1306, #1307)
- Improved agent response to heavy server load through use of request backoffs (#1270)
- The in-memory telemetry sink can now be disabled, and will be by default in a future release (#1248)
- Agents will now re-balance connections to servers (and re-resolve DNS) automatically (#1265)
- Improved behavior of M3 duration telemetry (#1262)
- Fixed a bug in which MySQL deadlock may occur under heavy attestation load (#1291)
- KeyManager "disk" now emits a friendly error when directory option is missing (#1313)
- Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
- Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122, #1138, #1160, #1186, #1208)
- SQL auto-migration can be disabled (#1089)
- SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089)
- Agent CLI can provide information on attested nodes (#1098)
- SPIRE can tolerate small SVID expiration periods (#1115)
- Reduced Docker image sizes by roughly 25% (#1140)
- The `upstream_bundle` configurable is deprecated (#1147)
- Agents can be configured to bootstrap insecurely with SPIRE Servers for ease of evaluation (#1148)
- The issuer claim in JWT-SVIDs can be customized (#1164)
- SPIRE Server supports a wider variety of signing key types (#1169)
- New OIDC discovery provider that serves a compatible JWKS document with signing keys from the trust domain (#1170, #1175)
- New Upstream CA plugin that signs SPIRE Server CA CSRs using a Private Certificate Authority in AWS Certificate Manager (#1172)
- Agents respond more predictably when making requests to an overloaded SPIRE Server (#1182)
- Docker Workload Attestor supports a wider variety of cgroup drivers (#1188)
- Docker Workload Attestor supports selection based on container environment variables (#1205)
- Fixed an issue in which Kubernetes workload attestation occasionally fails to identify the caller (#1216)
- Fixed CVE-2021-27098
- Fixed file descriptor leak in peertracker
- Fixed spurious agent synchronization failures during agent SVID rotation (#1084)
- Added support for Kind to the Kubernetes Workload Attestor (#1133)
- Added support for ACME v2 to the bundle endpoint (#1187)
- Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (#1194)
- Upgrade to Go 1.12.12 in response to CVE-2019-17596 (#1204)
- Connection pool details in SQL DataStore plugin are now configurable (#1028)
- SQL DataStore plugin now emits telemetry (#998)
- The SPIFFE bundle endpoint now supports serving Web PKI via ACME (#1029)
- Fix Workload API socket permissions when enclosing directory is automatically created (#1048)
- The Kubernetes PSAT node attestor now emits node and pod label selectors (#1042)
- SVIDs can now be created directly against SPIRE server using the new `mint` feature (#1036)
- SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (#1061)
- Significant SQL DataStore performance improvements (#1069, #1079)
- Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (#1047)
- Registration entries with an expiry set are now automatically pruned from the datastore (#1056)
- Fix bug that resulted in authorized workloads being denied SVIDs (#1103)
- Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946)
- Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000)
- GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012)
- X.509 certificate serial numbers are now random 128-bit numbers (#999)
- Added SQL table indexes to SQL datastore to improve query performance (#1007)
- Improved metrics coverage (#931, #932, #935, #968)
- Plugins can now emit metrics (#990, #993)
- GCP CloudSQL support (#995)
- Experimental support for SPIFFE federation (#951, #983)
- Fixed a peertracker bug parsing /proc/PID/stat on Linux (#982)
- Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (#970)
- Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (#973)
- Server plugins can now query for attested agent information (#964)
- AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (#938, #963)
- K8S Workload Attestor now works with Docker's systemd cgroup driver (#950)
- Improved documentation and examples (#915, #916, #918, #926, #930, #940, #941, #948, #954, #955, #1014)
- Fixed SSH-based node attested agent IDs to be URL-safe (#944)
- Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with `upstream_bundle = false` (#939)
- Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (#929)
- Agent Node Attestor plugins no longer have to determine the agent ID (#922)
- GCP IIT node attestor can now be configured with the host used to obtain the token (#917)
- Fixed race in bundle pruning for HA deployments (#919)
- Disk UpstreamCA plugin now supports intermediate CAs (#910)
- Docker workload attestation now retries connections to the Docker daemon on transient failures (#901)
- New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (#885, #953)
- Logs can now be emitted in JSON format (#866)
- Fix a bug in which the agent periodically logged connection errors (#906)
- Kubernetes SAT node attestor now supports the TokenReview API (#904)
- Agent cache refactored to improve memory management and fix a leak (#863)
- UpstreamCA "disk" will now reload cert and keys when needed (#903)
- Introduced Nested SPIRE: server clusters can now be chained together (#890)
- Fix a bug in AWS IID NodeResolver with instance profile lookup (#888)
- Improved workload attestation and fixed a security bug related to PID reuse (#886)
- New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (#877)
- New plugin type Notifier for programmatically taking action on important events (#877)
- New NodeAttestor based on SSH certificates (#868, #870)
- v2 client library for Workload API interaction (#841)
- Back-compat bundle management code removed - bundle is now handled correctly (#858, #859)
- Plugins can now expose auxiliary services and consume host-based services (#840)
- Fix bug preventing agent recovery prior to its first SVID rotation (#839)
- Agent and server can now export telemetry to Prometheus, Statsd, DogStatsd (#817)
- Fix bug in SDS API that prevented updates following Envoy restart (#820)
- Kubernetes workload attestor now supports using the secure port (#814)
- Support for TLS-protected connections to MySQL (#821)
- X509-SVID can now include an optional CN/DNS SAN (#798)
- SQL DataStore plugin now supports MySQL (#784)
- Fix bug preventing agent from reconnecting to a new server after an error (#795)
- Fix bug preventing agent from shutting down when streams are open (#790)
- Registration entries can now have an expiry and be pruned automatically (#776, #793)
- New Kubernetes NodeAttestor based on PSAT for node specificity (#771, #860)
- New UpstreamCA plugin for AWS secret manager (#751)
- Healthcheck commands exposed in server and agent (#758, #763)
- Kubernetes workload attestor extended with additional selectors (#720)
- UpstreamCA "disk" now supports loading multiple key types (#717)
- Agent can now expose Envoy SDS API for TLS certificate installation rotation (#667)
- Agent now automatically creates its configured data dir if it doesn't exist (#678)
- Agent panic fixed in the event that rotation is attempted from non-attested node (#684)
- Docker workload attestor plugin introduced (#687)
- Agent and server no longer force a configured umask, upgrades it if too permissive (#686)
- Registration entry CLI utility now supports --node entry distinction (#695)
- Server can now evict previously-attested agents (#693)
- Official docker images are now published on build and release (#700)
- Fix non-random UUID bug by moving to gofrs-maintained uuid pkg (#659)
- Server now supports multiple node resolvers (#652)
- Server no longer allows agent to specify X.509 Subject value (#663)
- Registration API is now authenticated, can be reached remotely (#656)
- Fixed debug log message in the Node API handler (#666)
- Agent's KeyManager interface updated for better durability (#669)
- Use FQDN in the GCP Node Attestor to prevent reliance on shortname resolution (#672)
- Upgrade to Go 1.11.5 in response to CVE-2019-6486 (#690)
- Documentation updates for Azure plugins, agent, server (#629, #631, #642, #651, #654)
- Intermediate certificates now included in bundle for compatibility with 0.6 (#633)
- Attestation now fails if NodeResolver encounters an error (#634)
- Fix bootstrap bug when `upstream_bundle` is not set (#639)
- Additional telemetry points added, introduced telemetry in server (#640)
- CLI utilities now print TTL value of `default` instead of `0` when not set (#645)
- Fix bug in CLI utilities causing them to write PEM files with the wrong header (#647)
- Go runtime upgraded in response to CVE-2018-16875 (#653)
- Server now detects and prevents trust domain configuration change (#644)
- Fix vulnerability in which X.509 path validation is not performed on node API (#655)
- JWT Support (#616)
- Workload API now returns intermediate chains (#611)
- UNIX attestor now returns binary path and sha256 (#590)
- UNIX attestor now returns effective user and group name (#589)
- Node API now ratelimits expensive calls (#577)
- Soft delete disabled in SQL datastore plugin (#560)
- Basic federation support (#559, #563, #581, #582)
- Kubernetes node attestor (#557)
- AWS node resolver builtin (#554)
- Azure node attestor (#551)
- Azure node resolver (#553)
- KeyManager plugin interface for server (#539)
- Disk-based KeyManager server plugin (#532)
- x509pop now supports intermediate chains (#524)
- Fix bug that resulted in some SVIDs outliving CA (#520)
- Let agent fail over to different server on failure (#561)
- Node attestors can now return selectors (#516)
- Improved SPIFFE ID validation (#513, #515)
- Support for Azure node attestation (#551)
- Support for Azure node resolution (#553)
- Updated DNS resolution to support DNS-based HA failover (#561)
- Updated x509pop challenge to strengthen against signature replay attacks (#562)
- Removed sql plugin soft delete for better space management (#560)
- Performance improvements and bugfixes in sql plugin (#564)
- Support for HTTP/HTTPS CONNECT proxies (#568, #585)
- Updated Node API to perform ratelimiting (#577)
- Fixed SVID renewal bug (#520)
- Support separate file for intermediates in x509pop node attestor (#524)
- Allow node attestors to provide supplemental selectors (#516)
- ServerCA "memory" can now optionally persist keys to disk (#532)
- Config file updates so spire commands can be run from any CWD (#541)
- Minor doc/example fixes (#535)
- Added GCP Instance Identity Token (IIT) node attestation.
- Added X509 Proof-of-Possession node attestation.
- Added challenge/response support to node attestation API.
- SQL datastore plugin renamed. Now includes support for PostgreSQL.
- Improved k8s workload attestation resilience.
- Lots of bug fixes.