Tags: joaoguazzelli/spire
0.12.0

=== Added ===
- Debug endpoints (spiffe#1792)
- Agent support for SDS v3 API (spiffe#1906)
- Improved metrics handling (spiffe#1885, spiffe#1925, spiffe#1932)
- Significantly improved performance related to performing agent authorization lookups (spiffe#1859, spiffe#1896, spiffe#1943, spiffe#1944, spiffe#1956)
- Database indexes to attested node columns (spiffe#1912)
- Support for configuring Vault roles, namespaces, and re-authentication to the Vault UpstreamAuthority plugin (spiffe#1871, spiffe#1981)
- Support for non-renewable Vault tokens to the Vault UpstreamAuthority plugin (spiffe#1965)
- Delete mode for federated bundles to the bundle API (spiffe#1897)
- The CLI now reads JSON from STDIN for entry create/update commands (spiffe#1905)
- Support for multiple CA bundle files in x509pop (spiffe#1949)
- Added `ExpiresAt` to `entry show` output (spiffe#1973)
- Added `k8s_psat:agent_node_ip` selector (spiffe#1979)

=== Changed ===
- The agent now shuts down when it is no longer attested (spiffe#1797)
- Internals now rely on new server APIs (spiffe#1849, spiffe#1878, spiffe#1907, spiffe#1908, spiffe#1909, spiffe#1913, spiffe#1947, spiffe#1982, spiffe#1998, spiffe#2001)
- Workload API now returns a standardized JWKS object (spiffe#1904)
- Log message casing and punctuation are more consistent with project guidelines (spiffe#1950, spiffe#1952)

=== Deprecated ===
- The Registration and Node APIs are deprecated, and a warning is logged on use (spiffe#1997)
- The `registration_api` configuration section is deprecated in favor of `server_api` in the k8s-workload-registrar (spiffe#2001)

=== Removed ===
- Removed some superfluous or otherwise unusable metrics and labels (spiffe#1881, spiffe#1946, spiffe#2004)

=== Fixed ===
- Fixed CLI exit codes when entry create or update fails (spiffe#1990)
- Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (spiffe#1962)
- Fixed handling of the Vault PKI certificate chain (spiffe#2012, spiffe#2017)
- Fixed a bug that could cause some gRPC libraries to fail to connect to the server over HTTP/2 (spiffe#1968)
- Fixed Registration API to validate selector syntax (spiffe#1919)

=== Security ===
- JWT-SVIDs that fail validation are no longer logged (spiffe#1953)

v0.11.2, proto/spire/v0.11.2

- Error messages related to a specific class of software bugs are now rate limited (spiffe#1901)
- Fixed an issue in the Upstream Authority plugin that could result in a delay in the propagation of bundle updates/changes (spiffe#1917)
- Fixed error messages when attestation is disabled (spiffe#1899)
- Fixed some incorrectly-formatted log messages (spiffe#1920)

v0.11.1, proto/spire/v0.11.1

- Added AWS PCA configurable allowing operators to provide additional CA certificates for inclusion in the bundle (spiffe#1574)
- Added a configurable to server for disabling rate limiting of node attestation requests (spiffe#1794, spiffe#1870)
- Fixed Kubernetes Workload Registrar issues (spiffe#1814, spiffe#1818, spiffe#1823)
- Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (spiffe#1824)
- Fixed issue preventing brand new deployments from downgrading successfully (spiffe#1829)
- Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (spiffe#1863)

0.11.0

- Introduced refactored server APIs (spiffe#1533, spiffe#1548, spiffe#1563, spiffe#1567, spiffe#1568, spiffe#1571, spiffe#1575, spiffe#1576, spiffe#1577, spiffe#1578, spiffe#1582, spiffe#1585, spiffe#1586, spiffe#1587, spiffe#1588, spiffe#1589, spiffe#1590, spiffe#1591, spiffe#1592, spiffe#1593, spiffe#1594, spiffe#1595, spiffe#1597, spiffe#1604, spiffe#1606, spiffe#1607, spiffe#1613, spiffe#1615, spiffe#1617, spiffe#1622, spiffe#1623, spiffe#1628, spiffe#1630, spiffe#1633, spiffe#1641, spiffe#1643, spiffe#1646, spiffe#1647, spiffe#1654, spiffe#1659, spiffe#1667, spiffe#1673, spiffe#1674, spiffe#1683, spiffe#1684, spiffe#1689, spiffe#1690, spiffe#1692, spiffe#1693, spiffe#1694, spiffe#1701, spiffe#1708, spiffe#1727, spiffe#1728, spiffe#1730, spiffe#1733, spiffe#1734, spiffe#1739, spiffe#1749, spiffe#1753, spiffe#1768, spiffe#1772, spiffe#1779, spiffe#1783, spiffe#1787, spiffe#1788, spiffe#1789, spiffe#1790, spiffe#1791)
- Unix workloads can now be attested using auxiliary group membership (spiffe#1771)
- The Kubernetes Workload Registrar now supports two new registration modes (`crd` and `reconcile`)
- Federation is now a stable feature (spiffe#1656, spiffe#1737, spiffe#1777)
- Removed support for the `UpstreamCA` plugin, which was deprecated in favor of the `UpstreamAuthority` plugin in v0.10.0 (spiffe#1699)
- Removed deprecated `upstream_bundle` server configurable. The server now always uses the upstream bundle as the trust bundle (spiffe#1702)
- The server's AWS node attestor subsumed all the functionality of the node resolver, which has been deprecated (spiffe#1705)
- Removed pluggability of the DataStore interface, restricting use to the current built-in `sql` plugin (spiffe#1707)
- Unknown config options now make the server and agent fail to start (spiffe#1714)
- Improved registration entry change detection on agent (spiffe#1720)
- `/tmp/agent.sock` is now the default socket path for the agent (spiffe#1738)

0.10.1

- `vault` as Upstream Authority built-in plugin (spiffe#1611, spiffe#1632)
- Improved configuration file docs to list all possible configuration settings (spiffe#1608, spiffe#1618)
- Improved container ID parsing from cgroup path in the `docker` workload attestor plugin (spiffe#1605)
- Improved container ID parsing from cgroup path in the `k8s` workload attestor plugin (spiffe#1649)
- Envoy SDS support is now always on (spiffe#1579)
- Errors on agent SVID rotation are now fatal if the agent's current SVID has expired, forcing an agent restart (spiffe#1584)