Spiffe

Latest version: v0.1.4


Page 1 of 18

1.11.0

Added

- Support for forced rotation and revocation (<https://github.com/orgs/spiffe/projects/21>)
- New EJBCA UpstreamAuthority plugin for SPIRE Server (5378)
- Support for variables in templates contained in the config file (5576)
- Support for the configuration validation RPC on all built-in plugins (5303)
- Improved logging when built-in plugins panic (5476)
- Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (5408)
- Documentation additions and improvements (5589, 5588, 5499, 5433, 5430, 5269)

Changed

- SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the `x509_svid_cache_max_size` configuration option. (5383, 5531)
- Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (5506)
- Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (5454)

Removed

- Deprecated -ttl flag from the SPIRE Server `entry create` and `entry update` commands (5483)
- Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (5487)

Fixed

- Missing TrustDomain field passed to x509pop path template (5577)
- Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (5509)

1.10.4

Fixed

- Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk#66, spiffe/spire-plugin-sdk#39)

1.10.3

Fixed

- Regression in agent health check, requiring the agent to have an SVID on disk to be healthy (5459)

1.10.2

Added

- `http_challenge` NodeAttestor plugin (4909)
- Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (5272)
- Metrics for monitoring the event-based cache (5411)

Changed

- Delegated Identity API to allow subscription by process ID (5272)
- Agent Debug endpoint to count SVIDs by type (5352)
- Agent health check to report an unhealthy status until the Agent SVID is attested (5298)
- Small documentation improvements (5393)

Fixed

- `aws_iid` NodeAttestor to properly handle multiple network interfaces (5300)
- Server configuration to correctly propagate the `sql_transaction_timeout` setting in the experimental events-based cache (5345)

1.10.1

Added

- New Grafana dashboard template (5188)
- `aws_rolesanywhere_trustanchor` BundlePublisher plugin (5048)

Changed

- `spire` UpstreamAuthority to optionally use the Preferred TTL on intermediate authorities (5264)
- Federation endpoint to support custom bundle and certificates for authorization (5163)
- Small documentation improvements (5235, 5220)

Fixed

- Event-based cache to handle events missed at the cache startup (5289)
- LRU cache to no longer send update notifications to all subscribers (5281)

1.10.0

Added

- Plugin reconfiguration support using the `plugin_data_file` configurable (5166)
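The `plugin_data_file` configurable, as an added illustration that is not taken from the SPIRE changelog or the project's own documentation: a built-in server plugin whose configuration is kept in a separate file instead of an inline `plugin_data {}` block, so the plugin can be reconfigured without restarting the server. The file paths, cluster name and service account are assumptions chosen for the example.

```hcl
# --- /etc/spire/server/server.conf (excerpt; path is an assumption) ---
plugins {
    NodeAttestor "k8s_psat" {
        # plugin_data_file replaces an inline plugin_data {} block; the two
        # are alternatives, not complementary. The file holds exactly what
        # plugin_data {} would otherwise contain.
        plugin_data_file = "/etc/spire/server/plugins/k8s_psat.conf"
    }
}

# --- /etc/spire/server/plugins/k8s_psat.conf (path is an assumption) ---
# Cluster name and service account are placeholders for this example.
clusters = {
    "prod-cluster" = {
        service_account_allow_list = ["spire:spire-agent"]
    }
}
```

Treat the external file with the same care as the server config itself: it decides which Kubernetes service accounts may attest as agents, so it must not be writable by anything other than the process that deploys SPIRE.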

Changed

- SPIRE Server and OIDC provider images to use non-root users (4967, 5227)
- `k8s_psat` NodeAttestor to no longer fail when a cluster is not configured (5216)
- Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (5204)
- Small documentation improvements (5181, 5189)
- Evicted agents that support reattestation can now reattest without being restarted (4991)

Fixed

- PSAT node attestor to cross-check the audience fields (5142)
- Events-based cache to handle out of order events (5071)

Deprecated

- `x509_svid_cache_max_size` and `disable_lru_cache` in agent configuration (5150)
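The agent cache settings this deprecation refers to, together with the 1.11.0 change that made the LRU identity cache unconditional, as an added example that is not part of the SPIRE changelog or the project's documentation. The pre-1.10 placement of the two knobs inside an `experimental {}` block, the trust domain, server address, paths and cache size are all assumptions for illustration; check the agent configuration reference for the version you run.

```hcl
# --- Before (the deprecated form; assumed location inside experimental {}) ---
agent {
    trust_domain   = "example.org"              # assumption
    server_address = "spire-server"             # assumption
    server_port    = "8081"
    data_dir       = "/opt/spire/data/agent"    # assumption
    experimental {
        disable_lru_cache        = true         # no longer honoured from 1.11.0
        x509_svid_cache_max_size = 500
    }
}

# --- After (1.11.0): the LRU cache is always on; only its size is tunable ---
agent {
    trust_domain   = "example.org"              # assumption
    server_address = "spire-server"             # assumption
    server_port    = "8081"
    data_dir       = "/opt/spire/data/agent"    # assumption
    # Upper bound on X509-SVIDs held in memory. Once it is exceeded the
    # least-recently-used identities are evicted and fetched again on demand.
    x509_svid_cache_max_size = 500
}
```

Size the cache to at least the number of distinct registration entries the agent is expected to serve at once. A cache smaller than that working set does not fail, but identities are dropped and re-minted on every eviction, which surfaces as extra signing load on the server rather than as an error on the agent.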

Removed

- The deprecated `disable_reattest_to_renew` agent configurable (5217)
- The deprecated `key_metadata_file` configurable from the `aws_kms`, `azure_key_vault` and `gcp_kms` server KeyManagers (5207)
- The deprecated `use_msi` configurable from the `azure_key_vault` server KeyManager and `azure_msi` NodeAttestor (5207, 5209)
- The deprecated `exclude_sn_from_ca_subject` server configurable (5203)
- Agent no longer cleans up deprecated bundle and SVID files (5205)
- The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up (5202)


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.