Spiffe

Latest version: v0.1.2


Page 1 of 16

1.9.3

Security

- Updated to Go 1.21.9 to address CVE-2023-45288
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

1.9.2

Added

- Support for AWS IAM-based authentication with AWS RDS backed databases (4828)
- Support for adjusting the SPIRE Server log level at runtime (4880)
- New `retry_bootstrap` option to SPIRE Agent to retry failed bootstrapping with SPIRE Server, with a backoff, in lieu of failing the startup process (4597)
- Improved logging (4902, 4906)
- Documentation improvements (4895, 4951, 4907)

1.9.1

Security

- Update Go to v1.21.8 to patch CVE-2024-24783

1.9.0

Added

- `uniqueid` CredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (4862)
- The Agent's Admin API now has a default location defined (4856)
- Partial selectors from workload attestation are now logged when attestation is interrupted (4846)
- X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (4814)

Changed

- CA journal data is now stored in the datastore, removing the on-disk dependency of the server (4690)
- `aws_kms`, `azure_key_vault`, and `gcp_kms` KeyManager plugins no longer require storing metadata files on disk (4700)
- Bundle endpoint refresh hint now defaults to 5 minutes (4847, 4888)
- Graceful shutdown is now blocked while built-in plugin RPCs drain (4820)
- Entry cache hydration is now done with paginated requests to the datastore (4721, 4826)
- Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (4791)
- The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (4773)
- Small documentation improvements (4764, 4787)
- Read-replicas are no longer used when hydrating the experimental events-based entry cache (4868)
- Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (4611)

Fixed

- Missing creation of events in the experimental events-based cache entry when an entry was pruned (4860)
- Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (4852)
- Refreshing of selectors of attested agents when using the experimental events-based entry cache (4803)

Deprecated

- `k8s_sat` NodeAttestor plugin (4841)

Removed

- X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (4862)

1.8.9

Security

- Updated to Go 1.21.9 to address CVE-2023-45288
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

1.8.8

Security

- Update Go to v1.21.8 to patch CVE-2024-24783
