Spiffe

Added

- The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (5593, 5625)
- The JWT-SVID cache in the agent is now configurable (5633)
- The JWT issuer is now configurable in the OIDC Discovery Provider (5657)

Changed

- CA journal now relies on the authority ID instead of the issued time when updating the status of keys (5622)

Fixed

- Spelling and grammar fixes (5571)
- Handling of IPv6 address consistently for the binding address of the server and health checks (5623)
- Link to Telemetry documentation in the Contributing guide (5650)
- Handling of registration entries with revision number 0 when the agent syncs entries with the server (5680)

Known Issues

- Setting the new `jwt_issuer` configuration property in oidc-discovery-provider is not compatible with deployments that use a server port other than 443 (5696)
- Domain verification is bypassed when setting the new `jwt_issuer` configuration property in oidc-discovery-provider (5697)

Added

- Support for forced rotation and revocation (<https://github.com/orgs/spiffe/projects/21>)
- New EJBCA UpstreamAuthority plugin for SPIRE Server (5378)
- Support for variables in templates contained in the config file (5576)
- Support for the configuration validation RPC on all built-in plugins (5303)
- Improved logging when built-in plugins panic (5476)
- Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (5408)
- Documentation additions and improvements (5589, 5588, 5499, 5433, 5430, 5269)

Changed

- SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the `x509_svid_cache_max_size` configuration option. (5383, 5531)
- Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (5506)
- Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (5454)

Removed

- Deprecated -ttl flag from the SPIRE Server `entry create` and `entry update` commands (5483)
- Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (5487)

Fixed

- Missing TrustDomain field passed to x509pop path template (5577)
- Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (5509)

Fixed

- Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk66, spiffe/spire-plugin-sdk39)

Fixed

- Regression in agent health check, requiring the agent to have an SVID on disk to be healthy (5459)

Added

- `http_challenge` NodeAttestor plugin (4909)
- Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (5272)
- Metrics for monitoring the event-based cache (5411)

Changed

- Delegated Identity API to allow subscription by process ID (5272)
- Agent Debug endpoint to count SVIDs by type (5352)
- Agent health check to report an unhealthy status until the Agent SVID is attested (5298)
- Small documentation improvements (5393)

Fixed

- `aws_iid` NodeAttestor to properly handle multiple network interfaces (5300)
- Server configuration to correctly propagate the `sql_transaction_timeout` setting in the experimental events-based cache (5345)

Added

- New Grafana dashboard template (5188)
- `aws_rolesanywhere_trustanchor` BundlePublisher plugin (5048)

Changed

- `spire` UpstreamAuthority to optionally use the Preferred TTL on intermediate authorities (5264)
- Federation endpoint to support custom bundle and certificates for authorization (5163)
- Small documentation improvements (5235, 5220)

Fixed

- Event-based cache to handle events missed at the cache startup (5289)
- LRU cache to no longer send update notifications to all subscribers (5281)