- Updated to Go 1.17.12 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
1.2.4
Added
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (3009, 3014, 3020, 3034)
1.2.3
Security
- Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536
1.2.2
Added
- SPIRE Server and Agent log files can be rotated by sending the `SIGUSR2` signal to the process (2703)
- K8s Workload Registrar CRD mode now supports registering "downstream" workloads (2885)
- SPIRE can now be compiled on macOS machines with an Apple Silicon CPU (2876)
- Small documentation improvements (2851)
Changed
- SPIRE Server no longer sets the `DigitalSignature` KeyUsage bit in its CA certificate (2896)
Fixed
- The `k8sbundle` Notifier plugin in SPIRE Server no longer consumes excessive CPU cycles (2857)
1.2.1
Added
- The SPIRE Agent `fetch jwt` CLI command now supports JSON output (2650)
Changed
- OIDC Discovery Provider now includes the `alg` parameter in JWKs to increase compatibility (2771)
- SPIRE Server now gracefully stops plugin servers, allowing outstanding RPCs a chance to complete (2722)
- SPIRE Server logs additional authorization information with RPC requests (2776)
- Small documentation improvements (2746, 2792)
Fixed
- SPIRE Server now properly rotates signing keys when prepared or activated keys are lost from the database (2770)
- The AWS IID node attestor now works with instance profiles which have paths (2825)
- Fixed a crash in SPIRE Agent caused by a race on the agent cache (2699)
1.2.0
Added
- SPIRE Server can now be configured to mint agent SVIDs with a specific TTL (2667)
- A set of fixed admin SPIFFE IDs can now be configured in SPIRE Server (2677)
Changed
- Upstream signed CA chain is now validated to prevent misconfigurations (2644)
- Improved SVID signing logs to include more context (2678)
- The deprecated agent key file (`svid.key`) is no longer proactively removed by the agent (2671)
- Improved errors when agent path template execution fails due to missing key (2683)
- SPIRE now consumes the SVIDStore V1 interface published in the SPIRE Plugin SDK (2688)
Deprecated
- API support for paths without leading slashes in `spire.api.types.SPIFFEID` messages has been deprecated (2686, 2692)
- The SVIDStore V1 interface published in SPIRE repository has been renamed to `svidstore.V1Unofficial` and is now deprecated in favor of the interface published in the SPIRE Plugin SDK (2688)
Removed
- The deprecated `domain` configurable has been removed from the SPIRE OIDC Discovery Provider (2672)
- The deprecated `allow_unsafe_ids` configurable has been removed from SPIRE Server (2685)