- Experimental Windows support (<https://github.com/spiffe/spire/projects/12>)
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (3009, 3014, 3020, 3034)
- Configurable leader election resource lock type for the K8s Workload Registrar (3030)
- Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (2789)
- CanReattest flag to NodeAttestor responses to facilitate future features (2646)
Fixed
- Spurious message to STDOUT when there is no plugin_data section configured for a plugin (2927)
Changed
- SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (2965)
- SPIRE no longer prepends slashes to paths passed to the API when missing (2963)
- K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (2921)
- Improved error messaging when unauthorized resources are requested via SDS (2916)
- Small documentation improvements (2934, 2947, 3013)
Deprecated
- The webhook mode for the K8s Workload Registrar has been deprecated (2964)
1.2.5
Security
- Updated to Go 1.17.12 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
1.2.4
Added
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (3009, 3014, 3020, 3034)
1.2.3
Security
- Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536
1.2.2
Added
- SPIRE Server and Agent log files can be rotated by sending the `SIGUSR2` signal to the process (2703)
- K8s Workload Registrar CRD mode now supports registering "downstream" workloads (2885)
- SPIRE can now be compiled on macOS machines with an Apple Silicon CPU (2876)
- Small documentation improvements (2851)
Changed
- SPIRE Server no longer sets the `DigitalSignature` KeyUsage bit in its CA certificate (2896)
Fixed
- The `k8sbundle` Notifier plugin in SPIRE Server no longer consumes excessive CPU cycles (2857)
1.2.1
Added
- The SPIRE Agent `fetch jwt` CLI command now supports JSON output (2650)
Changed
- OIDC Discovery Provider now includes the `alg` parameter in JWKs to increase compatibility (2771)
- SPIRE Server now gracefully stops plugin servers, allowing outstanding RPCs a chance to complete (2722)
- SPIRE Server logs additional authorization information with RPC requests (2776)
- Small documentation improvements (2746, 2792)
Fixed
- SPIRE Server now properly rotates signing keys when prepared or activated keys are lost from the database (2770)
- The AWS IID node attestor now works with instance profiles which have paths (2825)
- Fixed a crash in SPIRE Agent caused by a race on the agent cache (2699)