Spiffe

Added

- SPIRE images are now published to GitHub Container Registry. They will continue to be published to Google Container Registry over the course of the next release (2576,2580)
- SPIRE Server now implements the [TrustDomain API](https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/trustdomain/v1/trustdomain.proto) and related CLI commands (<https://github.com/spiffe/spire/projects/11>)
- The SVIDStore plugin type has been introduced to enable, amongst other things, agentless workload scenarios (2176,2483)
- The TPM DevID Node Attestor emits a new `issuer:cn` selector with the common name of the issuing certificate (2581)
- The K8s Bundle Notifier plugin now supports pushing the bundle to resources in multiple clusters (2531)
- A built-in AWS Secrets Manager SVIDStore plugin has been introduced, which can push workload SVIDs into AWS secrets for use in Lambda functions, etc. (2542)
- The agent and entry list commands in the CLI gained additional filtering capabilities (2478,2479)
- The GCP CAS UpstreamAuthority has a new `ca_pool` configurable to identify which CA pool the signing CA resides in (2569)

Changed

- With the GA release of GCP CAS, the UpstreamAuthority plugin now needs to know which pool the CA belongs to. If not configured, it will do a pessimistic scan of all pools to locate the correct CA. This scan will be removed in a future release (2569)
- The K8s Workload Registrar now supports Kubernetes 1.22 (2515,2540)
- Self-signed CA certificates serial numbers are now conformant to RFC 5280 (2494)
- The AWS KMS Key Manager plugin now creates keys with a very strict policy by default (2424)
- The deprecated agent key file (`svid.key`) is proactively removed by the agent. It was only maintained to accomodate rollback from v1.0 to v0.12 (2493)

Removed

- Support for the deprecated Registration API has been removed (2487)
- Legacy (v0) plugin support has been removed. All plugins must now be authored using the plugin SDK.
- The deprecated `service_account_whitelist` configurables have been removed from the SAT and PSAT Node Attestor plugins (2543)
- The deprecated `projectid_whitelist` configurable has been removed from the GCP IIT Node Attestor plugin (2492)
- The deprecated `bundle_endpoint` and `registration_uds_path` configurables have been removed from SPIRE Server (2486,2519)

Fixed

- The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (2569)
- Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (2582)
- Kubernetes Workload Attestor now uses the canonical path for the service account token (2583)
- The server socketPath is now appropriately overridden via the configuration file (2570)
- The server now restarts appropriately after undergoing forceful shutdown (2496)
- The server CLI list commands now work reliably for large listings (2456)

Added

- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (3009,3014,3020,3034)

Security

- Fixed CVE-2021-44716

Added

- Experimental support for custom authorization policies based on Open Policy Agent (OPA) (2416)
- SPIRE Server can now be configured to emit audit logs (2297, 2391, 2394, 2396, 2442, 2458)
- Envoy SDS v3 API in agent now supports the SPIFFE Certificate Validator for federated SPIFFE authentication (2435, 2460)
- SPIRE OIDC Discovery Provider now intelligently handles host headers (2404, 2453)
- SPIRE OIDC Discovery Provider can now serve over HTTP using the `allow_insecure_scheme` setting (2404)
- Metrics configuration options to filter out metrics and labels (2400)
- The `k8s-workload-registrar` now supports identity template based workload registration (2417)
- Enhancements in filtering support in server APIs (2467, 2463, 2464, 2468)
- Improvements in logging of errors in peertracker (2469)

Changed

- CRD mode of the `k8s-workload-registrar` now uses SPIRE certificates for the validating webhook (2321)
- The `vault` UpstreamAuthority plugin now continues retrying to renew tokens on failures until the lease time is exceeded (2445)

Fixed

- Fixed a nil pointer dereference when the deprecated `allow_unsafe_ids` setting was configured (2477)

Deprecated

- The SPIRE OIDC Discovery Provider `domain` configurable has been deprecated in favor of `domains` (2404)

Added

- LDevID-based TPM attestation can now be performed via a new `tpm_devid` NodeAttestor plugin (2111, 2427)
- Caller details are now logged for unauthorized Server API calls (2399)
- The `aws_iid` NodeAttestor plugin now supports attesting nodes across multiple AWS accounts via AWS IAM role assumption (2387)
- Added support for running the `k8s_sat` NodeAttestor plugin with Kubernetes v1.21 (2423)
- Call counter metrics are now emitted for SPIRE Server rate limiters (2422)
- SPIRE Server now logs a message on startup when configured TTL values may result in SVIDs with a shorter lifetime than expected (2284)

Changed

- Updated a trust domain validation error message to mention that underscores are valid trust domain characters (2392)

Fixed

- Fixed bugs that broke the ACME bundle endpoint when using the `aws_kms` KeyManager plugin (2390, 2397)
- Fixed a bug that resulted in SPIRE Agent sending unnecessary updates over the Workload API (2305)
- Fixed a bug in the `k8s_psat` NodeAttestor plugin that prevented it from being configured with kubeconfig files (2421)

Added

- The `vault` UpstreamAuthority plugin now supports Kubernetes service account authentication (2356)
- A new `cert-manager` UpstreamAuthority plugin is now available (2274)
- SPIRE Server CLI can now be used to ban agents (2374)
- SPIRE Server CLI now has `count` subcommands for agents, entries, and bundles (2128)
- SPIRE Server can now be configured for SPIFFE federation using the configurables defined by the spec (2340)
- SPIRE Server and Agent now expose the standard gRPC health service (2057, 2058)
- SPIFFE bundle endpoint URL is now configurable in the `federates_with` configuration block (2340)
- SPIRE Agent may now optionally provided unregistered callers with a bundle for SVID validation via the `allow_unauthenticated_verifiers` configurable (2102)
- SPIRE Server JWT key type is now independently configurable via `jwt_key_type` (1991)
- Registration entries can now be queried/filtered by `federates_with` when calling the entry API (1967)

Changed

- SPIRE Server's SVID now uses the key type configured as `ca_key_type` (2269)
- Caller address is now logged for agent API calls resulting in an error (2281)
- Agent SVID renewals are now logged by the server at the INFO level (2309)
- Workload API JWT-SVID profile will now return an error if the caller is unidentified (2369)
- Workload API JWT-SVID profile will no longer return non-SPIFFE claims on validated JWTs from foreign trust domains (2372)
- SPIRE artifact tarball no longer extracts `.` to avoid inadvertent changes in directory permisions (2219)
- SPIRE Server default socket path is now `/tmp/spire-server/private/api.sock` (2075)
- SPIRE Agent default socket path is now `/tmp/spire-agent/public/api.sock` (2075)

Deprecated

- SPIRE Server federation configuration in the `federates_with` `bundle_endpoint` block is now deprecated (2340)
- SPIRE Server `gcp_iit` NodeAttestor configurable `projectid_whitelist` is deprecated in favor of `projectid_allow_list` (2253)
- SPIRE Server `k8s_sat` and `k8s_psat` NodeAttestor configurable `service_account_whitelist` is deprecated in favor of `service_account_allow_list` (2253)
- SPIRE Server `registration_uds_path`/`-registrationUDSPath` configurable and flag has been deprecated in favor of `socket_path`/`-socketPath` (2075)

Removed

- SPIRE Server no longer supports SPIFFE IDs with UTF-8 (2368)
- SPIRE Server no longer supports the legacy Node API (2093)
- SPIRE Server experimental configurable `allow_agentless_node_attestors` has been removed (2098)
- The `aws_iid` NodeResolver plugin has been removed as it has been obviated (2191)
- The `noop` NodeResolver plugin has been removed (2189)
- The `proto/spire` go module has been removed in favor of the new SDKs (2161)
- The deprecated `enable_sds` configurable has been removed (2021)
- The deprecated `experimental bundle` CLI subcommands have been removed (2062)
- SPIRE Server experimental configurables related to federation have been removed (2062)
- SPIRE Server bundle endpoint no longer supports TLS signature schemes utilizing non-SHA256 hashes when ACME is enabled (2397)

Fixed

- Fixed a bug that caused health check failures in agents that have registration entries describing them (2370)
- SPIRE Agent no longer logs a message when invoking a healthcheck via the CLI (2058)
- Fixed a bug that caused federation to fail when using ACME in conjunction with the `aws_kms` KeyManager plugin (2390)