Spiffe

Latest version: v0.1.4

Page 13 of 18

1.0.4

Added

- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (3009, 3014, 3020, 3034)

1.0.3

Security

- Fixed CVE-2021-44716

1.0.2

Added

- Experimental support for custom authorization policies based on Open Policy Agent (OPA) (2416)
- SPIRE Server can now be configured to emit audit logs (2297, 2391, 2394, 2396, 2442, 2458)
- Envoy SDS v3 API in agent now supports the SPIFFE Certificate Validator for federated SPIFFE authentication (2435, 2460)
- SPIRE OIDC Discovery Provider now intelligently handles host headers (2404, 2453)
- SPIRE OIDC Discovery Provider can now serve over HTTP using the `allow_insecure_scheme` setting (2404)
- Metrics configuration options to filter out metrics and labels (2400)
- The `k8s-workload-registrar` now supports identity template based workload registration (2417)
- Enhancements in filtering support in server APIs (2467, 2463, 2464, 2468)
- Improvements in logging of errors in peertracker (2469)

Changed

- CRD mode of the `k8s-workload-registrar` now uses SPIRE certificates for the validating webhook (2321)
- The `vault` UpstreamAuthority plugin now continues retrying to renew tokens on failures until the lease time is exceeded (2445)

Fixed

- Fixed a nil pointer dereference when the deprecated `allow_unsafe_ids` setting was configured (2477)

Deprecated

- The SPIRE OIDC Discovery Provider `domain` configurable has been deprecated in favor of `domains` (2404)

1.0.1

Added

- LDevID-based TPM attestation can now be performed via a new `tpm_devid` NodeAttestor plugin (2111, 2427)
- Caller details are now logged for unauthorized Server API calls (2399)
- The `aws_iid` NodeAttestor plugin now supports attesting nodes across multiple AWS accounts via AWS IAM role assumption (2387)
- Added support for running the `k8s_sat` NodeAttestor plugin with Kubernetes v1.21 (2423)
- Call counter metrics are now emitted for SPIRE Server rate limiters (2422)
- SPIRE Server now logs a message on startup when configured TTL values may result in SVIDs with a shorter lifetime than expected (2284)

Changed

- Updated a trust domain validation error message to mention that underscores are valid trust domain characters (2392)

Fixed

- Fixed bugs that broke the ACME bundle endpoint when using the `aws_kms` KeyManager plugin (2390, 2397)
- Fixed a bug that resulted in SPIRE Agent sending unnecessary updates over the Workload API (2305)
- Fixed a bug in the `k8s_psat` NodeAttestor plugin that prevented it from being configured with kubeconfig files (2421)

1.0.0

Added

- The `vault` UpstreamAuthority plugin now supports Kubernetes service account authentication (2356)
- A new `cert-manager` UpstreamAuthority plugin is now available (2274)
- SPIRE Server CLI can now be used to ban agents (2374)
- SPIRE Server CLI now has `count` subcommands for agents, entries, and bundles (2128)
- SPIRE Server can now be configured for SPIFFE federation using the configurables defined by the spec (2340)
- SPIRE Server and Agent now expose the standard gRPC health service (2057, 2058)
- SPIFFE bundle endpoint URL is now configurable in the `federates_with` configuration block (2340)
- SPIRE Agent may now optionally provide unregistered callers with a bundle for SVID validation via the `allow_unauthenticated_verifiers` configurable (2102)
- SPIRE Server JWT key type is now independently configurable via `jwt_key_type` (1991)
- Registration entries can now be queried/filtered by `federates_with` when calling the entry API (1967)

Changed

- SPIRE Server's SVID now uses the key type configured as `ca_key_type` (2269)
- Caller address is now logged for agent API calls resulting in an error (2281)
- Agent SVID renewals are now logged by the server at the INFO level (2309)
- Workload API JWT-SVID profile will now return an error if the caller is unidentified (2369)
- Workload API JWT-SVID profile will no longer return non-SPIFFE claims on validated JWTs from foreign trust domains (2372)
- SPIRE artifact tarball no longer extracts `.` to avoid inadvertent changes in directory permissions (2219)
- SPIRE Server default socket path is now `/tmp/spire-server/private/api.sock` (2075)
- SPIRE Agent default socket path is now `/tmp/spire-agent/public/api.sock` (2075)

Deprecated

- SPIRE Server federation configuration in the `federates_with` `bundle_endpoint` block is now deprecated (2340)
- SPIRE Server `gcp_iit` NodeAttestor configurable `projectid_whitelist` is deprecated in favor of `projectid_allow_list` (2253)
- SPIRE Server `k8s_sat` and `k8s_psat` NodeAttestor configurable `service_account_whitelist` is deprecated in favor of `service_account_allow_list` (2253)
- SPIRE Server `registration_uds_path`/`-registrationUDSPath` configurable and flag have been deprecated in favor of `socket_path`/`-socketPath` (2075)

Removed

- SPIRE Server no longer supports SPIFFE IDs with UTF-8 (2368)
- SPIRE Server no longer supports the legacy Node API (2093)
- SPIRE Server experimental configurable `allow_agentless_node_attestors` has been removed (2098)
- The `aws_iid` NodeResolver plugin has been removed as it has been obviated (2191)
- The `noop` NodeResolver plugin has been removed (2189)
- The `proto/spire` go module has been removed in favor of the new SDKs (2161)
- The deprecated `enable_sds` configurable has been removed (2021)
- The deprecated `experimental bundle` CLI subcommands have been removed (2062)
- SPIRE Server experimental configurables related to federation have been removed (2062)
- SPIRE Server bundle endpoint no longer supports TLS signature schemes utilizing non-SHA256 hashes when ACME is enabled (2397)

Fixed

- Fixed a bug that caused health check failures in agents that have registration entries describing them (2370)
- SPIRE Agent no longer logs a message when invoking a healthcheck via the CLI (2058)
- Fixed a bug that caused federation to fail when using ACME in conjunction with the `aws_kms` KeyManager plugin (2390)

0.12.3

Added

- The `k8s-workload-registrar` now supports federation (2160)
- The `k8s_bundle` notifier plugin can now keep API service CA bundles up to date (2193)
- SPIRE Server internal cache reload timing can now be tuned (experimental) (2169)

Changed

- Prometheus metrics that are emitted infrequently will no longer disappear after emission (2239)
- The `k8s-workload-registrar` now uses paging to support very large deployments of 10,000+ pods (2227)

Fixed

- Fixed a bug that sometimes caused newly attested agents to not receive their full set of selectors (2242)
- Fixed several bugs related to the handling of SPIRE Server API paging (2251)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.