Spiffe

Latest version: v0.1.5

Page 15 of 18

0.11.1

What's New

- Added an AWS PCA configurable allowing operators to provide additional CA certificates for inclusion in the bundle (1574)
- Added a configurable to the server for disabling rate limiting of node attestation requests (1794, 1870)

What's Changed

- Fixed Kubernetes Workload Registrar issues (1814, 1818, 1823)
- Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (1824)
- Fixed issue preventing brand-new deployments from downgrading successfully (1829)
- Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (1863)

0.11.0

What's New

- Introduced refactored server APIs (1533, 1548, 1563, 1567, 1568, 1571, 1575, 1576, 1577, 1578, 1582, 1585, 1586, 1587, 1588, 1589, 1590, 1591, 1592, 1593, 1594, 1595, 1597, 1604, 1606, 1607, 1613, 1615, 1617, 1622, 1623, 1628, 1630, 1633, 1641, 1643, 1646, 1647, 1654, 1659, 1667, 1673, 1674, 1683, 1684, 1689, 1690, 1692, 1693, 1694, 1701, 1708, 1727, 1728, 1730, 1733, 1734, 1739, 1749, 1753, 1768, 1772, 1779, 1783, 1787, 1788, 1789, 1790, 1791)
- Unix workloads can now be attested using auxiliary group membership (1771)
- The Kubernetes Workload Registrar now supports two new registration modes (`crd` and `reconcile`)

What's Changed

- Federation is now a stable feature (1656, 1737, 1777)
- Removed support for the `UpstreamCA` plugin, which was deprecated in favor of the `UpstreamAuthority` plugin in v0.10.0 (1699)
- Removed the deprecated `upstream_bundle` server configurable. The server now always uses the upstream bundle as the trust bundle (1702)
- The server's AWS node attestor subsumed all the functionality of the node resolver, which has been deprecated (1705)
- Removed pluggability of the DataStore interface, restricting use to the current built-in `sql` plugin (1707)
- Unknown config options now make the server and agent fail to start (1714)
- Improved registration entry change detection on agent (1720)
- `/tmp/agent.sock` is now the default socket path for the agent (1738)

0.10.2

Security

- Fixed CVE-2021-27098
- Fixed file descriptor leak in peertracker

0.10.1

What's New

- `vault` as Upstream Authority built-in plugin (1611, 1632)
- Improved configuration file docs to list all possible configuration settings (1608, 1618)

What's Changed

- Improved container ID parsing from cgroup path in the `docker` workload attestor plugin (1605)
- Improved container ID parsing from cgroup path in the `k8s` workload attestor plugin (1649)
- Envoy SDS support is now always on (1579)
- Errors on agent SVID rotation are now fatal if the agent's current SVID has expired, forcing an agent restart (1584)

0.10.0

- Added support for JWT-SVID in nested SPIRE topologies (1388, 1394, 1396, 1406, 1409, 1410, 1411, 1415, 1416, 1417, 1423, 1440, 1455, 1458, 1469, 1476)
- Reduced database load under certain configurations (1439)
- Agent now proactively rotates workload SVIDs in response to registration updates (1441, 1477)
- Removed redundant telemetry counter in agent cache manager (1445)
- Added environment variable config templating support (1453)
- Added CreateEntryIfNotExists RPC to Registration API (1464)
- The X.509 CA key now defaults to EC P-256 instead of EC P-384 (1468)
- Added `validate` subcommand to the SPIRE Server and SPIRE Agent CLIs to validate the configuration file (1471, 1489)
- Removed deprecated `ttl` configurable from upstreamauthority plugins (1482)
- Fixed a bug which resulted in incorrect SHA for certain types of workloads (1405)
- OIDC Discovery Provider now supports listening on a Unix Domain Socket (1408)
- Fixed a bug that could lead to agent eviction if a crash occurred during agent SVID rotation (1399)
- The `upstream_bundle` configurable now defaults to true, and is marked as deprecated (1404)
- OIDC Discovery Provider and the Kubernetes Workload Registrar release binaries are now available via the `spire-extras` tarball (1424)
- Introduced new plugin type UpstreamAuthority, which supports both X509-SVID and JWT-SVID as well as the ability to push upstream changes into SPIRE Server (1388, 1394, 1406, 1455)
- AWS PCA, AWS Secrets, Disk and SPIRE UpstreamCA plugins have been ported to the UpstreamAuthority type (1411, 1409, 1410, 1415)
- Introduced a new RPC `PushJWTKeyUpstream` in the Node API for publishing JWT-SVID signing keys from downstream servers (1416)
- Introduced a new RPC `FetchBundle` in the Node API for fetching an up-to-date bundle (1458)
- AWS PCA UpstreamAuthority plugin endpoint is now configurable (1498)
- The UpstreamCA plugin type is now marked as deprecated in favor of the UpstreamAuthority plugin type (1406)

0.9.4

Security

- Fixed CVE-2021-27098
- Fixed file descriptor leak in peertracker

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.