Spiffe

Latest version: v0.1.5

Page 17 of 18

0.8.3

- Upgrade to Go 1.12.12 in response to CVE-2019-17596 (1204)

0.8.2

- Connection pool details in SQL DataStore plugin are now configurable (1028)
- SQL DataStore plugin now emits telemetry (998)
- The SPIFFE bundle endpoint now supports serving Web PKI via ACME (1029)
- Fix Workload API socket permissions when enclosing directory is automatically created (1048)
- The Kubernetes PSAT node attestor now emits node and pod label selectors (1042)
- SVIDs can now be created directly against SPIRE server using the new `mint` feature (1036)
- SPIRE agent behavior improved to more efficiently balance load across SPIRE servers (1061)
- Significant SQL DataStore performance improvements (1069, 1079)
- Kubernetes workload registrar now supports assigning SPIFFE IDs based on an annotation (1047)
- Registration entries with an expiry set are now automatically pruned from the datastore (1056)
- Fix bug that resulted in authorized workloads being denied SVIDs (1103)

0.8.1

- Failure to obtain peer information from a Workload API connection no longer brings down the agent (946)
- Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (1000)
- GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (969, 1006, 1012)
- X.509 certificate serial numbers are now random 128-bit numbers (999)
- Added SQL table indexes to SQL datastore to improve query performance (1007)
- Improved metrics coverage (931, 932, 935, 968)
- Plugins can now emit metrics (990, 993)
- GCP CloudSQL support (995)
- Experimental support for SPIFFE federation (951, 983)
- Fixed a peertracker bug parsing /proc/PID/stat on Linux (982)
- Fixed a bug causing occasional panics on shutdown when running on a BSD-based system (970)
- Fixed a bug in the unix workload attestor failing attestation if the user or group lookup failed (973)
- Server plugins can now query for attested agent information (964)
- AWS Secrets UpstreamCA plugin can now authenticate to AWS via a Role ARN (938, 963)
- K8S Workload Attestor now works with Docker's systemd cgroup driver (950)
- Improved documentation and examples (915, 916, 918, 926, 930, 940, 941, 948, 954, 955, 1014)
- Fixed SSH-based node attested agent IDs to be URL-safe (944)
- Fixed bug preventing agent bootstrapping when an UpstreamCA is used in conjunction with `upstream_bundle = false` (939)
- Agent now properly handles signing SVIDs for multiple registration entries mapped to the same SPIFFE ID (929)
- Agent Node Attestor plugins no longer have to determine the agent ID (922)
- GCP IIT node attestor can now be configured with the host used to obtain the token (917)
- Fixed race in bundle pruning for HA deployments (919)
- Disk UpstreamCA plugin now supports intermediate CAs (910)
- Docker workload attestation now retries connections to the Docker daemon on transient failures (901)
- New Kubernetes Workload Registrar that automatically registers Kubernetes workloads (885, 953)
- Logs can now be emitted in JSON format (866)

0.8.0

- Fix a bug in which the agent periodically logged connection errors (906)
- Kubernetes SAT node attestor now supports the TokenReview API (904)
- Agent cache refactored to improve memory management and fix a leak (863)
- UpstreamCA "disk" will now reload cert and keys when needed (903)
- Introduced Nested SPIRE: server clusters can now be chained together (890)
- Fix a bug in AWS IID NodeResolver with instance profile lookup (888)
- Improved workload attestation and fixed a security bug related to PID reuse (886)
- New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (877)
- New plugin type Notifier for programmatically taking action on important events (877)
- New NodeAttestor based on SSH certificates (868, 870)
- v2 client library for Workload API interaction (841)
- Back-compat bundle management code removed - bundle is now handled correctly (858, 859)
- Plugins can now expose auxiliary services and consume host-based services (840)
- Fix bug preventing agent recovery prior to its first SVID rotation (839)
- Agent and server can now export telemetry to Prometheus, Statsd, DogStatsd (817)
- Fix bug in SDS API that prevented updates following Envoy restart (820)
- Kubernetes workload attestor now supports using the secure port (814)
- Support for TLS-protected connections to MySQL (821)
- X509-SVID can now include an optional CN/DNS SAN (798)
- SQL DataStore plugin now supports MySQL (784)
- Fix bug preventing agent from reconnecting to a new server after an error (795)
- Fix bug preventing agent from shutting down when streams are open (790)
- Registration entries can now have an expiry and be pruned automatically (776, 793)
- New Kubernetes NodeAttestor based on PSAT for node specificity (771, 860)
- New UpstreamCA plugin for AWS secret manager (751)
- Healthcheck commands exposed in server and agent (758, 763)
- Kubernetes workload attestor extended with additional selectors (720)
- UpstreamCA "disk" now supports loading multiple key types (717)

0.7.3

- Agent can now expose the Envoy SDS API for TLS certificate installation and rotation (667)
- Agent now automatically creates its configured data dir if it doesn't exist (678)
- Agent panic fixed in the event that rotation is attempted from non-attested node (684)
- Docker workload attestor plugin introduced (687)
- Agent and server no longer force a configured umask; instead, the umask is tightened if it is too permissive (686)
- Registration entry CLI utility now supports --node entry distinction (695)
- Server can now evict previously-attested agents (693)
- Official docker images are now published on build and release (700)

0.7.2

- Fix non-random UUID bug by moving to gofrs-maintained uuid pkg (659)
- Server now supports multiple node resolvers (652)
- Server no longer allows agent to specify X.509 Subject value (663)
- Registration API is now authenticated, can be reached remotely (656)
- Fixed debug log message in the Node API handler (666)
- Agent's KeyManager interface updated for better durability (669)
- Use FQDN in the GCP Node Attestor to prevent reliance on shortname resolution (672)
- Upgrade to Go 1.11.5 in response to CVE-2019-6486 (690)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.