Spiffe

Latest version: v0.1.5

Page 2 of 18

1.10.0

Added

- Plugin reconfiguration support using the `plugin_data_file` configurable (5166)

Changed

- SPIRE Server and OIDC provider images to use non-root users (4967, 5227)
- `k8s_psat` NodeAttestor to no longer fail when a cluster is not configured (5216)
- Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (5204)
- Small documentation improvements (5181, 5189)
- Evicted agents that support reattestation can now reattest without being restarted (4991)

Fixed

- PSAT node attestor to cross-check the audience fields (5142)
- Events-based cache to handle out-of-order events (5071)

Deprecated

- `x509_svid_cache_max_size` and `disable_lru_cache` in agent configuration (5150)

Removed

- The deprecated `disable_reattest_to_renew` agent configurable (5217)
- The deprecated `key_metadata_file` configurable from the `aws_kms`, `azure_key_vault` and `gcp_kms` server KeyManagers (5207)
- The deprecated `use_msi` configurable from the `azure_key_vault` server KeyManager and `azure_msi` NodeAttestor (5207, 5209)
- The deprecated `exclude_sn_from_ca_subject` server configurable (5203)
- Agent no longer cleans up deprecated bundle and SVID files (5205)
- The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up (5202)

1.9.6

Added

- Opt-in support for CGroups v2 in K8s and Docker workload attestors (5076)
- `gcp_cloudstorage` BundlePublisher plugin (4961)
- The `aws_iid` node attestor can now check if the AWS account ID is part of an AWS Organization (4838)
- More filtering options to count and show entries and agents (4714)

Changed

- Credential composer to not convert timestamp-related claims (i.e., exp and iat) to floating point values (5115)
- FetchJWTBundles now returns an empty collection of keys instead of null (5031)

Fixed

- Using expired tokens when connecting to database (5119)
- Server no longer tries to create JWT authority when X.509 authority fails (5064)
- Issues in experimental events-based entry cache (5030, 5037, 5042)

1.9.5

Security

- Updated to Go 1.21.10 to address CVE-2024-24788

1.9.4

Security

- Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288

1.9.3

Security

- Updated to Go 1.21.9 to address CVE-2023-45288
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

1.9.2

Added

- Support for AWS IAM-based authentication with AWS RDS backed databases (4828)
- Support for adjusting the SPIRE Server log level at runtime (4880)
- New `retry_bootstrap` option to SPIRE Agent to retry failed bootstrapping with SPIRE Server, with a backoff, in lieu of failing the startup process (4597)
- Improved logging (4902, 4906)
- Documentation improvements (4895, 4951, 4907)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.