Spiffe

Latest version: v0.1.4

Page 3 of 18

1.9.0

Added

- `uniqueid` CredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (4862)
- Agent's Admin API has now a default location defined (4856)
- Partial selectors from workload attestation are now logged when attestation is interrupted (4846)
- X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (4814)
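Wildcard DNS SANs in an X509-SVID are only as useful as what a relying party's verifier actually matches, so the check worth running is the verification side, not the minting side. The following Go program is an added example written for this page, not SPIRE's own code: it builds a self-signed, SVID-shaped certificate (SPIFFE ID URI SAN plus a wildcard DNS SAN) and then runs Go's standard `x509` hostname verification against a few candidate names. The SPIFFE ID `spiffe://example.org/ns/default/sa/web` and the helper names `issueWildcardSVID` and `dnsNameMatches` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issueWildcardSVID builds a self-signed certificate shaped like an X509-SVID:
// a SPIFFE ID in the URI SANs plus the given DNS SANs. This is a stand-in for
// SPIRE's signing path, constructed for the example only.
func issueWildcardSVID(spiffeID string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "wildcard-svid-example"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{uri},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// dnsNameMatches reports whether the presented name is covered by the
// certificate's DNS SANs under the rules Go's x509 package applies:
// '*' must be the entire leftmost label and it matches exactly one label,
// so "*.example.org" covers "api.example.org" but neither "a.b.example.org"
// nor the bare "example.org".
func dnsNameMatches(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

func main() {
	cert, err := issueWildcardSVID("spiffe://example.org/ns/default/sa/web", []string{"*.example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println("SPIFFE ID:", cert.URIs[0])
	// Constructed candidate names a peer might present.
	for _, name := range []string{"api.example.org", "a.b.example.org", "example.org", "api.example.com"} {
		fmt.Printf("%-18s matches *.example.org: %v\n", name, dnsNameMatches(cert, name))
	}
}
```

If a workload needs both `example.org` and `*.example.org`, register both names explicitly; a single wildcard entry does not cover the apex, and no standards-conformant verifier will treat it as covering more than one label.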

Changed

- CA journal data is now stored in the datastore, removing the on-disk dependency of the server (4690)
- `aws_kms`, `azure_key_vault`, and `gcp_kms` KeyManager plugins no longer require storing metadata files on disk (4700)
- Bundle endpoint refresh hint now defaults to 5 minutes (4847, 4888)
- Graceful shutdown is now blocked while built-in plugin RPCs drain (4820)
- Entry cache hydration is now done with paginated requests to the datastore (4721, 4826)
- Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (4791)
- The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (4773)
- Small documentation improvements (4764, 4787)
- Read-replicas are no longer used when hydrating the experimental events-based entry cache (4868)
- Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (4611)

Fixed

- Missing creation of events in the experimental events-based entry cache when an entry was pruned (4860)
- Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (4852)
- Refreshing of selectors of attested agents when using the experimental events-based entry cache (4803)

Deprecated

- `k8s_sat` NodeAttestor plugin (4841)

Removed

- X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (4862)

1.8.11

Security

- Updated to Go 1.21.10 to address CVE-2024-24788

1.8.10

Security

- Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288

1.8.9

Security

- Updated to Go 1.21.9 to address CVE-2023-45288
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

1.8.8

Security

- Update Go to v1.21.8 to patch CVE-2024-24783

1.8.7

Added

- Agents can now be configured with an availability target, which establishes the minimum amount of time desired to gracefully handle server or agent downtime, influencing how aggressively X509-SVIDs should be rotated (4599)
- SyncAuthorizedEntries RPC, which allows agents to only sync down changes instead of the entire set of entries. Agents can be configured to use this new RPC through the `use_sync_authorized_entries` experimental setting (4648)
- Experimental support for an events based entry cache which reduces overhead on the database (4379, 4411, 4527, 4451, 4562, 4723, 4731)
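The availability target changes when the agent decides to rotate an X509-SVID, and the edge case worth handling is a target that the SVID's lifetime cannot honour. The following Go program is an added example written for this page, not SPIRE's own rotation code; the exact rule SPIRE applies is an assumption here. The policy it shows: rotate at the half-life by default; with a target, rotate at the earlier of the half-life and the instant at which exactly `availabilityTarget` of validity remains; if the target is at least the whole lifetime, fall back to the half-life and flag the plan instead of rotating in a tight loop. The names `RotationPlan`, `planRotation` and `shouldRotate`, and the validity windows in `main`, are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// RotationPlan says when an X509-SVID should be rotated and whether the
// configured availability target can actually be honoured by its lifetime.
type RotationPlan struct {
	RotateAt   time.Time
	Achievable bool
}

// planRotation is an illustrative rotation policy (not SPIRE's own code):
//   - no target: rotate at the half-life, the long-standing default;
//   - target set: rotate at the earlier of the half-life and the point where
//     exactly availabilityTarget of validity remains, so a server or agent
//     outage up to that long can be ridden out on the current SVID;
//   - target >= lifetime: cannot be honoured; rather than rotating in a tight
//     loop, fall back to the half-life and flag the plan so the operator can
//     raise the SVID TTL or lower the target.
func planRotation(notBefore, notAfter time.Time, availabilityTarget time.Duration) RotationPlan {
	lifetime := notAfter.Sub(notBefore)
	halfLife := notBefore.Add(lifetime / 2)
	if availabilityTarget <= 0 {
		return RotationPlan{RotateAt: halfLife, Achievable: true}
	}
	byTarget := notAfter.Add(-availabilityTarget)
	if !byTarget.After(notBefore) {
		return RotationPlan{RotateAt: halfLife, Achievable: false}
	}
	if byTarget.Before(halfLife) {
		return RotationPlan{RotateAt: byTarget, Achievable: true}
	}
	return RotationPlan{RotateAt: halfLife, Achievable: true}
}

// shouldRotate is the check an agent loop would run on each tick.
func shouldRotate(now time.Time, plan RotationPlan) bool {
	return !now.Before(plan.RotateAt)
}

func main() {
	// Constructed sample validity windows, not real SVIDs.
	issued := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	cases := []struct {
		name     string
		lifetime time.Duration
		target   time.Duration
	}{
		{"1h SVID, no target", time.Hour, 0},
		{"7d SVID, 24h target", 7 * 24 * time.Hour, 24 * time.Hour},
		{"30h SVID, 24h target", 30 * time.Hour, 24 * time.Hour},
		{"12h SVID, 24h target", 12 * time.Hour, 24 * time.Hour},
	}
	for _, c := range cases {
		plan := planRotation(issued, issued.Add(c.lifetime), c.target)
		fmt.Printf("%-22s rotate at %s (achievable=%v)\n",
			c.name, plan.RotateAt.Format(time.RFC3339), plan.Achievable)
	}
}
```

The last case is the one to watch in production: a 12h SVID can never keep 24h of validity in reserve, so the target should be surfaced as a configuration error rather than silently ignored or turned into constant re-issuance against the server.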

Changed

- The maximum number of open database connections in the datastore now defaults to 100 instead of unlimited (4656)
- Agents now shut down when they can't synchronize entries with the server due to an unknown authority error (4617)

Removed

- Agents no longer maintain agent SVID and bundle information in the legacy paths in the data directory (4717)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.