Spiffe

Added

- `azure_key_vault` KeyManager plugin (4458)
- Server configuration to set refresh hint of local bundle (4400)
- Support for batch entry deletion in `spire-server` CLI (4371)
- `aws_iid` NodeAttestor can now be used in AWS Gov Cloud and China regions (4427)
- `status_code` and `status_message` fields in SPIRE Agent logs on gRPC errors (4262)

Changed

- Bundle server configuration is now organized by endpoint profiles (4476)
- Release artifacts are now statically linked with musl rather than glibc (4491)
- Agent no longer requests unused SVIDs for node aliases they belong to, reducing server signing load (4467)
- Entry IDs can now be optionally set by the client for BatchCreateEntry requests (4477)

Fixed

- Concurrent workload attestation using `systemd` plugin (4360)
- Bug in `k8s` WorkloadAttestor plugin that failed attestation in some scenarios (4468)
- Server can now be run on Linux arm64 when using SQLite (4491)

Removed

- Support for Envoy SDS v2 API (4444)
- Server no longer cleans up stale data in the database on startup (4443)
- Server no longer deletes entries with invalid SPIFFE IDs on startup (4449)

Security

- Updated to Go 1.20.12 to address CVE-2023-39326

Security

- Updated to Go 1.20.11 to address CVE-2023-45283, CVE-2023-45284

Security

- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487

Security

- Updated to Go 1.20.10 to address CVE-2023-39325, CVE-2023-44487

Added

- `aws_s3` BundlePublisher plugin (4355)
- SPIRE Server bundle endpoint now includes bundle sequence number (4389)
- Telemetry in experimental Agent LRU cache (4335)
- Telemetry in Agent Delegated Identity API (4399)
- Documentation improvements (4336, 4407)

Fixed

- Server no longer unnecessarily activates its CA a second time on startup (4368)