Spiffe

Latest version: v0.1.5


Page 6 of 18

1.7.2

Added

- `aws_s3` BundlePublisher plugin (4355)
- SPIRE Server bundle endpoint now includes bundle sequence number (4389)
- Telemetry in experimental Agent LRU cache (4335)
- Telemetry in Agent Delegated Identity API (4399)
- Documentation improvements (4336, 4407)

Fixed

- Server no longer unnecessarily activates its CA a second time on startup (4368)

1.7.1

Added

- x509pop node attestor emits a new selector with the leaf certificate serial number (4216)
- HTTPS server in the OIDC Discovery Provider can now be configured to use a certificate file (4190)
- Option to log source information in server and agent logs (4246)

Changed

- Agent now has an exponential backoff strategy when syncing with the server (4279)

Fixed

- Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (4352)
- SPIRE Agent cache bug resulting in workloads receiving JWT-SVIDs with incomplete audience set (4309)
- The `spire-server agent show` command now properly shows the "Can re-attest" attribute (4288)

1.7.0

Added

- AWS IID Node Attestor now supports all regions, including GovCloud and regions in China (4124)

Fixed

- Systemd workload attestor fails with error `connection closed by user` (4165)
- Reduced SPIRE Agent CPU usage during Kubernetes workload attestation (4240)

Removed

- Envoy SDSv2 API is deprecated and now disabled by default (4228)

1.6.5

Fixed

- Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (4352)

1.6.4

Added

- ARM64 binaries are now included in the release artifacts (4143)
- Various build script improvements (4062, 4081, 4096, 4127)
- Various doc improvements (4076)
- Workload API hint support (3993, 4074)
- Improved performance when listing queries for PostgreSQL (4111)
- Support for SPIFFE bundle sequence numbers (4061)
- New Systemd Workload Attestor plugin (4058)
- New [BundlePublisher](https://github.com/spiffe/spire-plugin-sdk/blob/v1.6.4/proto/spire/plugin/server/bundlepublisher/v1/bundlepublisher.proto) plugin type (#4022)
- New `agent purge` command for removing stale agent records (3982)

Fixed

- Bug determining if an entry was unique (4063)

1.6.3

Added

- Entry API responses now include the `created_at` field (3975)
- `spire-server agent` CLI commands and Agent APIs now show if agents can be re-attested and support `by_can_reattest` filtering (3880)
- Entry API along with `spire-server entry create`, `spire-server entry show` and `spire-server entry update` CLI commands now support hint information, allowing hinting to workloads the intended use of the SVID (3926, 3787)

Fixed

- The `vault` UpstreamAuthority plugin now properly sets the URI SAN (3971)
- Node selector data related to nodes is now cleaned when deleting a node (3873)
- Clean stale node selector data from previously deleted nodes (3941)
- Regression causing a failure to parse JSON formatted and verbose HCL configuration for plugins (3939, 3999)
- Regression where some workloads with active FetchX509SVID streams were not notified when an entry is removed (3923)
- The federated bundle updater now properly logs the trust domain name (3927)
- Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they did not have a URI SAN (3997)
