Spiffe

Added

- A new `gcp_kms` KeyManager plugin is now available (3410, 3638, 3653, 3655)
- `spire-server agent`, `spire-server bundle`, and `spire-server entry` CLI commands now support `-output` flag (3523, 3624, 3628)

Changed

- SPIRE-managed files on Windows no longer inherit permissions from parent directory (3577, 3604)
- Documentation improvements (3534, 3546, 3461, 3565, 3630, 3632, 3639,)

Fixed

- oidc-discovery-provider healthcheck HTTP server now binds to all network interfaces for visibility outside containers using virtual IP (3580)
- k8s-workload-registrar CRD and reconcile modes now have correct example leader election RBAC YAML (3617)

Security

- Updated to Go 1.19.4 to address CVE-2022-41717.

Fixed

- The deprecated `default_svid_ttl` configurable is now correctly observed after fixing a regression introduced in 1.5.0 (3583)

Added

- X.509-SVID and JWT-SVID TTLs can now be configured separately at both the entry-level and Server default level (3445)
- Entry protobuf type in `/v1/entry` API includes new `jwt_svid_ttl` field (3445)
- `k8s-workload-registrar` and `oidc-discovery-provider` CLIs now print their version when the `-version` flag is set (3475)
- Support for customizing SPIFFE ID paths of SPIRE Agents attested with the `azure_msi` NodeAttestor plugin (3488)

Changed

- Entry `ttl` protobuf field in `/v1/entry` API is renamed to `x509_ttl` (3445)
- External plugins can no longer be named `join_token` to avoid conflicts with the builtin plugin (3469)
- `spire-server run` command now supports DNS names for the configured bind address (3421)
- Documentation improvements (3468, 3472, 3473, 3474, 3515)

Deprecated

- `k8s-workload-registrar` is deprecated in favor of [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager) (#3526)
- Server `default_svid_ttl` configuration field is deprecated in favor of `default_x509_svid_ttl` and `default_jwt_svid_ttl` fields (3445)
- `-ttl` flag in `spire-server entry create` and `spire-server entry update` commands is deprecated in favor of `-x509SVIDTTL` and `-jwtSVIDTTL` flags (3445)
- `-format` flag in `spire-agent fetch jwt` CLI command is deprecated in favor of `-output` flag (3528)
- `InMem` telemetry collector is deprecated and no longer enabled by default (3492)

Removed

- NodeResolver plugin type and `azure_msi` builtin NodeResolver plugin (3470)

Security

- Updated to Go 1.19.6 and golang.org/x/net v0.7.0 to address CVE-2022-41723, CVE-2022-41724, CVE-2022-41725.

Security

- Updated to Go 1.19.4 to address CVE-2022-41717.