## Added

- Added `aws_kms` server KeyManager plugin that uses the AWS Key Management Service (KMS) (#2066)
- Added `gcp_cas` UpstreamAuthority plugin that uses the Certificate Authority Service from Google Cloud Platform (#2172)
- Improved error returned during attestation of agents (#2159)
- The `aws_iid` NodeAttestor plugin now supports running in a location with no public internet access available for the server (#2119)
- The `k8s` notifier can now rotate Admission Controller Webhook CA Bundles (#2022)
- Rate limiting on X.509 signing and JWT signing can now be disabled (#2142)
- Added uptime metrics in server and agent (#2032)
- Calls to KeyManager plugins now time out at 30 seconds (#2044)
- Added logging when lookup of user by uid or group by gid fails in the `unix` WorkloadAttestor plugin (#2048)
## Changed

- The `k8s` WorkloadAttestor plugin now emits selectors for both image and image ID (#2116)
- HTTP readiness endpoint on agent now checks the health of the Workload API (#2015, #2087)
- SDS API in agent now returns an error if an SDS client requests resource names that don't exist (#2020)
- Bundle and k8s-workload-registrar endpoints now only accept clients using TLS v1.2+ (#2025)
## Fixed

- Registration entry update handling in CRD mode of the k8s-workload-registrar to prevent unnecessary issuance of new SVIDs (#2155)
- Failure to update CA bundle due to improper MySQL isolation level for read-modify-write operations (#2150)
- Regression preventing agent selectors from showing in the `spire-server agent show` command (#2133)
- Issue in the token authentication method of the Vault UpstreamAuthority plugin (#2110)
- Reporting of errors in server entry cache telemetry (#2091)
- Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)