Added
- Experimental support for custom authorization policies based on Open Policy Agent (OPA) (#2416)
- SPIRE Server can now be configured to emit audit logs (#2297, #2391, #2394, #2396, #2442, #2458)
- Envoy SDS v3 API in agent now supports the SPIFFE Certificate Validator for federated SPIFFE authentication (#2435, #2460)
- SPIRE OIDC Discovery Provider now intelligently handles host headers (#2404, #2453)
- SPIRE OIDC Discovery Provider can now serve over HTTP using the `allow_insecure_scheme` setting (#2404)
- Metrics configuration options to filter out metrics and labels (#2400)
- The `k8s-workload-registrar` now supports identity template based workload registration (#2417)
- Enhancements in filtering support in server APIs (#2467, #2463, #2464, #2468)
- Improvements in logging of errors in peertracker (#2469)
Changed
- CRD mode of the `k8s-workload-registrar` now uses SPIRE certificates for the validating webhook (#2321)
- The `vault` UpstreamAuthority plugin now continues retrying to renew tokens on failures until the lease time is exceeded (#2445)
Fixed
- Fixed a nil pointer dereference when the deprecated `allow_unsafe_ids` setting was configured (#2477)
Deprecated
- The SPIRE OIDC Discovery Provider `domain` configurable has been deprecated in favor of `domains` (#2404)