github spiffe/spire v1.1.0


Added

  • SPIRE images are now published to GitHub Container Registry. They will continue to be published to Google Container Registry over the course of the next release (#2576,#2580)
  • SPIRE Server now implements the TrustDomain API and related CLI commands (https://github.com/spiffe/spire/projects/11)
  • The SVIDStore plugin type has been introduced to enable, amongst other things, agentless workload scenarios (#2176,#2483)
  • The TPM DevID Node Attestor emits a new issuer:cn selector with the common name of the issuing certificate (#2581)
  • The K8s Bundle Notifier plugin now supports pushing the bundle to resources in multiple clusters (#2531)
  • A built-in AWS Secrets Manager SVIDStore plugin has been introduced, which can push workload SVIDs into AWS secrets for use in Lambda functions, etc. (#2542)
  • The agent and entry list commands in the CLI gained additional filtering capabilities (#2478,#2479)
  • The GCP CAS UpstreamAuthority has a new ca_pool configurable to identify which CA pool the signing CA resides in (#2569)

Changed

  • With the GA release of GCP CAS, the UpstreamAuthority plugin now needs to know which pool the CA belongs to. If not configured, it will do a pessimistic scan of all pools to locate the correct CA. This scan will be removed in a future release (#2569)
  • The K8s Workload Registrar now supports Kubernetes 1.22 (#2515,#2540)
  • Self-signed CA certificate serial numbers are now conformant to RFC 5280 (#2494)
  • The AWS KMS Key Manager plugin now creates keys with a very strict policy by default (#2424)
  • The deprecated agent key file (svid.key) is proactively removed by the agent. It was only maintained to accommodate rollback from v1.0 to v0.12 (#2493)

Removed

  • Support for the deprecated Registration API has been removed (#2487)
  • Legacy (v0) plugin support has been removed. All plugins must now be authored using the plugin SDK.
  • The deprecated service_account_whitelist configurables have been removed from the SAT and PSAT Node Attestor plugins (#2543)
  • The deprecated projectid_whitelist configurable has been removed from the GCP IIT Node Attestor plugin (#2492)
  • The deprecated bundle_endpoint and registration_uds_path configurables have been removed from SPIRE Server (#2486,#2519)

Fixed

  • The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (#2569)
  • Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (#2582)
  • Kubernetes Workload Attestor now uses the canonical path for the service account token (#2583)
  • The server socketPath is now appropriately overridden via the configuration file (#2570)
  • The server now restarts appropriately after undergoing forceful shutdown (#2496)
  • The server CLI list commands now work reliably for large listings (#2456)
