Added
uniqueidCredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (#4862)- Agent's Admin API has now a default location defined (#4856)
- Partial selectors from workload attestation are now logged when attestation is interrupted (#4846)
- X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (#4814)
Changed
- CA journal data is now stored in the datastore, removing the on-disk dependency of the server (#4690)
aws_kms,azure_key_vault, andgcp_kmsKeyManager plugins no longer require storing metadata files on disk (#4700)- Bundle endpoint refresh hint now defaults to 5 minutes (#4847, #4888)
- Graceful shutdown is now blocked while built-in plugin RPCs drain (#4820)
- Entry cache hydration is now done with paginated requests to the datastore (#4721, #4826)
- Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (#4791)
- The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (#4773)
- Small documentation improvements (#4764, #4787)
- Read-replicas are no longer used when hydrating the experimental events-based entry cache (#4868)
- Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (#4611)
Fixed
- Missing creation of events in the experimental events-based cache entry when an entry was pruned (#4860)
- Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (#4852)
- Refreshing of selectors of attested agents when using the experimental events-based entry cache (#4803)
Deprecated
k8s_satNodeAttestor plugin (#4841)
Removed
- X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)