Releases: spiffe/spire

0.7.3

12 Feb 00:14
81bbb8e
  • Agent can now expose the Envoy SDS API for TLS certificate installation and rotation (#667)
  • Agent now automatically creates its configured data dir if it doesn't exist (#678)
  • Agent panic fixed in the event that rotation is attempted from a non-attested node (#684)
  • Docker workload attestor plugin introduced (#687)
  • Agent and Server no longer force a configured umask; the inherited umask is tightened only if it is too permissive (#686)
  • Registration entry CLI utility now supports the --node flag to distinguish node entries (#695)
  • Server can now evict previously-attested agents (#693)
  • Official docker images are now published on build and release (#700)
  • Server now validates Agent credentials on every API call instead of only when TLS is established (#711)

0.7.2

23 Jan 23:16
  • Fix non-random UUID bug by moving to gofrs-maintained uuid pkg (#659)
  • Server now supports multiple node resolvers (#652)
  • Server no longer allows agent to specify X.509 Subject value (#663)
  • Registration API is now authenticated and can be reached remotely (#656)
  • Fixed debug log message in the Node API handler (#666)
  • Agent's KeyManager interface updated for better durability (#669)
  • Use FQDN in the GCP Node Attestor to prevent reliance on shortname resolution (#672)
  • Upgrade to Go 1.11.5 in response to CVE-2019-6486 (#690)

0.7.1

21 Dec 00:04
  • Documentation updates for Azure plugins, agent, server (#629, #631, #642, #651, #654)
  • Intermediate certificates now included in bundle for compatibility with 0.6 (#633)
  • Attestation now fails if NodeResolver encounters an error (#634)
  • Fix bootstrap bug when upstream_bundle is not set (#639)
  • Additional telemetry points added, introduced telemetry in server (#640)
  • CLI utilities now print the default TTL value instead of 0 when one is not set (#645)
  • Fix bug in CLI utilities causing them to write PEM files with the wrong header (#647)
  • Go runtime upgraded in response to CVE-2018-16875 (#653)
  • Server now detects and prevents trust domain configuration change (#644)
  • Fix vulnerability in which X.509 path validation is not performed on node API (#655)
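The two credential-check entries in these notes (path validation on the node API here in 0.7.1, #655, and validation on every API call in 0.7.3, #711) describe one idea from two angles: a TLS handshake verifies the client certificate once, but a connection can stay open well past the SVID's NotAfter, or past the point where the agent is evicted, so a server that trusts the handshake alone keeps honouring a credential it would reject if it were presented fresh. The Go program below is an added illustration of that check and is not SPIRE's code. verifyAgentSVID builds and validates the full X.509 path against the trust bundle at the time of the call, then checks the SPIFFE ID carried in the URI SAN. The trust domain example.org, the /spire/agent/ ID prefix, the agent ID itself and the mintCert/newFixture certificate material are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const (
	trustDomain   = "example.org"   // assumed for this example
	agentIDPrefix = "/spire/agent/" // assumed agent ID namespace
)

// verifyAgentSVID is the check a server should run on every API call that presents
// an agent SVID, not only when the TLS session was established: full X.509 path
// validation against the trust bundle at time now, then a SPIFFE ID check.
func verifyAgentSVID(leaf *x509.Certificate, intermediates, roots *x509.CertPool, now time.Time) (string, error) {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   now, // evaluated per call, so an SVID that expired mid-connection is caught
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("path validation failed: %w", err)
	}
	if len(leaf.URIs) != 1 {
		return "", errors.New("SVID must carry exactly one URI SAN")
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain || !strings.HasPrefix(id.Path, agentIDPrefix) {
		return "", fmt.Errorf("%q is not an agent ID in trust domain %s", id, trustDomain)
	}
	return id.String(), nil
}

// mintCert is a fixture helper: it generates a P-256 key and issues tmpl for it, signed
// by parent (self-signed when parent is nil). Constructed input only, so it panics.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse the DER we just produced
	return cert, key
}

// fixture is constructed test material: a trusted CA, an agent SVID it issued,
// and a look-alike SVID for the same SPIFFE ID from an untrusted CA.
type fixture struct {
	Roots        *x509.CertPool
	Agent, Rogue *x509.Certificate
	IssuedAt     time.Time
}

func newFixture() *fixture {
	issued := time.Date(2019, 2, 12, 0, 0, 0, 0, time.UTC)
	agentID, _ := url.Parse("spiffe://" + trustDomain + agentIDPrefix + "x509pop/0123abcd") // assumed ID
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: issued, NotAfter: issued.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	leafTmpl := func(serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), URIs: []*url.URL{agentID},
			NotBefore: issued, NotAfter: issued.Add(time.Hour), // agent SVIDs are short-lived
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	ca, caKey := mintCert(caTmpl(1, "trusted CA"), nil, nil)
	agent, _ := mintCert(leafTmpl(2), ca, caKey)
	rogueCA, rogueKey := mintCert(caTmpl(3, "rogue CA"), nil, nil)
	rogue, _ := mintCert(leafTmpl(4), rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &fixture{Roots: roots, Agent: agent, Rogue: rogue, IssuedAt: issued}
}

func main() {
	f := newFixture()
	for _, at := range []time.Time{f.IssuedAt.Add(time.Minute), f.IssuedAt.Add(2 * time.Hour)} {
		id, err := verifyAgentSVID(f.Agent, nil, f.Roots, at)
		fmt.Printf("agent SVID re-checked %v after issuance: id=%q err=%v\n", at.Sub(f.IssuedAt), id, err)
	}
}
```

The same SVID passes one minute after issuance and fails two hours later, which is exactly the case a handshake-only check misses on a long-lived connection; the look-alike SVID from the rogue CA fails with an unknown-authority error regardless of time. When the agent sends intermediates, pass them as a pool in the second argument and Go builds the path from those plus the roots.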

0.7.0

09 Nov 01:44
ee42b81
  • JWT Support (#616)
  • Workload API now returns intermediate chains (#611)
  • UNIX attestor now returns binary path and sha256 (#590)
  • UNIX attestor now returns effective user and group name (#589)
  • Node API now rate-limits expensive calls (#577)
  • Soft delete disabled in SQL datastore plugin (#560)
  • Basic federation support (#559, #563, #581, #582)
  • Kubernetes node attestor (#557)
  • AWS node resolver builtin (#554)
  • Azure node attestor (#551)
  • Azure node resolver (#553)
  • KeyManager plugin interface for server (#539)
  • Disk-based KeyManager server plugin (#532)
  • x509pop now supports intermediate chains (#524)
  • Fix bug that resulted in some SVIDs outliving CA (#520)
  • Let agent fail over to different server on failure (#561)
  • Node attestors can now return selectors (#516)
  • Improved SPIFFE ID validation (#513, #515)

0.6.2

12 Sep 21:01
  • Support for Azure node attestation (#551)
  • Support for Azure node resolution (#553)
  • Updated DNS resolution to support DNS-based HA failover (#561)
  • Updated x509pop challenge to strengthen against signature replay attacks (#562)
  • Removed sql plugin soft delete for better space management (#560)
  • Performance improvements and bugfixes in sql plugin (#564)
  • Support for HTTP/HTTPS CONNECT proxies (#568, #585)
  • Updated Node API to perform rate limiting (#577)

0.6.1

27 Jul 17:44
23ba8c8
  • Fixed SVID renewal bug (#520)
  • Support separate file for intermediates in x509pop node attestor (#524)
  • Allow node attestors to provide supplemental selectors (#516)
  • ServerCA "memory" can now optionally persist keys to disk (#532)
  • Config file updates so spire commands can be run from any CWD (#541)
  • Minor doc/example fixes (#535)

0.6.0

26 Jun 21:31
3eb514e
  • Added GCP Instance Identity Token (IIT) node attestation.
  • Added X509 Proof-of-Possession node attestation.
  • Added challenge/response support to node attestation API.
  • SQL datastore plugin renamed. Now includes support for PostgreSQL.
  • Improved k8s workload attestation resilience.
  • Lots of bug fixes.
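The X.509 proof-of-possession attestor added here works by challenge/response, and 0.6.2 (#562) hardened that challenge against signature replay. The Go program below is an added illustration of the property those two entries describe, not SPIRE's x509pop plugin: the server issues a random single-use nonce bound to the public key the agent presented, the agent signs a digest over a fixed label, the nonce and its own key, and the server removes the nonce the moment it is presented. A captured (nonce, signature) pair therefore cannot be replayed, cannot be transplanted onto another key, and cannot be used after the challenge's TTL. The Attestor/Challenge/Respond/Verify names, the challenge label and newAgentKey are assumptions made for the example; validating the agent's certificate chain against the trusted CA, which a real attestor does before issuing the challenge, is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// challengeLabel is an assumed domain-separation string for the signed message.
const challengeLabel = "x509pop-challenge-v1"

type pending struct {
	pub     *ecdsa.PublicKey // key the challenge was issued for
	expires time.Time
}

// Attestor is the server side of the proof-of-possession exchange.
type Attestor struct {
	mu      sync.Mutex
	pending map[string]pending // keyed by hex(nonce)
	ttl     time.Duration
}

func NewAttestor(ttl time.Duration) *Attestor {
	return &Attestor{pending: map[string]pending{}, ttl: ttl}
}

// Challenge issues a fresh, single-use 32-byte nonce for the presented key.
func (a *Attestor) Challenge(pub *ecdsa.PublicKey, now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	a.pending[hex.EncodeToString(nonce)] = pending{pub: pub, expires: now.Add(a.ttl)}
	return nonce, nil
}

// challengeDigest binds the signature to the label, the nonce and the agent's own key.
func challengeDigest(nonce []byte, pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(challengeLabel))
	h.Write(nonce)
	h.Write([]byte(pub.Curve.Params().Name))
	h.Write(elliptic.MarshalCompressed(pub.Curve, pub.X, pub.Y))
	return h.Sum(nil)
}

// Respond is the agent side: sign the challenge with the certificate's private key.
func Respond(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, challengeDigest(nonce, &key.PublicKey))
}

// Verify consumes the challenge. The nonce is removed before any check runs, so the
// same (nonce, signature) pair is never accepted twice; it must also be unexpired
// and have been issued for exactly this key.
func (a *Attestor) Verify(pub *ecdsa.PublicKey, nonce, sig []byte, now time.Time) error {
	k := hex.EncodeToString(nonce)
	a.mu.Lock()
	p, ok := a.pending[k]
	delete(a.pending, k)
	a.mu.Unlock()
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	if now.After(p.expires) {
		return errors.New("challenge expired")
	}
	if !p.pub.Equal(pub) {
		return errors.New("challenge was issued for a different key")
	}
	if !ecdsa.VerifyASN1(pub, challengeDigest(nonce, pub), sig) {
		return errors.New("signature does not prove possession of the key")
	}
	return nil
}

// newAgentKey stands in for the private key behind an agent's x509pop certificate.
func newAgentKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	srv, agent, now := NewAttestor(time.Minute), newAgentKey(), time.Now()
	nonce, _ := srv.Challenge(&agent.PublicKey, now)
	sig, _ := Respond(agent, nonce)
	fmt.Println("first presentation:", srv.Verify(&agent.PublicKey, nonce, sig, now))
	fmt.Println("replayed:          ", srv.Verify(&agent.PublicKey, nonce, sig, now))
}
```

Deleting the nonce before checking the signature is deliberate: a failed attempt consumes the challenge too, so an attacker cannot keep guessing against one nonce, and the server never has to remember signatures it has already seen.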

0.5.1

03 May 16:53
2a923b7

0.5

05 Apr 22:14
766aad7

New:

  • #320 Builtin plugins should be statically linked
  • #356 Refactor Cache Manager and introduce subscriber
  • #357 Implement Workload fetchX509SVID handler
  • #355 Add a configurable option to distribute the full chain
  • #393 Add a new feature to spire-server to print to standard output the server's bundle in PEM format

Documentation

  • #339 Fix workload registration instructions on README.md
  • #98 CA plugins: validate configuration values in Configure()

Build

  • #70 Basic run-time startup tests

0.4

02 Feb 01:18
868fe12

New:

  • #234 The spire-server command line interface now supports reading, updating and deleting registration entries in addition to creating them
  • #308 spire-server now rotates the SVID it uses to authenticate itself to spire-agents
  • #310 spire-server SQLite datastore plugin now persists state to disk
  • #321 Unified config file format for spire-server and spire-agent

Bugs:

  • #326 Workloads fail to receive identity when using AWS Node Resolver plugin
  • #335 Setting a plugin to enabled = false causes SIGSEGV

Documentation:

  • HOWTO: Write a plugin