SPIRE
v1.15.0SecuritySPIRE v1.15.0 adds HashiCorp Vault key management, rootless Podman support, and PROXY protocol rate limiting, while promoting sigstore attestation out of experimental. One CLI JSON output change requires attention before upgrading.
breakingAudit CLI JSON consumers before upgrading
The CLI no longer wraps objects in slices when printing JSON output. Any scripts, pipelines, or tools that parse SPIRE CLI JSON output will likely break — they expected arrays and will now get single objects. Audit all automation that calls spire-server or spire-agent CLI with JSON output flags before rolling this out. Test in a non-production environment first.
breakingUpdate metric dashboards for 'bootstrapped' label rename
The metric label 'bootstraped' (one 'p') was corrected to 'bootstrapped'. Any Prometheus queries, Grafana dashboards, or alerting rules referencing the old misspelled label will silently stop matching after upgrade. Find and update all references before deploying v1.15.0.
enhancementMigrate to HashiCorp Vault Key Manager if your org already runs Vault
If your team already operates HashiCorp Vault, the new Vault Key Manager plugin lets you consolidate key storage there instead of managing a separate AWS KMS or Azure Key Vault setup. This is particularly useful for on-prem or multi-cloud deployments where cloud-native KMS options are awkward. Review the plugin configuration docs and plan a key migration window — existing keys in other backends won't auto-migrate.
enhancementPromote sigstore attestation to production workloads
Sigstore-based attestation in both the k8s and docker attestors is now stable. If you've been holding off due to the experimental flag, this is the release to enable it for production. Verify your signing workflows are compatible and enable the feature in staging first to confirm selector behavior matches expectations.
主な変更 (6)
- HashiCorp Vault Key Manager plugin added — new option for key storage alongside existing AWS KMS and Azure Key Vault backends
- CLI JSON output breaking change: objects are no longer wrapped in slices, which will break any tooling parsing the current format
- sigstore support in k8s and docker attestors is now stable (out of experimental) — safe to use in production
- Docker workload attestor now handles rootless Podman, expanding coverage for non-root container runtimes
- GCP IIT node attestor no longer requires 'use_instance_metadata: true' to get service account email — simplifies GCP configs
- Metric label typo fixed: 'bootstraped' renamed to 'bootstrapped' — update any dashboards or alerts using this label