Added

• Debug endpoints (#1792)
• Agent support for SDS v3 API (#1906)
• Improved metrics handling (#1885, #1925, #1932)
• Significantly improved performance related to performing agent authorization lookups (#1859, #1896, #1943, #1944, #1956)
• Database indexes to attested node columns (#1912)
• Support for configuring Vault roles, namespaces, and re-authentication to the Vault UpstreamAuthority plugin (#1871, #1981)
• Support for non-renewable Vault tokens to the Vault UpstreamAuthority plugin (#1965)
• Delete mode for federated bundles to the bundle API (#1897)
• The CLI now reads JSON from STDIN for entry create/update commands (#1905)
• Support for multiple CA bundle files in x509pop (#1949)
• Added ExpiresAt to entry show output (#1973)
• Added k8s_psat:agent_node_ip selector (#1979)

Changed

• The agent now shuts down when it is no longer attested (#1797)
• Internals now rely on new server APIs (#1849, #1878, #1907, #1908, #1909, #1913, #1947, #1982, #1998, #2001)
• Workload API now returns a standardized JWKS object (#1904)
• Log message casing and punctuation are more consistent with project guidelines (#1950, #1952)

Deprecated

• The Registration and Node APIs are deprecated, and a warning is logged on use (#1997)
• The registration_api configuration section is deprecated in favor of server_api in the k8s-workload-registrar (#2001)

Removed

• Removed some superfluous or otherwise unusable metrics and labels (#1881, #1946, #2004)

Fixed

• Fixed CLI exit codes when entry create or update fails (#1990)
• Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (#1962)
• Fixed handling of the Vault PKI certificate chain (#2012, #2017)
• Fixed a bug that could cause some gRPC libraries to fail to connect to the server over HTTP/2 (#1968)
• Fixed Registration API to validate selector syntax (#1919)

Security

• JWT-SVIDs that fail validation are no longer logged (#1953)