From 2d8f2af91b207ddb618d53696b50800bf5388ebc Mon Sep 17 00:00:00 2001 From: Leonard Cohnen Date: Mon, 12 Sep 2022 15:17:27 +0200 Subject: [PATCH] prepare release v2.0.0 --- CHANGELOG.md | 195 +-------------------------- internal/config/images_enterprise.go | 4 +- internal/versions/versions.go | 10 +- 3 files changed, 11 insertions(+), 198 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba57534fa..308f7c0e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,38 +22,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- Support Linux arm64 and macOS (arm64 and amd64) for Constellation CLI. -- Create multiple load balancers to enable load balacing TCP traffic for different backend services. All load balancers currently share the same public IP address. -- Improve rollback on GCP resource termination. You can now terminate multiple times. -- Implement SSH peer to peer distribution between debugd nodes. -- GCP service account can now be managed manually. -- Azure resource group can now be managed manually and can be resused after termination. -- Azure Active Directory client credentials can now be managed manually. -- Resources on Azure are now tagged with the UID of the constellation. -- CoreOS images are publicly available for Azure. -- GCP: Support for higher end N2D standard (128 & 224 vCPUs), *high-mem* and *high-cpu* VMs -- Add `constellation upgrade` to update node images in Constellation. -- Add cilium v1.12.1 with strict mode v2 -- Konnectivity is now deployed for secure API server to node/pod/service communication. - ### Changed -- Use IP from Constellation ID file in init and verify instead of IPs from state file. -- Terminate now deletes all resources found within the given resource group. -- Change cdbg to use load balancer for deploy. -- cdbg now uses the Constellation config directly and does not require any extra config -- Azure CVMs are attested using SNP attestation -- Replaced kube-proxy with cilium -- VM instance types are now defined in the config, not via a CLI argument -- Config has a `debugCluster` flag required to enable debugd ingress firewall rules and create the required load balancer. ### Deprecated ### Removed -- Azure Trusted Launch instance types with 2 CPUs (SMT disabled due to Retbleed (CVE-2022-29900)). -- cdbg: Custom systemd service deployment -- No user configurable `ingressFirewall` and `egressFirewall` in the config ### Fixed @@ -61,171 +36,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Internal -## [1.5.0] - 2022-08-19 +## [2.0.0] - 2022-09-12 -### Added +Initial release of Constellation. -- Kubernetes operator for Constellation nodes with ability to update node images. -- CoreOS images are publicly available for GCP. -- Cilium strict pod2pod encryption. -- Add a configurable list of enforced measurements to the config. If an expected measurement can not be verified during attestation, but it is not in the list of enforced measurements, only a warning is logged. -- License check during init - -### Changed - -- Use Azure CVMs instead of Trusted Launch VMs. -- Parallel resource creation on Azure. - -### Fixed - -- Fix timeout issue during cilium installation. - -### Internal - -- Run e2e tests on all supported versions. -- Run e2e tests on latest debug images, instead of release image. -- Upgrade Azure SDK - -## [1.4.0] - 2022-08-02 - -### Added - -- Publish measurements for each released coreos-image. -- `constellation config fetch-measurements` to download and verify measurements, and writing them into the config file. -- Configurable Kubernetes version through an entry in `constellation-config.yaml`. -- Kubernetes version 1.24 support. -- Kubernetes version 1.22 support. -- Log disk UUID to cloud logging for recovery. -- Configurable disk type for Azure and GCP. -- Create Kubernetes CA signed kubelet certificates on activation. -- Salt key derivation. -- Integrity protection of state disks. - -### Changed - -- Nodes add themselves to the cluster after `constellation init` is done. Previously, nodes were asked to join the cluster by the bootstrapper. -- Owner ID and Unique ID are merged into a single value: Cluster ID. -- Streamline logging to only use one logging library, instead of multiple. -- Replace dependency on github.com/willdonnelly/passwd with own implementation. -- Refactor disk-mapper to allow a more streamlined node recovery - -### Removed - -- User facing WireGuard VPN. - -### Fixed - -- Correctly wait for `bootstrapper` to come online during `constellation init`. - -## [1.3.1] - 2022-07-11 - -### Changed - -- Update default CoreOS image to latest version (1657199013). - -### Fixed - -- Add load balancer path to Azure deployment so that PCR values can be read. -- Show correct version number in `constellation version`. - -### Removed - -- Support for Azure `Standard_*_v3` types. - -## [1.3.0] - 2022-07-05 - -### Added - -- Early boot logging for GCP and Azure. [[Docs]](https://docs.edgeless.systems/constellation/workflows/troubleshooting#cloud-logging) -- `constellation-access-manager` allows users to manage SSH users over a ConfigMap. Enables persistent and dynamic management of SSH users on multiple nodes, even after a reboot. [[Docs]](https://docs.edgeless.systems/constellation/workflows/ssh) -- GCP-native Kubernetes load balancing. [[Docs]](https://docs.edgeless.systems/constellation/architecture/networking) -- `constellation version` prints more information to aid in troubleshooting. [[Docs]](https://docs.edgeless.systems/constellation/reference/cli#constellation-version) -- Standard logging for all services and CLI, allows users to control output in a consistent manner. -- `constellation-id.json` in Constellation workspace now holds cluster IDs, to reduce required arguments in Constellation commands, e.g., `constellation verify`. - -### Changed - -- New `constellation-activation-service` offloads Kubernetes node activation from monolithic Coordinator to Kubernetes native micro-service. [[ReadMe]](https://github.com/edgelesssys/constellation/blob/main/activation/README.md) -- Improve user-friendliness of error messages in Constellation CLI. -- Move verification from extracting attestation statements out of aTLS handshake to a dedicated `verify-service` in Kubernetes with gRPC and HTTP endpoints. -- `constellation create` and `constellation verify` do not require specifying the provider anymore (automatically parsed from config) - -### Security - -- GCP WireGuard encryption via cilium. - -### Internal - -- Refactore folder structure of repository to better reflect `internal` implementation and public API. -- Extend `goleak` checks to all tests. - -## [1.2.0] - 2022-06-02 - -### Changed - -- Replace flannel CNI with Cilium. - -## [1.1.0] - 2022-06-02 - -### Added - -- CLI - - Command `constellation recover` to re-initialize a completely stopped cluster. - - Command `constellation config generate` to generate a default configuration file for a specific cloud provider. -- CSI - - Option to enable dm-integrity in a StorageClass. - - Support volume expansion. - - Support volume snapshots. -- KMS - - Deploy Key Management Service (KMS) in Constellation clusters to handle key derivation. -- Option to add SSH users on init. - -### Changed - -- CLI UX - - `constellation create` now requires a configuration file. The usual workflow is to run `constellation config generate` first. - - Consistent command format with at most one argument and named flags otherwise. - - Display usage when invalid arguments are passed. - - Add list of instance types to command help. - - Wording tweaks. -- CLI config - - Rename dev-config to config. - - Change format to YAML. - - Make it self-documenting. - - Validation. - - Rename *PCRs* to *Measurements*. - -### Removed - -- Support for non-CVMs on GCP. - -### Fixed - -- Pin Kubernetes version deployed by `kubeadm init`. - -### Security - -- Replace single, never expiring Kubernetes join token with expiring unique tokens. -- Apply CIS benchmark for kubeadm clusterconf and kubelet conf. -- Enable Kubernetes audit log. - -### Internal - -- Create GCP images in `constellation-images` project so that they can be shared with customers. -- Add customer onboarding docs. -- Add E2E test as Github Action. -- Improvements to local QEMU testing. -- Preparations for mutual ATLS. - -## [1.0.0] - 2022-04-28 - -Initial release of Constellation. With underlying WireGuard and Kubernetes compliant. - -[Unreleased]: https://github.com/edgelesssys/constellation/compare/v1.5.0...HEAD -[1.5.0]: https://github.com/edgelesssys/constellation/compare/v1.4.0...v1.5.0 -[1.4.0]: https://github.com/edgelesssys/constellation/compare/v1.3.1...v1.4.0 -[1.3.1]: https://github.com/edgelesssys/constellation/compare/v1.3.0...v1.3.1 -[1.3.0]: https://github.com/edgelesssys/constellation/compare/v1.2.0...v1.3.0 -[1.2.0]: https://github.com/edgelesssys/constellation/compare/v1.1.0...v1.2.0 -[1.1.0]: https://github.com/edgelesssys/constellation/compare/v1.0.0...v1.1.0 -[1.0.0]: https://github.com/edgelesssys/constellation/releases/tag/v1.0.0 +[Unreleased]: https://github.com/edgelesssys/constellation/compare/v2.0.0...HEAD +[2.0.0]: https://github.com/edgelesssys/constellation/releases/tag/v2.0.0 diff --git a/internal/config/images_enterprise.go b/internal/config/images_enterprise.go index 7597b9545..4f6a525a0 100644 --- a/internal/config/images_enterprise.go +++ b/internal/config/images_enterprise.go @@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only package config const ( - DefaultImageAzure = "/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/0.0.1" - DefaultImageGCP = "projects/constellation-images/global/images/constellation-v0-0-1" + DefaultImageAzure = "/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/2.0.0" + DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-0-0" ) diff --git a/internal/versions/versions.go b/internal/versions/versions.go index d97bf0d05..05679e6e5 100644 --- a/internal/versions/versions.go +++ b/internal/versions/versions.go @@ -45,13 +45,13 @@ const ( // These images are built in a way that they support all versions currently listed in VersionConfigs. KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.32" KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32" - JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v0.0.2-0.20220909145031-b6c06735c313" - AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v0.0.1" - KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v0.0.2-0.20220909145031-b6c06735c313" - VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v0.0.2-0.20220831181049-47d4c9e30423" + JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.0.0" + AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.0.0" + KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.0.0" + VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.0.0" GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220713.00" NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog" - NodeOperatorVersion = "v0.0.2-0.20220902144959-2f871578b2db" + NodeOperatorVersion = "v2.0.0" // TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog // once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved. NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog"