prepare release v2.0.0

2025-06-07 06:03:05 -04:00 · 2022-09-12 15:17:27 +02:00 · 2022-09-12 15:17:27 +02:00 · 2d8f2af91b
commit 2d8f2af91b
parent 4a6b99d2f4
3 changed files with 11 additions and 198 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,38 +22,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Support Linux arm64 and macOS (arm64 and amd64) for Constellation CLI.
 - Create multiple load balancers to enable load balacing TCP traffic for different backend services. All load balancers currently share the same public IP address.
 - Improve rollback on GCP resource termination. You can now terminate multiple times.
 - Implement SSH peer to peer distribution between debugd nodes.
 - GCP service account can now be managed manually.
 - Azure resource group can now be managed manually and can be resused after termination.
 - Azure Active Directory client credentials can now be managed manually.
 - Resources on Azure are now tagged with the UID of the constellation.
 - CoreOS images are publicly available for Azure.
 - GCP: Support for higher end N2D standard (128 & 224 vCPUs), *high-mem* and *high-cpu* VMs
 - Add `constellation upgrade` to update node images in Constellation.
 - Add cilium v1.12.1 with strict mode v2
 - Konnectivity is now deployed for secure API server to node/pod/service communication.
 ### Changed
 <!-- For changes in existing functionality.  -->
 - Use IP from Constellation ID file in init and verify instead of IPs from state file.
 - Terminate now deletes all resources found within the given resource group.
 - Change cdbg to use load balancer for deploy.
 - cdbg now uses the Constellation config directly and does not require any extra config
 - Azure CVMs are attested using SNP attestation
 - Replaced kube-proxy with cilium
 - VM instance types are now defined in the config, not via a CLI argument
 - Config has a `debugCluster` flag required to enable debugd ingress firewall rules and create the required load balancer.
 ### Deprecated
 <!-- For soon-to-be removed features. -->
 ### Removed
 <!-- For now removed features. -->
 - Azure Trusted Launch instance types with 2 CPUs (SMT disabled due to Retbleed (CVE-2022-29900)).
 - cdbg: Custom systemd service deployment
 - No user configurable `ingressFirewall` and `egressFirewall` in the config
 ### Fixed
@ -61,171 +36,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- In case of vulnerabilities. -->
 ### Internal
-## [1.5.0] - 2022-08-19
+## [2.0.0] - 2022-09-12
-### Added
+Initial release of Constellation.
- Kubernetes operator for Constellation nodes with ability to update node images.
+[Unreleased]: https://github.com/edgelesssys/constellation/compare/v2.0.0...HEAD
- CoreOS images are publicly available for GCP.
+[2.0.0]: https://github.com/edgelesssys/constellation/releases/tag/v2.0.0
 - Cilium strict pod2pod encryption.
 - Add a configurable list of enforced measurements to the config. If an expected measurement can not be verified during attestation, but it is not in the list of enforced measurements, only a warning is logged.
 - License check during init
 ### Changed
 - Use Azure CVMs instead of Trusted Launch VMs.
 - Parallel resource creation on Azure.
 ### Fixed
 - Fix timeout issue during cilium installation.
 ### Internal
 - Run e2e tests on all supported versions.
 - Run e2e tests on latest debug images, instead of release image.
 - Upgrade Azure SDK
 ## [1.4.0] - 2022-08-02
 ### Added
 - Publish measurements for each released coreos-image.
 - `constellation config fetch-measurements` to download and verify measurements, and writing them into the config file.
 - Configurable Kubernetes version through an entry in `constellation-config.yaml`.
 - Kubernetes version 1.24 support.
 - Kubernetes version 1.22 support.
 - Log disk UUID to cloud logging for recovery.
 - Configurable disk type for Azure and GCP.
 - Create Kubernetes CA signed kubelet certificates on activation.
 - Salt key derivation.
 - Integrity protection of state disks.
 ### Changed
 - Nodes add themselves to the cluster after `constellation init` is done. Previously, nodes were asked to join the cluster by the bootstrapper.
 - Owner ID and Unique ID are merged into a single value: Cluster ID.
 - Streamline logging to only use one logging library, instead of multiple.
 - Replace dependency on github.com/willdonnelly/passwd with own implementation.
 - Refactor disk-mapper to allow a more streamlined node recovery
 ### Removed
 - User facing WireGuard VPN.
 ### Fixed
 - Correctly wait for `bootstrapper` to come online during `constellation init`.
 ## [1.3.1] - 2022-07-11
 ### Changed
 - Update default CoreOS image to latest version (1657199013).
 ### Fixed
 - Add load balancer path to Azure deployment so that PCR values can be read.
 - Show correct version number in `constellation version`.
 ### Removed
 - Support for Azure `Standard_*_v3` types.
 ## [1.3.0] - 2022-07-05
 ### Added
 - Early boot logging for GCP and Azure. [[Docs]](https://docs.edgeless.systems/constellation/workflows/troubleshooting#cloud-logging)
 - `constellation-access-manager` allows users to manage SSH users over a ConfigMap. Enables persistent and dynamic management of SSH users on multiple nodes, even after a reboot. [[Docs]](https://docs.edgeless.systems/constellation/workflows/ssh)
 - GCP-native Kubernetes load balancing. [[Docs]](https://docs.edgeless.systems/constellation/architecture/networking)
 - `constellation version` prints more information to aid in troubleshooting. [[Docs]](https://docs.edgeless.systems/constellation/reference/cli#constellation-version)
 - Standard logging for all services and CLI, allows users to control output in a consistent manner.
 - `constellation-id.json` in Constellation workspace now holds cluster IDs, to reduce required arguments in Constellation commands, e.g., `constellation verify`.
 ### Changed
 - New `constellation-activation-service` offloads Kubernetes node activation from monolithic Coordinator to Kubernetes native micro-service. [[ReadMe]](https://github.com/edgelesssys/constellation/blob/main/activation/README.md)
 - Improve user-friendliness of error messages in Constellation CLI.
 - Move verification from extracting attestation statements out of aTLS handshake to a dedicated `verify-service` in Kubernetes with gRPC and HTTP endpoints.
 - `constellation create` and `constellation verify` do not require specifying the provider anymore (automatically parsed from config)
 ### Security
 - GCP WireGuard encryption via cilium.
 ### Internal
 - Refactore folder structure of repository to better reflect `internal` implementation and public API.
 - Extend `goleak` checks to all tests.
 ## [1.2.0] - 2022-06-02
 ### Changed
 - Replace flannel CNI with Cilium.
 ## [1.1.0] - 2022-06-02
 ### Added
 - CLI
  - Command `constellation recover` to re-initialize a completely stopped cluster.
  - Command `constellation config generate` to generate a default configuration file for a specific cloud provider.
 - CSI
  - Option to enable dm-integrity in a StorageClass.
  - Support volume expansion.
  - Support volume snapshots.
 - KMS
  - Deploy Key Management Service (KMS) in Constellation clusters to handle key derivation.
 - Option to add SSH users on init.
 ### Changed
 - CLI UX
  - `constellation create` now requires a configuration file. The usual workflow is to run `constellation config generate` first.
  - Consistent command format with at most one argument and named flags otherwise.
  - Display usage when invalid arguments are passed.
  - Add list of instance types to command help.
  - Wording tweaks.
 - CLI config
  - Rename dev-config to config.
  - Change format to YAML.
  - Make it self-documenting.
  - Validation.
  - Rename *PCRs* to *Measurements*.
 ### Removed
 - Support for non-CVMs on GCP.
 ### Fixed
 - Pin Kubernetes version deployed by `kubeadm init`.
 ### Security
 - Replace single, never expiring Kubernetes join token with expiring unique tokens.
 - Apply CIS benchmark for kubeadm clusterconf and kubelet conf.
 - Enable Kubernetes audit log.
 ### Internal
 - Create GCP images in `constellation-images` project so that they can be shared with customers.
 - Add customer onboarding docs.
 - Add E2E test as Github Action.
 - Improvements to local QEMU testing.
 - Preparations for mutual ATLS.
 ## [1.0.0] - 2022-04-28
 Initial release of Constellation. With underlying WireGuard and Kubernetes compliant.
 [Unreleased]: https://github.com/edgelesssys/constellation/compare/v1.5.0...HEAD
 [1.5.0]: https://github.com/edgelesssys/constellation/compare/v1.4.0...v1.5.0
 [1.4.0]: https://github.com/edgelesssys/constellation/compare/v1.3.1...v1.4.0
 [1.3.1]: https://github.com/edgelesssys/constellation/compare/v1.3.0...v1.3.1
 [1.3.0]: https://github.com/edgelesssys/constellation/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/edgelesssys/constellation/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/edgelesssys/constellation/compare/v1.0.0...v1.1.0
 [1.0.0]: https://github.com/edgelesssys/constellation/releases/tag/v1.0.0
--- a/internal/config/images_enterprise.go
+++ b/internal/config/images_enterprise.go
@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 const (
-	DefaultImageAzure = "/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/0.0.1"
+	DefaultImageAzure = "/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/2.0.0"
-	DefaultImageGCP   = "projects/constellation-images/global/images/constellation-v0-0-1"
+	DefaultImageGCP   = "projects/constellation-images/global/images/constellation-v2-0-0"
 )
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@ -45,13 +45,13 @@ const (
 	// These images are built in a way that they support all versions currently listed in VersionConfigs.
 	KonnectivityAgentImage   = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.32"
 	KonnectivityServerImage  = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32"
-	JoinImage                = "ghcr.io/edgelesssys/constellation/join-service:v0.0.2-0.20220909145031-b6c06735c313"
+	JoinImage                = "ghcr.io/edgelesssys/constellation/join-service:v2.0.0"
-	AccessManagerImage       = "ghcr.io/edgelesssys/constellation/access-manager:v0.0.1"
+	AccessManagerImage       = "ghcr.io/edgelesssys/constellation/access-manager:v2.0.0"
-	KmsImage                 = "ghcr.io/edgelesssys/constellation/kmsserver:v0.0.2-0.20220909145031-b6c06735c313"
+	KmsImage                 = "ghcr.io/edgelesssys/constellation/kmsserver:v2.0.0"
-	VerificationImage        = "ghcr.io/edgelesssys/constellation/verification-service:v0.0.2-0.20220831181049-47d4c9e30423"
+	VerificationImage        = "ghcr.io/edgelesssys/constellation/verification-service:v2.0.0"
 	GcpGuestImage            = "ghcr.io/edgelesssys/gcp-guest-agent:20220713.00"
 	NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog"
-	NodeOperatorVersion      = "v0.0.2-0.20220902144959-2f871578b2db"
+	NodeOperatorVersion      = "v2.0.0"
 	// TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog
 	// once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved.
 	NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog"