# Changelog

All notable changes to Constellation will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

- Environment variable `CONSTELL_AZURE_CLIENT_SECRET_VALUE` as an alternative way to provide the configuration value `provider.azure.clientSecretValue`.
- Automatic CSI driver deployment for Azure and GCP during `constellation init`.
- Improved reproducibility by pinning the Kubernetes components.
- Client verification during `constellation init`.
- The CLI is released in accordance with SLSA Level 3 requirements.

### Changed

- Constellation operators are now deployed using Helm.
- Updated the config version to v2. Check [how to migrate your config](https://constellation-docs.edgeless.systems/constellation/next/reference/config-migration).
- OS images are now configured globally in the `images` field of the configuration file.
- The `measurements` entry now uses an updated format that merges the old `enforcedMeasurements` and `measurements` fields into one.
- Expected measurements in the config and Constellation's cluster ID are now hex encoded by default. Base64 is still supported.

### Deprecated

### Removed

- `access-manager` was removed from the code base. The Kubernetes-native way to SSH into nodes is documented instead.
- `SSHUsers` has been removed from the user configuration following the removal of `access-manager`.
- Azure Trusted Launch support. It may come back in the future.

### Fixed

### Security

## [2.2.2] - 2022-11-17

### Fixed

- `constellation create` on GCP now always uses the local default credentials.
- A release process error encountered in v2.2.1. It led to a broken QEMU-based Constellation deployment, where PCR[8] didn't match.
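Two of the config changes listed under Unreleased above are easy to get wrong when migrating a config by hand: expected measurements are now hex encoded by default while base64 remains accepted, and the old `enforcedMeasurements` and `measurements` fields are merged into one entry. The following Go program is an added example and not Constellation's own code: it decodes a PCR value in either encoding and compares a set of expected values against reported PCRs, treating each mismatch as fatal or warn-only per entry. The `Measurement` type, its `WarnOnly` field, the `Compare` function and the 32-byte SHA-256 digest length are assumptions made for this example; the sample values are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Measurement is a hypothetical representation of one expected PCR value in a
// merged format: the expected value plus whether a mismatch is only a warning.
// It stands in for separate "measurements" and "enforcedMeasurements" lists and
// is not Constellation's own config type.
type Measurement struct {
	Expected [32]byte // SHA-256 PCR bank value (assumption: 32-byte digests)
	WarnOnly bool     // false: mismatch is fatal; true: mismatch only warns
}

// DecodeMeasurement accepts a PCR value as hex (the default) or base64 (still
// accepted) and returns the raw 32 bytes. Hex is tried first; a base64 encoding
// of 32 bytes is 44 characters and ends in "=", so the two cannot be confused.
func DecodeMeasurement(s string) ([32]byte, error) {
	var out [32]byte
	s = strings.TrimSpace(s)
	raw, err := hex.DecodeString(s)
	if err != nil {
		raw, err = base64.StdEncoding.DecodeString(s)
		if err != nil {
			return out, fmt.Errorf("measurement %q is neither valid hex nor base64", s)
		}
	}
	if len(raw) != len(out) {
		return out, fmt.Errorf("measurement %q decodes to %d bytes, want %d", s, len(raw), len(out))
	}
	copy(out[:], raw)
	return out, nil
}

// Compare checks reported PCR values against the expected ones. Mismatches (or
// missing PCRs) on enforced entries are collected into the returned error;
// mismatches on warn-only entries are returned as warnings instead.
func Compare(expected map[uint32]Measurement, actual map[uint32][32]byte) (warnings []string, err error) {
	idx := make([]uint32, 0, len(expected))
	for i := range expected {
		idx = append(idx, i)
	}
	sort.Slice(idx, func(a, b int) bool { return idx[a] < idx[b] })

	var failures []string
	for _, i := range idx {
		want := expected[i]
		got, ok := actual[i]
		if ok && got == want.Expected {
			continue
		}
		msg := fmt.Sprintf("PCR[%d]: expected %x, got %x", i, want.Expected, got)
		if !ok {
			msg = fmt.Sprintf("PCR[%d]: expected %x, but no value was reported", i, want.Expected)
		}
		if want.WarnOnly {
			warnings = append(warnings, msg)
		} else {
			failures = append(failures, msg)
		}
	}
	if len(failures) > 0 {
		return warnings, fmt.Errorf("measurement verification failed:\n  %s", strings.Join(failures, "\n  "))
	}
	return warnings, nil
}

func main() {
	// Constructed sample values, not real Constellation measurements.
	hexVal := strings.Repeat("11", 32)
	b64Val := strings.Repeat("ERER", 10) + "ERE=" // the same 32 bytes, base64-encoded
	fromHex, _ := DecodeMeasurement(hexVal)
	fromB64, _ := DecodeMeasurement(b64Val)
	fmt.Println("hex and base64 decode to the same value:", fromHex == fromB64)

	expected := map[uint32]Measurement{
		4: {Expected: fromHex, WarnOnly: false}, // enforced
		8: {Expected: fromHex, WarnOnly: true},  // warn-only
	}
	actual := map[uint32][32]byte{4: fromHex, 8: {0xAA}}
	warnings, err := Compare(expected, actual)
	fmt.Println("warnings:", warnings, "error:", err)
}
```

Trying hex before base64 is safe here only because of the length check: any 64-character hex string decodes to 32 bytes, and a base64 string that happens to consist solely of hex characters would have to be 64 characters long and decode to 48 bytes, which the length check rejects.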
## [2.2.1] - 2022-11-16

### Changed

- Increased the timeout for `constellation config fetch-measurements` from 3 seconds to 60 seconds.
- Consistently log CLI warnings and errors to `stderr`.

### Security

Vulnerabilities in `kube-apiserver` fixed by upgrading to v1.23.14, v1.24.8 and v1.25.4:

- [CVE-2022-3162](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3162)
- [CVE-2022-3294](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3294)

## [2.2.0] - 2022-11-08

### Added

- Sign generated SBOMs and store container image SBOMs in the registry for easier usage.
- Support for Constellation on AWS.
- Constellation Kubernetes services are now managed using Helm.
- Tag all applicable Azure resources with the Constellation's UID.
- Label all applicable GCP resources with the Constellation's UID.

### Changed

- Verify measurements using the [Rekor](https://github.com/sigstore/rekor) transparency log.
- `constellation create` on Azure now uses Terraform to create and destroy cloud resources.
- Constellation OS images are now based directly on Fedora and are built using [mkosi](https://github.com/systemd/mkosi).
- `constellation terminate` now prompts the user for confirmation before destroying any resources (can be skipped with `--yes`).
- Use the `constellation-role` tag instead of `role` to indicate an instance's role on Azure.
- Use labels instead of metadata to apply the `constellation-uid` and `constellation-role` tags on GCP.

### Deprecated

- `access-manager` is no longer deployed.

### Removed

- `endpoint` flag of `constellation init`. The IP is now always taken from the `constellation-id.json` file.
- The `constellation-state.json` file is no longer created. Resources are now managed through Terraform.
### Fixed

### Security

### Internal

## [2.1.0] - 2022-10-07

### Added

- MiniConstellation: try out Constellation locally, with no cloud subscription required, using a single command: `constellation mini up`
- Load balancer for control-plane recovery.
- Kubernetes conformance mode.
- Local cluster creation based on QEMU.
- Verification of Azure Trusted Launch attestation keys.
- Kubernetes version v1.25 is now fully supported.
- Enabled Konnectivity.

### Changed

- Autoscaling is now managed directly inside Kubernetes by the Constellation node operator.
- `constellation create` on GCP now uses Terraform to create and destroy cloud resources.
- GCP instances are now created without public IPs by default.
- The default Kubernetes version used by Constellation is now v1.24.

### Deprecated

### Removed

- CLI options for autoscaling, as this is now managed inside Kubernetes.
- Kubernetes version v1.22 is no longer supported.

### Fixed

### Security

Vulnerabilities in the Go standard library fixed by updating to Go 1.19.2:

- [GO-2022-1037](https://pkg.go.dev/vuln/GO-2022-1037) ([CVE-2022-2879](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2879))
- [GO-2022-1038](https://pkg.go.dev/vuln/GO-2022-1038) ([CVE-2022-2880](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2880))
- [GO-2022-0969](https://pkg.go.dev/vuln/GO-2022-0969) ([CVE-2022-27664](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27664))

### Internal

## [2.0.0] - 2022-09-12

Initial release of Constellation.

[Unreleased]: https://github.com/edgelesssys/constellation/compare/v2.2.2...HEAD
[2.2.2]: https://github.com/edgelesssys/constellation/compare/v2.2.1...v2.2.2
[2.2.1]: https://github.com/edgelesssys/constellation/compare/v2.2.0...v2.2.1
[2.2.0]: https://github.com/edgelesssys/constellation/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/edgelesssys/constellation/compare/v2.0.0...v2.1.0
[2.0.0]: https://github.com/edgelesssys/constellation/releases/tag/v2.0.0