mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
6.0 KiB
6.0 KiB
Changelog
All notable changes to Constellation will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Unreleased
Added
-
Environment variable
CONSTELL_AZURE_CLIENT_SECRET_VALUE
as an alternative way to provide the configuration valueprovider.azure.clientSecretValue
. -
Automatic CSI driver deployment for Azure and GCP during Constellation init
-
Improve reproducibility by pinning the Kubernetes components.
-
Client verification during
constellation init
-
Release CLI with SLSA Level 3 requirements.
Changed
- Constellation operators are now deployed using Helm.
- Updated the config version to v2. Check how to migrate your config.
- OS images are now configured globally in the
images
field of the configuration file. - The
measurements
entry in the CLI now uses an updated format, mergingenforcedMeasurements
and oldmeasurements
into one - Expected measurements in the config and Constellation's Cluster-ID are now hex encoded by default. Base64 is still supported.
Deprecated
Removed
access-manager
was removed from code base. K8s native way to SSH into nodes documented.SSHUsers
has been removed from the user configuration following the removal ofaccess-manager
.- Azure Trusted Launch support. May come back in the future.
Fixed
Security
Fixed
constellation create
on GCP now always uses the local default credentials.
[2.2.2] - 2022-11-17
Fixed
constellation create
on GCP now always uses the local default credentials.- A release process error encountered in v2.2.1. This led to a broken QEMU-based Constellation deployment, where PCR[8] didn't match.
[2.2.1] - 2022-11-16
Changed
- Increase timeout for
constellation config fetch-measurements
from 3 seconds to 60 seconds. - Consistently log CLI warnings and errors to
stderr
.
Security
Vulnerabilities in kube-apiserver
fixed by upgrading to v1.23.14, v1.24.8 and v1.25.4:
[2.2.0] - 2022-11-08
Added
- Sign generated SBOMs and store container image SBOMs in registry for easier usage.
- Support for Constellation on AWS.
- Constellation Kubernetes services are now managed using Helm.
- Use tags to mark all applicable resources using a Constellation's UID on Azure.
- Use labels to mark all applicable resources using a Constellation's UID on GCP.
Changed
- Verify measurements using Rekor transparency log.
- The
constellation create
on Azure now uses Terraform to create and destroy cloud resources. - Constellation OS images are now based on Fedora directly and are built using mkosi.
constellation terminate
will now prompt the user for confirmation before destroying any resources (can be skipped with--yes
).- Use the
constellation-role
tag instead ofrole
to indicate an instance's role on Azure. - Use labels instead of metadata to apply the
constellation-uid
andconstellation-role
tags on GCP.
Deprecated
access-manager
is no longer deployed.
Removed
endpoint
flag ofconstellation init
. IP is now always taken from theconstellation-id.json
file.constellation-state.json
file won't be created anymore. Resources are now managed through Terraform.
Fixed
Security
Internal
2.1.0 - 2022-10-07
Added
- MiniConstellation: Try out Constellation locally without any cloud subscription required just with one command:
constellation mini up
- Loadbalancer for control-plane recovery
- K8s conformance mode
- Local cluster creation based on QEMU
- Verification of Azure trusted launch attestation keys
- Kubernetes version v1.25 is now fully supported.
- Enabled Konnectivity.
Changed
- Autoscaling is now directly managed inside Kubernetes, by the Constellation node operator.
- The
constellation create
on GCP now uses Terraform to create and destroy cloud resources. - GCP instances are now created without public IPs by default.
- Kubernetes default version used in Constellation is now v1.24.
Deprecated
Removed
- CLI options for autoscaling, as this is now managed inside Kubernetes.
- Kubernetes version v1.22 is no longer supported.
Fixed
Security
Vulnerability inside the Go standard library fixed by updating to Go 1.19.2:
Internal
2.0.0 - 2022-09-12
Initial release of Constellation.