constellation/CHANGELOG.md

Changelog

All notable changes to Constellation will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Added

• Kubernetes version is configured through an entry in constellation-config.yaml.
• Kubernetes version 1.24 is now supported.

Changed

• Nodes add themselves to the cluster after constellation init is done

• Owner ID and Unique ID merged into a single value: Cluster ID

Deprecated

Removed

• User facing WireGuard VPN

Fixed

• Correctly wait for bootstrapper to come online in constellation init

Security

• Create Kubernetes CA signed kubelet certificates on activation.

Internal

1.3.1 - 2022-07-11

Changed

• Update default CoreOS image to latest version (1657199013).

Fixed

• Add load balancer path to Azure deployment so that PCR values can be read.
• Show correct version number in constellation version.

Removed

• Support for Azure Standard_*_v3 types.

1.3.0 - 2022-07-05

Added

• Early boot logging for GCP and Azure. [Docs]
• constellation-access-manager allows users to manage SSH users over a ConfigMap. Enables persistent and dynamic management of SSH users on multiple nodes, even after a reboot. [Docs]
• GCP-native Kubernetes load balancing. [Docs]
• constellation version prints more information to aid in troubleshooting. [Docs]
• Standard logging for all services and CLI, allows users to control output in a consistent manner.
• constellation-id.json in Constellation workspace now holds cluster IDs, to reduce required arguments in Constellation commands, e.g., constellation verify.

Changed

• New constellation-activation-service offloads Kubernetes node activation from monolithic Coordinator to Kubernetes native micro-service. [ReadMe]
• Improve user-friendliness of error messages in Constellation CLI.
• Move verification from extracting attestation statements out of aTLS handshake to a dedicated verify-service in Kubernetes with gRPC and HTTP endpoints.

Security

• GCP WireGuard encryption via cilium.

Internal

• Refactore folder structure of repository to better reflect internal implementation and public API.
• Extend goleak checks to all tests.

1.2.0 - 2022-06-02

Changed

• Replace flannel CNI with Cilium.

1.1.0 - 2022-06-02

Added

• CLI
  • Command constellation recover to re-initialize a completely stopped cluster.
  • Command constellation config generate to generate a default configuration file for a specific cloud provider.
• CSI
  • Option to enable dm-integrity in a StorageClass.
  • Support volume expansion.
  • Support volume snapshots.
• KMS
  • Deploy Key Management Service (KMS) in Constellation clusters to handle key derivation.
• Option to add SSH users on init.

Changed

• CLI UX
  • constellation create now requires a configuration file. The usual workflow is to run constellation config generate first.
  • Consistent command format with at most one argument and named flags otherwise.
  • Display usage when invalid arguments are passed.
  • Add list of instance types to command help.
  • Wording tweaks.
• CLI config
  • Rename dev-config to config.
  • Change format to YAML.
  • Make it self-documenting.
  • Validation.
  • Rename PCRs to Measurements.

Removed

• Support for non-CVMs on GCP.

Fixed

• Pin Kubernetes version deployed by kubeadm init.

Security

• Replace single, never expiring Kubernetes join token with expiring unique tokens.
• Apply CIS benchmark for kubeadm clusterconf and kubelet conf.
• Enable Kubernetes audit log.

Internal

• Create GCP images in constellation-images project so that they can be shared with customers.
• Add customer onboarding docs.
• Add E2E test as Github Action.
• Improvements to local QEMU testing.
• Preparations for mutual ATLS.

1.0.0 - 2022-04-28

Initial release of Constellation. With underlying WireGuard and Kubernetes compliant.