v2.5.0

Hints

• Azure is currently rolling out a new ID key on Azure CVMs. Therefore constellation-init may report an invalid idkeydigest. To circumvent the problem, add under the key idKeyDigest in your constellation-conf.yaml an additional value:
  934f68bd8ba01938eec21475c872e3a942b60c59fafc6df9e9a76ee66bc47f2d09c676f61c0315c578da26085fb13a71
  We're working on a permanent solution for this.

What's Changed

🎁 New features

• cli: add --generate-config flag to constellation iam create command, which creates a config file with IAM values filled in by @msanft in #782
• image: enable serial console access for MiniConstellation to simplify troubleshooting by @malt3 in #964
• azure: allow a set of idkeydigest values by @3u13r in #991

🐛 Bug fixes

• upgrade: fix broken reference from constellation-os to constellation-version by @datosh in #939
• cli: remove registry_auth for Docker Terraform module by @Nirusu in #957
• cli: use non-authoritative methods to manage iam policy memberships by @malt3 in #989
• image: fix "ignored null byte in input" warning on AWS by @Nirusu in #998
• cli: fix Terraform resource group dependencies on Azure by @msanft in #1048

🔧 Other changes

• ci: build reproducible container images with ko by @leongross in #871
• kms: rename kms to keyservice by @derpsteb in #943
• cli: debug: various improvements by @Nirusu in #995
• docs: explain how to use Terraform for create/terminate by @3u13r in #1037
• config: detailed validation errors for k8s version by @derpsteb in #1018

Full Changelog: v2.4.0...v2.5.0

v2.4.0

Hints

• Azure is currently rolling out a new ID key on Azure CVMs. Therefore constellation-init may report an invalid idkeydigest. To circumvent the problem change the key idKeyDigest in your constellation-conf.yaml to the new value: 0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3
• The original SBOM for the CLI uploaded with this release is invalid. The SBOMs for container images in the registry are unaffected by this issue. We uploaded a corrected for the CLI SBOM with the extension .fixed. below. We keep the original ones uploaded with .original. to keep the provenance valid. In doubt, you can independently generate a SBOM of all components using Syft.

What's Changed

🎁 New features

• kubernetes: add support for v1.26; set default version to v1.25 by @katexochen in #775
• cli: add verbose logging with --debug flag by @osintalex in #809

🐛 Bug fixes

• join: make Azure instance names k8s compliant by @3u13r in #807
• image: fix disk performance degradation on Azure by downgrading kernel by @malt3 in #862

🔧 Other changes

• cli: add microservice upgrades behind hidden flags by @derpsteb in #729
• Move Konnectivity socket to non-persistent /run by @Nirusu in #819
• Add upgrade agent for automatic version updates by @stdoutput in #745
• upgrade: support Kubernetes components by @3u13r in #839
• operator: add kubernetes cluster version to constellation-version by @3u13r in #865
• cli: create local backups before microservice upgrades by @derpsteb in #847
• cli: ask user to confirm cert-manager upgrades by @derpsteb in #853
• operator: reconcile Kubernetes cluster version by @3u13r in #879

New Contributors

• @osintalex made their first contribution in #809

Full Changelog: v2.3.0...v2.4.0

v2.3.0

Changes

Added

• constellation iam create can be used to automatically create service accounts and set permissions for Constellation
• Automatic CSI driver deployment for Azure and GCP during Constellation init
• Release CLI with SLSA Level 3 requirements.
• Improve reproducibility by pinning the Kubernetes components.
• Client verification during constellation init
• Environment variable CONSTELL_AZURE_CLIENT_SECRET_VALUE as an alternative way to provide the configuration value provider.azure.clientSecretValue.

Changed

• Constellation operators are now deployed using Helm.
• Updated the config version to v2. Check how to migrate your config.
• OS images are now configured globally in the images field of the configuration file.
• The measurements entry in the CLI now uses an updated format, merging enforcedMeasurements and old measurements into one
• Expected measurements in the config and Constellation's Cluster-ID are now hex encoded by default. Base64 is still supported.

Removed

• access-manager was removed from code base. K8s native way to SSH into nodes documented.
• SSHUsers has been removed from the user configuration following the removal of access-manager.
• Azure Trusted Launch support. May come back in the future.

Fixed

• constellation create on GCP now always uses the local default credentials.

v2.2.2

Fixed

• constellation create on GCP now always uses the local default credentials.
• A release process error encountered in v2.2.1. This led to a broken QEMU-based Constellation deployment, where PCR[8] didn't match.

Hint

• The original SBOM uploaded with this release lists more packages than shipped in the built version of the CLI. This may create false positives with vulnerability scanners. Please consider using the .new. SBOM file uploaded. In doubt, you can independently generate a SBOM of all components using Syft.

v2.2.1

⚠️ The default config for QEMU-based cluster creation is broken in this release. Please upgrade to v2.2.2.

Changed

• Increase timeout for constellation config fetch-measurements from 3 seconds to 60 seconds.
• Consistently log CLI warnings and errors to stderr.

Security

Vulnerabilities in kube-apiserver fixed by upgrading to v1.23.14, v1.24.8 and v1.25.4:

• CVE-2022-3162
• CVE-2022-3294

v2.2.0

Added

• Support for Constellation on AWS.
• Sign generated SBOMs and store container image SBOMs in registry for easier usage.
• Constellation Kubernetes services are now managed using Helm.
• Use tags to mark all applicable resources using a Constellation's UID on Azure.
• Use labels to mark all applicable resources using a Constellation's UID on GCP.

Changed

• Verify measurements using Rekor transparency log.
• The constellation create on Azure now uses Terraform to create and destroy cloud resources.
  • This is a breaking change. Cluster created with a CLI at version v2.1.0 or older cannot be terminated using the v2.2.0 CLI
• Constellation OS images are now based on Fedora directly and are built using mkosi.
• constellation terminate will now prompt the user for confirmation before destroying any resources (can be skipped with --yes).
• Use the constellation-role tag instead of role to indicate an instance's role on Azure. This is a breaking change for existing clusters.
• Use labels instead of metadata to apply the constellation-uid and constellation-role tags on GCP. This is a breaking change for existing clusters.

Deprecated

• access-manager is no longer deployed.

Removed

• endpoint flag of constellation init. IP is now always taken from the constellation-id.json file.
• constellation-state.json file won't be created anymore. Resources are now managed through Terraform.

v2.1.0

Added

• Mini Constellation: Try out Constellation locally without any cloud subscription required just with one command: constellation mini up
• Loadbalancer for control-plane recovery
• K8s conformance mode
• Local cluster creation based on QEMU
• Verification of Azure trusted launch attestation keys
• Kubernetes version v1.25 is now fully supported.
• Enabled Konnectivity.

Changed

• Autoscaling is now directly managed inside Kubernetes, by the Constellation node operator.
• The constellation create on GCP now uses Terraform to create and destroy cloud resources.
• GCP instances are now created without public IPs by default.
• Kubernetes default version used in Constellation is now v1.24.

Removed

• CLI options for autoscaling, as this is now managed inside Kubernetes.
• Kubernetes version v1.22 is no longer supported.

Security

Vulnerability inside the Go standard library fixed by updating to Go 1.19.2:

• GO-2022-1037 (CVE-2022-2879)
• GO-2022-1038 (CVE-2022-2880)
• GO-2022-0969 (CVE-2022-27664)

View all changes

v2.0.0

This is the initial Open Source release of Constellation!