Edgelesssys Constellation Versions Save

What's Changed

🛠 Breaking changes

• config: remove deprecated upgradeConfig and require name and microserviceVersion fields by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1541

🎁 New features

• attestation: add options to the EnforceIDKeyDigest config field to enable Microsoft Azure Attestation fallback when verifying AMD SNP-SEV id key digest by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1257
• cli: upgrade apply now allows upgrading measurements only by @derpsteb in https://github.com/edgelesssys/constellation/pull/1432
• config: deprecate confidentialVM config option for Azure clusters in favor of attestationVariant by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1539
• docs: list minimal permissions set required for Constellation setup by @msanft in https://github.com/edgelesssys/constellation/pull/1442
• cli: add status command to print upgrade and version status of cluster by @derpsteb in https://github.com/edgelesssys/constellation/pull/1520
• cli: show available cli upgrades with upgrade check command by @msanft in https://github.com/edgelesssys/constellation/pull/1394
• cli: print attestation document during verification with constellation verify by @msanft in https://github.com/edgelesssys/constellation/pull/1577

🐛 Bug fixes

• bootstrapper: mitigate timeout issue during Cilium deployment by @Nirusu in https://github.com/edgelesssys/constellation/pull/1403
• cli: prevent double initialization in cases where an error was mistakenly retried by @Nirusu in https://github.com/edgelesssys/constellation/pull/1404
• cli: fix upgrade apply for image-only upgrades by @derpsteb in https://github.com/edgelesssys/constellation/pull/1468
• ci: correctly determine PCR5 value by measuring it during build time by @derpsteb in https://github.com/edgelesssys/constellation/pull/1521

🔧 Other changes

• attestation: create issuer based on kernel cmd line by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1355
• docs: embedd asciinema casts by @datosh in https://github.com/edgelesssys/constellation/pull/1154
• cli: only create resource backups if upgrade is executed by @derpsteb in https://github.com/edgelesssys/constellation/pull/1437
• cli: grant Azure user-assigned managed identities all permissions previously granted to app registration by @malt3 in https://github.com/edgelesssys/constellation/pull/1334
• experimental support for OpenStack by @malt3 in https://github.com/edgelesssys/constellation/pull/1443
• cli: warn about missing support for upgrades on AWS, OpenStack, QEMU by @derpsteb in https://github.com/edgelesssys/constellation/pull/1518

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.6.0...v2.7.0

What's Changed

🛡 Security improvements

• Fix a vulnerability where an attacker with access to the victim's cloud subscription could gain code execution on a booting node through the initramfs emergency shell. See the accompanying security advisory for more information.

🎁 New features

• cli: refactor upgrade commands to support Kubernetes, microservice and image upgrades. Previously only supported image upgrades by @derpsteb in https://github.com/edgelesssys/constellation/pull/1109, https://github.com/edgelesssys/constellation/pull/1160
• cli: add iam destroy command to delete resources created by iam create by @miampf in https://github.com/edgelesssys/constellation/pull/946
• cli: add basic support for constellation create on OpenStack by @malt3 in https://github.com/edgelesssys/constellation/pull/1283
• Enable cryptsetup read/write workqueue bypass by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1150
• cli: add option to automatically merge new Constellation kubeconfig file into default configuration at $HOME/.kube/config on init by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1136
• init: create kubeconfig file with unique user/cluster name by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1133
• cli: add --kubernetes flag to config generate to let CLI extend the correct Kubernetes patch version by @derpsteb in https://github.com/edgelesssys/constellation/pull/1226
• cli: add --kubernetes flag to iam create (when used with --create-config) by @Nirusu in https://github.com/edgelesssys/constellation/pull/1326
• cli: add config kubernetes-versions subcommand to print supported Kubernetes versions by @derpsteb in https://github.com/edgelesssys/constellation/pull/1224
• ci: build microservices reproducibly using ko by @leongross in https://github.com/edgelesssys/constellation/pull/1108
• apko: build apko base images with fixed packages by @katexochen in https://github.com/edgelesssys/constellation/pull/1090
• join-service: more logging on error by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1076
• cli: add debug logging to iam create command by @msanft in https://github.com/edgelesssys/constellation/pull/1127
• cli: add name of build type to version cmd output by @katexochen in https://github.com/edgelesssys/constellation/pull/1179
• cli: option to disable spinner via environment variable by @datosh in https://github.com/edgelesssys/constellation/pull/1207
• cli: add support for GCP C2D confidential VMs by @Nirusu in https://github.com/edgelesssys/constellation/pull/1225
• cli: add debug logging to attestation validator/issuer by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1262, https://github.com/edgelesssys/constellation/pull/1264
• image: add verbose service logging for debug images by @leongross in https://github.com/edgelesssys/constellation/pull/1159
• attestation: validate GCP machine state instead of PCR 0 by @thomasten in https://github.com/edgelesssys/constellation/pull/1343

🐛 Bug fixes

• config: fix digest naming by @3u13r in https://github.com/edgelesssys/constellation/pull/1064
• cli: set uid output for QEMU / MiniConstellation so Constellation on QEMU can be created correctly by @malt3 in https://github.com/edgelesssys/constellation/pull/1069
• terraform: make control-planes stateful on gcp so the control-plane does not break when VMs are stopped and later restarted by @3u13r in https://github.com/edgelesssys/constellation/pull/1087
• bootstrapper: retry helm chart installation so slow Konnectivity startup does not break cluster initialization by @derpsteb in https://github.com/edgelesssys/constellation/pull/1151
• cli: throw an error when executing iam create twice in the same workspace. This prevents cases where existing IAM resources are mistakenly rolled back by @msanft in https://github.com/edgelesssys/constellation/pull/1148
• cli: print previously hidden, but required GCP values (zone, region, projectID) to config/stdout when running iam create by @msanft in https://github.com/edgelesssys/constellation/pull/1149
• cli: fix pluralization in create output by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1209
• iam: correctly assign uami role to base resource group by @3u13r in https://github.com/edgelesssys/constellation/pull/1247
• bootstrapper: retry helm chart installation on connection refused errors by @3u13r in https://github.com/edgelesssys/constellation/pull/1245
• cli: allow existing config for IAM creation without --generate-config by @Nirusu in https://github.com/edgelesssys/constellation/pull/1285
• cli: upgrade libtpms in libvirt container by @malt3 in https://github.com/edgelesssys/constellation/pull/1338
• bootstrapper: stop join-client earlier by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1268
• bootstrapper: make sure InitServer is only shut down after Init has returned by @daniel-weisse in https://github.com/edgelesssys/constellation/pull/1347

🔧 Other changes

• versions: remove Kubernetes v1.23 by @katexochen in https://github.com/edgelesssys/constellation/pull/1080
• azure: add new idkeydigest by @3u13r in https://github.com/edgelesssys/constellation/pull/1094
• cli: enable jumbo frames for GCP VPCs by @Nirusu in https://github.com/edgelesssys/constellation/pull/1146
• cli: use pseudoversion and forward it into helm charts by @derpsteb in https://github.com/edgelesssys/constellation/pull/1281
• docs: add docs on general Terraform usage by @msanft in https://github.com/edgelesssys/constellation/pull/1263
• docs: adjust wording for resource provider troubleshooting by @Nirusu in https://github.com/edgelesssys/constellation/pull/1317
• docs: upgrade docs now reflect the new upgrade commands by @derpsteb in https://github.com/edgelesssys/constellation/pull/1331

New Contributors

• @miampf made their first contribution in https://github.com/edgelesssys/constellation/pull/946

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.0...v2.6.0

What's Changed

🐛 Bug fixes

• bootstrapper: retry helm chart installation on connection refused errors by @3u13r in https://github.com/edgelesssys/constellation/pull/1245
• bootstrapper: retry helm chart installation on timeout errors by @derpsteb in https://github.com/edgelesssys/constellation/pull/1151
• cli: check local dir before executing iam create to prevent erroneous rollback by @msanft in https://github.com/edgelesssys/constellation/pull/1148
• cli: print gcp values to stdout and config (optionally) when running iam create by @msanft in https://github.com/edgelesssys/constellation/pull/1149
• cli: correctly assign uami role to base resource group by @3u13r in https://github.com/edgelesssys/constellation/pull/1247
• cli: make control-planes stateful on gcp by @3u13r in https://github.com/edgelesssys/constellation/pull/1087
• cli: set required uid output for QEMU / MiniConstellation by @malt3 in https://github.com/edgelesssys/constellation/pull/1069

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.2...v2.5.3

What's Changed

:lock: Security

• aTLS: a bug was fixed where a malicious CSP insider could have used a MITM attack to gain control over the cluster during initialization. See the accompanying security advisory for more information.

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.1...v2.5.2

What's Changed

🐛 Bug fixes

• config: fix digest naming by @3u13r in https://github.com/edgelesssys/constellation/pull/1068
• cli: set placeholder uid for QEMU / MiniConstellation by @3u13r in https://github.com/edgelesssys/constellation/pull/1072

🔧 Other changes

• azure: add new idkeydigest (#1094) by @3u13r in https://github.com/edgelesssys/constellation/pull/1095

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.5.0...v2.5.1

Hints

• Azure is currently rolling out a new ID key on Azure CVMs. Therefore constellation-init may report an invalid idkeydigest. To circumvent the problem, add under the key idKeyDigest in your constellation-conf.yaml an additional value:
  934f68bd8ba01938eec21475c872e3a942b60c59fafc6df9e9a76ee66bc47f2d09c676f61c0315c578da26085fb13a71
  We're working on a permanent solution for this.

What's Changed

🎁 New features

• cli: add --generate-config flag to constellation iam create command, which creates a config file with IAM values filled in by @msanft in https://github.com/edgelesssys/constellation/pull/782
• image: enable serial console access for MiniConstellation to simplify troubleshooting by @malt3 in https://github.com/edgelesssys/constellation/pull/964
• azure: allow a set of idkeydigest values by @3u13r in https://github.com/edgelesssys/constellation/pull/991

🐛 Bug fixes

• upgrade: fix broken reference from constellation-os to constellation-version by @datosh in https://github.com/edgelesssys/constellation/pull/939
• cli: remove registry_auth for Docker Terraform module by @Nirusu in https://github.com/edgelesssys/constellation/pull/957
• cli: use non-authoritative methods to manage iam policy memberships by @malt3 in https://github.com/edgelesssys/constellation/pull/989
• image: fix "ignored null byte in input" warning on AWS by @Nirusu in https://github.com/edgelesssys/constellation/pull/998
• cli: fix Terraform resource group dependencies on Azure by @msanft in https://github.com/edgelesssys/constellation/pull/1048

🔧 Other changes

• ci: build reproducible container images with ko by @leongross in https://github.com/edgelesssys/constellation/pull/871
• kms: rename kms to keyservice by @derpsteb in https://github.com/edgelesssys/constellation/pull/943
• cli: debug: various improvements by @Nirusu in https://github.com/edgelesssys/constellation/pull/995
• docs: explain how to use Terraform for create/terminate by @3u13r in https://github.com/edgelesssys/constellation/pull/1037
• config: detailed validation errors for k8s version by @derpsteb in https://github.com/edgelesssys/constellation/pull/1018

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.4.0...v2.5.0

Hints

• Azure is currently rolling out a new ID key on Azure CVMs. Therefore constellation-init may report an invalid idkeydigest. To circumvent the problem change the key idKeyDigest in your constellation-conf.yaml to the new value: 0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3
• The original SBOM for the CLI uploaded with this release is invalid. The SBOMs for container images in the registry are unaffected by this issue. We uploaded a corrected for the CLI SBOM with the extension .fixed. below. We keep the original ones uploaded with .original. to keep the provenance valid. In doubt, you can independently generate a SBOM of all components using Syft.

What's Changed

🎁 New features

• kubernetes: add support for v1.26; set default version to v1.25 by @katexochen in https://github.com/edgelesssys/constellation/pull/775
• cli: add verbose logging with --debug flag by @osintalex in https://github.com/edgelesssys/constellation/pull/809

🐛 Bug fixes

• join: make Azure instance names k8s compliant by @3u13r in https://github.com/edgelesssys/constellation/pull/807
• image: fix disk performance degradation on Azure by downgrading kernel by @malt3 in https://github.com/edgelesssys/constellation/pull/862

🔧 Other changes

• cli: add microservice upgrades behind hidden flags by @derpsteb in https://github.com/edgelesssys/constellation/pull/729
• Move Konnectivity socket to non-persistent /run by @Nirusu in https://github.com/edgelesssys/constellation/pull/819
• Add upgrade agent for automatic version updates by @stdoutput in https://github.com/edgelesssys/constellation/pull/745
• upgrade: support Kubernetes components by @3u13r in https://github.com/edgelesssys/constellation/pull/839
• operator: add kubernetes cluster version to constellation-version by @3u13r in https://github.com/edgelesssys/constellation/pull/865
• cli: create local backups before microservice upgrades by @derpsteb in https://github.com/edgelesssys/constellation/pull/847
• cli: ask user to confirm cert-manager upgrades by @derpsteb in https://github.com/edgelesssys/constellation/pull/853
• operator: reconcile Kubernetes cluster version by @3u13r in https://github.com/edgelesssys/constellation/pull/879

New Contributors

• @osintalex made their first contribution in https://github.com/edgelesssys/constellation/pull/809

Full Changelog: https://github.com/edgelesssys/constellation/compare/v2.3.0...v2.4.0

Changes

Added

• constellation iam create can be used to automatically create service accounts and set permissions for Constellation
• Automatic CSI driver deployment for Azure and GCP during Constellation init
• Release CLI with SLSA Level 3 requirements.
• Improve reproducibility by pinning the Kubernetes components.
• Client verification during constellation init
• Environment variable CONSTELL_AZURE_CLIENT_SECRET_VALUE as an alternative way to provide the configuration value provider.azure.clientSecretValue.

Changed

• Constellation operators are now deployed using Helm.
• Updated the config version to v2. Check how to migrate your config.
• OS images are now configured globally in the images field of the configuration file.
• The measurements entry in the CLI now uses an updated format, merging enforcedMeasurements and old measurements into one
• Expected measurements in the config and Constellation's Cluster-ID are now hex encoded by default. Base64 is still supported.

Removed

• access-manager was removed from code base. K8s native way to SSH into nodes documented.
• SSHUsers has been removed from the user configuration following the removal of access-manager.
• Azure Trusted Launch support. May come back in the future.

Fixed

• constellation create on GCP now always uses the local default credentials.

Fixed

• constellation create on GCP now always uses the local default credentials.
• A release process error encountered in v2.2.1. This led to a broken QEMU-based Constellation deployment, where PCR[8] didn't match.

Hint

• The original SBOM uploaded with this release lists more packages than shipped in the built version of the CLI. This may create false positives with vulnerability scanners. Please consider using the .new. SBOM file uploaded. In doubt, you can independently generate a SBOM of all components using Syft.

:warning: The default config for QEMU-based cluster creation is broken in this release. Please upgrade to v2.2.2.

Changed

• Increase timeout for constellation config fetch-measurements from 3 seconds to 60 seconds.
• Consistently log CLI warnings and errors to stderr.

Security

Vulnerabilities in kube-apiserver fixed by upgrading to v1.23.14, v1.24.8 and v1.25.4:

• CVE-2022-3162
• CVE-2022-3294