Releases: edgelesssys/constellation

v2.10.0

16 Aug 06:46

What's Changed

🛠 Breaking changes

  • Use new aws-load-balancer-controller to fix SecurityGroup cleanup on K8s service deletion by @elchead in #2090
  • cli: add --workspace flag to set base directory for Constellation workspace by @daniel-weisse in #2148

🎁 New features

  • Create additional node groups with custom instance types, disk settings and independent scaling #2152
  • Placement of node groups in different zones for high availability #2152
  • Enable volume snapshot support if CSI drivers are deployed to the cluster by @daniel-weisse in #1964
  • bootstrapper: add fallback endpoint and custom endpoint to apiserver certificate SAN field by @malt3 in #2108
  • cli: add iam upgrade apply by @elchead in #2132
  • cli: output CSI driver versions on status by @daniel-weisse in #2128
  • cli: print vcek certificate extensions and snp attestation report during verify by @katexochen in #2140
  • cli: add maa token to the output of verify command by @katexochen in #2172

🐛 Bug fixes

  • cli: do not recreate the OS disk during upgrade by keeping the Azure ConfidentialVM setting by @malt3 in #2113
  • image: fix deadlock on boot by using AWS linux kernel by @daniel-weisse in #2115
  • disk-mapper: allow rebooted but uninitialized node to join the cluster by @daniel-weisse in #2083
  • cli: do not recreate LB IP during 2.9 upgrade on Azure by @derpsteb in #2117
  • image: synchronize time via ntp by @malt3 in #2118
  • cli: retry during upgrade when node image update fails due to conflict error by @elchead in #2123
  • cli: fix version check for CSI chart by @daniel-weisse in #2209

Full Changelog: v2.9.0...v2.10.0

v2.9.1

20 Jul 16:08

What's Changed

🐛 Bug fixes

  • cli: do not recreate the OS disk during upgrade by keeping the Azure ConfidentialVM setting by @malt3 in #2113
  • image: fix deadlock on boot on AWS by using the AWS Linux kernel by @daniel-weisse in #2115
  • cli: do not recreate LB IP during 2.9 upgrade on Azure by @derpsteb in #2117
  • image: synchronize time via ntp by @malt3 in #2118

Full Changelog: v2.9.0...v2.9.1

v2.9.0

14 Jul 13:48

What's Changed

🛠 Breaking changes

  • config: drop support for the deprecated Azure service principal authentication by @elchead in #1906
  • cli: change generate-config flag to update-config flag by @miampf in #1897

🎁 New features

  • attestation: add awsSEVSNP as new variant by @derpsteb in #1900
  • cli: status shows attestation config by @elchead in #2056
  • experimental Windows variant of the Constellation cli by @malt3 in #2075
  • config: support 'latest' as TCB version value for Azure SEV-SNP by @elchead in #1899

🐛 Bug fixes

  • bootstrapper: fix 'cannot re-use a name that is still in use' error during init by @daniel-weisse in #1977

🔧 Other changes

  • cli: store upgrade files in versioned folders by @msanft in #1929
  • cli: upgrade apply --force skips all compatibility checks by @elchead in #1940
  • cli: deploy aws csi driver per default by @msanft in #1981
  • csi: add required policies for aws csi driver by @msanft in #1945
  • cli: fail fast when CLI and Constellation versions don't match by @elchead in #1972
  • docs: explain the role of PCR[10] and why it is not reproducible by @malt3 in #2011

Full Changelog: v2.8.0...v2.9.0

v2.8.0

07 Jun 08:04

What's Changed

🎁 New features

  • Terraform log support by @msanft in #1620
  • OpenStack service type loadbalancer (yawol) by @malt3 in #1705
  • deps: add Kubernetes v1.27, remove Kubernetes v1.24 by @katexochen in #1669
  • cli: OpenStack encrypted csi block storage (cinder) by @m1ghtym0 in #1771
  • cli: new flag to set the attestation type for config generate by @elchead in #1769
  • Add autoscaling and cluster upgrade support for AWS by @3u13r in #1758
  • cli: Terraform migrations on upgrade by @msanft in #1685

🐛 Bug fixes

  • cli: fix misleading error while applying kubernetes-only upgrade by @derpsteb in #1630

Full Changelog: v2.7.1...v2.8.0

v2.7.1

04 May 16:32

What's Changed

🐛 Bug fixes

  • fix broken configuration generation in the macOS CLI by @malt3 in #1632
  • cli: fix misleading error while applying kubernetes-only upgrade by @derpsteb in #1630
  • cli: fix constellation iam destroy error on Azure by force-deleting resource group by @msanft in #1667
  • upgrade: fix 2.6 -> 2.7 migration for 2.7.1 patch by @derpsteb in #1649
  • cli: create namespaced folders for upgrade backups in upgrade apply by @derpsteb in #1702

Full Changelog: v2.7.0...v2.7.1

v2.7.0

04 Apr 17:07

What's Changed

🛠 Breaking changes

  • config: remove deprecated upgradeConfig and require name and microserviceVersion fields by @daniel-weisse in #1541

🎁 New features

  • attestation: add options to the EnforceIDKeyDigest config field to enable Microsoft Azure Attestation fallback when verifying the AMD SEV-SNP ID key digest by @daniel-weisse in #1257
  • cli: upgrade apply now allows upgrading measurements only by @derpsteb in #1432
  • config: deprecate confidentialVM config option for Azure clusters in favor of attestationVariant by @daniel-weisse in #1539
  • docs: list minimal permissions set required for Constellation setup by @msanft in #1442
  • cli: add status command to print upgrade and version status of cluster by @derpsteb in #1520
  • cli: show available cli upgrades with upgrade check command by @msanft in #1394
  • cli: print attestation document during verification with constellation verify by @msanft in #1577

🐛 Bug fixes

  • bootstrapper: mitigate timeout issue during Cilium deployment by @Nirusu in #1403
  • cli: prevent double initialization in cases where an error was mistakenly retried by @Nirusu in #1404
  • cli: fix upgrade apply for image-only upgrades by @derpsteb in #1468
  • ci: correctly determine PCR5 value by measuring it during build time by @derpsteb in #1521

🔧 Other changes

  • attestation: create issuer based on kernel cmd line by @daniel-weisse in #1355
  • docs: embed asciinema casts by @datosh in #1154
  • cli: only create resource backups if upgrade is executed by @derpsteb in #1437
  • cli: grant Azure user-assigned managed identities all permissions previously granted to app registration by @malt3 in #1334
  • experimental support for OpenStack by @malt3 in #1443
  • cli: warn about missing support for upgrades on AWS, OpenStack, QEMU by @derpsteb in #1518

Full Changelog: v2.6.0...v2.7.0

v2.6.0

09 Mar 08:51

What's Changed

🛡 Security improvements

  • Fix a vulnerability where an attacker with access to the victim's cloud subscription could gain code execution on a booting node through the initramfs emergency shell. See the accompanying security advisory for more information.

🎁 New features

  • cli: refactor upgrade commands to support Kubernetes, microservice and image upgrades (previously only image upgrades were supported) by @derpsteb in #1109, #1160
  • cli: add iam destroy command to delete resources created by iam create by @miampf in #946
  • cli: add basic support for constellation create on OpenStack by @malt3 in #1283
  • Enable cryptsetup read/write workqueue bypass by @daniel-weisse in #1150
  • cli: add option to automatically merge new Constellation kubeconfig file into default configuration at $HOME/.kube/config on init by @daniel-weisse in #1136
  • init: create kubeconfig file with unique user/cluster name by @daniel-weisse in #1133
  • cli: add --kubernetes flag to config generate to let CLI extend the correct Kubernetes patch version by @derpsteb in #1226
  • cli: add --kubernetes flag to iam create (when used with --create-config) by @Nirusu in #1326
  • cli: add config kubernetes-versions subcommand to print supported Kubernetes versions by @derpsteb in #1224
  • ci: build microservices reproducibly using ko by @leongross in #1108
  • apko: build apko base images with fixed packages by @katexochen in #1090
  • join-service: more logging on error by @daniel-weisse in #1076
  • cli: add debug logging to iam create command by @msanft in #1127
  • cli: add name of build type to version cmd output by @katexochen in #1179
  • cli: option to disable spinner via environment variable by @datosh in #1207
  • cli: add support for GCP C2D confidential VMs by @Nirusu in #1225
  • cli: add debug logging to attestation validator/issuer by @daniel-weisse in #1262, #1264
  • image: add verbose service logging for debug images by @leongross in #1159
  • attestation: validate GCP machine state instead of PCR 0 by @thomasten in #1343

🐛 Bug fixes

  • config: fix digest naming by @3u13r in #1064
  • cli: set uid output for QEMU / MiniConstellation so Constellation on QEMU can be created correctly by @malt3 in #1069
  • terraform: make control-planes stateful on gcp so the control-plane does not break when VMs are stopped and later restarted by @3u13r in #1087
  • bootstrapper: retry helm chart installation so slow Konnectivity startup does not break cluster initialization by @derpsteb in #1151
  • cli: throw an error when executing iam create twice in the same workspace. This prevents cases where existing IAM resources are mistakenly rolled back by @msanft in #1148
  • cli: print previously hidden, but required GCP values (zone, region, projectID) to config/stdout when running iam create by @msanft in #1149
  • cli: fix pluralization in create output by @daniel-weisse in #1209
  • iam: correctly assign uami role to base resource group by @3u13r in #1247
  • bootstrapper: retry helm chart installation on connection refused errors by @3u13r in #1245
  • cli: allow existing config for IAM creation without --generate-config by @Nirusu in #1285
  • cli: upgrade libtpms in libvirt container by @malt3 in #1338
  • bootstrapper: stop join-client earlier by @daniel-weisse in #1268
  • bootstrapper: make sure InitServer is only shut down after Init has returned by @daniel-weisse in #1347

🔧 Other changes

  • versions: remove Kubernetes v1.23 by @katexochen in #1080
  • azure: add new idkeydigest by @3u13r in #1094
  • cli: enable jumbo frames for GCP VPCs by @Nirusu in #1146
  • cli: use pseudoversion and forward it into helm charts by @derpsteb in #1281
  • docs: add docs on general Terraform usage by @msanft in #1263
  • docs: adjust wording for resource provider troubleshooting by @Nirusu in #1317
  • docs: upgrade docs now reflect the new upgrade commands by @derpsteb in #1331

Full Changelog: v2.5.0...v2.6.0

v2.5.3

22 Feb 15:19

What's Changed

🐛 Bug fixes

  • bootstrapper: retry helm chart installation on connection refused errors by @3u13r in #1245
  • bootstrapper: retry helm chart installation on timeout errors by @derpsteb in #1151
  • cli: check local dir before executing iam create to prevent erroneous rollback by @msanft in #1148
  • cli: print gcp values to stdout and config (optionally) when running iam create by @msanft in #1149
  • cli: correctly assign uami role to base resource group by @3u13r in #1247
  • cli: make control-planes stateful on gcp by @3u13r in #1087
  • cli: set required uid output for QEMU / MiniConstellation by @malt3 in #1069

Full Changelog: v2.5.2...v2.5.3

v2.5.2

17 Feb 06:06

What's Changed

🔒 Security

  • aTLS: a bug was fixed where a malicious CSP insider could have used a MITM attack to gain control over the cluster during initialization. See the accompanying security advisory for more information.

Full Changelog: v2.5.1...v2.5.2

v2.5.1

30 Jan 10:23

What's Changed

🐛 Bug fixes

  • config: fix digest naming by @3u13r in #1068
  • cli: set placeholder uid for QEMU / MiniConstellation by @3u13r in #1072

Full Changelog: v2.5.0...v2.5.1