Releases: edgelesssys/contrast
v1.4.0
What's Changed
🎁 New features
🐛 Bug fixes
- microsoft.kata-image: refactor, fix reproducibility issue by @katexochen in #1172
- cli: inject contrast-secrets mount into initcontainers by @burgerdev in #1183
- service-mesh: blackhole traffic destined for the TPROXY port by @3u13r in #1171
🔧 Other changes
- microsoft.cloud-hypervisor: 38.0.72 -> 38.0.72.3 by @katexochen in #1138
- manifest: allow disabling the workload secret by @burgerdev in #1130
- initializer: add cryptsetup subcommand by @jmxnzo in #1153
📖 Documentation
- docs: remove docs for v0.5, v0.6, v0.7 by @katexochen in #1166
- docs: disable SSH access to AKS nodes by @katexochen in #1173
- docs: add docs on GPU support by @msanft in #1174
Full Changelog: v1.3.0...v1.4.0
v1.3.0
What's Changed
🎁 New features
- generate: support cronjobs by @katexochen in #1129
🐛 Bug fixes
- kuberesource: pin container images for emojivoto/mysql demo by hash by @katexochen in #1081
- attestation.snp: reflect dependency of validators on productLine in verify.Options by @jmxnzo in #1082
- release: publish runtime.yml for metal platforms by @katexochen in #1107
- cli: make default WorkloadSecretIDs unique per k8s object by @burgerdev in #1127
- service-mesh: test readiness with exec probe by @burgerdev in #1142
🔧 Other changes
- kds-cache: adjust cache expiration time to 9 months by @jmxnzo in #1080
- nixos/image: use erofs-utils' --hard-dereference flag by @katexochen in #1096
- attestation: add name to Validator as unique identifier by @jmxnzo in #1095
- kata.kata-runtime: 3.10.1 -> 3.12.0 by @katexochen in #1102
- service-mesh: pass args to envoy, set log level to debug by @katexochen in #1124
- microsoft.genpolicy: 3.2.0.azl1.genpolicy0 -> 3.2.0.azl1.genpolicy1 by @katexochen in #1128
- generate: add flag to skip service mesh injection by @katexochen in #1122
- nodeinstaller: add nydus-pull container by @davidweisse in #1103
- initializer: move cryptsetup image into initializer by @jmxnzo in #1132
- runtime: allow installation of multiple Contrast runtimes side-by-side by @burgerdev in #1156
Full Changelog: v1.2.0...v1.3.0
v1.2.1
What's Changed
🐛 Bug fixes
- [release/v1.2] kuberesource: pin container images for emojivoto/mysql demo by hash by @katexochen in #1084
- [release/v1.2] attestation.snp: reflect dependency of validators on productLine in verify.Options by @jmxnzo in #1097
- [release/v1.2] release: publish runtime.yml for metal platforms by @katexochen in #1109
Full Changelog: v1.2.0...v1.2.1
v1.2.0
What's Changed
🎁 New features
- platforms: introduce generic bare-metal platform by @katexochen in #1056
🐛 Bug fixes
- node-installer: has too little memory by @blenessy in #943
- node-installer: remove resource limits by @Freax13 in #948
- packages/contrast: prefix version string with v by @davidweisse in #954
- scripts: use coordinator rules/settings for bare metal by @katexochen in #999
- cli: pass environment variables to genpolicy by @burgerdev in #1033
- kata-msft: support images with VOLUME directives by @miampf in #996
- cli: fix nondeterministic policy generation by @elchead in #1053
- cli/genpolicy: never log existing policy annotation on 'debug' + handle missing log prefix by @jmxnzo in #1061
🔧 Other changes
- erofs: improve reproducibility of podvm images by @katexochen in #964
- kata: 3.9.0 -> 3.10.1 by @fidencio in #970
- cli: genpolicy logging: Add debug log level and repository reference to auth failure by @jmxnzo in #1044
- Add NixOS image for bare-metal Kata by @msanft in #1019
- kds-cache: add fallback cache for CRLs on request failure by @jmxnzo in #1050
- kata: support large ConfigMaps by @burgerdev in #1023
📖 Documentation
- docs: describe secure persistent volumes by @burgerdev in #932
- docs: add demo for workload secrets by @davidweisse in #1045
New Contributors
- @fidencio made their first contribution in #951
- @jmxnzo made their first contribution in #997
- @elchead made their first contribution in #1037
- @derpsteb made their first contribution in #1030
Full Changelog: v1.1.1...v1.2.0
v1.1.1
What's Changed
🐛 Bug fixes
- [release/v1.1] node-installer: remove resource limits by @katexochen in #1001
- [release/v1.1] scripts: use coordinator rules/settings for bare metal by @katexochen in #1000
- [release/v1.1] packages/contrast: prefix version string with v by @davidweisse in #1003
Full Changelog: v1.1.0...v1.1.1
v1.1.0
This release adds support for two new platforms: bare-metal SNP and bare-metal TDX, both for k3s. Check out the documentation on how to get started with Contrast on bare metal!
Also part of this release: workload secrets. These are provided by the Coordinator for each workload and can be used to secure state.
What's Changed
🛠 Breaking changes
- manifest: add CPU model (aka product name) to reference values by @Freax13 in #817
- Derive and pass workload secrets to initializer by @3u13r in #788
- Align policy hash verification between SNP and TDX by @burgerdev in #901
- allow reading logs by default by @Freax13 in #918
🎁 New features
- node-installer: run nydus snapshotter on bare metal platforms by @katexochen in #798
- treewide: allow multiple validators by @msanft in #783
🔧 Other changes
- microsoft.kata*: update to 3.2.0.azl2 / AKS 202406.19.0 by @katexochen in #823
- microsoft.kata-kernel-uvm: 6.1.0.mshv16 -> 6.1.58-mshv4 by @katexochen in #824
- kata.{kata-runtime,kata-agent,kata-image,genpolicy}: 3.7.0 -> 3.8.0 by @katexochen in #844
- AKS: use k8s version 1.30 by @blenessy in #880
- kata: 3.8.0 -> 3.9.0 by @katexochen in #896
📖 Documentation
- docs: update docs to include bare metal SNP by @Freax13 in #846
- docs: add instructions for bare-metal TDX by @Freax13 in #866
- docs: add security considerations by @burgerdev in #909
Upgrading
Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and set up a fresh Contrast deployment.
Full Changelog: v1.0.0...v1.1.0
v1.0.0
This release has feature parity with v0.9.0.
Full Changelog: v0.9.0...v1.0.0
v0.9.0
What's Changed
🛠 Breaking changes
- meshapi: follow best practice for metric names by @katexochen in #722
- genpolicy: hide logs by default by @Freax13 in #771
- manifest: add WorkloadSecretID field by @3u13r in #785
🎁 New features
- node-installer: configure and run tardev-snapshotter by @katexochen in #697
🐛 Bug fixes
- coordinator: use random key for intermediate CA by @burgerdev in #732
- telemetry: only send cli version by @miampf in #751
- cli: always write the coordinator policy hash file by @burgerdev in #763
- coordinator: correct shutdown, report serve errors by @katexochen in #779
📖 Documentation
- docs: update persistent volume limitation by @burgerdev in #737
Upgrading
Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and set up a fresh Contrast deployment.
Full Changelog: v0.8.1...v0.9.0
v0.8.1
What's Changed
🐛 Bug fixes
- [release/v0.8] coordinator: use random key for intermediate CA by @edgelessci in #733
Full Changelog: v0.8.0...v0.8.1
v0.8.0
What's Changed
🛠 Breaking changes
- treewide: rename environment variables from EDG_* to CONTRAST_* by @miampf in #572
- generate: add flag for aks reference values by @davidweisse in #612
- cli: remove runtime subcommand by @davidweisse in #626
- generate: rename --workload-owner-key to --add-workload-owner-key by @Freax13 in #670
🎁 New features
- cli: add recover command by @katexochen in #634
🐛 Bug fixes
- cli: fix autocomplete by @m1ghtym0 in #597
- atls: fix CommonName of temporary cert by @blenessy in #599
- genpolicy-msft: revert problematic tarindex commit by @burgerdev in #619
- ca: include SubjectKeyId and AuthorityKeyId in certificates by @burgerdev in #655
- microsoft.genpolicy: drop revert tarindex symlink handling patch by @katexochen in #667
- cli: change key file permissions to 0600 by @burgerdev in #709
🔧 Other changes
- genpolicy: allow contrast env vars for coordinator by @davidweisse in #587
- coordinator: uniform gRPC metric prefix by @burgerdev in #583
- cli: use manifest reference values for attestation by @davidweisse in #608
- cli/version: print launch digest, images and other version information by @miampf in #542
- generate: translate genpolicy logs, show warnings by @katexochen in #633
- verify: verify active manifest at Coordinator by @davidweisse in #615
📖 Documentation
- docs: add troubleshooting page by @davidweisse in #571
- docs: verify command takes in manifest file by @davidweisse in #625
- docs: extend troubleshooting guide by @katexochen in #614
- docs: add recovery by @burgerdev in #696
New Contributors
- @Freax13 made their first contribution in #656
- @daniel-weisse made their first contribution in #710
Upgrading
Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and set up a fresh Contrast deployment.
Full Changelog: v0.7.3...v0.8.0