v1.2.0

What's Changed

🎁 New features

• platforms: introduce generic bare-metal platform by @katexochen in #1056

🐛 Bug fixes

• node-installer: has too little memory by @blenessy in #943
• node-installer: remove resource limits by @Freax13 in #948
• packages/contrast: prefix version string with v by @davidweisse in #954
• scripts: use coordinator rules/settings for bare metal by @katexochen in #999
• cli: pass environment variables to genpolicy by @burgerdev in #1033
• kata-msft: support images with VOLUME directives by @miampf in #996
• cli: fix nondeterministic policy generation by @elchead in #1053
• cli/genpolicy: never log existing policy annotation on 'debug' + handle missing log prefix by @jmxnzo in #1061

🔧 Other changes

• erofs: improve reproducibility of podvm images by @katexochen in #964
• kata: 3.9.0 -> 3.10.1 by @fidencio in #970
• cli: genpolicy logging: Add debug log level and repository reference to auth failure by @jmxnzo in #1044
• Add NixOS image for bare-metal Kata by @msanft in #1019
• kds-cache: add fallback cache for CRLs on request failure by @jmxnzo in #1050
• kata: support large ConfigMaps by @burgerdev in #1023

📖 Documentation

• docs: describe secure persistent volumes by @burgerdev in #932
• docs: add demo for workload secrets by @davidweisse in #1045

New Contributors

• @fidencio made their first contribution in #951
• @jmxnzo made their first contribution in #997
• @elchead made their first contribution in #1037
• @derpsteb made their first contribution in #1030

Full Changelog: v1.1.1...v1.2.0

v1.1.1

What's Changed

🐛 Bug fixes

• [release/v1.1] node-installer: remove resource limits by @katexochen in #1001
• [release/v1.1] scripts: use coordinator rules/settings for bare metal by @katexochen in #1000
• [release/v1.1] packages/contrast: prefix version string with v by @davidweisse in #1003

Full Changelog: v1.1.0...v1.1.1

v1.1.0

This release adds support for two new platforms: bare-metal SNP and bare-metal TDX, both for k3s. Checkout out the documentation on how to get started with Contrast on bare metal!

Also part of this release: workload secrets. These are provided by the Coordinator for each workload and can be used to secure state.

What's Changed

🛠 Breaking changes

• manifest: add CPU model (aka product name) to reference values by @Freax13 in #817
• Derive and pass workload secrets to initializer by @3u13r in #788
• Align policy hash verification between SNP and TDX by @burgerdev in #901
• allow reading logs by default by @Freax13 in #918

🎁 New features

• node-installer: run nydus snapshotter on bare metal platforms by @katexochen in #798
• treewide: allow multiple validators by @msanft in #783

🔧 Other changes

• microsoft.kata*: update to 3.2.0.azl2 / AKS 202406.19.0 by @katexochen in #823
• microsoft.kata-kernel-uvm: 6.1.0.mshv16 -> 6.1.58-mshv4 by @katexochen in #824
• kata.{kata-runtime,kata-agent,kata-image,genpolicy}: 3.7.0 -> 3.8.0 by @katexochen in #844
• AKS: use k8s version 1.30 by @blenessy in #880
• kata: 3.8.0 -> 3.9.0 by @katexochen in #896

📖 Documentation

• docs: update docs to include bare metal SNP by @Freax13 in #846
• docs: add instructions for bare-metal TDX by @Freax13 in #866
• docs: add security considerations by @burgerdev in #909

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v1.0.0...v1.1.0

v1.0.0

This release has feature parity with v0.9.0.

Full Changelog: v0.9.0...v1.0.0

v0.9.0

What's Changed

🛠 Breaking changes

• meshapi: follow best practice for metric names by @katexochen in #722
• genpolicy: hide logs by default by @Freax13 in #771
• manifest: add WorkloadSecretID field by @3u13r in #785

🎁 New features

• node-installer: configure and run tardev-snapshotter by @katexochen in #697

🐛 Bug fixes

• coordinator: use random key for intermediate CA by @burgerdev in #732
• telemetry: only send cli version by @miampf in #751
• cli: always write the coordinator policy hash file by @burgerdev in #763
• coordinator: correct shutdown, report serve errors by @katexochen in #779

📖 Documentation

• docs: update persistent volume limitation by @burgerdev in #737

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v0.8.1...v0.9.0

v0.8.1

What's Changed

🐛 Bug fixes

• [release/v0.8] coordinator: use random key for intermediate CA by @edgelessci in #733

Full Changelog: v0.8.0...v0.8.1

v0.8.0

What's Changed

🛠 Breaking changes

• treewide: rename environment variables from EDG_* to CONTRAST_* by @miampf in #572
• generate: add flag for aks reference values by @davidweisse in #612
• cli: remove runtime subcommand by @davidweisse in #626
• generate: rename --workload-owner-key to --add-workload-owner-key by @Freax13 in #670

🎁 New features

• cli: add recover command by @katexochen in #634

🐛 Bug fixes

• cli: fix autocomplete by @m1ghtym0 in #597
• atls: fix CommonName of temporary cert by @blenessy in #599
• genpolicy-msft: revert problematic tarindex commit by @burgerdev in #619
• ca: include SubjectKeyId and AuthorityKeyId in certificates by @burgerdev in #655
• microsoft.genpolicy: drop revert tarindex symlink handling patch by @katexochen in #667
• cli: change key file permissions to 0600 by @burgerdev in #709

🔧 Other changes

• genpolicy: allow contrast env vars for coordinator by @davidweisse in #587
• coordinator: uniform gRPC metric prefix by @burgerdev in #583
• cli: use manifest reference values for attestation by @davidweisse in #608
• cli/version: print launch digest, images and other version information by @miampf in #542
• generate: translate genpolicy logs, show warnings by @katexochen in #633
• verify: verify active manifest at Coordinator by @davidweisse in #615

📖 Documentation

• docs: add troubleshooting page by @davidweisse in #571
• docs: verify command takes in manifest file by @davidweisse in #625
• docs: extend troubleshooting guide by @katexochen in #614
• docs: add recovery by @burgerdev in #696

New Contributors

• @Freax13 made their first contribution in #656
• @daniel-weisse made their first contribution in #710

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v0.7.3...v0.8.0

v0.7.3

What's Changed

🐛 Bug fixes

• [release/v0.7] microsoft.genpolicy: drop revert tarindex symlink handling patch by @edgelessci in #669

Compatibility

This Contrast release is compatible with AKS node image version AKSCBLMariner-V2katagen2-202406.19.0. There is a breaking change between this node image and earlier node image versions. The node image version can be requested with the following command:

az aks nodepool show \
    --resource-group "<resource-group-name>" \
    --cluster-name "<cluster-name>" \
    --name "<node-pool-name>" \
    | jq -r '.nodeImageVersion'

If you observe a lower node image version, either upgrade the node manually or use the previous version of Contrast. This version does not include any changes beside providing compatibility to the new node image.

Full Changelog: v0.7.2...v0.7.3

v0.7.2

What's Changed

🐛 Bug fixes

• [release/v0.7] ca: include SubjectKeyId and AuthorityKeyId in certificates by @edgelessci in #657

Full Changelog: v0.7.1...v0.7.2

v0.7.1

What's Changed

🐛 Bug fixes

• [release/v0.7]: genpolicy-msft: revert problematic tarindex commit by @katexochen in #621

Full Changelog: v0.7.0...v0.7.1