v1.1.0

This release adds support for two new platforms: bare-metal SNP and bare-metal TDX, both for k3s. Checkout out the documentation on how to get started with Contrast on bare metal!

Also part of this release: workload secrets. These are provided by the Coordinator for each workload and can be used to secure state.

What's Changed

🛠 Breaking changes

• manifest: add CPU model (aka product name) to reference values by @Freax13 in #817
• Derive and pass workload secrets to initializer by @3u13r in #788
• Align policy hash verification between SNP and TDX by @burgerdev in #901
• allow reading logs by default by @Freax13 in #918

🎁 New features

• node-installer: run nydus snapshotter on bare metal platforms by @katexochen in #798
• treewide: allow multiple validators by @msanft in #783

🔧 Other changes

• microsoft.kata*: update to 3.2.0.azl2 / AKS 202406.19.0 by @katexochen in #823
• microsoft.kata-kernel-uvm: 6.1.0.mshv16 -> 6.1.58-mshv4 by @katexochen in #824
• kata.{kata-runtime,kata-agent,kata-image,genpolicy}: 3.7.0 -> 3.8.0 by @katexochen in #844
• AKS: use k8s version 1.30 by @blenessy in #880
• kata: 3.8.0 -> 3.9.0 by @katexochen in #896

📖 Documentation

• docs: update docs to include bare metal SNP by @Freax13 in #846
• docs: add instructions for bare-metal TDX by @Freax13 in #866
• docs: add security considerations by @burgerdev in #909

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v1.0.0...v1.1.0

v1.0.0

This release has feature parity with v0.9.0.

Full Changelog: v0.9.0...v1.0.0

v0.9.0

What's Changed

🛠 Breaking changes

• meshapi: follow best practice for metric names by @katexochen in #722
• genpolicy: hide logs by default by @Freax13 in #771
• manifest: add WorkloadSecretID field by @3u13r in #785

🎁 New features

• node-installer: configure and run tardev-snapshotter by @katexochen in #697

🐛 Bug fixes

• coordinator: use random key for intermediate CA by @burgerdev in #732
• telemetry: only send cli version by @miampf in #751
• cli: always write the coordinator policy hash file by @burgerdev in #763
• coordinator: correct shutdown, report serve errors by @katexochen in #779

📖 Documentation

• docs: update persistent volume limitation by @burgerdev in #737

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v0.8.1...v0.9.0

v0.8.1

What's Changed

🐛 Bug fixes

• [release/v0.8] coordinator: use random key for intermediate CA by @edgelessci in #733

Full Changelog: v0.8.0...v0.8.1

v0.8.0

What's Changed

🛠 Breaking changes

• treewide: rename environment variables from EDG_* to CONTRAST_* by @miampf in #572
• generate: add flag for aks reference values by @davidweisse in #612
• cli: remove runtime subcommand by @davidweisse in #626
• generate: rename --workload-owner-key to --add-workload-owner-key by @Freax13 in #670

🎁 New features

• cli: add recover command by @katexochen in #634

🐛 Bug fixes

• cli: fix autocomplete by @m1ghtym0 in #597
• atls: fix CommonName of temporary cert by @blenessy in #599
• genpolicy-msft: revert problematic tarindex commit by @burgerdev in #619
• ca: include SubjectKeyId and AuthorityKeyId in certificates by @burgerdev in #655
• microsoft.genpolicy: drop revert tarindex symlink handling patch by @katexochen in #667
• cli: change key file permissions to 0600 by @burgerdev in #709

🔧 Other changes

• genpolicy: allow contrast env vars for coordinator by @davidweisse in #587
• coordinator: uniform gRPC metric prefix by @burgerdev in #583
• cli: use manifest reference values for attestation by @davidweisse in #608
• cli/version: print launch digest, images and other version information by @miampf in #542
• generate: translate genpolicy logs, show warnings by @katexochen in #633
• verify: verify active manifest at Coordinator by @davidweisse in #615

📖 Documentation

• docs: add troubleshooting page by @davidweisse in #571
• docs: verify command takes in manifest file by @davidweisse in #625
• docs: extend troubleshooting guide by @katexochen in #614
• docs: add recovery by @burgerdev in #696

New Contributors

• @Freax13 made their first contribution in #656
• @daniel-weisse made their first contribution in #710

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v0.7.3...v0.8.0

v0.7.3

What's Changed

🐛 Bug fixes

• [release/v0.7] microsoft.genpolicy: drop revert tarindex symlink handling patch by @edgelessci in #669

Compatibility

This Contrast release is compatible with AKS node image version AKSCBLMariner-V2katagen2-202406.19.0. There is a breaking change between this node image and earlier node image versions. The node image version can be requested with the following command:

az aks nodepool show \
    --resource-group "<resource-group-name>" \
    --cluster-name "<cluster-name>" \
    --name "<node-pool-name>" \
    | jq -r '.nodeImageVersion'

If you observe a lower node image version, either upgrade the node manually or use the previous version of Contrast. This version does not include any changes beside providing compatibility to the new node image.

Full Changelog: v0.7.2...v0.7.3

v0.7.2

What's Changed

🐛 Bug fixes

• [release/v0.7] ca: include SubjectKeyId and AuthorityKeyId in certificates by @edgelessci in #657

Full Changelog: v0.7.1...v0.7.2

v0.7.1

What's Changed

🐛 Bug fixes

• [release/v0.7]: genpolicy-msft: revert problematic tarindex commit by @katexochen in #621

Full Changelog: v0.7.0...v0.7.1

v0.7.0

What's Changed

🎁 New features

• coordinator: export grpc prometheus metrics by @davidweisse in #460
• genpolicy-msft: add support for volumeDevices by @burgerdev in #496
• cli: inject initializer with contrast generate by @davidweisse in #510
• cli: inject service mesh with contrast generate by @davidweisse in #529

🐛 Bug fixes

• kuberesource: remove namespace when patching with empty string by @katexochen in #465
• resourcegen: use docker.io registry for emojivoto images by @katexochen in #540
• cli: wait 180s for the coordinator on contrast set by @blenessy in #544

🔧 Other changes

• cmd/generate: decrease RUST_LOG to info by @katexochen in #459
• coordinator: add manifest generation metric by @davidweisse in #477
• coordinator: add metric for attestation failures with error string by @davidweisse in #484
• coordinator: add grpc latency metrics by @davidweisse in #501
• coordinator: make metrics endpoint configurable by @davidweisse in #491
• logging: enable subsystem warn level by default by @davidweisse in #565

📖 Documentation

• docs: removed all mentions of the preview bundle by @miampf in #461
• docs: harden curl invocation in installation instruction by @blenessy in #498
• docs: better error message when forgetting to set variables by @blenessy in #515

New Contributors

• @laralaske made their first contribution in #481
• @blenessy made their first contribution in #498
• @flxflx made their first contribution in #513

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v0.6.1...v0.7.0

v0.6.1

What's Changed

🐛 Bug fixes

• [release/v0.6] kuberesource: remove namespace when patching with empty string by @edgelessci in #467

🔧 Other changes

• [release/v0.6] release: publish emojivoto-demo with prepared service mesh by @katexochen in #469

Full Changelog: v0.6.0...v0.6.1