v1.5.1

What's Changed

🐛 Bug fixes

• [release/v1.5] grpc: retry connecting to coordinator on EOF by @edgelessci in #1241

🔧 Other changes

• [release/v1.5] attestation: get product from attestation instead of report by @edgelessci in #1240

Full Changelog: v1.5.0...v1.5.1

v1.5.0

What's Changed

🐛 Bug fixes

• nodeinstaller: ignore absence of containerd config template by @burgerdev in #1206
• runtime: derive handler from version by @burgerdev in #1224
• cli: don't panic on absent pod spec annotations by @burgerdev in #1230
• coordinator: enforce stability of seedshare owner keys by @burgerdev in a6de3ee

🔧 Other changes

• kata: enable blocking logs access by @burgerdev in #1193
• kata.kata-runtime: 3.12.0 -> 3.13.0 by @katexochen in #1182
• release: commit state on which containers are built by @katexochen in #1203
• cli/generate: add flag for output file by @davidweisse in #1209
• atls: send VCEK and CRL by @katexochen in #1220

📖 Documentation

• docs: guidance for pod memory allocation by @burgerdev in #1195
• docs: document incompatibility with non-CC GPUs by @msanft in #1222
• docs: highlight importance of seedshare owner key by @burgerdev in 661ea36

Full Changelog: v1.4.0...v1.5.0

v1.4.1

Important

This is a security patch release for GHSA-vqv5-385r-2hf8. Existing Contrast deployments should be replaced with v1.4.1 immediately.

What's Changed

🐛 Bug fixes

• nodeinstaller: ignore absence of containerd config template by @burgerdev in #1207
• coordinator: enforce stability of seedshare owner keys by @burgerdev in f1f06f1

📖 Documentation

• docs: highlight importance of seedshare owner key by @burgerdev in 916390d

Full Changelog: v1.4.0...v1.4.1

v1.4.0

What's Changed

🎁 New features

• Support bare-metal Kata GPU containers by @msanft in #1133

🐛 Bug fixes

• microsoft.kata-image: refactor, fix reproducibility issue by @katexochen in #1172
• cli: inject contrast-secrets mount into initcontainers by @burgerdev in #1183
• service-mesh: blackhole traffic destined for the TPROXY port by @3u13r in #1171

🔧 Other changes

• microsoft.cloud-hypervisor: 38.0.72 -> 38.0.72.3 by @katexochen in #1138
• manifest: allow disabling the workload secret by @burgerdev in #1130
• initializer: add cryptsetup subcommand by @jmxnzo in #1153

📖 Documentation

• docs: remove docs for v0.5, v0.6, v0.7 by @katexochen in #1166
• docs: disable SSH access to AKS nodes by @katexochen in #1173
• docs: add docs on GPU support by @msanft in #1174

Full Changelog: v1.3.0...v1.4.0

v1.3.0

What's Changed

🎁 New features

• generate: support cronjobs by @katexochen in #1129

🐛 Bug fixes

• kuberesource: pin container images for emojivoto/mysql demo by hash by @katexochen in #1081
• attestation.snp: reflect dependency of validators on productLine in verify.Options by @jmxnzo in #1082
• release: publish runtime.yml for metal platforms by @katexochen in #1107
• cli: make default WorkloadSecretIDs unique per k8s object by @burgerdev in #1127
• service-mesh: test readiness with exec probe by @burgerdev in #1142

🔧 Other changes

• kds-cache: adjust cache expiration time to 9 months by @jmxnzo in #1080
• nixos/image: use erofs-utils' --hard-dereference flag by @katexochen in #1096
• attestation: add name to Validator as unique identifier by @jmxnzo in #1095
• kata.kata-runtime: 3.10.1 -> 3.12.0 by @katexochen in #1102
• service-mesh: pass args to envoy, set log level to debug by @katexochen in #1124
• microsoft.genpolicy: 3.2.0.azl1.genpolicy0 -> 3.2.0.azl1.genpolicy1 by @katexochen in #1128
• generate: add flag to skip service mesh injection by @katexochen in #1122
• nodeinstaller: add nydus-pull container by @davidweisse in #1103
• initializer: move cryptsetup image into initializer by @jmxnzo in #1132
• runtime: allow installation of multiple Contrast runtimes side-by-side by @burgerdev in #1156

Full Changelog: v1.2.0...v1.3.0

v1.2.1

What's Changed

🐛 Bug fixes

• [release/v1.2] kuberesource: pin container images for emojivoto/mysql demo by hash by @katexochen in #1084
• [release/v1.2] attestation.snp: reflect dependency of validators on productLine in verify.Options by @jmxnzo in #1097
• [release/v1.2] release: publish runtime.yml for metal platforms by @katexochen in #1109

Full Changelog: v1.2.0...v1.2.1

v1.2.0

What's Changed

🎁 New features

• platforms: introduce generic bare-metal platform by @katexochen in #1056

🐛 Bug fixes

• node-installer: has too little memory by @blenessy in #943
• node-installer: remove resource limits by @Freax13 in #948
• packages/contrast: prefix version string with v by @davidweisse in #954
• scripts: use coordinator rules/settings for bare metal by @katexochen in #999
• cli: pass environment variables to genpolicy by @burgerdev in #1033
• kata-msft: support images with VOLUME directives by @miampf in #996
• cli: fix nondeterministic policy generation by @elchead in #1053
• cli/genpolicy: never log existing policy annotation on 'debug' + handle missing log prefix by @jmxnzo in #1061

🔧 Other changes

• erofs: improve reproducibility of podvm images by @katexochen in #964
• kata: 3.9.0 -> 3.10.1 by @fidencio in #970
• cli: genpolicy logging: Add debug log level and repository reference to auth failure by @jmxnzo in #1044
• Add NixOS image for bare-metal Kata by @msanft in #1019
• kds-cache: add fallback cache for CRLs on request failure by @jmxnzo in #1050
• kata: support large ConfigMaps by @burgerdev in #1023

📖 Documentation

• docs: describe secure persistent volumes by @burgerdev in #932
• docs: add demo for workload secrets by @davidweisse in #1045

New Contributors

• @fidencio made their first contribution in #951
• @jmxnzo made their first contribution in #997
• @elchead made their first contribution in #1037
• @derpsteb made their first contribution in #1030

Full Changelog: v1.1.1...v1.2.0

v1.1.1

What's Changed

🐛 Bug fixes

• [release/v1.1] node-installer: remove resource limits by @katexochen in #1001
• [release/v1.1] scripts: use coordinator rules/settings for bare metal by @katexochen in #1000
• [release/v1.1] packages/contrast: prefix version string with v by @davidweisse in #1003

Full Changelog: v1.1.0...v1.1.1

v1.1.0

This release adds support for two new platforms: bare-metal SNP and bare-metal TDX, both for k3s. Checkout out the documentation on how to get started with Contrast on bare metal!

Also part of this release: workload secrets. These are provided by the Coordinator for each workload and can be used to secure state.

What's Changed

🛠 Breaking changes

• manifest: add CPU model (aka product name) to reference values by @Freax13 in #817
• Derive and pass workload secrets to initializer by @3u13r in #788
• Align policy hash verification between SNP and TDX by @burgerdev in #901
• allow reading logs by default by @Freax13 in #918

🎁 New features

• node-installer: run nydus snapshotter on bare metal platforms by @katexochen in #798
• treewide: allow multiple validators by @msanft in #783

🔧 Other changes

• microsoft.kata*: update to 3.2.0.azl2 / AKS 202406.19.0 by @katexochen in #823
• microsoft.kata-kernel-uvm: 6.1.0.mshv16 -> 6.1.58-mshv4 by @katexochen in #824
• kata.{kata-runtime,kata-agent,kata-image,genpolicy}: 3.7.0 -> 3.8.0 by @katexochen in #844
• AKS: use k8s version 1.30 by @blenessy in #880
• kata: 3.8.0 -> 3.9.0 by @katexochen in #896

📖 Documentation

• docs: update docs to include bare metal SNP by @Freax13 in #846
• docs: add instructions for bare-metal TDX by @Freax13 in #866
• docs: add security considerations by @burgerdev in #909

Upgrading

Contrast currently doesn't come with an upgrade path. To use the newest version of Contrast, undeploy your existing Contrast deployment, install the new CLI and setup a fresh Contrast deployment.

Full Changelog: v1.0.0...v1.1.0

v1.0.0

This release has feature parity with v0.9.0.

Full Changelog: v0.9.0...v1.0.0