v1.11.0

What's Changed

🐛 Bug fixes

• attestation/certcache: always fetch for TDX requests by @davidweisse in #1599

🔧 Other changes

• release: fix node-installer-kata-gpu image name by @katexochen in #1572
• microsoft.kata-runtime: 3.2.0.azl5 -> 3.15.0.aks0 by @katexochen in #1566
• kata.kata-runtime: 3.17 -> 3.18 by @katexochen in #1558
• initializer: wait less between cert requests by @katexochen in #1624
• docs: how to retrieve reference values on SNP by @katexochen in #1632

📖 Documentation

• docs: restructuring by @david-crypto in #1436
• docs/architecture: remove FAQ from attestation by @flxflx in #1536
• docs: remove v1.0, v1.1, v1.2 by @katexochen in #1577
• docs: revise features and limitations by @katexochen in #1578
• docs: warn about containerd config modifications by @katexochen in #1586
• docs: clarify expectations on Coordinator readiness by @burgerdev in #1581
• docs: expand peer recovery description and how-to by @burgerdev in #1587
• docs: move supported kinds to policy page by @burgerdev in #1588
• docs: add supported processor families by @katexochen in #1590
• docs: list supported GPU models by @katexochen in #1589
• docs: add network usage recommendations by @burgerdev in #1607
• docs: warn about leaks through policy by @burgerdev in #1616
• docs: volume support by @burgerdev in #1611
• docs: CPU limit usage by @miampf in #1610
• docs: update manifest history description by @burgerdev in #1621
• docs: integrate Vault docs into new structure by @burgerdev in #1605

Full Changelog: v1.10.0...v1.11.0

v1.10.0

What's Changed

⚠️ Security fixes

• Fixes GHSA-phhq-63jg-fp7r
  Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.10.0 or apply the workarounds described in the advisory.

🎁 New features

• transitengineapi: add user-managed Vault deployment by @jmxnzo in #1393

🐛 Bug fixes

• cli: first invocation of generate should fail if resource does not have a coordinator by @charludo in #1507
• generate: allow ConfigMaps and Secrets in separate files by @3u13r in #1273
• fix: correct policy generation for ReplicationController by @miampf in #1516
• kata: add patch preventing corruption of genpolicy's layer cache file by @charludo in #1519
• coordinator: don't fail liveness probe if Kubernetes API server is unavailable by @burgerdev in #1542
• kata.genpolicy: fix EphemeralVolumeSource by @katexochen in #1544

🔧 Other changes

• nixos: unpin nvidia driver by @katexochen in #1545
• node-installer: disable config overrides via annotations by @katexochen in #1555
• nixos: enforce cgroupv2 by @katexochen in #1556
• coordinator: don't allow user recovery when ready peers are present by @burgerdev in #1563
• kata: don't add storage for implicit VOLUME mounts by @burgerdev in d42ebbd

📖 Documentation

• docs: add --no-ssh-key flag to AKS cluster create by @charludo in #1514
• docs: update links to canonical/tdx by @katexochen in #1534
• docs: Vault deployment by @jmxnzo in #1503

New Contributors

• @charludo made their first contribution in #1514

Full Changelog: v1.9.0...v1.10.0

v1.9.1

What's Changed

⚠️ Security fixes

• Fixes GHSA-phhq-63jg-fp7r
  Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.9.1 or apply the workarounds described in the advisory.

🐛 Bug fixes

• [release/v1.9] kata: don't add storage for implicit VOLUME mounts by @burgerdev in #1574

Full Changelog: v1.9.0...v1.9.1

v1.9.0

What's Changed

🛠 Breaking changes

• coordinator: consider instances with stale or no manifests unready by @burgerdev in #1467

🎁 New features

• coordinator: distributed deployment with auto-recovery by @burgerdev in #1373

🐛 Bug fixes

• cli: correct manifest generation for CronJob by @miampf in #1452
• microsoft.genpolicy: fix sandbox-name policy for pod controllers by @burgerdev in #1477
• initializer: safer data handling for encrypted mount by @burgerdev in #1490
• kata.kata-runtime: genpolicy fix svc_name by @katexochen in #1491

🔧 Other changes

• attestation: add cached HTTPSGetter to TDX validator by @davidweisse in #1439
• relicense with BUSL-1.1; remove enterprise by @katexochen in #1472
• coordinator: remove state volume by @katexochen in #1486
• kata.kata-runtime: 3.16.0 -> 3.17.0 by @katexochen in #1479
• attestation/certcache: treat malformed cache entries as cache miss by @davidweisse in #1505

📖 Documentation

• docs: link to DCAP setup for TDX bare metal hosts by @katexochen in #1458
• docs: multiple CPUs are not supported on bare metal by @burgerdev in #1511

Full Changelog: v1.8.0...v1.9.0

v1.8.1

What's Changed

⚠️ Security fixes

• Fixes GHSA-h5f8-crrq-4pw8
  Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.8.1 or apply the workarounds described in the advisory.

🐛 Bug fixes

• [release/v1.8] cli: correct manifest generation for CronJob by @edgelessci in #1454
• [release/v1.8] microsoft.genpolicy: fix sandbox-name policy for pod controllers by @edgelessci in #1478
• [release/v1.8] initializer: safer data handling for encrypted mount by @edgelessci in #1492
• [release/v1.8] kata.kata-runtime: genpolicy fix svc_name by @edgelessci in #1494
• [release/v1.8] initializer: don't log full response by @burgerdev in 5041d52

Full Changelog: v1.8.0...v1.8.1

v1.8.0

What's Changed

🛠 Breaking changes

• coordinator: add startup, liveness and readiness probes by @miampf in #1285

🎁 New features

• manifest: add and validate SNP PlatformInfo by @katexochen in #1372
• kata-image: add default-deny systemd unit by @3u13r in #1374
• runtime: remove nydus-snapshotter, force guest pull via config by @katexochen in #1434

🐛 Bug fixes

• node-installer: fix timestamp precision in unit restart detection by @katexochen in #1364

🔧 Other changes

• manifest: validate guest policy by @katexochen in #1347
• attestation: get product from report if available by @thomasten in #1377
• nodeinstaller: backup existing containerd config by @davidweisse in #1343
• treewide: print unified preface string on startup by @katexochen in #1405
• kata.kata-runtime: 3.15.0 -> 3.16.0 by @katexochen in #1415
• microsoft.kata-runtime: 3.2.0.azl2 -> 3.2.0.azl3 by @katexochen in #1137
• microsoft.kata-runtime: 3.2.0.azl3 -> 3.2.0.azl4 by @katexochen in #1164
• microsoft.kata-runtime: 3.2.0.azl4 -> 3.2.0.azl5 by @katexochen in #1423
• microsoft.genpolicy: allow ReadStreamRequest by default by @katexochen in #1432
• microsoft.genpolicy: fail when layer can't be processed by @katexochen in #1433
• nixos: exclude non-deterministic dates from NVIDIA man pages by @burgerdev in #1450

📖 Documentation

• docs: troubleshoot containerd pulling wrong image refs by @burgerdev in #1369
• docs: configure GPU operator for CC mode by @burgerdev in #1409

New Contributors

• @david-crypto made their first contribution in #1314

Full Changelog: v1.7.0...v1.8.0

v1.7.0

What's Changed

🛠 Breaking changes

• cli: remove embedded coordinator policy hashes, use coordinator policy hash from manifest by @katexochen in #1280

🎁 New features

• grpc: use default dialer implementation that supports HTTP CONNECT by @thomasten in #1318
• microsoft.kata-igvm: add constant signature IDBlock; snp: verify id key hash by @katexochen in #1319

🐛 Bug fixes

• grpc: fix backoff by @thomasten in #1321
• cli/generate: validate existing manifest by @davidweisse in #1344

🔧 Other changes

• atls: encode nonce in ALPN protos by @burgerdev in #1301
• manifest: join validation errors and return late by @davidweisse in #1282
• kata.kata-runtime: 3.14.0 -> 3.15.0 by @katexochen in #1334

📖 Documentation

• docs: correct sysctl setting recommendation by @burgerdev in #1320
• docs: load balancer and registry authentication by @burgerdev in #1316
• docs: SNP attestation documentation by @3u13r in #1333

Full Changelog: v1.6.0...v1.7.0

v1.6.0

What's Changed

Important: We overhauled our approach to VM sizing in order to reduce resource waste and better align with Kubernetes resource management. This means that VMs on bare metal will be much smaller than they used to, which in turn might lead to OOM errors if the container resource limits are not sufficient. See the docs and #1196 for more details.

🎁 New features

• cli/generate: automatic cryptsetup configuration by @davidweisse in #1223

🐛 Bug fixes

• nodeinstaller: align default_memory and overhead to actual usage by @burgerdev in #1196
• grpc: retry connecting to coordinator on EOF by @burgerdev in #1239
• genpolicy: support ephemeral volume source on bare metal by @burgerdev in #1254
• nodeinstaller: support containerd config v3 by @burgerdev in #1276
• cli: fix panic on set without workload owner key by @thomasten in #1251

🔧 Other changes

• attestation: get product from attestation instead of report by @3u13r in #1238
• kata.kata-runtime: 3.13.0 -> 3.14.0 by @katexochen in #1243
• SNP anonymous IDBlock signature on bare metal by @3u13r in #1232
• cli: propagate last error from setLoop on timeout by @burgerdev in #1244
• kata.genpolicy: fail when layer can't be processed by @katexochen in #1247
• kuberesource: add coordinator anti-affinity by @davidweisse in #1266
• manifest: add role to policy entry by @katexochen in #1268
• cli: only print to stdout if it is a tty by @davidweisse in #1271

📖 Documentation

• docs: troubleshooting CLI connection errors by @burgerdev in #1245
• docs: remove mention of kernel 6.11 rcs by @katexochen in #1289

Full Changelog: v1.5.0...v1.6.0

v1.5.1

What's Changed

🐛 Bug fixes

• [release/v1.5] grpc: retry connecting to coordinator on EOF by @edgelessci in #1241

🔧 Other changes

• [release/v1.5] attestation: get product from attestation instead of report by @edgelessci in #1240

Full Changelog: v1.5.0...v1.5.1

v1.5.0

What's Changed

🐛 Bug fixes

• nodeinstaller: ignore absence of containerd config template by @burgerdev in #1206
• runtime: derive handler from version by @burgerdev in #1224
• cli: don't panic on absent pod spec annotations by @burgerdev in #1230
• coordinator: enforce stability of seedshare owner keys by @burgerdev in a6de3ee

🔧 Other changes

• kata: enable blocking logs access by @burgerdev in #1193
• kata.kata-runtime: 3.12.0 -> 3.13.0 by @katexochen in #1182
• release: commit state on which containers are built by @katexochen in #1203
• cli/generate: add flag for output file by @davidweisse in #1209
• atls: send VCEK and CRL by @katexochen in #1220

📖 Documentation

• docs: guidance for pod memory allocation by @burgerdev in #1195
• docs: document incompatibility with non-CC GPUs by @msanft in #1222
• docs: highlight importance of seedshare owner key by @burgerdev in 661ea36

Full Changelog: v1.4.0...v1.5.0