Constellation - v2.6.0

What's Changed

🛡 Security improvements

  • Fix a vulnerability where an attacker with access to the victim's cloud subscription could gain code execution on a booting node through the initramfs emergency shell. See the accompanying security advisory for more information.

🎁 New features

  • cli: refactor upgrade commands to support Kubernetes, microservice and image upgrades (previously, only image upgrades were supported) by @derpsteb in,
  • cli: add iam destroy command to delete resources created by iam create by @miampf in
  • cli: add basic support for constellation create on OpenStack by @malt3 in
  • Enable cryptsetup read/write workqueue bypass by @daniel-weisse in
  • cli: add option to automatically merge new Constellation kubeconfig file into default configuration at $HOME/.kube/config on init by @daniel-weisse in
  • init: create kubeconfig file with unique user/cluster name by @daniel-weisse in
  • cli: add --kubernetes flag to config generate to let CLI extend the correct Kubernetes patch version by @derpsteb in
  • cli: add --kubernetes flag to iam create (when used with --create-config) by @Nirusu in
  • cli: add config kubernetes-versions subcommand to print supported Kubernetes versions by @derpsteb in
  • ci: build microservices reproducibly using ko by @leongross in
  • apko: build apko base images with fixed packages by @katexochen in
  • join-service: more logging on error by @daniel-weisse in
  • cli: add debug logging to iam create command by @msanft in
  • cli: add name of build type to version cmd output by @katexochen in
  • cli: option to disable spinner via environment variable by @datosh in
  • cli: add support for GCP C2D confidential VMs by @Nirusu in
  • cli: add debug logging to attestation validator/issuer by @daniel-weisse in,
  • image: add verbose service logging for debug images by @leongross in
  • attestation: validate GCP machine state instead of PCR 0 by @thomasten in

🐛 Bug fixes

  • config: fix digest naming by @3u13r in
  • cli: set uid output for QEMU / MiniConstellation so Constellation on QEMU can be created correctly by @malt3 in
  • terraform: make control-planes stateful on gcp so the control-plane does not break when VMs are stopped and later restarted by @3u13r in
  • bootstrapper: retry helm chart installation so slow Konnectivity startup does not break cluster initialization by @derpsteb in
  • cli: error when executing iam create twice in the same workspace. This prevents cases where existing IAM resources are mistakenly rolled back by @msanft in
  • cli: print previously hidden, but required GCP values (zone, region, projectID) to config/stdout when running iam create by @msanft in
  • cli: fix pluralization in create output by @daniel-weisse in
  • iam: correctly assign uami role to base resource group by @3u13r in
  • bootstrapper: retry helm chart installation on connection refused errors by @3u13r in
  • cli: allow existing config for IAM creation without --generate-config by @Nirusu in
  • cli: upgrade libtpms in libvirt container by @malt3 in
  • bootstrapper: stop join-client earlier by @daniel-weisse in
  • bootstrapper: make sure InitServer is only shut down after Init has returned by @daniel-weisse in

🔧 Other changes

  • versions: remove Kubernetes v1.23 by @katexochen in
  • azure: add new idkeydigest by @3u13r in
  • cli: enable jumbo frames for GCP VPCs by @Nirusu in
  • cli: use pseudoversion and forward it into helm charts by @derpsteb in
  • docs: add docs on general Terraform usage by @msanft in
  • docs: adjust wording for resource provider troubleshooting by @Nirusu in
  • docs: upgrade docs now reflect the new upgrade commands by @derpsteb in

New Contributors

  • @miampf made their first contribution in

Full Changelog:


March 9, 2023, 8:51 a.m.