v1.16.1

What's Changed

🐛 Bug fixes

• [release/v1.16] sdk: return exported type by @edgelessci in #2113

Full Changelog: v1.16.0...v1.16.1

v1.16.0

What's Changed

🛠 Breaking changes

• imagestore: make opt-in instead of opt-out by @charludo in #2005
• docs: use pGPU alias by @katexochen in #2070
• tdx: remove TDATTRIBUTES from manifest by @burgerdev in #2072

🎁 New features

• manifest: add AllowedChipIDs for SNP by @katexochen in #1952
• tdx: allow limiting verification to explicit PIIDs by @burgerdev in #2048

🐛 Bug fixes

• ci/release-artifacts: fix debugshell container name by @katexochen in #1973
• kuberesource: always set resource limit for containers by @katexochen in #1971
• kuberesource: fix AddImageStore with absent metadata by @burgerdev in #1985
• kuberesource: make debug-shell a sidecar by @burgerdev in #1993
• node-installer: add src into runtime hash by @katexochen in #1997
• cryptsetup: allow volumes below 150MiB by @burgerdev in #2033
• atls: explicitly configure TLS 1.3 by @burgerdev in #2054
• imagepuller: clean up after failed pull by @burgerdev in #2052

🔧 Other changes

• cli/generate: support coordinator in different namespace by @davidweisse in #1946
• kata.runtime: 3.22.0 -> 3.23.0 by @katexochen in #1943
• tdx: support mainline host kernel / QEMU by @msanft in #1977
• overlays: unpin edk2 for OVMF-TDX, update tdx-measure by @katexochen in #1991
• sdk: allow offline verification of evidence by @burgerdev in #1979
• qemu-cc: init from qemu-{tdx,snp} by @msanft in #2004
• nixos/nvidia-driver: 580.105.08 -> 590.48.01 by @katexochen in #2058
• node-installer: refactor containerd config manipulation by @katexochen in #2064
• runtime: use contrast-system namespace by default by @davidweisse in #2060
• OVMF-SNP: unpin src by @katexochen in #2090

📖 Documentation

• docs: add reference for the manifest by @katexochen in #1951
• docs/getting-started: simplify overview by @flxflx in #1972
• docs: update TDX setup by @msanft in #1981
• docs: limitations of encrypted storage size by @burgerdev in #2036
• kuberesource: use memory-backed emptyDir for MySQL by @burgerdev in #2037
• docs: update GPU setup notes by @msanft in #2040

New Contributors

• @sespiros made their first contribution in #2063

Full Changelog: v1.15.0...v1.16.0

v1.15.1

What's Changed

🐛 Bug fixes

• [release/v1.15] ci/release-artifacts: fix debugshell container name by @edgelessci in #1974
• [release/v1.15] kuberesource: always set resource limit for containers by @edgelessci in #1975
• [release/v1.15] kuberesource: fix AddImageStore with absent metadata by @edgelessci in #1987
• [release/v1.15] kuberesource: make debug-shell a sidecar by @edgelessci in #1994

Full Changelog: v1.15.0...v1.15.1

v1.15.0

What's Changed

🎁 New features

• cli/generate: add flag for insecure debug shell access by @katexochen in #1894
• manifest: support URI address as SAN by @burgerdev in #1822
• docs: registry authentication by @charludo in #1900

🐛 Bug fixes

• atls: add timeout for optional endorsement fetching by @katexochen in #1904
• kata/runtime: assign GPU devices to multiple containers by @charludo in #1903

🔧 Other changes

• cli: print AMD product name in version command by @katexochen in #1873
• coordinator: reduce log level of non-critical errors by @burgerdev in #1879
• cli/generate: ignore unsupported resources by @davidweisse in #1842
• nodeinstaller: remove serviceaccount and clusterrole by @davidweisse in #1889
• kata.runtime: 3.21.0 -> 3.22.0 by @katexochen in #1902
• nixos/nvidia-driver: 580.95.05 -> 580.105.08 by @katexochen in #1908
• kata.runtime: support full DeploymentSpec, JobSpec by @katexochen in #1912
• resources: ensure emptyDir for secrets is memory-backed by @katexochen in #1939

📖 Documentation

• docs: update resources that influence policy by @katexochen in #1874
• docs: add 'immutable deployment' howto by @charludo in #1840
• docs: mention terminationMessagePath limitation by @burgerdev in #1920
• docs: update supported CC GPUs by @katexochen in #1924
• docs: use reported TCB in manifest by @katexochen in #1925
• docs: update how to obtain TDX MrSeam by @katexochen in #1926
• docs: update how to obtain AMD TCB SVNs by @katexochen in #1927

Full Changelog: v1.14.0...v1.15.0

v1.14.0

What's Changed

🛠 Breaking changes

• tdx: fix --version output of RTMRs by @burgerdev in #1821
• kata: upgrade to 3.21, switch to initdata by @burgerdev in #1833

🐛 Bug fixes

• kata: support podSecurityContext.fsGroup by @burgerdev in #1850
• imagepuller: fix error propagation by @burgerdev in #1870

🔧 Other changes

• kata: upgrade to 3.19.1 by @burgerdev in #1752
• kata: reject pods without policy by @burgerdev in #1781
• kata-runtime: upgrade to 3.20.0 by @burgerdev in #1796
• cli/verifier: add VersionsMatch by @charludo in #1797
• nixos/nvidia-driver: 570.172.08 -> 580.95.05 by @katexochen in #1817
• internal: use CDI instead of guest-hook for GPU support by @charludo in #1835

📖 Documentation

• docs: remove references to incorrect vm size calculation by @davidweisse in #1773
• docs: some clarifications and minor refactors in vault howto by @charludo in #1777
• docs: refactor encrypted storage tutorial into how-to by @charludo in #1758
• docs: quote numerical annotation values to prevent parsing as int by @charludo in #1832
• docs: reference registry auth in sidebar by @burgerdev in #1836
• docs: dedup 'connect to coordinator' sections by @charludo in #1837
• docs: describe initdata flow by @burgerdev in #1863
• docs: remove all references to the coco project by @katexochen in #1868
• docs/runtime: update podvm image sec by @katexochen in #1867

Full Changelog: v1.13.0...v1.14.0

v1.13.0

What's Changed

⚠️ Security fixes

• Fixes GHSA-f5p4-p5q5-jv3h.

🛠 Breaking changes

• node-installer: target configuration via configMap; remove K3s and RKE2 platforms by @katexochen in #1692
• platforms: remove AKS-CLH-SNP by @katexochen in #1701
• kuberesource: change annotation position to pod template by @davidweisse in #1707
• cryptsetup: detached header verification, refactor by @katexochen in #1731

🎁 New features

• internal/cryptsetup: use integrity by @katexochen in #1734
• service-mesh: allow egress without ingress by @burgerdev in #1725
• secure image store: init by @charludo in #1685

🐛 Bug fixes

• initializer: don't log NewMeshCert response by @katexochen in #1735
• kata.kata-runtime: pass imagepuller error to kata by @charludo in #1745
• cli/verify: unzip policy files by @katexochen in #1755

🔧 Other changes

• overlays/cryptsetup: 2.8.0 -> 2.8.1 by @katexochen in #1712
• meshapi: add pod ip to mesh cert SANs by @davidweisse in #1708
• cli/verifier: add NoSharedFSMount verifier by @miampf in #1696
• cli/verifier: ensure that image references are pinned by @charludo in #1727
• cli/verifier: check servicemesh-egress annotation isn't empty by @miampf in #1717

📖 Documentation

• docs: update runtime graphic for bare metal by @katexochen in #1709
• docs: describe imagepuller by @charludo in #1718
• docs: remove manual cryptsetup via initializer by @katexochen in #1720
• docs: clarify significance of mesh annotations by @burgerdev in #1662
• docs: warn about usage of kubectl apply -n by @katexochen in #1751

Full Changelog: v1.12.0...v1.13.0

v1.12.2

What's Changed

⚠️ Security fixes

• Fixes GHSA-vxg3-w9rv-rhr2
  Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.12.2 or apply the workarounds described in the advisory.

🐛 Bug fixes

• [release/v1.12] initializer: don't log NewMeshCert response by @edgelessci in #1736

Full Changelog: v1.12.1...v1.12.2

v1.12.1

What's Changed

⚠️ Security fixes

• [release/v1.12] overlays/cryptsetup: 2.8.0 -> 2.8.1 by @edgelessci in #1714
  Fixes GHSA-f5p4-p5q5-jv3h.

Full Changelog: v1.12.0...v1.12.1

v1.12.0

What's Changed

🛠 Breaking changes

• manifest: remove TDX SVNs by @katexochen in #1661

🔧 Other changes

• gpu/nvidia-driver: 570.158.01 -> 570.172.08 by @katexochen in #1648
• logger: configure google/logger by @katexochen in #1653
• kata: gzip policy annotation by @burgerdev in #1651
• genpolicy: support AddARPNeighbors by @burgerdev in #1674
• snp: add support for attestation report v5 by @katexochen in #1688

📖 Documentation

• docs: add page for aTLS by @burgerdev in #1647
• docs: install tdx-module from intel GitHub release; how to retrieve reference values on TDX by @katexochen in #1656
• docs: fix broken platformInfo struct table by @katexochen in #1680

Full Changelog: v1.11.0...v1.12.0

v1.11.0

What's Changed

🐛 Bug fixes

• attestation/certcache: always fetch for TDX requests by @davidweisse in #1599

🔧 Other changes

• release: fix node-installer-kata-gpu image name by @katexochen in #1572
• microsoft.kata-runtime: 3.2.0.azl5 -> 3.15.0.aks0 by @katexochen in #1566
• kata.kata-runtime: 3.17 -> 3.18 by @katexochen in #1558
• initializer: wait less between cert requests by @katexochen in #1624
• docs: how to retrieve reference values on SNP by @katexochen in #1632

📖 Documentation

• docs: restructuring by @david-crypto in #1436
• docs/architecture: remove FAQ from attestation by @flxflx in #1536
• docs: remove v1.0, v1.1, v1.2 by @katexochen in #1577
• docs: revise features and limitations by @katexochen in #1578
• docs: warn about containerd config modifications by @katexochen in #1586
• docs: clarify expectations on Coordinator readiness by @burgerdev in #1581
• docs: expand peer recovery description and how-to by @burgerdev in #1587
• docs: move supported kinds to policy page by @burgerdev in #1588
• docs: add supported processor families by @katexochen in #1590
• docs: list supported GPU models by @katexochen in #1589
• docs: add network usage recommendations by @burgerdev in #1607
• docs: warn about leaks through policy by @burgerdev in #1616
• docs: volume support by @burgerdev in #1611
• docs: CPU limit usage by @miampf in #1610
• docs: update manifest history description by @burgerdev in #1621
• docs: integrate Vault docs into new structure by @burgerdev in #1605

Full Changelog: v1.10.0...v1.11.0