
Releases: edgelesssys/marblerun

v0.6.1

26 Oct 14:38
2233c5e

Fixes

  • fix CLI version parsing
  • fix DCAP QPL selection in Helm chart
  • fix era config loading by @jcsora in #308

Additions

  • allow setting a manifest from env on startup by @aep in #305
  • implement a log of events queryable from the metrics endpoint by @aep in #306

Misc

  • update Go dependencies

v0.6.0

17 Jun 09:50
bf1010c
  • Security
    • Upgrade EGo and Edgeless RT dependencies to include mitigations for INTEL-SA-00615
  • premain
    • Updates to support Occlum v0.27
  • Coordinator
    • HTTP-API endpoint to retrieve an ECDSA signature of the set manifest, by @lead4good (#291)

v0.5.1

08 Nov 10:22
  • CLI:

    • Removed namespace command
  • Injector:

    • Pods with the marblerun/marbletype label will be automatically injected. Use the label marblerun/resource-injection=disabled to disable injection for a Pod.
    • Fix injecting DNS names with uppercase letters
  • Coordinator:

    • Throw an error when the Coordinator is unable to generate a quote in SGX mode. Use the EDG_COORDINATOR_DEV_MODE=1 env variable to ignore this error.
  • Samples:

    • Graphene was renamed to Gramine. Use their binary release to run our samples!
    • Update Occlum sample to use release v0.24.1
  • Repository:

    • Add ROADMAP.md
    • Add MarbleRun helm chart

v0.5.0

07 Sep 10:23
1cea774
  • Rename Marblerun to MarbleRun
  • New logo
  • Enhance SGX DCAP support:
    • Add support for Intel's default DCAP implementation
    • Add support for Alibaba's DCAP infrastructure
    • Allow users to configure DCAP backend
  • Manifest:
    • Breaking change due to renaming all secrets below .Marblerun. -> .MarbleRun.
    • Enhance manifest's Parameters section:
      • Extend encoding support for Files
      • Make sure Env values are valid C strings
    • Remove never implemented Clients section
  • CLI
    • Generalize sgxsdk-package-info command into package-info supporting Open Enclave / Graphene / Occlum / EGo / Edgeless RT enclaves
  • Add OpenAPI/Swagger annotations for ClientAPI
    • Add GitHub actions to automatically validate annotations and generate swagger.json for the docs

v0.4.0

15 Jul 08:40
990b348

Changelog:

  • CLI:

    • Add manifest verify command
    • Add manifest log command showing manifest updates
    • Add option to manifest command to show the installed manifest with applied updates
    • Return 1 on errors for better scripting integration
    • Fix installation with Intel's SGX device plugin for Kubernetes
  • Coordinator:

    • Refactor storage and state implementation:
      • Use key-value storage interface instead of internal map
      • Keep Coordinator state in storage-backend only
      • Add plugin support for storage-backend
      • Add simple local-disk default storage-backend plugin
    • Add a log for manifest updates
    • Fix and enrich Prometheus metrics
      • Collect and serve Marblerun specific metrics
        • Core metrics: Coordinator state
        • MarbleAPI metrics: Number of Marble activation attempts/successes.
    • Fix lost metadata bug of private certs after restarts
  • Marbles:

    • Use cross-signed certificates for Marble's root certificates:
      • Marbles see self-signed root certificate compatible with OpenSSL
      • 3rd-parties see intermediate certificate signed by Marblerun's root certificate
      • Manifest updates replace the intermediate certificate, invalidating old Marbles and notifying clients pinning the intermediate cert
    • Unify Graphene and Occlum premains into a single LibOS premain
  • Manifest:

    • Add TTLS support:
      • Allow specifying transparent TLS configurations for EGo Marbles
    • Add RBAC support:
      • Add roles to manifest. Roles whitelist actions on resources.
      • Associate users with roles
    • Allow Coordinator generated certificates to be CA certificates
  • Secrets:

    • Allow users to upload and download secrets directly via the Coordinator
  • Repository:

    • Add CONTRIBUTION.md and CODE_OF_CONDUCT.md
    • Add Issue and PullRequest templates

v0.3.2

04 May 15:12
752c66e

Changelog:

  • CLI:
    • Add auto-complete support
    • Kubernetes SGX-device-plugin refactoring
      • Don't install device-plugin with Marblerun
      • Auto-detect installed device-plugin
      • Add support for Intel's device-plugin
  • Marbles:
    • EGo:
      • Let EGo handle filesystem mounts
    • Occlum:
      • Add support for Occlum workloads
    • Graphene:
      • Use execve instead of posix_spawn for performance reasons
      • Remove obsolete preload option for premain
  • Cleanup BUILD.md
  • Cleanup and improve examples

v0.3.1

14 Apr 09:41
60c626b
  • Fix a bug in the marble-injector Kubernetes MutatingAdmissionController deployment. Not setting the CABundle for Kubernetes version 1.19 and higher resulted in failed authentication of the webhook in the Kubernetes API server. Ultimately, this led to failing deployments of Marble pods.
  • Add CLI features:
    • check: Check the status of Marblerun's control plane
    • graphene-prepare: Modifies a Graphene manifest for use with Marblerun
    • precheck: Check if your Kubernetes cluster supports SGX
    • uninstall: Removes Marblerun from a Kubernetes cluster
    • version: Display version of this CLI and (if running) the Marblerun coordinator

v0.3.0

15 Mar 14:54
04c1b2e
  • Add support for privileged Client API endpoints
  • Allow increasing the minimum required SecurityVersion for packages after a manifest has been set initially (also referred to as 'Manifest Update')
  • Add an intermediate certificate to the Marblerun certificate chain. Keep the root certificate permanent and change the intermediate with each manifest update. Return the whole cert-chain on the client API. Clients can pin the intermediate for automatically catching a manifest update. Alternatively, they can pin the root certificate that will be valid for the lifetime of the service mesh.
  • Add a command-line interface (CLI) for administrating Marblerun
  • Add integration for Graphene-based Marbles
  • Add a Kubernetes mutating admission webhook as marble-injector service for automatically providing Pods with their Marble configuration
  • Refactor the client API as an HTTP-REST interface with responses following the JSend style
  • Use EGo for the Golang helloworld samples
  • Move libertmeshpremain into EdgelessRT

v0.2.0

16 Dec 15:50
a32a47a
  • Switch from simple $$ placeholders to more versatile Go Templates for secrets injection in the Manifest.
  • Add Secrets section to Manifest for the definition of custom keys and certificates.
  • Add a recovery API
  • Add a Prometheus metrics endpoint
  • Use ertgolib's new feature for retrieving Marblerun TLS credentials transparently

v0.1.0

19 Nov 16:23
Update Dockerfile