Migrations
This document describes breaking changes and migrations between Constellation releases.
Use constellation config migrate to automatically update an old config file to a new format.
Migrating from Azure's service principal authentication to managed identity authentication
- The provider.azure.appClientIDandprovider.azure.appClientSecretfields are no longer supported and should be removed.
- To keep using an existing UAMI, add the Ownerpermission with the scope of yourresourceGroup.
- Otherwise, simply create new Constellation IAM credentials and use the created UAMI.
- To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions:
- Remove the aadClientIdandaadClientSecretfrom the azureconfig secret.
- Set useManagedIdentityExtensiontotrueand use theuserAssignedIdentityfrom the Constellation config for the value ofuserAssignedIdentityID.
- Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods.
 
- Remove the 
Migrating from CLI versions before 2.9
- The provider.azure.appClientIDandprovider.azure.clientSecretValuefields were removed to enforce migration to managed identity authentication
Migrating from CLI versions before 2.8
- The measurementsfield for each cloud service provider was replaced with a globalattestationfield.
- The confidentialVM,idKeyDigest, andenforceIdKeyDigestfields for the Azure cloud service provider were removed in favor of using the globalattestationfield.
- The optional global field attestationVariantwas replaced by the now requiredattestationfield.
Migrating from CLI versions before 2.3
- 
The sshUsersfield was deprecated in v2.2 and has been removed from the configuration in v2.3. As an alternative for SSH, check the workflow section Connect to nodes.
- 
The imagefield for each cloud service provider has been replaced with a globalimagefield. Use the following mapping to migrate your configuration:Show all
- 
The enforcedMeasurementsfield has been removed and merged with themeasurementsfield.- 
To migrate your config containing a new image ( v2.3or greater), remove the oldmeasurementsandenforcedMeasurementsentries from your config and runconstellation fetch-measurements
- 
To migrate your config containing an image older than v2.3, remove theenforcedMeasurementsentry and replace the entries inmeasurementsas shown in the example below:measurements:
 - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8=
 + 0:
 + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8=
 + warnOnly: true
 - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 + 8:
 + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 + warnOnly: false
 -enforcedMeasurements:
 - - 8
 
- 
