Feature Update

VDI, Backups, Authentication, and Infrastructure Enhancements


This release introduces five major features: Virtual Desktop Infrastructure (VDI), backup management, external authentication via OpenID Connect (OIDC), vTPM with secure boot support, and Kubernetes infrastructure enhancements.

Virtual Desktop Infrastructure (VDI)

VDI provides Windows desktop environments accessible from any location or device. Configurable VDI profiles allow provisioning and management of virtual desktops with full control over specifications, behavior, and access policies.

Each profile defines CPU cores, memory, boot disk size, and the base template or image. Session behavior can be configured in two modes: single-use sessions give each connection a fresh VM that is recycled after disconnect, while dedicated sessions assign the same VM to a user consistently across sessions.

Two connection modes are available. Agent mode uses WireGuard VPN to establish direct encrypted tunnels between devices and virtual desktops, with agents available for Windows, macOS, and Linux. RD Gateway mode uses Microsoft Remote Desktop Gateway as a proxy.

Pool management includes configurable standby pools, maximum pool sizes for concurrent session control, and recycle time settings. Access control operates through user roles and service accounts, with optional vGPU profiles supporting standard office work and graphics-intensive applications.

Backup Management

Data protection is integrated into the platform with a backup system built on Restic and S3-compatible storage. The system provides automated, encrypted, and deduplicated backups for virtual machines across all locations.

The architecture consists of backup targets and backup policies. Backup targets define S3-compatible storage locations, while backup policies specify scheduling, retention rules, and failure handling behavior. This separation enables reusable policies across multiple targets and locations.

Cloud administrators control backup behavior at the location level—whether customers can define their own policies and targets, and whether mandatory backup policies are enforced for newly created VMs.

External Authentication via OIDC

OIDC support enables integration with existing identity providers. The platform supports any OIDC-compliant provider including Google Workspace, Microsoft Azure AD/Entra ID, Okta, Auth0, Keycloak, and custom OAuth2/OIDC implementations.

Configuration requires specifying issuer URL, client ID, and client secret through the portal. Each provider can be independently activated or deactivated, supporting multiple authentication sources within a single organization.

Access control supports claim-based restrictions—limiting access to users from specific organizations or members of particular groups. Group-to-organization linking automatically adds users to internal organizations based on external group membership during login.

The implementation uses standard OIDC flows including authorization code flow for secure token handling. Traditional username/password login can remain available alongside OIDC authentication, or be disabled in favor of OIDC-only access.
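The claim-based restrictions and group-to-organization linking described above, as an added illustration that is not the platform's own code: the configuration keys, claim names and domain/group values are constructed assumptions, and the ID token is assumed to have been signature-verified by the OIDC library after the authorization code flow completes.

```python
"""Claim-based login evaluation for an OIDC provider (constructed example)."""
import time
from typing import Optional

# Hypothetical provider configuration; the portal's real schema is not shown on the page.
PROVIDER = {
    "issuer": "https://idp.example.com",
    "client_id": "platform-portal",
    "enabled": True,
    "allowed_domains": {"example.com"},          # restrict to an organization's e-mail domain
    "allowed_groups": {"vdi-users", "admins"},   # at least one of these groups is required
    "group_to_org": {"vdi-users": "org-desktops", "admins": "org-platform"},
}


def evaluate_login(claims: dict, provider: dict, now: Optional[float] = None):
    """Return (allowed, reason, internal_orgs) for a signature-verified ID token payload.

    Signature verification is assumed to have happened already; these are the
    checks a relying party must still apply before trusting the claims.
    """
    now = time.time() if now is None else now
    if not provider["enabled"]:
        return False, "provider disabled", []
    # Issuer, audience and expiry: a valid signature from the wrong issuer or for
    # another client must not grant access.
    if claims.get("iss") != provider["issuer"]:
        return False, "issuer mismatch", []
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if provider["client_id"] not in aud:
        return False, "audience mismatch", []
    if claims.get("exp", 0) <= now:
        return False, "token expired", []
    # Domain restriction only makes sense on an address the provider has verified.
    if not claims.get("email_verified", False):
        return False, "email not verified", []
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if provider["allowed_domains"] and domain not in provider["allowed_domains"]:
        return False, "domain not allowed: " + domain, []
    groups = set(claims.get("groups", []))
    if provider["allowed_groups"] and not (groups & provider["allowed_groups"]):
        return False, "no permitted group", []
    # Group-to-organization linking: internal memberships derived from external groups at login.
    mapping = provider["group_to_org"]
    orgs = sorted({mapping[g] for g in groups if g in mapping})
    return True, "ok", orgs
```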

vTPM with Secure Boot Support

Virtual machine security includes virtual Trusted Platform Module (vTPM) with UEFI Secure Boot support through a new boot type: uefi-secure-boot. This ensures VM integrity by allowing only signed, trusted software to load during the boot process.

The vTPM exposes the functions of a physical TPM to the guest, enabling features such as measured boot and protected cryptographic key storage.

Kubernetes & Rancher Enhancements

Kubernetes 1.32 is now supported for newly created clusters, including the latest upstream enhancements and security patches. Clusters deployed within a single Cloudspace automatically place master nodes in anti-affinity groups, improving availability by spreading nodes across different hosts.

Rancher has been updated to version 2.10.3, with VMs in management clusters also distributed using anti-affinity groups to reduce single points of failure in high-availability setups.

Local storage options are available for Kubernetes master node disks and Rancher data disks, improving performance for workloads requiring low-latency disk access.

Ingress and load balancer management now operates at the worker pool level—enabling optional deployment and the ability to add or remove controllers per pool. Load balancers support external Cloudspace IPs with the option to specify external networks via service annotations. Management and Kubernetes clusters can be deployed in nested Cloudspaces, with configurable external network selection for exposing the Rancher UI.

TL;DR

These five features address enterprise requirements while maintaining data sovereignty and customer control. VDI enables remote work infrastructure, backups protect against data loss, OIDC integration simplifies identity management, vTPM with secure boot enhances VM security, and Kubernetes enhancements improve orchestration capabilities.

Detailed documentation for all features is available in the admin guide.

Happy deploying! 🚀
