Release Notes
Version 1.10.3
- Added the ability to refresh the access token using the refresh token in the OIDC response. This is disabled by default. To enable it, set the `USE_OIDC_REFRESH_TOKEN` environment variable in the xcp-edge deployment to `true`, using the ControlPlane resource:

```yaml
xcp:
  kubeSpec:
    deployment:
      env:
        - name: USE_OIDC_REFRESH_TOKEN
          value: "true"
```

- When enabling isolation boundaries for the first time on an existing TSB installation, the `istio-gateway` namespace will no longer be automatically deleted. If this namespace is unnecessary, users are advised to delete it manually. If manual deletion is required, you must first clean up any terminating resources by removing the finalizers with the following command:

```shell
kubectl get iop -n istio-gateway -o name | xargs -I % kubectl patch % -n istio-gateway -p '{"metadata":{"finalizers":null}}' --type=merge
```

Once the finalizers are removed, the namespace can be deleted as usual. For more details, refer to the isolation boundaries post upgrade cleanup steps.
- Fixed an issue where Management Plane kubespec and overlays were propagated to the Control Plane cluster onboarding templates.
- Added validation to check that DIRECT mode resources always have the namespace properly set.
- Fixed an error that prevented the embedded Postgres cleanup job from removing unused PVCs.
- Cloned Ports and Labels to avoid unintended changes when merging endpoints during service entry generation.
- Converted SNI match handling to filter chain match; header match is now required only for plain-text traffic.
- Enhanced gateway authorization to allow host header matching with the host and workload port combination.
- Fixed workload entry generation issues when older versions of the control plane advertise east-west services.
UI
- Added workspace columns to the Dashboard.
- Added Dependency view to Topology.
- Hide Grafana embed.
- Refactored Topology Drawer and Popup.
- Fixed popup positioning in Topology.
- Refactored Start Drawer to resolve scroll issues.
- Updated Autocomplete to suggest 'Add New' for new options.
- Updated Profiles API to display and allow manual deletion of unavailable profiles from parent resources, resolving ordering issues in the "In Use" table.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.
- CVE-2023-42365 - No fix available.
- CVE-2024-2236 - No fix available.
- PRISMA-2021-0153 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2024-6119 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2022-40735 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2023-6129 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2023-6237 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-0727 - No fix available.
- CVE-2024-41996 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2023-5678 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2013-4235 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2022-41409 - No fix available.
Version 1.10.2
- Fixed an issue where enabling isolation boundaries used to get stuck at migrating gateways if the `istio-gateway` namespace existed without dataplane components.
- Fixed an issue with duplicate hostname validation for gateway objects that prevented modifications to gateways when duplicates existed within the same Gateway Group.
- Fixed Azure AD group synchronization where the same group was nested on different groups.
- The expiration of the Embedded Postgres certificate can now be configured through the ManagementPlane resource.
- Embedded Postgres will now automatically restart when the TLS certificates are renewed.
- Added validations to WAF rules and WASM extension in Configuration Profiles.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.
- CVE-2023-42365 - No fix available.
- CVE-2024-2236 - No fix available.
- PRISMA-2021-0153 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2013-4235 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2024-4603 - No fix available.
Version 1.10.1
- Multiple CVEs fixed.
- Fixed an issue with Istio CNI not updating when using Isolation Boundaries in an OpenShift environment with the `default` revision.
- Fixed an issue where providing overlays for the `default` revision under `.spec.xcp.isolationBoundaries` didn't take effect.
- Fixed an issue where `edge` panics if a service exists in the mesh without service selectors and security settings are configured for it.
- Fixed an issue where the `teamsync-first-run` job was being recreated after successful execution.
- Fixed an issue with the audit logs periodic cleanup feature, which was unable to receive the credentials needed to interact with Azure PostgreSQL.
- Improved validation of Istio Object names at creation time:
  - Names must conform to RFC 1123 and be between 1 and 60 characters.
  - Istio Objects created via the gRPC API now require coherence between the name provided in `CreateIstioObjectRequest` and the `name` field in the metadata of the object.
- Added the dry-run option to the TSB API, which allows checking an operation without impacting the current state of the platform.
  - tctl: `tctl apply -f <my-config.yaml> --dry-run server-side`.
  - http: add the following header to the request: `x-tetrate-dry-run: server-side`.
  - grpc: add the following key/value metadata pair (how metadata is added to the client request depends on the gRPC client library of the language used): key `x-tetrate-dry-run`, value `server-side`.
- tctl:
  - Added the ability to check the final configuration that applies to a resource affected by multiple configuration profiles. Ex: `tctl x profiles blame profile --org tetrate --tenant tetrate --workspace bookinfo trafficgroup bookinfo`
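As an added illustration of the two name rules introduced in this release (example code, not TSB's own), the following Go snippet validates a name against the 1 to 60 character range and an RFC 1123 pattern, then checks that the request name and `metadata.name` agree. The `CreateIstioObjectRequest` struct layout and the DNS-subdomain form of RFC 1123 are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed illustration of the 1.10.1 name checks; not TSB's own code.
// Assumes the RFC 1123 DNS-subdomain form (lowercase alphanumerics, '-', '.';
// every dot-separated label starts and ends with an alphanumeric character).
const maxNameLength = 60

var rfc1123Name = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// ValidateIstioObjectName enforces the 1..60 length range and RFC 1123 syntax.
func ValidateIstioObjectName(name string) error {
	if len(name) < 1 || len(name) > maxNameLength {
		return fmt.Errorf("name %q must be 1 to %d characters, got %d", name, maxNameLength, len(name))
	}
	if !rfc1123Name.MatchString(name) {
		return fmt.Errorf("name %q does not conform to RFC 1123", name)
	}
	return nil
}

// CreateIstioObjectRequest models the two places a name appears: the request's
// Name field and the embedded object's metadata (field layout is assumed).
type CreateIstioObjectRequest struct {
	Name     string
	Metadata map[string]string // e.g. {"name": "reviews", "namespace": "bookinfo"}
}

// ValidateCreateRequest rejects invalid names and any request whose Name
// disagrees with metadata.name (the coherence check the release note describes).
func ValidateCreateRequest(req CreateIstioObjectRequest) error {
	if err := ValidateIstioObjectName(req.Name); err != nil {
		return err
	}
	if metaName := req.Metadata["name"]; metaName != req.Name {
		return fmt.Errorf("request name %q does not match metadata.name %q", req.Name, metaName)
	}
	return nil
}

func main() {
	for _, r := range []CreateIstioObjectRequest{
		{Name: "bookinfo-vs", Metadata: map[string]string{"name": "bookinfo-vs"}},
		{Name: "reviews", Metadata: map[string]string{"name": "ratings"}},
	} {
		fmt.Printf("%-12s -> %v\n", r.Name, ValidateCreateRequest(r))
	}
}
```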
UI
- Added Blame view to Config Profile UI.
- Fixed sidebar menu expand/collapse bug.
- Fixed select box issue in Permissions table.
- Fixed metrics query failure in ServiceRegistry UI.
- Fixed minor style bug in Resource Status Drawer.
- Added Inbound and Outbound traffic settings to Profile Config.
- Fixed traffic animation bug.
- Fixed issue preventing new role creation in RoleForm.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.
- CVE-2024-40094 - No fix available.
- CVE-2024-37370 - No fix available.
- CVE-2024-6104 - No fix available.
- CVE-2023-42365 - No fix available.
- CVE-2024-2236 - No fix available.
- PRISMA-2021-0153 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2024-37371 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2018-20796 - No fix available.
- CVE-2016-20013 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2024-24791 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2024-26458 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2024-2511 - No fix available.
- GO-2024-2978 - No fix available.
- CVE-2017-11164 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2010-4756 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2013-4235 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2022-3219 - No fix available.
Version 1.10.0
- The `hpaadapter` component of the Control Plane has been disabled by default. This component implemented the Kubernetes external metrics API to allow scaling workloads based on SkyWalking metrics. This was conflicting with some existing setups and could not be easily disabled. Starting from 1.10 it will be disabled by default, but it can still be easily enabled by configuring the `hpaAdapter` component as follows in the `ControlPlane` resource:

```yaml
components:
  hpaAdapter:
    enabled: true
```

- Management Plane and Control Plane resources have GitOps enabled by default.
- The TSB operators will prevent deletion of important Kubernetes resources so that they cannot be accidentally deleted. This can be disabled by adding the annotation `tsb.tetrate.io/deletion-protection: disabled` to the Management, Control and Data plane operator deployments, or by setting the following in the Helm charts:

```yaml
operator:
  deletionProtection: disabled
```

Deletion protection will block TSB uninstallation, so it must be disabled before uninstalling TSB.
- The `tetrate-troubleshoot` image has been deprecated and no new versions of it will be provided.
Configuration Profiles
Configuration Profiles are a new feature designed to simplify and enhance traffic configuration management in TSB, addressing key issues identified in the existing hierarchical model. These profiles allow for the creation of pre-set configuration templates that can be defined and attached at various hierarchy levels (Organization, Tenant, Workspace, Group) and serve as default settings until overridden by more specific configurations. See the Configuration Profiles page for more details.
Hierarchical Access Control Policies compatibility notes:
- The previous STRICTER propagation for WASM extensions from all Security Settings has been changed so that it is no longer cumulative. Instead, the WASM Extension collection applied in a parent resource overwrites that of its children.
Egress Authorization
`EgressAuthorizationSettings` has been enhanced to support configuring TSB `resources` in the `from` construct. `EgressAuthorizationSettings` now supports TCP traffic as well. By default, traffic will be denied; an explicit egress allow rule is required for traffic to go through.
Service Level Traffic Settings
The existing `TrafficSetting` API has been updated. Older settings are now moved to either `Inbound` or `Outbound` based on their behaviour, and the legacy configuration is set for deprecation. This makes it clear which settings apply when a service acts as a server (inbound) or as a client (outbound).
- The `RateLimiting` setting has been moved to `Inbound.RateLimiting`.
- The `Egress` setting has been moved to `Outbound.Egress`.
- The `Reachability` setting has been moved to `Outbound.Reachability`.
- The `Resilience` setting has been moved to `Outbound.UpstreamTrafficSettings`.
- `UpstreamTrafficSetting` has been moved to `Outbound.UpstreamTrafficSetting`.
- TCP downstream keep-alive can now be configured using `Inbound.Resilience.ConnectionPool.Tcp.KeepAlive`.
Similar changes can be observed in group-wide traffic settings. The same change applies to `Organization`, `Tenant` and `Workspace` level traffic settings.
With this change, we have introduced a hierarchical extension for the `TrafficSetting` API called `ServiceTrafficSetting`. This allows you to specify the settings for individual services rather than applying them to all services within a `TrafficGroup`.
All settings in the hierarchy get merged, with preference given to the most granular setting.
For example, suppose rate limiting is defined through the `TrafficSetting` API and you define a `ServiceTrafficSetting` with rate limiting for a service in the same `TrafficGroup`. The final rate limit settings that apply to the service will be the merge of the rate limit settings from the `TrafficSetting` and the `ServiceTrafficSetting`.
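The merge rule above, as an added Go example that is not part of the release notes or of TSB's code: it folds rate limiting settings from the least to the most granular level, generalised to the whole Organization/Tenant/Workspace/TrafficGroup/Service hierarchy rather than only the two levels in the text. The `RateLimiting` fields are an assumed simplification of the real API.

```go
package main

import "fmt"

// Constructed illustration of the merge rule above; not TSB's own code. The fields
// are an assumed simplification of the real API: nil means "not set at this level".
type RateLimiting struct {
	RequestsPerUnit *int
	Unit            *string
}

// mergeRateLimiting overlays the finer level onto the coarser one without modifying either.
func mergeRateLimiting(coarse, fine *RateLimiting) *RateLimiting {
	if coarse == nil {
		return fine
	}
	if fine == nil {
		return coarse
	}
	out := *coarse // start from the parent's values
	if fine.RequestsPerUnit != nil {
		out.RequestsPerUnit = fine.RequestsPerUnit
	}
	if fine.Unit != nil {
		out.Unit = fine.Unit
	}
	return &out
}

// MergeHierarchy folds levels ordered from least to most granular (e.g. Organization,
// Tenant, Workspace, TrafficGroup, ServiceTrafficSetting); the most granular set field wins.
func MergeHierarchy(levels ...*RateLimiting) *RateLimiting {
	var result *RateLimiting
	for _, level := range levels {
		result = mergeRateLimiting(result, level)
	}
	return result
}

func intp(v int) *int       { return &v }
func strp(v string) *string { return &v }

func main() {
	group := &RateLimiting{RequestsPerUnit: intp(100), Unit: strp("MINUTE")}
	service := &RateLimiting{RequestsPerUnit: intp(20)} // only the quota is overridden
	final := MergeHierarchy(group, service)
	fmt.Printf("requests=%d unit=%s\n", *final.RequestsPerUnit, *final.Unit) // requests=20 unit=MINUTE
}
```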
Failover Setting
With the new `ServiceTrafficSetting` API it is now possible to configure failover for a specific service or for all services in a `TrafficGroup`.
RateLimiting Setting
With the new `ServiceTrafficSetting` API it is now possible to configure rate limiting for a specific service or for all services in a `TrafficGroup`.
Authentication Setting
This feature allows the enforcement of mutual TLS connections to upstream services that do not have a sidecar. This ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.
📝 Fields set for deprecation will continue to work in 1.10.x, but will be deprecated in future major releases.
Egress Gateway
DEPRECATION: The functionality previously offered by the `EgressGateway` is now integrated into the `Gateway` object, which is the recommended approach. The `EgressGateway` resource will be deprecated in future releases.
tctl improvements
- Added the `tctl experimental grafana dashboard` command to generate the Grafana dashboards used to monitor TSB. It lists all the available dashboards and allows the user to generate them in JSON format so that they can be imported into Grafana.
- Added the `tctl experimental grafana upload` command to facilitate uploading the TSB Grafana dashboards to a Grafana instance.
- Added the `tctl experimental getall` command to replace the now-deprecated `tctl get all`. This command uses a server-side list and is faster and more reliable. It is recommended to use this command instead of the deprecated one.
Known issues
- GitOps: When a TSB K8s resource contains a condition in the `Status` subresource with a `Reason` of `TSBApplyError` and the underlying error changes (e.g., from `NotFound` to `PermissionDenied`), the condition might not be updated. This can cause confusion during troubleshooting, as the engineer might see a different error in the `Status` subresource than what is reported in the `tsb-operator` logs. The error shown in the logs is the actual one. This issue does not impact functionality. The `Status` subresource will be updated after the error is resolved. This issue will be fixed in 1.10.1.
- TSB Web UI: The topology features of the TSB Web UI require WebGL-supported browsers. Topology using the Canvas API is considered to be supported in future releases based on usage data.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.
- CVE-2023-42365 - No fix available.
- CVE-2024-2236 - No fix available.
- PRISMA-2021-0153 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2018-20796 - No fix available.
- CVE-2016-20013 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2024-26458 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2017-11164 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2010-4756 - No fix available.
- CVE-2013-4235 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2022-3219 - No fix available.