Tetrate Service Bridge, Version: 1.10.x

Release Notes

Version 1.10.3

  • Added the ability to refresh the access token using the refresh token from the OIDC response. This is disabled by default. To enable it, set the USE_OIDC_REFRESH_TOKEN environment variable to true in the xcp-edge deployment, using the ControlPlane resource:
    xcp:
      kubeSpec:
        deployment:
          env:
            - name: USE_OIDC_REFRESH_TOKEN
              value: "true"
  • When enabling isolation boundaries for the first time on an existing TSB installation, the istio-gateway namespace is no longer deleted automatically. If the namespace is not needed, delete it manually. Before deleting it, clean up any resources stuck in Terminating by removing their finalizers with the following command: kubectl get iop -n istio-gateway -o name | xargs -I % kubectl patch % -n istio-gateway -p '{"metadata":{"finalizers":null}}' --type=merge. Once the finalizers are removed, the namespace can be deleted as usual. For more details, refer to the isolation boundaries post upgrade cleanup steps.
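The cleanup command above relies on `kubectl patch --type=merge`, which applies a JSON Merge Patch (RFC 7386): a `null` value deletes the key, nested objects merge recursively, and everything else is left untouched. The following is an added example, not code from the TSB release notes or from Tetrate, that reimplements that merge on a constructed, simplified IstioOperator object so you can see exactly what the finalizer patch changes and what it leaves alone. The object name and timestamp are constructed sample values.

```python
"""Model of what `kubectl patch ... -p '{"metadata":{"finalizers":null}}'
--type=merge` does to an object (added example, not TSB code)."""
import copy
import json
from typing import Any

# Constructed sample: an IstioOperator stuck in Terminating because a
# finalizer is still set. Real objects carry many more fields.
STUCK_IOP: dict[str, Any] = {
    "apiVersion": "install.istio.io/v1alpha1",
    "kind": "IstioOperator",
    "metadata": {
        "name": "example-ingress-gateway",                # constructed
        "namespace": "istio-gateway",
        "finalizers": ["istio-finalizer.install.istio.io"],
        "deletionTimestamp": "2024-01-01T00:00:00Z",      # constructed
    },
    "spec": {"profile": "empty"},
}

# The patch body from the release notes' kubectl command.
FINALIZER_PATCH: dict[str, Any] = {"metadata": {"finalizers": None}}


def json_merge_patch(target: Any, patch: Any) -> Any:
    """Apply an RFC 7386 JSON Merge Patch and return a patched copy."""
    if not isinstance(patch, dict):
        # A non-object patch replaces the target wholesale.
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in the patch means "delete this key"
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def remove_finalizers(obj: dict[str, Any]) -> dict[str, Any]:
    """Equivalent of patching `obj` with FINALIZER_PATCH via --type=merge."""
    return json_merge_patch(obj, FINALIZER_PATCH)


def has_finalizers(obj: dict[str, Any]) -> bool:
    """True when the object still carries at least one finalizer."""
    return bool(obj.get("metadata", {}).get("finalizers"))


if __name__ == "__main__":
    patched = remove_finalizers(STUCK_IOP)
    print(json.dumps(patched["metadata"], indent=2))
```

A finalizer is a controller's promise to clean up before the API server lets the object go; patching it out lets the object disappear without that cleanup, which is why the notes scope this step to the resources stuck in Terminating inside istio-gateway rather than presenting it as a general shortcut.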
  • Fixed an issue where Management Plane kubespec and overlays were propagated to the Control Plane cluster onboarding templates.
  • Added validation to check that DIRECT mode resources always have the namespace properly set.
  • Fixed an error that prevented the embedded Postgres cleanup job from removing unused PVCs.
  • Cloned Ports and Labels to avoid unintended changes when merging endpoints during service entry generation.
  • Converted SNI match handling to filter chain match; header match is now required only for plain-text traffic.
  • Enhanced gateway authorization to allow host header matching with the host and workload port combination.
  • Fixed workload entry generation issues when older versions of the control plane advertise east-west services.

UI

  • Added workspace columns to the Dashboard.
  • Added Dependency view to Topology.
  • Hide Grafana embed.
  • Refactored Topology Drawer and Popup.
  • Fixed popup positioning in Topology.
  • Refactored Start Drawer to resolve scroll issues.
  • Updated Autocomplete to suggest 'Add New' for new options.
  • Updated Profiles API to display and allow manual deletion of unavailable profiles from parent resources, resolving ordering issues in the "In Use" table.

Outstanding CVEs

At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-42365 - No fix available.
  • CVE-2024-2236 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2024-6119 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-40735 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-6129 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-6237 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-0727 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2023-5678 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2022-41409 - No fix available.

Version 1.10.2

  • Fixed an issue where enabling isolation boundary used to get stuck at migrating gateways if istio-gateway namespace existed without dataplane components.
  • Fixed an issue with duplicate hostname validation for gateway objects that prevented modifications to gateways when duplicates existed within the same Gateway Group.
  • Fixed Azure AD group synchronization where the same group was nested on different groups.
  • The expiration of the Embedded Postgres certificate can now be configured through the ManagementPlane resource.
  • Embedded Postgres will now automatically restart when the TLS certificates are renewed.
  • Added validations to WAF rules and WASM extension in Configuration Profiles.

Outstanding CVEs

At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-42365 - No fix available.
  • CVE-2024-2236 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-4603 - No fix available.

Version 1.10.1

  • Multiple CVEs fixed.
  • Fixed an issue with Istio CNI not updating when using Isolation Boundaries in an OpenShift environment with the default revision.
  • Fixed an issue where providing overlays for the default revision under .spec.xcp.isolationBoundaries did not take effect.
  • Fixed an issue where edge panicked if a service existed in the mesh without service selectors and security settings were configured for it.
  • Fixed an issue where the teamsync-first-run job was being recreated after successful execution.
  • Fixed an issue with the periodic audit log cleanup feature, which was unable to receive the credentials needed to interact with Azure PostgreSQL.
  • Improved validation of Istio Objects names at creation time:
    • Names must conform to RFC 1123 and be between 1 and 60 characters.
    • Istio Objects created via gRPC API now require coherence between the name provided in CreateIstioObjectRequest and the name field in the metadata of the object.
  • Added a dry-run option to the TSB API that allows checking an operation without impacting the current state of the platform:
    • tctl: tctl apply -f <my-config.yaml> --dry-run server-side
    • HTTP: add the header x-tetrate-dry-run: server-side to the request.
    • gRPC: add the metadata key x-tetrate-dry-run with the value server-side to the client request. How metadata is attached to the request depends on the gRPC client library for your language.
  • Added the ability to check the final configuration that applies to a resource affected by multiple configuration profiles. Example: tctl x profiles blame profile --org tetrate --tenant tetrate --workspace bookinfo trafficgroup bookinfo

UI

  • Added Blame view to Config Profile UI.
  • Fixed sidebar menu expand/collapse bug.
  • Fixed select box issue in Permissions table.
  • Fixed metrics query failure in ServiceRegistry UI.
  • Fixed minor style bug in Resource Status Drawer.
  • Added Inbound and Outbound traffic settings to Profile Config.
  • Fixed traffic animation bug.
  • Fixed issue preventing new role creation in RoleForm.

Outstanding CVEs

At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2024-40094 - No fix available.
  • CVE-2024-37370 - No fix available.
  • CVE-2024-6104 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2024-2236 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2024-37371 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2024-24791 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2024-2511 - No fix available.
  • GO-2024-2978 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2022-3219 - No fix available.

Version 1.10.0

  • The hpaadapter component of the Control Plane is now disabled by default. This component implemented the Kubernetes external metrics API to allow scaling workloads based on SkyWalking metrics. It conflicted with some existing setups and could not be easily disabled. Starting from 1.10 it is disabled by default, but it can still be enabled by configuring the hpaAdapter component as follows in the ControlPlane resource:
    components:
      hpaAdapter:
        enabled: true
  • Management Plane and Control Plane resources have GitOps enabled by default.
  • The TSB operators now prevent deletion of important Kubernetes resources so that they cannot be accidentally deleted. This can be disabled by adding the annotation tsb.tetrate.io/deletion-protection: disabled to the Management, Control and Data Plane operator deployments, or by setting the following in the Helm charts:
    operator:
      deletionProtection: disabled
    Deletion protection blocks TSB uninstallation, so it must be disabled before uninstalling TSB.
  • The tetrate-troubleshoot image has been deprecated and no new versions of it will be provided.

Configuration Profiles

Configuration Profiles are a new feature designed to simplify and enhance traffic configuration management in TSB, addressing key issues identified in the existing hierarchical model. These profiles allow for the creation of pre-set configuration templates that can be defined and attached at various hierarchy levels (Organization, Tenant, Workspace, Group) and serve as default settings until overridden by more specific configurations. See the Configuration Profiles page for more details.

Hierarchical Access Control Policies compatibility notes:

  • The previous STRICTER propagation of WASM extensions from all Security Settings is no longer accumulative. Instead, the WASM extension collection applied in a parent resource overwrites the collections of its children.

Egress Authorization

  • EgressAuthorizationSettings has been enhanced to support configuring TSB resources in the from construct.
  • EgressAuthorizationSettings now supports TCP traffic as well. By default, traffic will be denied. An explicit egress allow rule is required for traffic to go through.

Service Level Traffic Settings

The existing TrafficSetting API has been updated. Older settings are now moved to either Inbound or Outbound based on their behaviour, and the legacy configuration is set for deprecation. This makes it clear which settings apply when a service acts as a server (inbound) or as a client (outbound).

  • RateLimiting setting has been moved to Inbound.RateLimiting
  • Egress setting has been moved to Outbound.Egress
  • Reachability setting has been moved to Outbound.Reachability
  • Resilience setting has been moved to Outbound.UpstreamTrafficSettings
  • UpstreamTrafficSetting has been moved to Outbound.UpstreamTrafficSetting
  • TCP Downstream keep alive can be now configured using Inbound.Resilience.ConnectionPool.Tcp.KeepAlive

Similar changes can be observed in group wide traffic settings. The same change applies to Organization, Tenant and Workspace level traffic settings.

With this change, we have introduced a hierarchical extension for the TrafficSetting API called ServiceTrafficSetting. This allows you to specify the settings for individual services rather than applying them to all services within a TrafficGroup. All settings in the hierarchy get merged with preference to most granular setting.

For example, suppose rate limiting is defined through the TrafficSetting API and you define a ServiceTrafficSetting with rate limiting for a service in the same TrafficGroup. The final rate limit settings that apply to the service are the merge of the rate limit settings from the TrafficSetting and the ServiceTrafficSetting.
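The following is an added example, not code from TSB or Tetrate, that models the merge described above for TrafficSetting and ServiceTrafficSetting (and, in the same way, Configuration Profiles serving as defaults until overridden). The notes do not spell out the merge algorithm, so the example assumes a field-by-field merge in which a more granular level overrides only the fields it actually sets and inherits the rest. The level names, the field names inside rateLimiting and all sample values are constructed for illustration; the `explain` helper is a hypothetical analogue of what `tctl x profiles blame` reports for profiles.

```python
"""Hierarchical settings merge with preference to the most granular level
(added example; assumed semantics, not TSB's implementation)."""
import copy
from typing import Any

# Hierarchy from least to most granular; a later level wins on conflict.
LEVELS = ["organization", "tenant", "workspace", "group", "service"]
_MISSING = object()


def merge_settings(base: dict[str, Any], override: dict[str, Any]) -> dict[str, Any]:
    """Return base updated by override: nested objects merge recursively,
    any other value in override replaces the one in base."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_settings(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)  # more granular value wins
    return merged


def effective_settings(by_level: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Fold the settings defined at each level, least granular first, so
    the most specific definition of every field is what survives."""
    result: dict[str, Any] = {}
    for level in LEVELS:
        if level in by_level:
            result = merge_settings(result, by_level[level])
    return result


def explain(by_level: dict[str, dict[str, Any]], path: str) -> str:
    """Name the most granular level that sets the dotted field `path`,
    or 'unset' if no level defines it (hypothetical blame helper)."""
    for level in reversed(LEVELS):
        node: Any = by_level.get(level, {})
        for part in path.split("."):
            node = node.get(part, _MISSING) if isinstance(node, dict) else _MISSING
            if node is _MISSING:
                break
        if node is not _MISSING:
            return level
    return "unset"


# Constructed sample: a tenant-level default, a group-wide TrafficSetting,
# and a ServiceTrafficSetting for one service in the same TrafficGroup.
SAMPLE: dict[str, dict[str, Any]] = {
    "tenant": {
        "inbound": {"rateLimiting": {"requestsPerUnit": 1000, "unit": "MINUTE"}},
    },
    "group": {  # TrafficSetting applying to every service in the group
        "inbound": {"rateLimiting": {"requestsPerUnit": 500, "failClosed": False}},
        "outbound": {"egress": {"allowAll": False}},
    },
    "service": {  # ServiceTrafficSetting: overrides only the request budget
        "inbound": {"rateLimiting": {"requestsPerUnit": 50}},
    },
}

if __name__ == "__main__":
    print(effective_settings(SAMPLE))
    for field in ("inbound.rateLimiting.requestsPerUnit",
                  "inbound.rateLimiting.unit", "outbound.egress.allowAll"):
        print(field, "comes from", explain(SAMPLE, field))
```

Running it shows the service keeping the tenant's unit and the group's failClosed while its own requestsPerUnit wins, which is the "merge with preference to the most granular setting" behaviour the notes describe; the `explain` output is the kind of answer you want before trusting a merged value in production.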

Failover Setting

With the new ServiceTrafficSetting API it is now possible to configure failover for a specific service or for all services in a TrafficGroup.

RateLimiting Setting

With the new ServiceTrafficSetting API it is now possible to configure rate limiting for a specific service or for all services in a TrafficGroup.

Authentication Setting

This feature allows the enforcement of mutual TLS connections to upstream services that do not have a sidecar. This ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.

📝 Fields set for deprecation will continue to work in 1.10.x, but will be deprecated in future major releases.

Egress Gateway

DEPRECATION: The functionality previously offered by the EgressGateway is now integrated into the Gateway object, which is the recommended approach. The EgressGateway resource will be deprecated in future releases.

tctl improvements

  • Added the tctl experimental grafana dashboard command to generate the Grafana dashboards used to monitor TSB. It lists all the available dashboards and allows the user to generate them in JSON format so that they can be imported into Grafana.
  • Added the tctl experimental grafana upload command to facilitate uploading the TSB Grafana dashboards to a Grafana instance.
  • Added the tctl experimental getall command to replace the now-deprecated tctl get all. The new command uses a server-side list and is faster and more reliable, so it is recommended over the deprecated one.

Known issues

  • GitOps: When a TSB K8s resource contains a condition in the Status subresource with a Reason of TSBApplyError and the underlying error changes (e.g., from NotFound to PermissionDenied), the condition might not be updated. This can cause confusion during troubleshooting, as the engineer might see a different error in the Status subresource than what is reported in the tsb-operator logs. The error shown in the logs is the actual one. This issue does not impact functionality, and the Status subresource will be updated after the error is resolved. This issue will be fixed in 1.10.1.
  • TSB Web UI: The topology features of the TSB Web UI require WebGL-supported browsers. Support for Topology via the Canvas API is being considered for future releases based on usage data.

Outstanding CVEs

At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-42365 - No fix available.
  • CVE-2024-2236 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2022-3219 - No fix available.