- Fix for CVE-2021-39155
- Fix for CVE-2021-39156
- Fix for CVE-2022-23635
- Fix for CVE-2022-24726
- Fix for CVE-2022-24921
- Fix for CVE-2021-32780
- Fix for CVE-2021-32777
- Fix for CVE-2021-32778
- Fix for CVE-2021-32779
The following CVEs were evaluated and this version of TSB was found not to be affected:
- Allow setting the maximum gRPC message size for the connections between MPC and XCP Central.
- Fixed an error that prevented the control plane observability agents from connecting to a management plane running with minimum TLS version 1.3.
- Fixed an issue that caused the `tctl get all` command to return `AccessBinding` objects within a direct mode group with the wrong metadata.
- Fixed an issue in OAP which was incorrectly identifying outbound traffic.
- Fix for CVE-2021-45105.
- Fix for CVE-2021-45046
- Fix for critical vulnerability (CVE-2021-44228, CVSS score 10) in the Java logging library Apache Log4j 2.
- Starting from 1.2.4 the MPC component needs a certificate to authenticate with XCP Central using mutual TLS. When upgrading, a certificate for MPC must be created and stored in a secret named `mpc-certs`. The following example shows how to create the certificate using cert-manager. Note that example certificates can also be created by using the `tctl install manifest management-plane-secrets` with the
- client auth
- server auth
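The cert-manager manifest referred to above did not survive on this page. The following is an added illustration, not Tetrate's own example, of a cert-manager `Certificate` that matches the description: it stores the issued key pair in a secret named `mpc-certs` and requests both the `client auth` and `server auth` extended key usages so the certificate can be presented by MPC as a TLS client and still be accepted if the same secret is used for serving. The namespace `tsb`, the issuer name `tsb-ca-issuer`, the common name `mpc` and the DNS name are assumptions for this example; substitute the values of your own installation.

```yaml
# Added example (not from the TSB release notes). Assumed values: namespace "tsb",
# issuer "tsb-ca-issuer", common name "mpc" and the in-cluster DNS name below.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mpc-certs
  namespace: tsb            # assumption: namespace where MPC runs
spec:
  # The secret MPC reads its mutual-TLS client certificate from (name given by the release note).
  secretName: mpc-certs
  # Keep the lifetime short and let cert-manager rotate well before expiry.
  duration: 2160h           # 90 days
  renewBefore: 360h         # renew 15 days before expiry
  commonName: mpc           # assumption
  dnsNames:
    - mpc.tsb.svc.cluster.local   # assumption: in-cluster service name
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always  # issue a fresh private key on every renewal
  # Listing usages explicitly replaces cert-manager's defaults, so keep the
  # basic key usages alongside the two extended key usages the note requires.
  usages:
    - digital signature
    - key encipherment
    - client auth
    - server auth
  issuerRef:
    name: tsb-ca-issuer     # assumption: issuer trusted by XCP Central
    kind: Issuer
```

After applying the manifest, confirm the secret exists and carries the expected extended key usages before upgrading MPC, for example with `kubectl -n tsb get certificate mpc-certs` (the `READY` column should be `True`) and by decoding `tls.crt` from the secret with `openssl x509 -noout -ext extendedKeyUsage`, which should list both TLS Web Client Authentication and TLS Web Server Authentication.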
- Fix an issue in XCP when a `Cluster` object becomes bigger than 3MB.
TSB 1.2.3 is a patch release and does not include any new features.
- Improve DB connection handling to increase performance and decrease the number of connections used.
- Expose new settings in the TSB operator for:
  - `connection_max_open` to limit the number of open connections to Postgres.
  - `connection_idle_max_open` to limit the number of idle connections to Postgres.
  - `connection_idle_lifetime` to limit the amount of time an idle connection will be kept open.
- We are introducing Applications and APIs as Alpha features.
- Applications are logical groupings of services that are related to each other, typically within a trusted group. A common example is a three-tier application composed of a frontend, a backend and a datastore service.
- Configuring APIs at the Application Ingress Gateway with OpenAPI specs. We added support for configuring CORS, Authentication and Authorization. We will add more configuration in the future.
- This capability is available via `tctl`. The UI will be available in the next release.
- Native Tracing UI as a replacement for the Zipkin Lens UI.
- Organization Settings API to allow configuring network reachability and regional failover.
- UI: Ability to view sidecar errors
- UI: Topology offers Circular Layout, Auto Layout, Zoom to fit.
- UI: Context sensitive role selection in policies
- UI: Dashboard - Services view offers subset level metrics
- UI: Auto refresh and partial rendering of UI for graphs and metrics
- Relax virtual service validation so that VirtualServices in a TrafficGroup can be bound to a Gateway in a GatewayGroup
- Periodic config sync between XCP Central and XCP Edges
- Fix direct mode gateways not being considered load balancers in the service registry
- Detect external changes to the service mesh
- Fix error when importing YAML via the UI
- Fix UI crashing because PassthroughServers are not resolved
- Fix XCP operator crashing when using overlays
- Fix NodePort services not working properly with private node IPs
This release fixes the following Envoy security vulnerabilities:
- CVE-2021-28683 (CVSS score 7.5, High): Envoy contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
- CVE-2021-28682 (CVSS score 7.5, High): Envoy contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
- CVE-2021-29258 (CVSS score 7.5, High): Envoy contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.
In this release the SkyWalking version adds some performance improvements for the Elasticsearch storage. For them to apply it is imperative to delete the SkyWalking related Elasticsearch indexes and templates. Please follow the procedure described in the Elasticsearch wipe procedure page to delete the appropriate data from Elasticsearch.
If you are upgrading from a TSB version 1.0.x or higher and you are using XCP's `GlobalSettings` to set the reachability between control planes, you need to migrate the `GlobalSettings` to the new `OrganizationSettings` in TSB.
For instance, a `GlobalSettings` like this one:
Note also that whereas the `GlobalSettings` is applied to the cluster, `OrganizationSettings` need to be applied to the management plane via `tctl`. Since this change has to be done after upgrading to 1.2.0, you can expect a brief network disruption between the management plane upgrade and the creation of the `OrganizationSettings`.
These notices describe functionality that will be removed in a future release. Please consider upgrading your environment to remove the deprecated functionality.
- Deprecated the ability to attach VirtualService in a TrafficGroup to a Gateway in a GatewayGroup.
- Traffic Groups and Gateway Groups are independent resources that could have a set of disjoint selectors. When those selectors do not match exactly, configuring ingresses via VirtualServices in traffic groups could lead to configuration inconsistencies, and VirtualServices getting pushed to namespaces or clusters where the gateway objects don't even exist.
- One of the objectives of the TSB APIs is to provide configuration safety, and in future releases the traffic (east/west) and gateway (north/south) semantics will be enforced at the group level to prevent the misconfiguration issues mentioned above.
- Deprecated the ability to reference the `mesh` gateway, or no gateway at all, from VirtualServices in GatewayGroups.
- Gateway groups will only allow VirtualServices that configure north/south traffic, and traffic groups will only allow VirtualServices for east/west traffic.
- VM Onboarding: If you use an "offline" onboarding flow, i.e. manually copy a `*.tgz` file with the security token and seed configuration generated by `tctl x sidecar-bootstrap` onto a VM, you must run the `bin/start-istio-proxy.sh` script while the security token is still valid (`24h` by default). If you run the script after the token has expired, the Istio Proxy running on the VM will no longer be able to authenticate to the Istio CA and will lose connectivity to the mesh.
- VM Onboarding: Istio Proxy installed on a VM always binds to `0.0.0.0:15021` (health status endpoint). If you have other services in the mesh that use port `15021`, the Istio Proxy running on a VM will not be able to proxy outgoing requests to them.
- UI: (6564) Tier1 gateways are not correctly identified as gateway type, therefore they are not shown in the dashboard's `Gateways` tab. In order to check Tier1 gateway metrics, you can navigate to the `Services` menu and select the corresponding service from the list. Once on the details page, you will find the desired metrics in the
- Data plane operator: (6002) Removing the last gateway in the cluster does not work properly. The operator fails to delete the last remaining ingress, tier1 or egress gateway in the cluster. To work around this you can delete the `tsb-gateways` IstioOperator from the data plane operator namespace (`kubectl delete istiooperator -n istio-gateway tsb-gateways`).