Release Notes

Version 1.3.3

TBA

Version 1.3.2

TBA

Version 1.3.1

This is maintenance release that doesn't introduce any new features

Upgrade notes

• Patch application should follow the standard TSB process

Known Issues

• Currently, there are no issues registered that are associated with this Patch

Bug fixes

• Fix UI is not displaying services where name doesn't match app: label of the deployments
• Fix UI to display metrics for services with no subsets and not acting as load balancers
• Fix for TSB API high memory utilisation when compiling diffs for audit logs in cluster updates.
• Fix for the MPC issue where multiple gateways match a given VirtualService.
• Fix in TSB UI to handle lists containing a high number of items.
• Fix deadlock in TSB API for MPC connections.
• Fix in MPC to push config to XCP only if there are changes in the config received from TSB API.
• A fix to prevent XCP central entering a stalemate when edges abruptly disconnect during configuration push

Version 1.3.0

What's New

• TSB now uses Istio 1.8.5.
• Rate limit available in Ingress Gateway as Alpha feature. This feature is available using tctl.

Improvements

• UI - Organization Settings. This menu contains Reachability Setting, Regional Failover, and Organization Policy.
• UI - Regional Failover in Workspace Settings
• UI - System services removed from listing in Cluster Inventory

Upgrade notes

• There are some changes from Istio 1.7.3 to 1.8.5. Please check Istio Upgrade Notes for more details, particularly for the following:
  • Use the new filter names for EnvoyFilter
  • Connectivity issues among your proxies when updating from 1.7.x (where x < 5)
• TSB v1 APIs and tenant-rooted APIs have been removed. Previous 1.0, 1.1, and 1.2 releases are backwards-compatible, but starting from 1.3, the TSB v1 APIs and tenant-rooted APIs are no longer available. This means:
  • Starting with version 1.3.0, only the TSB v2 API is available.
  • TSB APIs are organization-based now. All resources must have the organization annotation in the metadata.
  • TSBD control planes (pre 1.0) are no longer supported. All control planes must be upgraded to XCP.
  • The ManagementPlane CR must not use the tenant element anymore; it must be updated to use organization instead. See Move Data To A New Organization for more details.
  • The ControlPlane CRs must not reference the tenant (it is a deprecated field that has simply been removed) nor tsbd in any overlay.
  • The name of Istio resources generated is deterministic and does not have random hash value. However, moving from non-deterministic to deterministic naming could cause some downtime. In order to avoid it, apply the following XCP overlay in ControlPlane CR before upgrading

    spec:
      components:
        xcp:
          kubeSpec:
            overlays:
            - apiVersion: install.xcp.tetrate.io/v1alpha1
              kind: EdgeXcp
              name: edge-xcp
              patches:
              - path: spec.components.edgeServer.kubeSpec.deployment.env
                value:
                - name: ENABLE_RESTORE_ORIGINAL_NAMES
                  value: "false"

Deprecation Notices

These notices describe functionality that will be removed in a future release. Please consider upgrading your environment to remove the deprecated functionality.

• Deprecated the ability to attach VirtualService in a TrafficGroup to a Gateway in a GatewayGroup.
  • Traffic Groups and Gateway Groups are independent resources that could have a set of disjoint selectors. When those selectors do not match exactly, configuring ingresses via VirtualServices in traffic groups could lead to configuration inconsistencies, and VirtualServices getting pushed to namespaces or clusters where the gateway objects don't even exist.
  • One of the objectives of the TSB APis is to provide configuration safety, and in future releases, the traffic (east/west) and gateway (north/south) semantics will be enforced at the group level to prevent the mentioned misconfiguration issues.
• Deprecated the ability to reference the mesh gateway or no gateway at all from VirtualServices in GatewayGroups.
  • Gateway groups will only allow VirtualServices that configure north/south, and traffic groups will only allow VirtualServices for east/west

Known Issues

• VM Onboarding: If you use an "offline" onboarding flow, i.e. manually copy a *.tgz file with security token and seed configuration generated by tctl x sidecar-bootstrap onto a VM, you must run the bin/start-istio-proxy.sh script while the security token is still valid (24h by default). If you run the script after the token expired, Istio Proxy running on the VM will no longer be able to authenticate to the Istio CA and will lose connectivity to the mesh.
• VM Onboarding: Istio Proxy installed on a VM always binds to 0.0.0.0:15021 (health status endpoint). If you have other services in the mesh that use port 15021, Istio Proxy running on a VM will not be able to proxy outgoing requests to them.
• UI: (6564) Tier1 gateways are not correctly identified as gateway type, therefore they are not shown in the dashboard's Gateways tab. In order to check for Tier1 gateway metrics, you can navigate to the Services menu and select the corresponding service from the list. Once on the details page, you will find the desired metrics in the Details and Service metrics tabs.
• Data plane operator: (6002) Removing the last gateway in the cluster is not working properly. The operator fails to delete the last remaining ingress, tier1 or egress gateway in the cluster. To workadound this you can delete the IstioOperator CR named tsb-gateways from the data plane operator namespace ( kubectl delete istiooperator -n istio-gateway tsb-gateways).