- Removed the restriction for workspace name to be unique in XCP even across tenants
- Fixed east/west AuthZ issue that allowed cross cluster calls even when authorization restriction was in place
- Added secure naming for cross cluster communication
- Fixed an issue in `tctl get all` where bindings for Direct Mode groups were incorrectly rendered
- Fixed an issue with cluster state reporting in TSB for large clusters
- Fixed an issue with XCP Central certificate parsing
- Improved edge performance and reduced edge resource usage by enhancing the cluster state filter for edges
- Fixed an issue with some web UI component not being able to start in IPv4 only environment.
- Fixed an issue for which a control plane could not connect to a management plane that allowed TLS v1.3 only.
- Fix CVE-2021-44832 in the Java logging library Apache Log4j 2.
- Fixed an issue with some TSB components not being able to start in IPv4 only environment
- Minor fixes to App Ingress watcher and use of hard coded tags
- Fix CVE-2021-45105 in the Java logging library Apache Log4j 2.
- Fixed TLS certificate issues associated with App Ingress
- Removed the restriction that cluster names have to be valid DNS-1123 names
- App Ingress now uses the Kubernetes-provided DNS certificate for control plane communication
- Added 'install' command to AppIngress
- Fix CVE-2021-45046 in the Java logging library Apache Log4j 2.
- Fix for critical vulnerability (CVE-2021-44228, CVSS score 10) in the Java logging library Apache Log4j 2.
- The status of configuration rollout for TSB objects can now be tracked with `tctl`. Two experimental commands have been added in this release:
  - `tctl experimental status` - Allows retrieving the status of a given resource. This will show if the configuration has been accepted, sent to XCP, if there are validation errors, and in future releases it will also show if it has been fully deployed to all the target clusters.
  - `tctl experimental wait` - This command allows waiting until a resource reaches a desired status. This is useful to wait until the configuration has been deployed and is ready to be used. The statuses this command supports are the ones made available by the `tctl experimental status` command.
- Enhanced troubleshooting for the Management Plane:
  - `tctl experimental debug log-level` - This command allows you to view and modify the logging levels of the TSB components directly, without having to restart them.
  - `tctl experimental debug dashboard` - This can be used to open a web console for a TSB component. The new debug dashboard provides access to insights into the TSB services, such as environment variables, logging levels, available metrics, and even profiling information.
  - `tctl experimental audit` - Allows querying the audit logs for a given resource. This provides detailed information to understand who changed what and when, for any TSB-managed resource.
- The PostgreSQL image that comes with the `demo` profile has been upgraded from version `14.1` to fix many CVEs that were present in the older version. Note that the `demo` profile is not meant for production use, and demo installations and environments are not expected to be upgraded the same way as production releases. Upgrading a demo PostgreSQL container that already contains data is not supported, and extra caution needs to be taken to prevent data loss. It is recommended that you take backups of all your data and follow the migration instructions on the PostgreSQL website if you plan to upgrade a demo environment to this release.
- The following CVEs have been addressed as part of this release: CVE-2009-5155, CVE-2016-2779, CVE-2016-9427, CVE-2017-1000408, CVE-2017-1000409, CVE-2017-14062, CVE-2017-16932, CVE-2017-16997, CVE-2017-18269, CVE-2017-8872, CVE-2018-1000001, CVE-2018-1000858, CVE-2018-14632, CVE-2018-15686, CVE-2018-20346, CVE-2018-20406, CVE-2018-20506, CVE-2018-20843, CVE-2018-6485, CVE-2018-6551, CVE-2018-8740, CVE-2019-10149, CVE-2019-12900, CVE-2019-13917, CVE-2019-1543, CVE-2019-15846, CVE-2019-15903, CVE-2019-17455, CVE-2019-18218, CVE-2019-19956, CVE-2019-20367, CVE-2019-20388, CVE-2019-20907, CVE-2019-3829, CVE-2019-3842, CVE-2019-5010, CVE-2019-8457, CVE-2019-8905, CVE-2019-8907, CVE-2019-9169, CVE-2019-9636, CVE-2019-9936, CVE-2019-9937, CVE-2020-10531, CVE-2020-11655, CVE-2020-12783, CVE-2020-13871, CVE-2020-26160, CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28015, CVE-2020-28017, CVE-2020-28019, CVE-2020-28020, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026, CVE-2020-29652, CVE-2020-7595, CVE-2020-9283, CVE-2021-29482, CVE-2021-3121, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-38371.
- Application and API features with OpenAPI annotations for developer centric experience.
- Single sign-on (SSO) with OIDC.
- Automatic synchronization of users and teams from Azure AD.
- JWT Support for XCP Edge to XCP Central communication, for new Management Plane installations. (1)
- Adds Egress Gateway.
- Configurable retention period for metrics (OAP/SkyWalking) and traces (Zipkin).
- Ratelimiting support at Tier1Gateway, IngressGateway, and Sidecars.
- External AuthZ Support at Tier1Gateway, IngressGateway, and Sidecars.
- Performance improvements in the config propagation and cluster state reporting.
- Important component upgrades:
  - Istio 1.9.8.
  - Envoy 1.17.1.
  - SkyWalking 8.7.
  - Zipkin 2.23.4.
  - OpenTelemetry Collector 0.36.0.
- Streaming service logs (alpha feature).
- Autoscaling VM onboarding (alpha feature).
- We have increased the resource defaults for OpenTelemetry collector as newer versions have become more resource hungry. The new request default is 400m cpu, 500Mi memory. The new limit default is 800m cpu, 1000Mi memory.
- If your Elasticsearch control plane settings are `selfSigned: false`, TSB previously did not validate the Elasticsearch certificate against the system CA bundle. This validation now happens, so if your Elasticsearch uses a self-signed certificate but you have not set `selfSigned: true` in the settings, you will need to do so and create the relevant Kubernetes secret. See control plane onboarding for more details.
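The practical question behind this upgrade note is whether the certificate Elasticsearch presents actually chains to a trusted CA bundle, because that is the check TSB now enforces when `selfSigned: false`. The following shell helpers are an added example, not part of the release notes or of TSB; they use `openssl` only. `fetch_es_cert` assumes Elasticsearch listens on port 9200 with TLS, and the bundle path you pass to `es_cert_trusted` is whatever bundle the control plane pods trust (typically the distribution's system bundle, an assumption).

```shell
# Return 0 if the server certificate in $1 verifies against the CA bundle
# in $2, 1 otherwise. This mirrors the validation TSB performs when the
# Elasticsearch settings say selfSigned: false.
es_cert_trusted() {
  cert="$1"
  bundle="$2"
  if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Save the leaf certificate that Elasticsearch presents on $1:$2 (port
# assumed 9200 when omitted) to the PEM file $3, so it can be checked offline.
fetch_es_cert() {
  host="$1"
  port="${2:-9200}"
  out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$out"
}

# Print the selfSigned value to use for a given certificate and bundle.
advise_self_signed() {
  if es_cert_trusted "$1" "$2"; then
    echo "selfSigned: false (certificate verifies against $2)"
  else
    echo "selfSigned: true (certificate does not verify; create the CA secret)"
  fi
}
```

Typical use is `fetch_es_cert es.example.internal 9200 /tmp/es.pem` followed by `advise_self_signed /tmp/es.pem /etc/ssl/certs/ca-certificates.crt`. A certificate signed by an internal PKI that is not in the bundle fails in exactly the same way as a self-signed one, so it also needs `selfSigned: true` and the CA secret.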
- Starting from 1.4, the MPC component needs a certificate to authenticate with XCP Central when using mutual TLS. When upgrading, a certificate for MPC must be created and stored in a secret named `mpc-certs`. The following example shows how to create the certificate using cert-manager. This step is not needed for new installations, which default to JWT based authentication. Note that example certificates can also be created by using `tctl install manifest management-plane-secrets` with the
- client auth
- server auth
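The cert-manager manifest the note refers to is not reproduced on this page, so the following is an added example, not the project's own. The facts it relies on come from the note above: the secret must be named `mpc-certs` and the certificate carries the `client auth` and `server auth` key usages. The namespace `tsb`, the common name, the DNS name and the issuer `xcp-issuer` are assumptions; replace the issuer with the one XCP Central is configured to trust.

```yaml
# Added example, not from the TSB documentation.
# Assumptions: namespace "tsb", issuer "xcp-issuer", DNS name of the MPC service.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mpc-certs
  namespace: tsb
spec:
  # Secret name required by the upgrade note.
  secretName: mpc-certs
  duration: 2160h
  renewBefore: 360h
  commonName: mpc
  dnsNames:
    - mpc.tsb.svc.cluster.local
  # Key usages named in the note: MPC is both a TLS client to XCP Central
  # and a TLS server.
  usages:
    - client auth
    - server auth
  issuerRef:
    name: xcp-issuer
    kind: Issuer
```

After applying it, confirm with `kubectl -n tsb get secret mpc-certs` that the secret exists and check that the key names cert-manager writes (`tls.crt`, `tls.key`, `ca.crt`) match what the MPC deployment mounts before upgrading; the issuer must also be one whose CA XCP Central trusts, otherwise the mutual TLS handshake fails after the upgrade.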