Skip to main content
logoTetrate Service BridgeVersion: 1.13.x

Release Notes

Version 1.13.2

  • Fixed config status events duplication detection for reverted configurations. This may produce some duplicated events in the event timeline.
  • Fixed the following CVEs: CVE-2025-61727, CVE-2024-25621, CVE-2025-64329, CVE-2025-47914, CVE-2025-58181, CVE-2024-58251, CVE-2025-46394, CVE-2025-58187, CVE-2025-61724,CVE-2025-47912, CVE-2025-58183, CVE-2025-58188, CVE-2025-58186, CVE-2025-61725, CVE-2025-58185, CVE-2025-61723, CVE-2025-58189, CVE-2025-11579
  • Fixed issue: The MPC cache was not properly updated when existing objects in the model were modified. This led to temporary deletion of a user-defined Install Gateway when templates were removed.
  • Fixed MPC model when updating a resource without metadata.
  • Fixed race condition in serviceActivationWrapper causing non-deterministic test failures.
  • Feature enhancement: Add --until flag for audit logs to support time range queries.
  • Fixed(tsboperator) volumeMounts of postgres-exporter by using kubegres version v1.16.0-tetrate-v24 that contains the fix.
  • Feature enhancement[ambient topology] Propagate service labels and annotations from cluster state to MP
  • Fixed profile impact analysis to show correct counts per resource type
  • Enhancement: Build xcp and api to support new composer API
  • Fixed issue: Delete a cluster now unregisters its services from the service registry.
  • GitOps reconciliation improved: so when a TSB Group config is applied, if the parent workspace was in a failing state its reconciliation is triggered now. This helps solve issues like adding new namespace selectors in workspaces and groups at once.
  • Improvement: Decouple IAM component from Postgres database.
  • Feature enhancement: TSB Config Status now provides ACCEPTED_COMPOSED and READY_COMPOSED for configs that are a result of profiles and legacy settings (like tenant or workspace settings)
  • Feature enhancement: Add ArgoRollouts integration to ServiceRoute. Argo rollouts will be used to control the weights between subsets. XCP will monitor the weights set by Argo Rollouts and sync them to all VirtualServices that are created for the ServiceRoute.
  • TSB self-observability dashboards now accept a datasource ID when they are imported or generated. Example command tctl x grafana upload --datasource-uid <uid>.
  • Feature: Add jwt auth settings to require strict JWT enforcement only when JWT config (not OIDC) is present.
  • Feature: Adds cleanup resources endpoint.
  • Internal change to coordinate supported minor/release releases during releases through configmap. Configmap name is xcp-releases. After upgrade verify that current xcp release version is updated in the configmap.
  • Improvement: Support SharedGatewayReferenceGrant to all gateways. A SharedGatewayReferenceGrant without a gateway deployment workload selector applies to all shared gateway deployments found in the same gateway group.
  • Feature: Allow users to use Replication Slots for Embedded Postgres to improve replication reliability. To enable this feature set spec.dataStore.embeddedPostgres.replicationSlots.enabled in the ManagementPlane spec: Caveat: maximum number of replicas with replication slots enabled is 2. This limitation will be removed in future releases.
  • Feature: Add ability to archive WAL files for Embedded Postgres to support point-in-time recovery (PITR). To enable this feature set spec.dataStore.embeddedPostgres.walArchiveStorageSize in the ManagementPlane spec.
  • Fixed HTTP bindings to list shared gateways from ws, tenant and org.
  • Minor install MP and CP CRD improvements.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • PRISMA-2022-0168 - No fix available.
  • CVE-2025-8941 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2021-31879 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-14104 - No fix available.
  • CVE-2025-66382 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-52005 - No fix available.
  • CVE-2025-7709 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2025-9086 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2023-31438 - No fix available.
  • CVE-2025-10148 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2019-20838 - No fix available.
  • CVE-2024-2236 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2005-2541 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • CVE-2021-45346 - No fix available.

Version 1.13.1

  • Fixed config status reporting issue, where a change that reverted back to a previous state was sometimes not reported, resulting in incorrect status. Note: this fix may report occasional duplicate events
  • Replaced OpenCensus with Otel for metrics transfer from controlplane to management plane. Important: Please refer to Upgrade instructions in documentation This change is available from TSB 1.13.1, 1.12.7 and 1.11.5. If you have any CP with older versions, you must enable the backwards compatibility setting in the MP spec: 
    spec:
      components:
        collector:
          enableOpencensusBackwardsCompatibility: true
  • Improve (reduce) memory usage of TSB operator with large configurations
  • Embedded Postgres can now be configured to use Replication Slots to improve replication reliability. To enable this feature set spec.dataStore.embeddedPostgres.replicationSlots.enabled in the ManagementPlane spec: 
    spec:
      dataStore:
        embeddedPostgres:
          replicationSlots:
            enabled: true
    Note that enabling replication slots may lead to increased disk space usage on the Management Plane nodes, as slots retain WAL files until they are consumed by replicas. It is recommended to monitor disk space usage and configure appropriate alerts when enabling this feature. Caveat: maximum number of replicas with replication slots enabled is 2. This limitation will be removed in future releases.
  • Disable all segmentation-related features (experimental capability) by default
  • Fixed CVE-2025-62409, CVE-2025-62504, CVE-2025-0913, CVE-2025-4673, CVE-2025-47906, CVE-2025-22872, CVE-2025-22871, CVE-2025-22870, CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, CVE-2025-8715, CVE-2025-8714, CVE-2025-4207, CVE-2025-8713, CVE-2025-55199, CVE-2025-58058, CVE-2025-4802, CVE-2025-8058, CVE-2025-48924, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-8916, GHSA-2464-8j7c-4cjm.

Upgrade Notes

When upgrading the Control Plane (CP) components on an OpenShift 4.19 or later cluster, refer to the comment concerning DISABLE_K8S_GATEWAY_API_CRD_CREATION in the Upgrade notes in the documentation.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2025-22227 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2025-9086 - No fix available.
  • CVE-2025-46394 - No fix available.
  • CVE-2025-1376 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2025-8114 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2025-6297 - No fix available.
  • CVE-2019-20838 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2007-5686 - No fix available.

Version 1.13.0

  • Starting from 1.13, the permissions to create clusters and retrieve the cluster install templates have changed. These operations now require organization admin privileges (that is, permission to SetPolicy at the organization level and Create cluster permission). This does not affect the normal operation of existing clusters; the new permissions are only required to create new clusters and to retrieve the cluster install templates.
  • Management Plane now automatically creates and manages the xcp-central-cert secret so there is no need for users to manage this secret. Any existing secret will be updated, and the options for configuring the secret have been removed from the helm charts. If cert-manager was being used to manage this secret, there may be a conflict after upgrading. To resolve this, remove the cert-manager resources for this secret, e.g., Certificate CRD, and delete the Secret, then the new automatically managed certificate will be created.
  • Fixed CVE-2025-22868, CVE-2025-47907, CVE-2025-55163, CVE-2025-48924.
  • Fixes an issue where the IAM component required a restart for Control Plane clusters to report their status. IAM now automatically updates by subscribing to TSB Service Account events.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • PRISMA-2022-0168 - No fix available.
  • CVE-2024-10963 - No fix available.
  • CVE-2025-8114 - No fix available.
  • CVE-2024-10041 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2021-31879 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-52005 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2025-7709 - No fix available.
  • CVE-2019-20838 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2023-31438 - No fix available.
  • CVE-2021-45346 - No fix available.