Version: 1.4.x

Release Notes

Version 1.4.7

Bug fixes

  • Removed the restriction that workspace names must be unique in XCP even across tenants
  • Fixed an east/west AuthZ issue that allowed cross-cluster calls even when an authorization restriction was in place
  • Added secure naming for cross-cluster communication
  • Fixed an issue in tctl get all where bindings for Direct Mode groups were incorrectly rendered
  • Fixed an issue with cluster state reporting in TSB for large clusters
  • Fixed an issue with XCP Central certificate parsing

Performance Improvement

  • Improved the performance and reduced the resource usage of edges by enhancing the cluster state filter for edges

Version 1.4.6

Bug fixes

  • Fixed an issue with some web UI components not being able to start in IPv4-only environments.
  • Fixed an issue where a control plane could not connect to a management plane that allowed TLS 1.3 only.

Version 1.4.5

Security fixes

  • Fix CVE-2021-44832 in the Java logging library Apache Log4j 2.

Bug fixes

  • Fixed an issue with some TSB components not being able to start in IPv4-only environments
  • Minor fixes to the App Ingress watcher and to the use of hard-coded tags

Version 1.4.4

Security fixes

  • Fix CVE-2021-45105 in the Java logging library Apache Log4j 2.

Bug fixes

  • Fixed TLS certificate issues associated with App Ingress

What's New

  • Removed the restriction that cluster names must be valid DNS-1123 names
  • App Ingress now uses the Kubernetes-provided DNS certificate for control plane communication
  • Added an 'install' command to App Ingress

Version 1.4.3

Security fixes

  • Fix CVE-2021-45046 in the Java logging library Apache Log4j 2.

Version 1.4.2

Security fixes

  • Fix for critical vulnerability (CVE-2021-44228, CVSS score 10) in the Java logging library Apache Log4j 2.

Version 1.4.1

What's New

  • The status of configuration rollout for TSB objects can now be tracked with tctl. Two experimental commands have been added in this release:
    • tctl experimental status - Allows retrieving the status of a given resource. This will show if the configuration has been accepted, sent to XCP, if there are validation errors, and in future releases it will also show if it has been fully deployed to all the target clusters.
    • tctl experimental wait - This command allows waiting until a resource reaches a desired status. This is useful to wait until the configuration has been deployed and is ready to be used. The available statuses this command supports are the ones that are made available by the tctl experimental status command.
  • Enhanced troubleshooting for the Management Plane:
    • tctl experimental debug log-level - This command allows directly viewing and modifying the logging levels of the TSB components without having to restart them.
    • tctl experimental debug dashboard - This can be used to open a web console for a TSB component. The new debug dashboard provides access to some insights of the TSB services, such as environment variables, logging levels, available metrics, and even profiling information.
    • tctl experimental audit - Allows querying the audit logs for a given resource. This provides detailed information to understand who changed what and when, for any TSB-managed resource.

Upgrade notes

  • The PostgreSQL image that comes with the demo profile has been upgraded from version 11.1 to 14.1 to fix many CVEs that were present in the older version. Note that the demo profile is not meant for production use and demo installations and environments are not expected to be upgraded the same way as production releases. Upgrading a demo PostgreSQL container that already contains data is not supported and extra caution needs to be taken to prevent data loss. It is recommended that you take backups of all your data and follow the migration instructions on the PostgreSQL website if you plan to upgrade a demo environment to this release.

Security fixes

  • The following CVEs have been addressed as part of this release: CVE-2009-5155, CVE-2016-2779, CVE-2016-9427, CVE-2017-1000408, CVE-2017-1000409, CVE-2017-14062, CVE-2017-16932, CVE-2017-16997, CVE-2017-18269, CVE-2017-8872, CVE-2018-1000001, CVE-2018-1000858, CVE-2018-14632, CVE-2018-15686, CVE-2018-20346, CVE-2018-20406, CVE-2018-20506, CVE-2018-20843, CVE-2018-6485, CVE-2018-6551, CVE-2018-8740, CVE-2019-10149, CVE-2019-12900, CVE-2019-13917, CVE-2019-1543, CVE-2019-15846, CVE-2019-15903, CVE-2019-17455, CVE-2019-18218, CVE-2019-19956, CVE-2019-20367, CVE-2019-20388, CVE-2019-20907, CVE-2019-3829, CVE-2019-3842, CVE-2019-5010, CVE-2019-8457, CVE-2019-8905, CVE-2019-8907, CVE-2019-9169, CVE-2019-9636, CVE-2019-9936, CVE-2019-9937, CVE-2020-10531, CVE-2020-11655, CVE-2020-12783, CVE-2020-13871, CVE-2020-26160, CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28015, CVE-2020-28017, CVE-2020-28019, CVE-2020-28020, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026, CVE-2020-29652, CVE-2020-7595, CVE-2020-9283, CVE-2021-29482, CVE-2021-3121, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-38371.

Version 1.4.0

What's New

  • Application and API features with OpenAPI annotations for a developer-centric experience.
  • Single sign-on (SSO) with OIDC.
  • Automatic synchronization of users and teams from Azure AD.
  • JWT support for XCP Edge to XCP Central communication, for new Management Plane installations. (1)
  • Adds an Egress Gateway.
  • Configurable retention period for metrics (OAP/SkyWalking) and traces (Zipkin).
  • Rate limiting support at Tier1Gateway, IngressGateway, and sidecars.
  • External AuthZ support at Tier1Gateway, IngressGateway, and sidecars.
  • Performance improvements in the config propagation and cluster state reporting.
  • Important Component upgrades
    • Istio 1.9.8.
    • Envoy 1.17.1.
    • SkyWalking 8.7.
    • Zipkin 2.23.4.
    • OpenTelemetry Collector 0.36.0.
  • Streaming service logs (alpha feature).
  • Autoscaling VM onboarding (alpha feature).
(1) Concurrent support of JWT and mTLS for XCP communications is planned for the next release, which is required to allow for a rolling upgrade from mTLS to JWT.

Upgrade Notes

  • We have increased the resource defaults for OpenTelemetry collector as newer versions have become more resource hungry. The new request default is 400m cpu, 500Mi memory. The new limit default is 800m cpu, 1000Mi memory.
  • If your Elasticsearch control plane settings are protocol: https and selfSigned: false, TSB previously did not validate the Elasticsearch certificate against the system CA bundle. This validation now happens, so if your Elasticsearch uses a self-signed certificate but you have not set selfSigned: true in the settings, you will need to do so and create the relevant Kubernetes secret. See control plane onboarding for more details.
  • Starting from 1.4, the MPC component needs a certificate to authenticate with XCP Central when using mutual TLS. When upgrading, a certificate for MPC must be created and stored in a secret named mpc-certs. The following example shows how to create the certificate using cert-manager. This step is not needed for new installations, which default to JWT-based authentication. Note that example certificates can also be created by running tctl install manifest management-plane-secrets with the --xcp-certs flag.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mpc-certs
  namespace: tsb
spec:
  secretName: mpc-certs
  issuerRef:
    name: xcp-identity-issuer
    kind: Issuer
  duration: 30000h
  isCA: false
  dnsNames:
    - "mpc.tsb.svc.cluster.local"
  uris:
    - spiffe://xcp.tetrate.io/mpc
  usages:
    - client auth
    - server auth
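Before running the upgrade it is worth confirming that the certificate actually stored in the mpc-certs secret carries the identity the note requires: the spiffe://xcp.tetrate.io/mpc URI SAN, the mpc.tsb.svc.cluster.local DNS SAN, and both client and server auth usages. The POSIX shell script below is an added example, not part of the release notes or of Tetrate's tooling; it assumes OpenSSL 1.1.1 or later (for -addext) and constructs two throwaway self-signed certificates locally, one matching the Certificate above and one deliberately missing the SPIFFE URI and client auth usage, so the check can be exercised offline. The kubectl line in the comments shows how to feed it the real secret's tls.crt instead.

```shell
#!/bin/sh
# Added example, not from the TSB release notes or Tetrate's tooling.
# Verifies that a PEM certificate destined for the "mpc-certs" secret carries
# the SANs and key usages the 1.4 upgrade note requires.
# Assumes OpenSSL 1.1.1 or later (for "-addext"). The certificates generated
# below are constructed locally so the check can be exercised offline.

MPC_SPIFFE_ID="spiffe://xcp.tetrate.io/mpc"
MPC_DNS_NAME="mpc.tsb.svc.cluster.local"

# make_sample_mpc_cert DIR: throwaway self-signed cert with the SANs and usages
# from the release note (a stand-in for what cert-manager would issue).
make_sample_mpc_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/tls.key" -out "$1/tls.crt" -subj "/CN=mpc" \
    -addext "subjectAltName=DNS:$MPC_DNS_NAME,URI:$MPC_SPIFFE_ID" \
    -addext "extendedKeyUsage=clientAuth,serverAuth" >/dev/null 2>&1
}

# make_bad_cert DIR: a constructed cert missing the SPIFFE URI and the client
# auth usage, i.e. one XCP Central could not accept as the MPC client identity.
make_bad_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/bad.key" -out "$1/bad.crt" -subj "/CN=mpc" \
    -addext "subjectAltName=DNS:$MPC_DNS_NAME" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# check_mpc_cert CERT: exit 0 when the certificate has the SPIFFE URI SAN, the
# DNS SAN and both client and server auth EKUs; otherwise report what is
# missing and exit 1.
check_mpc_cert() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  rc=0
  case "$text" in *"URI:$MPC_SPIFFE_ID"*) ;;
    *) echo "$1: missing URI SAN $MPC_SPIFFE_ID"; rc=1 ;; esac
  case "$text" in *"DNS:$MPC_DNS_NAME"*) ;;
    *) echo "$1: missing DNS SAN $MPC_DNS_NAME"; rc=1 ;; esac
  case "$text" in *"TLS Web Client Authentication"*) ;;
    *) echo "$1: missing client auth usage"; rc=1 ;; esac
  case "$text" in *"TLS Web Server Authentication"*) ;;
    *) echo "$1: missing server auth usage"; rc=1 ;; esac
  return $rc
}

# Against a live management plane, run the check on the secret's certificate
# instead (not executed here; cert-manager stores the leaf under tls.crt):
#   kubectl get secret mpc-certs -n tsb -o jsonpath='{.data.tls\.crt}' \
#     | base64 -d > mpc.crt && check_mpc_cert mpc.crt

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_sample_mpc_cert "$d" && check_mpc_cert "$d/tls.crt" && echo "sample cert OK"
  make_bad_cert "$d" && check_mpc_cert "$d/bad.crt" || echo "bad cert rejected, as expected"
  rm -rf "$d"
fi
```

Run it with --demo to see both outcomes. The check is deliberately string-based on openssl's text output so it needs nothing beyond the openssl binary; the same four checks are what a reviewer would want to see pass on the certificate cert-manager issued before switching MPC to mutual TLS.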