Tetrate Service Bridge Version: 1.5.x

Release Notes

Version 1.5.12

Bug fixes and Improvements

  • Improved propagation strategy behavior: the propagation strategy set for a resource is now enforced only for the resource's descendants, rather than for the resource itself.
  • Fixed OpenAPI service parsing when using namespace scope LOCAL in service registry.
  • Fixed error when removing service with type load balancer from Application.

Security fixes

  • Update TSB component images to address CVEs.
  • Some vulnerability scanners may report that images included in this version of TSB are vulnerable to CVE-2023-29402, CVE-2023-29403, CVE-2023-29404 and CVE-2023-29405.

These reports are false positives; TSB is not vulnerable to these CVEs.

  • CVE-2023-29402 - Only exploitable at build time, and the TSB build process only uses go get, which is not affected.
  • CVE-2023-29403 - setuid / setgid is not used.
  • CVE-2023-29404 and CVE-2023-29405 - Only exploitable at build time, and go is not used in the TSB build.

Version 1.5.11

Bug fixes and Improvements

  • By default, the synchronization of TelemetrySources and TelemetryMetrics is disabled to enhance resource consumption efficiency.
  • Edge statuses are now consistently propagated when they are available.
  • Resolved user interface bugs that occurred during the editing of APIs.
  • Improved the accessibility of certain user interface components for an enhanced user experience.
  • Partitioned the single, monolithic gateway IOP configuration into multiple individual gateway configs.
  • Added functionality for North/South gateway to handle exposed host HTTPS multicluster calls from mesh clients, assisting in the migration process to ISTIO_MTLS.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.10

Bug fixes and Improvements

  • Fixed an issue so that the webhook failure policy is set to ignore when GitOps is disabled.
  • tctl get all now supports parallel requests.
  • Fixed UI bugs to improve the user experience.
  • Zero traffic downtime for cross cluster communication during node draining or downscaling.
  • Enhancement to internal webhook cert-handling.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.9

Bug fixes and Improvements

  • Improved OpenShift platform detection using annotations.
  • Fixed an issue with the maximum gRPC stream message size for MP components, ensuring reliable and consistent communication.
  • Fixed inclusion of meshConfig for data plane IstioOperator resources.
  • Fixed the NGAC agent configuration and enabled the NGAC PDP API only if the component is enabled.
  • Updated the TSB packaged cert-manager to v1.11.0.
  • Fixed UI bugs to improve the user experience.
  • Updated the default Egress gateway service type to ClusterIP.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.8

Bug fixes and Improvements

  • Improved topology view in the user interface for better visualization of the services.
  • Optimized data fetching in the Application list page to reduce page load time and improve user experience.
  • Implemented rate limit image to use the configured hub in installation CR.
  • Fixed memory issue that caused crashes and slowdowns in the system.
  • Resolved service entry deletion on edge reboot case, ensuring that service entries are properly removed when necessary.
  • Fixed namespace selector resolver in case of workspace not existing and group selecting explicit cluster, ensuring proper namespace selection.
  • Improved direct mode host port and protocol validation for more reliable and secure network connections.
  • Enhanced config push stability to prevent data loss and ensure data integrity during configuration changes.
  • Optimized cluster state local cache to improve data retrieval speed and reduce resource utilization.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.7

Bug fixes and Improvements

  • Addressed user interface (UI) issues to improve overall usability.
  • Fixed an issue with the strict Authorization (AuthZ) mode propagation for improved security.
  • Improved the XCP central-to-edge handshake process, including the exchange of configurations and cluster states for enhanced performance.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.5

Bug fixes and Improvements

  • Improved the process of upgrading to version 1.5.x
  • Added more detailed audit logging for policy changes
  • Fixed memory leaks that were occurring in certain scenarios with xcp edge
  • Improved support for OpenShift environments, eliminating the need for additional overlays
  • Enhanced the exchange of cluster state information between control plane clusters
  • Implemented a fix to prevent requests with different hostnames from sharing the same ratelimit configuration

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.4

Bug fixes and Improvements

  • IngressGateway paths are now ordered when translated from OpenAPI spec in API resource.
  • Improvements to Cluster delete handling.
  • Fix operator to remove initContainers fields properly.
  • Improvements in handling cross cluster states
  • Enhancements to config status reporting
  • Optimization in DNS resolution calls needed for TSB managed DNS addresses

Security fixes

  • Update TSB component images to address CVEs.

Version 1.5.3

Bug fixes and Improvements

  • Add support for root and RBAC global policies in AccessBinding
  • Add shutdown delay in workload onboarding agent to avoid traffic downtime during VM scale down
  • Add sidecar latency and TCP metrics in UI.
  • Add member uniqueness validation in teams API.
  • Show team members in permissions UI.
  • Update Istio to reorder metadata exchange and RBAC filters.
  • Fix missing sidecar metrics aggregation.
  • Fix more UI issues related to wildcard suffix in namespace selector.
  • Fix Tier1 locality based failover.

Security fixes

  • Update Zipkin image to address CVEs.

Version 1.5.2

What’s New

  • ServiceRoute now supports advanced traffic shifting subset selection via HTTPRoutes and TCPRoutes fields.
  • Support configuring cluster external addresses through xcp.tetrate.io/cluster-external-addresses annotation in TSB IngressGateway or Tier1Gateway installation CR. Go to Configure cluster external addresses for an example.
  • Streaming log viewer now supports showing logs as a table with filtering capability.
  • UI now supports Allow/Deny rules in SecuritySettings.
  • UI now supports HTTP -> HTTPS redirect in TSB Tier1 and IngressGateway resources.

Bug fixes and Improvements

  • Improved TSB memory consumption.
  • Allow setting replicas to 0 in Data Plane operator.
  • Added CRDs for TSB roles.
  • Fix issues in Helm uninstallation where the process got stuck sometimes.
  • Fix UI issues related to wildcard suffix in namespace selector.
  • Fix UI not showing HttpMatch rule in IngressGateway configuration.
  • Fix UI saving invalid payload in direct mode configuration.
  • Fix installation issues in OpenShift.

Security fixes

Version 1.5.1

What’s New

  • Support Allow/Deny rules in SecuritySettings.
  • Support wildcard as suffix for namespace selectors in workspace and config groups.
  • Support HTTP -> HTTPS redirect in TSB Tier1 and IngressGateway resources.
  • Support in-place gateway upgrade when using revisioned control plane. In-place gateway upgrade is the default behaviour. If you want to use canary gateway upgrade you need to set ENABLE_INPLACE_GATEWAY_UPGRADE=false in your control plane custom resource at xcp component. Go to Revisioned Istio Control Plane for more details.
  • Support generic access binding by specifying resource fully qualified name.

Bug fixes

  • Fix config status propagation when deleting last child.
  • Improve config status for runtime resources.
  • Fix UI cluster connectivity warning based on last sync time.
  • Fix installation issue for OCP.
  • Fix HTTPRetry.RetryOn validation.

Version 1.5.0

What’s New

  • Seamless integration with GitOps workflows and CI/CD solutions.
  • Helm charts to deploy the TSB Management Plane, Control Plane and Data Plane.
  • Support fine-grained control on how hierarchical security policies propagate. Now privileged users can configure default security policies that cannot be replaced and can only be made more restrictive in lower levels of the hierarchy by using the STRICTER propagation strategy.
  • Added the Istio internal configuration group to allow using Istio EnvoyFilter and ServiceEntry objects in DIRECT mode.
  • Added a new flag to image-sync command that only outputs the image names, one per line.
  • XCP edges are not required to be run as Kubernetes nodeport services or loadbalancer services anymore.
  • tctl experimental es-validate command has been added to assist with troubleshooting and testing Elasticsearch configurations. More details in the command reference.
  • Streaming pod logs are now supported on the existing OAP cluster model; the oap-logs deployment is no longer required.
  • On-demand envoy metrics. The flag onDemandEnvoyMetricsEnabled is false by default. If enabled, the envoy proxy will emit a set of metrics and OAP will provide a query API that can be used to collect envoy proxy metrics for specific pods. Notice: This won't affect the already running pods. You will need to restart the application pods for the new config to apply (and it does not apply to gateways). This is only for temporary and real-time queries that can be used, for example, for application troubleshooting use cases. These metrics are not persisted.
  • Control plane tokens can now be automatically rotated. To enable this, a cluster service account needs to be created as described here.
  • Workload Onboarding Operator now supports AWS ECS and on-premises VM workloads.
  • Added the support for routing TCP traffic in gateways (for both Tier 1 and Ingress gateways) and also for services (via ServiceRoute).
  • Config protection to prevent accidental overwrites of TSB configurations in the control planes.
  • Deploy Envoy proxy as a gateway in a VM.

Upgrade notes

  • Due to Istio and xcp incompatibility issues, when upgrading control plane to version 1.5 all other control planes must be at version 1.4 or above.
  • Delete xcp edge loadbalancer type or nodeport type kubernetes service object from control plane clusters. Remove any overlays from ControlPlane CR which are for configuring edge svc as nodeport type.
  • If OAP already has streamingLogEnabled enabled, set it to false and delete the oap-logs deployment. After the upgrade, set streamingLogEnabled back to true.
  • Default authentication mode configuration for XCP changes from mutual TLS to JWT.
  • The Istio configurations generated for DIRECT mode resources will now have a td- prefix to avoid name collisions when using GitOps features in the application clusters. When upgrading to this release, existing DIRECT mode generated configurations will be updated in the application clusters, even if GitOps is not enabled.
  • The Management and Control Plane installation allows customizing the certificate provider used to issue internal TSB certificates. By default, it will install cert-manager and use it internally to issue its internal certificates. If there is already an existing installation of cert-manager in the cluster, the ManagementPlane and ControlPlane resources must be configured as follows:
        internalCertProvider:
          certManager:
            managed: EXTERNAL
    Also, the version of cert-manager must support Kubernetes CertificateSigningRequests and have that support enabled. The --feature-gates=ExperimentalCertificateSigningRequestControllers=true startup flag needs to be present in the cert-manager container.
  • Clusters using mTLS to authenticate with the global control plane are recommended to migrate to JWT authentication. For more details and upgrade steps, see here.
  • For internal communication between XCP central, edge and MPC, SHA-1 signed certificates are considered insecure and will be rejected. Use SHA-256, SHA-384 or SHA-512 when signing your certificates. For example, you need to pass -sha256 when using openssl.
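
A pre-upgrade check for the SHA-1 rule above, as an added example that is not part of the TSB documentation or tooling: it reads the signature algorithm OID from a PEM certificate using only the Python standard library. The OID table covers common RSA and ECDSA algorithms only, and `_skeleton_cert` builds a constructed, certificate-shaped input for illustration rather than a real certificate.

```python
import base64
import re

# DER content bytes (hex) of common signature algorithm OIDs and their names.
SIG_ALGS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a864886f70d01010c": "sha384WithRSAEncryption",
    "2a864886f70d01010d": "sha512WithRSAEncryption",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(pem):
    """Name of the algorithm that signed the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, start, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID in signatureAlgorithm")
    oid = der[oid_start:oid_end].hex()
    return SIG_ALGS.get(oid, "unknown OID " + oid)

def rejected(pem):
    """True when the certificate is SHA-1 signed and would be refused."""
    return "sha1" in signature_algorithm(pem).lower()

def _skeleton_cert(oid_hex):
    """Constructed input: certificate-shaped DER with an empty tbsCertificate."""
    def seq(body, tag=0x30):
        return bytes([tag, len(body)]) + body
    alg = seq(seq(bytes.fromhex(oid_hex), 0x06) + b"\x05\x00")
    der = seq(seq(b"") + alg + seq(b"\x00", 0x03))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

To audit real certificates, pass the contents of each PEM file to `rejected()`; an algorithm outside the table is reported by `signature_algorithm()` as an unknown OID and should be reviewed by hand.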

Deprecation Notices

  • The behaviour of tctl install image-sync --just-print will change to be the one introduced with the new raw flag. If you rely on the output of this command in any integration script or otherwise, please adapt it to match the new expected behaviour starting in TSB 1.6.0.

Security Updates

  • Upgraded the version of Postgres bundled with the demo profile to 14.2 to fix various CVEs