Tetrate Service Bridge 1.8
Introducing Tetrate Service Bridge (TSB) version 1.8.0 – the latest evolution in application connectivity platforms. TSB continues to redefine the landscape by providing a comprehensive solution for seamlessly connecting services across diverse Kubernetes clusters, virtual machines, and bare-metal workloads.
Building upon the success of the 1.7 release, TSB 1.8.0 reaches a milestone by introducing the General Availability (GA) of IsolationBoundary and by improving internal WASM plugin management for IdentityPropagation. This significant advancement enhances multi-cluster connectivity, security, observability and network isolation for enterprise applications. This not only streamlines administrative tasks but also facilitates scalable operations with unparalleled efficiency.
New Features and Improvements
- OIDC in TSB Gateway: OIDC integration in TSB Gateways to authenticate users with an external OIDC provider when they access applications exposed via a Gateway.
  - Currently, TSB only supports the authorization code flow for OIDC.
- Isolation Boundary now GA: Network isolation by running multiple Istio ControlPlane installations in a single Kubernetes cluster, and seamless revisioned ControlPlane upgrades using IsolationBoundary, are now in the GA phase.
  - Ability to configure multiple Istio ControlPlane installations in a single Kubernetes cluster, achieving environment segregation and network isolation within that cluster.
  - Ability to extend service discovery and traffic distribution for VM workloads under a single revision using Mesh Expansion.
  - Ability to configure revision-specific Istio ControlPlane configurations under an Isolation Boundary.
- Identity Propagation Improvements:
  - Ability to configure multi-cluster access control policies and validate the identity of each request through the gateway hops using internal WASM plugins.
  - Improved the internal WASM plugin management by automatically mounting the required plugins to proxies and gateways that run in Kubernetes.
- Multiple UI improvements: We have made several UI improvements to enhance user experience, including:
  - OIDC in TSB Gateway: Added OIDC support in Gateway Settings UI.
  - Enhancements in Organization Settings: Moved Network Reachability & Regional Failover settings under a common UI in Organization Settings Config.
  - Sidecar-Less service metrics: Added support for eBPF sidecar-less service metrics.
  - Improved Metrics UI: Improved metrics querying performance by splitting queries into smaller chunks.
  - MQE Migration: Migrated to MQE from old Skywalking queries.
- Resource Naming Constraints: TSB resource names must follow the DNS label standard as defined in RFC 1123. This means the name must:
  - contain at most 63 characters
  - contain only lowercase alphanumeric characters or '-'
  - start with an alphanumeric character
  - end with an alphanumeric character
  This validation is enforced only when creating a new resource. You will still be able to update or delete existing resources that do not conform to these constraints. It is recommended to update the resource name to conform to the constraints.
Upgrade Notes
Following are important changes to consider when upgrading to TSB 1.8:
- Removal of EstimatedConcurrency from the Istio Injection Template: The Istio proxy concurrency configuration has been standardized across sidecars and gateways. As part of this update, the EstimatedConcurrency field has been removed from the Istio injection template.
  It is crucial to restart the Istio operator pod after the control plane upgrade is complete to ensure that the istio-sidecar-injector config map is updated. Should the config map still contain the EstimatedConcurrency field, you may encounter the following error during sidecar injection:
    Error from server: admission webhook "namespace.sidecar-injector.istio.io" denied the request: failed to run injection template: template: inject:211:12: executing "inject" at <.EstimatedConcurrency>: can't evaluate field EstimatedConcurrency in type *inject.SidecarTemplateData
  This error indicates that the sidecar injector template still references the deprecated field, and the config map needs updating.
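A post-upgrade check for the condition described above, as an added example that is not part of the TSB documentation or Tetrate tooling: it looks for the removed field in every istio-sidecar-injector config map of one namespace, so a stale template is found before pods are denied at admission. The namespace argument, the istio-sidecar-injector-<revision> naming for revisioned control planes, and the "config" data key are assumptions about the Istio installation.

```sh
#!/bin/sh
# Added example, not Tetrate tooling. Assumptions: kubectl points at the
# upgraded cluster, the control plane namespace is passed as $1, revisioned
# installs name the config map istio-sidecar-injector-<revision>, and the
# injection template is stored under the "config" data key.

# Exit 0 when the text on stdin still references the removed field.
references_removed_field() {
    grep -q '\.EstimatedConcurrency'
}

# Print STALE/OK per injector config map in namespace $1.
# Returns 0 if all are clean, 1 if any is stale, 2 if none were found.
check_injector_configmaps() {
    ns="$1"; stale=0; found=0
    for cm in $(kubectl get configmap -n "$ns" -o name |
                grep '^configmap/istio-sidecar-injector'); do
        found=1
        if kubectl get "$cm" -n "$ns" -o jsonpath='{.data.config}' |
           references_removed_field; then
            echo "STALE $cm"; stale=1
        else
            echo "OK $cm"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no istio-sidecar-injector config map in $ns" >&2
        return 2
    fi
    return "$stale"
}

# Run only when a namespace is given, e.g.: sh check.sh <namespace>
if [ "$#" -gt 0 ]; then
    check_injector_configmaps "$1" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "restart the Istio operator pod, then re-run this check" >&2
    fi
    exit "$rc"
fi
```

Exit status 2 separates "nothing was checked" from "everything is clean", which matters when the wrong namespace is passed.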
Additional Enhancement
Refer to the TSB 1.8 Release Notes for the complete list of additional improvements in TSB 1.8.
Get Started with Tetrate Service Bridge
To get started with Tetrate Service Bridge:
- Review the Initial Requirements and identify the target platform
- Determine if you wish to:
  - follow a quick demo installation
  - perform a more-involved production-ready installation (Management Plane, Cluster Onboarding)
  - apply an upgrade to an existing Tetrate Service Bridge deployment
Don't hesitate to reach out to your Tetrate support contact if you have any questions.
📄️ Release Notes
Version 1.8.5
📄️ Feature Status
Status of included features.
📄️ TSB Support Policy
TSB support policy, release schedule, and component version matrix.