Release Notes
Version 1.9.7
- Converted SNI match handling to filter chain match; header match is now required only for plain-text traffic.
- Enhanced gateway authorization to allow host header matching with the host and workload port combination.
Version 1.9.6
- When enabling isolation boundaries for the first time on an existing TSB installation, the istio-gateway namespace will no longer be automatically deleted. If this namespace is unnecessary, users are advised to delete it manually.
If manual deletion is required, you must first clean up any terminating resources by removing the finalizers with the following command:
kubectl get iop -n istio-gateway -o name | xargs -I % kubectl patch % -n istio-gateway -p '{"metadata":{"finalizers":null}}' --type=merge
Once the finalizers are removed, the namespace can be deleted as usual. For more details, refer to the isolation boundaries post upgrade cleanup steps.
- Fixed an issue where Management Plane kubespec and overlays were propagated to the Control Plane cluster onboarding templates.
- Added validation to check that DIRECT mode resources always have the namespace properly set.
- Cloned Ports and Labels to avoid unintended changes when merging endpoints during service entry generation.
UI
- Added workspace columns to the Dashboard.
- Added Dependency view to Topology.
- Refactored Topology Drawer and Popup.
- Fixed popup positioning in Topology.
- Refactored Start Drawer to resolve scroll issues.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.
- PRISMA-2021-0153 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2024-2236 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2024-6119 - No fix available.
- CVE-2023-42365 - No fix available.
- CVE-2022-40735 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2024-0727 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2022-41409 - No fix available.
- CVE-2023-6237 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2023-6129 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2024-41996 - No fix available.
- CVE-2023-5678 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2013-4235 - No fix available.
Version 1.9.5
- Fixed several issues that caused XCP components to panic.
- Embedded Postgres: Added validation for TLS settings and fixed the PVC cleanup job, which was not deleting unused PVCs.
- Fixed validation of duplicated hostnames in Gateway objects.
- Fixed TSB high memory consumption when sending audit logs for large objects.
- Fixed the following CVEs: CVE-2024-4603, CVE-2024-2511, CVE-2024-4741, CVE-2024-7348, CVE-2024-6119.
- Added traffic failover between gateway endpoints acting as tier2 when a gateway is configured with clusterDestinations and weights.
- Fixed a bug that could prevent OAP from starting correctly when latency to its telemetry storage was increased (e.g. in a cross-region topology).
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.
- PRISMA-2021-0153 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-2236 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2024-41996 - No fix available.
- CVE-2022-40735 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2024-6119 - No fix available.
- CVE-2023-42365 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2023-5678 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2023-6129 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2024-0727 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2023-6237 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2013-4235 - No fix available.
Version 1.9.4
- Multiple CVEs fixed.
- Fixed an issue where the TSB service account generated key didn't include the tsb.tetrate.io/ServiceAccountFQN claim when it was generated via the command tctl x service-account gen-key.
- Fixed an issue that caused tctl install cluster-service-account to return the key in PEM format instead of JWK format.
- Fixed an issue that caused duplicated short names for some TSB K8S CRDs. Conflicts resolved as: tib for IstioInternalAccessBindings, ttrb for TrafficAccessBindings, tts for TenantSetting, ttrs for TrafficSetting.
- Fixed an issue that caused embedded Postgres to not restart on TLS certificate renewal.
- Fixed an issue introduced in version 1.9.3 that prevented certain creation and deletion audit logs from being properly saved to the database.
- Added new settings in the ManagementPlane CR API that allow configuring the expiration of embedded Postgres TLS certificates.
- Fixed an issue where ports 80 and 443 were automatically added by default to Gateway services, irrespective of user-defined service ports, when isolation boundaries were configured. Now only the multicluster port (15443) is added by default, ensuring consistent behavior with environments where isolation boundaries are not enabled.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.
- PRISMA-2021-0153 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-2236 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2023-42365 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2013-4235 - No fix available.
Version 1.9.3
- Multiple CVEs fixed.
- Fixed an issue with Istio CNI not updating when using Isolation Boundaries in an OpenShift environment with the default revision.
- Fixed an issue where providing overlays for the default revision under .spec.xcp.isolationBoundaries didn't take effect.
- Fixed an issue where edge panics if a service exists in the mesh without service selectors and security settings are configured for it.
- Fixed an issue where the teamsync-first-run job was being recreated after successful execution.
- Fixed an issue with the audit logs periodical cleanup feature, which was unable to receive the credentials needed to interact with Azure PostgreSQL.
- Improved validation of Istio Object names at creation time:
  - Names must conform to RFC 1123 and be between 1 and 60 characters.
  - Istio Objects created via the gRPC API now require coherence between the name provided in CreateIstioObjectRequest and the name field in the metadata of the object.
- Added the dry-run option to the TSB API, which allows checking an operation without impacting the current state of the platform.
  - tctl: tctl apply -f <my-config.yaml> --dry-run server-side
  - http: Add the following header to the request: x-tetrate-dry-run: server-side
  - grpc: Add the following key-value metadata pair (how metadata is added to the client request depends on the grpc client library of the language used): key x-tetrate-dry-run, value server-side
- Added an option to have the TSB operators prevent deletion of important Kubernetes resources so that they cannot be accidentally deleted. This can be enabled by adding the annotation tsb.tetrate.io/deletion-protection: enabled to the Management, Control and Data plane operator deployments, and to the ManagementPlane and ControlPlane custom resources. This will block TSB uninstallation, so it must be disabled before uninstalling TSB.
Known issues
- Users might see the following error in TSB Operators:
if kind is a CRD, it should be installed before calling Start%!(EXTRA []interface {}=[kind TrafficAccessBindings.rbac.tsb.tetrate.io], *meta.NoKindMatchError=no matches for kind "TrafficAccessBindings" in version "rbac.tsb.tetrate.io/v2")
This affects gitops functionalities for the CRDs istiointernalaccessbindingss.rbac.tsb.tetrate.io and trafficsettings.traffic.tsb.tetrate.io. As a workaround, users should change the shortNames for the CRDs above to tib and ttrs respectively. This can be achieved using the following commands:
kubectl patch crd istiointernalaccessbindingss.rbac.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "tib"}]'
kubectl patch crd trafficsettings.traffic.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "ttrs"}]'
This step needs to be repeated after every restart of tsb-operator. Fixed in 1.9.4.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.
- CVE-2024-40094 - No fix available.
- PRISMA-2021-0153 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2024-2236 - No fix available.
- CVE-2024-37371 - No fix available.
- CVE-2024-37370 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2024-6104 - No fix available.
- CVE-2023-42365 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2016-20013 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2024-24791 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2024-26458 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2017-11164 - No fix available.
- CVE-2016-2781 - No fix available.
- GO-2024-2978 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2018-20796 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2010-4756 - No fix available.
- CVE-2013-4235 - No fix available.
Version 1.9.2
TSB 1.9.2 is a patch release that includes stability and reliability updates.
- Enhanced the Gateway install API to allow configuring the Envoy concurrency level. The concurrency can be configured by setting the concurrency field in the Gateway install API spec:
spec:
  concurrency: 4
There are 3 concurrency modes:
  - unset (or 0): uses Istio's default (the concurrency value is based on CPU resource limits)
  - -1: the legacy default; uses all available cores on the machine
  - n > 0: sets the concurrency to n
- Added support for the TCP/TLS server SourceIP load balancing algorithm to improve traffic management.
- Fixed config status reports for objects with the same group, version, kind, and name for clearer reporting.
- Fixed an issue related to rendering multiline helm values when using overlays.
- Fixed an issue related to the generation of authorization policies for mesh traffic when clusters are decommissioned or deleted.
- Added and enhanced various metrics in xcp-edge to provide better insights into the system.
- Fixed an issue with TSB resources not being reliably deleted in the TSB API. TSB K8s resources now contain a finalizer managed by the GitOps operator.
- Reduced the TSB server load generated by GitOps by adding an exponential backoff rate limiter to the GitOps controller, with a base delay of 3s and a max delay of 120s.
- Improved error handling in the GitOps controller. The controller no longer retries on InvalidArgument errors.
- The GitOps metric gitops_push_count_total now includes a gRPC status code label, and the Grafana dashboards are updated to reflect this change.
- The reconciliation interval now starts separately for each TSB K8s object that was successfully pushed to the TSB API. Previously, all objects were synced at the same time, which could cause periodic spikes in TSB API server load.
- Improved TSB API performance by decreasing the number of requests sent to the TSB API server: the status subresource is no longer updated if the condition in the status has not changed.
- Fixed an issue that required restarting tsb-operator when changing the pushMode from ASYNC to SYNC.
- Fixed an issue with istiod not being able to come up if a service using NodePort with externalTrafficPolicy: Local exists in the cluster.
Known issues
- When doing a new installation of the Management Plane in version 1.9.2 with Control Planes < 1.9.2, the OAP pods in the control plane clusters may enter a crash loop due to failed liveness checks. This can be fixed by setting the following in the ControlPlane resource:
components:
  oap:
    storageIndexMergingEnabled: true
Note that this only affects new installations and will NOT affect upgrades.
- Users might see the following error in TSB Operators:
if kind is a CRD, it should be installed before calling Start%!(EXTRA []interface {}=[kind TrafficAccessBindings.rbac.tsb.tetrate.io], *meta.NoKindMatchError=no matches for kind "TrafficAccessBindings" in version "rbac.tsb.tetrate.io/v2")
This affects gitops functionalities for the CRDs istiointernalaccessbindingss.rbac.tsb.tetrate.io and trafficsettings.traffic.tsb.tetrate.io. As a workaround, users should change the shortNames for the CRDs above to tib and ttrs respectively. This can be achieved using the following commands:
kubectl patch crd istiointernalaccessbindingss.rbac.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "tib"}]'
kubectl patch crd trafficsettings.traffic.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "ttrs"}]'
This step needs to be repeated after every restart of tsb-operator. Fixed in 1.9.4.
Outstanding CVEs
At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.
- CVE-2013-4235 - No fix available.
- CVE-2016-2781 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-26604 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2023-42363 - No fix available.
- CVE-2023-42364 - No fix available.
- CVE-2023-42365 - No fix available.
- CVE-2023-42366 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2024-0406 - No fix available.
- CVE-2024-2236 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2024-4741 - No fix available.
- CVE-2024-5535 - No fix available.
- CVE-2024-6104 - No fix available.
- PRISMA-2021-0153 - No fix available.
Version 1.9.1
TSB 1.9.1 is a patch release that includes stability and reliability updates.
- Fixed broken counter panels in the Grafana dashboards.
- Improved the performance of LDAP queries by requesting only the attributes that are needed.
- Fixed edge cases related to CRD deletion by the TSB operator finalizers.
- Added the pip/sql/queries and pip/sql/results loggers to show the SQL queries that are being executed by TSB. This can be extremely verbose, but useful for debugging purposes. To enable the query logging, configure the mentioned loggers with:
tctl x debug log-level management/apiserver --level pip/sql/queries:debug,pip/sql/results:debug
- Fixed an issue associated with cross cluster port 15443 when configured as a NodePort service and there are multiple gateway install objects.
- Enhancements to metrics captured by xcp-edge; for example, added metrics for the Kubernetes events that xcp-edge receives.
- Fixed an issue related to delays in synchronizing cross cluster endpoints when the number of replicas of gateway pods of LoadBalancer service type goes to zero.
- Performance optimization of services processing in xcp-edge while generating cluster state.
- Allow setting httpRetries to '0' through the TSB TrafficSetting APIs.
Known issues
- GitOps: changing pushMode from ASYNC to SYNC requires restarting tsb-operator to take effect. Fixed in 1.9.2.
- GitOps: some objects might not be deleted from the TSB API even if they are deleted in K8s, especially in environments with high load or network latency. Fixed in 1.9.2.
Outstanding CVEs
At the time of shipping, there are no Critical vulnerabilities flagged, but 2 High CVEs (CVE-2023-1370, GHSA-xpw8-rcwv-8f8p) exist in Elasticsearch; these can be ignored as the affected library is not used in the TSB code path. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.
- GHSA-3m87-5598-2v4f - Not vulnerable - Advisory withdrawn
- CVE-2024-26462 - No fix available.
- CVE-2024-26458 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2024-2236 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2022-27943 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2016-2781 - No fix available.
Version 1.9.0
What's New
- The deprecated binding of a VirtualService in TrafficGroup to a non-mesh gateway in DIRECT mode is not allowed anymore.
- Audit logs periodical cleanup: the AuditLogsCleanupRetention field has been added to dataStore under the ManagementPlane resource spec. If set, a cronjob will periodically clean up audit logs older than the specified duration. For more details, refer to the documentation.
- Added support for fault injection (delays and aborts) in Service Route HTTP routes (see documentation).
- Added support for traffic mirroring in Service Route HTTP routes (see documentation).
- Added support to configure upstream host level traffic settings (see documentation).
- Ingress and Egress Gateway deployments are no longer compatible with namespaces labeled with istio-injection=disabled. This is because from now on they need to be injected with custom templates, and this label at the namespace level prevents that. If the namespace doesn't contain the label or the label is set to enabled, the deployment will work as expected. This condition can be easily identified by the gateway deployment failing while trying to pull the auto image. Additional reference from Istio: https://istio.io/v1.20/docs/setup/additional-setup/gateway/#deploying-a-gateway
Known issues
- GitOps: changing pushMode from ASYNC to SYNC requires restarting tsb-operator to take effect. Fixed in 1.9.2.
- GitOps: some objects might not be deleted from the TSB API even if they are deleted in K8s, especially in environments with high load or network latency. Fixed in 1.9.2.
Outstanding CVEs
At the time of shipping, there are no Critical vulnerabilities flagged, but 1 High CVE (CVE-2019-0190), which can be ignored as it is a false positive for the TSB image(s). The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.
- CVE-2019-0190 - Not vulnerable, as the images do not include mod_ssl, which is the component vulnerable to attack.
- GHSA-3m87-5598-2v4f - Not vulnerable - Advisory withdrawn
- PRISMA-2021-0153 - No fix available.
- CVE-2024-28835 - No fix available.
- CVE-2024-26462 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2021-31879 - No fix available.
- CVE-2024-28834 - No fix available.
- CVE-2024-26461 - No fix available.
- CVE-2024-26458 - No fix available.
- CVE-2024-2236 - No fix available.
- PRISMA-2023-0046 - No fix available.
- CVE-2022-3219 - No fix available.
- CVE-2023-50495 - No fix available.
- CVE-2023-45918 - No fix available.
- CVE-2023-29383 - No fix available.
- CVE-2023-34969 - No fix available.
- CVE-2022-4899 - No fix available.
- CVE-2023-7008 - No fix available.
- CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-49240 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2022-27943 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2016-2781 - No fix available.
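The Outstanding CVEs sections above list each release's unremediated findings as "- <ID> - <note>" lines. As an added example (not part of the Tetrate release notes), the following parses those lists and diffs two releases so remediated, newly listed and carried-over findings can be tracked, and cross-checks a release's "Fixed the following CVEs" line against its own outstanding list; the sample inputs are constructed subsets of the 1.9.5 and 1.9.6 lists on this page.

```python
"""Outstanding-CVE drift between two TSB releases.

Added example, not part of the Tetrate release notes: parses this page's
plain-text "- <ADVISORY-ID> - <note>" lists and reports remediated, new
and carried-over findings, plus a cross-check of a release's "Fixed the
following CVEs" claim against its own outstanding list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IDs on this page span several namespaces; the note after the second " - "
# may itself contain dashes ("Not vulnerable - Advisory withdrawn").
ENTRY_RE = re.compile(
    r"^-\s*(?P<id>CVE-\d{4}-\d{4,}|GHSA-[0-9a-z-]+|PRISMA-\d{4}-\d+|GO-\d{4}-\d+)"
    r"\s+-\s+(?P<note>.+?)\s*$"
)

# Constructed sample: subset of the 1.9.5 "Outstanding CVEs" list on this page.
OUTSTANDING_1_9_5 = """
- PRISMA-2021-0153 - No fix available.
- CVE-2024-28180 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2022-3857 - No fix available.
- CVE-2013-4235 - No fix available.
"""

# Constructed sample: subset of the 1.9.6 "Outstanding CVEs" list on this page.
OUTSTANDING_1_9_6 = """
- PRISMA-2021-0153 - No fix available.
- CVE-2024-4603 - No fix available.
- CVE-2024-2511 - No fix available.
- CVE-2022-41409 - No fix available.
- CVE-2013-4235 - No fix available.
"""

# IDs the 1.9.5 notes on this page say were fixed in that release.
CLAIMED_FIXED_1_9_5 = {"CVE-2024-4603", "CVE-2024-2511", "CVE-2024-4741",
                       "CVE-2024-7348", "CVE-2024-6119"}


def parse_outstanding(text: str) -> dict[str, str]:
    """Map each advisory ID to its disposition note; reject malformed entries."""
    entries: dict[str, str] = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised outstanding-CVE entry: {line!r}")
        entries[m["id"]] = m["note"]
    return entries


@dataclass(frozen=True)
class Drift:
    remediated: frozenset[str]  # in the older list, gone from the newer
    introduced: frozenset[str]  # absent from the older list, present in the newer
    carried: frozenset[str]     # still outstanding in both


def drift(older: dict[str, str], newer: dict[str, str]) -> Drift:
    """Set-difference the two outstanding lists."""
    o, n = set(older), set(newer)
    return Drift(frozenset(o - n), frozenset(n - o), frozenset(o & n))


def unreconciled_fixes(claimed: set[str], outstanding: dict[str, str]) -> set[str]:
    """IDs a release claims to fix that still appear in its own outstanding list."""
    return claimed & set(outstanding)
```

Feeding each release's full list in turn gives a per-release remediation trail, and a non-empty result from unreconciled_fixes is the cue to ask the vendor which of the two sections is authoritative.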