Tetrate Service Bridge - Version 1.9.x

Release Notes

Version 1.9.4

  • Multiple CVEs fixed.
  • Fixed an issue where a TSB service account key generated with the command tctl x service-account gen-key did not include the tsb.tetrate.io/ServiceAccountFQN claim.
  • Fixed an issue that caused tctl install cluster-service-account to return the key in PEM format instead of JWK format.
  • Fixed an issue that caused duplicated short names for some TSB K8s CRDs. The conflicts were resolved as follows:
    • tib for IstioInternalAccessBindings.
    • ttrb for TrafficAccessBindings.
    • tts for TenantSetting.
    • ttrs for TrafficSetting.
  • Fixed an issue that caused the embedded Postgres not to restart on TLS certificate renewal.
  • Fixed an issue introduced in version 1.9.3 that prevented certain creation and deletion audit logs from being properly saved to the database.
  • Added new settings to the ManagementPlane CR API that allow configuring the expiration of the embedded Postgres TLS certificates.
  • Fixed an issue where ports 80 and 443 were automatically added by default to Gateway services, irrespective of user-defined service ports, when isolation boundaries were configured. Now only the multicluster port (15443) is added by default, ensuring consistent behavior with environments where isolation boundaries are not enabled.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2013-4235 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2024-5535 - No fix available.
  • PRISMA-2021-0153 - No fix available.

Version 1.9.3

  • Multiple CVEs fixed.
  • Fixed an issue with Istio CNI not updating when using Isolation Boundaries in an OpenShift environment with the default revision.
  • Fixed an issue where providing overlays for the default revision under .spec.xcp.isolationBoundaries didn't take effect.
  • Fixed an issue where edge panicked if a service existed in the mesh without service selectors and security settings were configured for it.
  • Fixed an issue where the teamsync-first-run job was being recreated after successful execution.
  • Fixed an issue with the periodic audit log cleanup feature, which was unable to receive the credentials needed to interact with Azure PostgreSQL.
  • Improved validation of Istio object names at creation time:
    • Names must conform to RFC 1123 and be between 1 and 60 characters long.
    • Istio objects created via the gRPC API now require the name provided in CreateIstioObjectRequest to match the name field in the object's metadata.
  • Added the dry-run option to the TSB API, which allows checking an operation without impacting the current state of the platform:
    • tctl: tctl apply -f <my-config.yaml> --dry-run server-side.
    • http: add the header x-tetrate-dry-run: server-side to the request.
    • grpc: add the metadata key x-tetrate-dry-run with the value server-side to the client request. How metadata is added to the request depends on the gRPC client library of the language used.
  • Added an option for the TSB operators to prevent deletion of important Kubernetes resources so that they cannot be accidentally deleted. This can be enabled by adding the annotation tsb.tetrate.io/deletion-protection: enabled to the Management, Control and Data plane operator deployments, and to the ManagementPlane and ControlPlane custom resources. This will block TSB uninstallation, so it must be disabled before uninstalling TSB.

Known issues

  • Users might see the following error in the TSB operators:

    if kind is a CRD, it should be installed before calling Start%!(EXTRA []interface {}=[kind TrafficAccessBindings.rbac.tsb.tetrate.io], *meta.NoKindMatchError=no matches for kind "TrafficAccessBindings" in version "rbac.tsb.tetrate.io/v2")

    This affects GitOps functionality for the CRDs istiointernalaccessbindingss.rbac.tsb.tetrate.io and trafficsettings.traffic.tsb.tetrate.io. As a workaround, change the shortNames of the CRDs above to tib and ttrs respectively. This can be achieved with the following commands:

    kubectl patch crd istiointernalaccessbindingss.rbac.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "tib"}]'
    kubectl patch crd trafficsettings.traffic.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "ttrs"}]'

    This step needs to be repeated after every restart of tsb-operator. Fixed in 1.9.4.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2010-4756 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2024-24791 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-37370 - No fix available.
  • CVE-2024-37371 - No fix available.
  • CVE-2024-40094 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2024-6104 - No fix available.
  • GO-2024-2978 - No fix available.
  • PRISMA-2021-0153 - No fix available.

Version 1.9.2

TSB 1.9.2 is a patch release that includes stability and reliability updates.

  • Enhanced the Gateway install API to allow configuring the Envoy concurrency level. The concurrency can be configured by setting the concurrency field in the Gateway install API spec:

    spec:
      concurrency: 4

    There are 3 concurrency modes:
    • unset (or 0): uses Istio's default (the concurrency value is derived from the CPU resource limits).
    • -1: the legacy default; uses all available cores on the machine.
    • n > 0: sets the concurrency to n.
  • Added support for TCP/TLS server SourceIP load balancing algorithm to improve traffic management.
  • Fixed config status reports for objects with the same group, version, kind, and name for clearer reporting.
  • Fixed an issue related to rendering multiline helm values when using overlays.
  • Fixed an issue related to the generation of authorization policies for mesh traffic when clusters are decommissioned or deleted.
  • Added and enhanced various metrics to xcp-edge to provide better insights into the system.
  • Fixed an issue with TSB resources not being reliably deleted in the TSB API. TSB K8s resources now contain a finalizer managed by the GitOps operator.
  • Reduced the TSB server load generated by GitOps by adding an exponential backoff rate limiter to the GitOps controller, with a base delay of 3s and a maximum delay of 120s.
  • Improved error handling in the GitOps controller. The controller no longer retries on InvalidArgument errors.
  • The GitOps metric gitops_push_count_total now includes a gRPC status code label, and the Grafana dashboards are updated to reflect this change.
  • The reconciliation interval now starts individually for each TSB K8s object that was successfully pushed to the TSB API. Previously, all objects were synced at the same time, which could cause periodic spikes in TSB API server load.
  • Improved TSB API performance by decreasing the number of requests sent to the TSB API server: the status subresource is no longer updated if the condition in the status has not changed.
  • Fixed an issue that required restarting tsb-operator when changing the pushMode from ASYNC to SYNC.
  • Fixed an issue with istiod not able to come up if a service using NodePort with externalTrafficPolicy: Local exists in the cluster.

Known issues

  • When doing a new installation of the Management Plane in version 1.9.2 and Control Planes < 1.9.2, the OAP pods in the control plane clusters may enter a crash loop due to failed liveness checks. This can be fixed by setting the following in the ControlPlane resource:

    components:
      oap:
        storageIndexMergingEnabled: true

    Note that this only affects new installations and will NOT affect upgrades.

  • Users might see the following error in the TSB operators:

    if kind is a CRD, it should be installed before calling Start%!(EXTRA []interface {}=[kind TrafficAccessBindings.rbac.tsb.tetrate.io], *meta.NoKindMatchError=no matches for kind "TrafficAccessBindings" in version "rbac.tsb.tetrate.io/v2")

    This affects GitOps functionality for the CRDs istiointernalaccessbindingss.rbac.tsb.tetrate.io and trafficsettings.traffic.tsb.tetrate.io. As a workaround, change the shortNames of the CRDs above to tib and ttrs respectively. This can be achieved with the following commands:

    kubectl patch crd istiointernalaccessbindingss.rbac.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "tib"}]'
    kubectl patch crd trafficsettings.traffic.tsb.tetrate.io --type=json -p '[{"op": "replace", "path": "/spec/names/shortNames/0", "value": "ttrs"}]'

    This step needs to be repeated after every restart of tsb-operator. Fixed in 1.9.4.
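As an added example (not part of these release notes or of TSB's own tooling), the Python script below detects CRD short-name collisions in the items of kubectl get crd -o json and generates the same JSON patches as the workaround above, using the resolved short names from the 1.9.4 notes; it serves the identical known issue listed under 1.9.3 as well. The pre-patch short names and the CRD names for TrafficAccessBindings and TenantSetting in the sample are constructed; a CRD with no shortNames at all gets an add op rather than the replace op used in the workaround.

```python
import json

# Short names TSB 1.9.4 assigns per kind to resolve the conflicts (mapping taken
# from the 1.9.4 release notes; keyed by kind because the notes list kinds).
RESOLVED_SHORT_NAMES = {
    "IstioInternalAccessBindings": "tib",
    "TrafficAccessBindings": "ttrb",
    "TenantSetting": "tts",
    "TrafficSetting": "ttrs",
}

# Constructed sample of `kubectl get crd -o json` items. The two CRD names from
# the release notes are real; the pre-patch shortNames and the other two CRD
# names are constructed to reproduce the collision.
SAMPLE_CRDS = [
    {"metadata": {"name": "istiointernalaccessbindingss.rbac.tsb.tetrate.io"},
     "spec": {"names": {"kind": "IstioInternalAccessBindings", "shortNames": ["tab"]}}},
    {"metadata": {"name": "trafficaccessbindings.rbac.tsb.tetrate.io"},
     "spec": {"names": {"kind": "TrafficAccessBindings", "shortNames": ["tab"]}}},
    {"metadata": {"name": "tenantsettings.tsb.tetrate.io"},
     "spec": {"names": {"kind": "TenantSetting", "shortNames": ["tts"]}}},
    {"metadata": {"name": "trafficsettings.traffic.tsb.tetrate.io"},
     "spec": {"names": {"kind": "TrafficSetting", "shortNames": ["tts"]}}},
    {"metadata": {"name": "unrelated.example.io"},
     "spec": {"names": {"kind": "Unrelated"}}},
]


def find_short_name_conflicts(crds):
    """Map each short name claimed by more than one CRD to the CRD names using it."""
    owners = {}
    for crd in crds:
        for short in crd["spec"]["names"].get("shortNames", []):
            owners.setdefault(short, []).append(crd["metadata"]["name"])
    return {short: names for short, names in owners.items() if len(names) > 1}


def build_short_name_patches(crds, desired=RESOLVED_SHORT_NAMES):
    """Return (crd_name, json_patch) pairs that set each listed kind's first short
    name to its resolved value. CRDs that are already correct get no patch; a CRD
    without any shortNames gets an 'add' op instead of 'replace'."""
    patches = []
    for crd in crds:
        names = crd["spec"]["names"]
        want = desired.get(names.get("kind"))
        if want is None:
            continue
        current = names.get("shortNames") or []
        if current and current[0] == want:
            continue
        if current:
            op = {"op": "replace", "path": "/spec/names/shortNames/0", "value": want}
        else:
            op = {"op": "add", "path": "/spec/names/shortNames", "value": [want]}
        patches.append((crd["metadata"]["name"], json.dumps([op])))
    return patches


def kubectl_patch_command(crd_name, patch):
    """Render the same `kubectl patch crd ... --type=json` command as the workaround."""
    return f"kubectl patch crd {crd_name} --type=json -p '{patch}'"


if __name__ == "__main__":
    for short, names in find_short_name_conflicts(SAMPLE_CRDS).items():
        print(f"conflict: short name {short!r} is claimed by {', '.join(names)}")
    for crd_name, patch in build_short_name_patches(SAMPLE_CRDS):
        print(kubectl_patch_command(crd_name, patch))
```

Run it against the real CRD list with kubectl get crd -o json piped into SAMPLE_CRDS's place to see which CRDs still collide after a tsb-operator restart.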

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2013-4235 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2024-6104 - No fix available.
  • PRISMA-2021-0153 - No fix available.

Version 1.9.1

TSB 1.9.1 is a patch release that includes stability and reliability updates.

  • Fixed broken counter panels in the Grafana dashboards.
  • Improved the performance of LDAP queries by requesting only the attributes that are needed.
  • Fixed edge cases related to CRD deletion by the TSB operator finalizers.
  • Added the pip/sql/queries and pip/sql/results loggers to show the SQL queries that are being executed by TSB. This output can be extremely verbose, but is useful for debugging. To enable the query logging, configure the mentioned loggers with: tctl x debug log-level management/apiserver --level pip/sql/queries:debug,pip/sql/results:debug
  • Fixed an issue with the cross-cluster port 15443 when configured as a NodePort service and there are multiple Gateway install objects.
  • Enhanced the metrics captured by xcp-edge; for example, added metrics for the Kubernetes events that xcp-edge receives.
  • Fixed an issue related to delays in synchronizing cross-cluster endpoints when the number of replicas of gateway pods behind a LoadBalancer service goes to zero.
  • Performance optimization of service processing in xcp-edge while generating the cluster state.
  • Allow setting httpRetries to '0' through the TSB TrafficSetting APIs.

Known issues

  • GitOps: changing pushMode from ASYNC to SYNC requires restarting tsb-operator to take effect. Fixed in 1.9.2.
  • GitOps: some objects might not be deleted from the TSB API even if they are deleted in K8s, especially in environments with high load or network latency. Fixed in 1.9.2.

Outstanding CVEs

At the time of shipping, there are no Critical vulnerabilities flagged, but 2 High CVEs (CVE-2023-1370, GHSA-xpw8-rcwv-8f8p) exist in Elasticsearch; these can be ignored as the affected library is not used in the TSB code path. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • GHSA-3m87-5598-2v4f - Not vulnerable - Advisory withdrawn
  • CVE-2024-26462 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2016-2781 - No fix available.

Version 1.9.0

What's New

  • The deprecated binding of a VirtualService in a TrafficGroup to a non-mesh gateway in DIRECT mode is no longer allowed.
  • An AuditLogsCleanupRetention field for periodic audit log cleanup has been added to dataStore under the ManagementPlane resource spec. If set, a cronjob will periodically clean up audit logs older than the specified duration. For more details, refer to the documentation.
  • Added support for fault injection (delays and aborts) in Service Route HTTP routes (see documentation).
  • Added support for traffic mirroring in Service Route HTTP routes (see documentation).
  • Added support for configuring upstream host-level traffic settings (see documentation).
  • Ingress and Egress Gateway deployments are no longer compatible with namespaces labeled istio-injection=disabled. This is because, from now on, they need to be injected with custom templates, and this label at the namespace level prevents that. If the namespace doesn't carry the label, or the label is set to enabled, the deployment works as expected. The problem can be identified by the gateway deployment failing while trying to pull the auto image. Additional reference from Istio: https://istio.io/v1.20/docs/setup/additional-setup/gateway/#deploying-a-gateway

Known issues

  • GitOps: changing pushMode from ASYNC to SYNC requires restarting tsb-operator to take effect. Fixed in 1.9.2.
  • GitOps: some objects might not be deleted from the TSB API even if they are deleted in K8s, especially in environments with high load or network latency. Fixed in 1.9.2.

Outstanding CVEs

At the time of shipping, there are no Critical vulnerabilities flagged, but 1 High CVE (CVE-2019-0190), which can be ignored as it is a false positive for the TSB image(s). The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2019-0190 - Not vulnerable as the images do not include mod_ssl which is vulnerable to attack.
  • GHSA-3m87-5598-2v4f - Not vulnerable - Advisory withdrawn
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-28835 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-28834 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2024-2236 - No fix available.
  • PRISMA-2023-0046 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49240 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2016-2781 - No fix available.