Tetrate Service Bridge (Version: 1.11.x)

Release Notes

Version 1.11.0

  • In the Service Registry, values previously found in the ExternalAddresses and Hostnames fields are now returned in the Hostnames and InternalHostnames fields, respectively. The ExternalAddresses field now contains a list of IPs or load balancer hostnames that can be used to reach the service from outside the mesh.
  • The STRICTER propagation mode for WASM extensions in Security Settings is no longer cumulative. Instead, the WASM extension collection applied in a parent resource now overwrites the collections of its children. This is more secure and gives privileged users more control over which extensions can be used in the different workspaces.
  • By default, new clusters will use LOCAL namespace scoping if no other scope is specified. This default setting is chosen because most use cases do not involve cross-cluster applications. As a result, the service registry will provide a more accurate view of the services within the mesh. Note: You can always update the namespace scoping by modifying the Cluster resource.
  • Added a new metric, service_relation_mtls_percentage, for service relations (tcp_service_relation_mtls_percentage for TCP service relations) that reflects the percentage of calls using mutual TLS. The percentage is multiplied by 100 and lies in the range [0, 10000]; e.g. 500 means 5.00% and 1234 means 12.34%.
  • A minimum length is now enforced for HMAC keys. A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm. This requirement is based on Section 5.3.4 (Security Effect of the HMAC Key) of NIST SP 800-117 [NIST.800-107], which states that the effective security strength is the minimum of the security strength of the key and two times the size of the internal hash value.
  • This release bumps the Istio version to 1.22. Please check the upgrade notes to understand the implications of the upgrade.
  • Added a configuration to set the retention period, in days, for traces data; the default value is 3 days. This can be configured in the ManagementPlane resource:
    telemetryStore:
      tracesRetentionPeriodDays: 5
  • When isolation boundaries are enabled for the first time on an existing TSB install, the istio-gateway namespace is no longer deleted automatically. If this namespace is not required, users are advised to delete it manually. To delete it, first clean up the terminating resources by removing their finalizers with kubectl get iop -n istio-gateway -o name | xargs -I % kubectl patch % -n istio-gateway -p '{"metadata":{"finalizers":null}}' --type=merge, after which the namespace can be deleted normally. Read more in the isolation boundaries post-upgrade cleanup steps.
  • Automatic refreshing of the access token using the refresh token from the OIDC response is now enabled by default. To toggle this behaviour, use the useRefreshToken option in the gateway authentication configuration:
    authentication:
      oidc:
        clientId: "example-client"
        clientTokenSecret: "example-secret"
        redirectUri: http://httpbin.example.com/bearer
        provider:
          issuer: https://example.com/issuer
          authorizationEndpoint: https://example.com/authorize/v1
          tokenEndpoint: https://example.com/authorize/v1/token
          jwksUri: https://example.com/authorize/v1/jwks
        useRefreshToken: false
  • TSB can run Kong plugins as an extension. This requires a sidecar called tetrate-kong-extender to be injected into TSB. The image for this sidecar is currently not supported in FIPS mode and will fail to install. Please refer to the HowTos for details on extending TSB.
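The HMAC minimum key length rule from the release note above (a symmetric key must be at least as long as the hash output of its HS* algorithm) can be checked on a JWKS document before it is handed to a gateway. This is an added example, not TSB code; the JWKS below is constructed for illustration and the function names are assumptions.

```python
import base64
import hashlib
import json

# Hash output size in bytes for each HMAC-based JWS algorithm; the key must be
# at least this long (RFC 7518 section 3.2, which the release note quotes).
HMAC_HASH_OUTPUT_BYTES = {
    "HS256": hashlib.sha256().digest_size,  # 32 bytes = 256 bits
    "HS384": hashlib.sha384().digest_size,  # 48 bytes = 384 bits
    "HS512": hashlib.sha512().digest_size,  # 64 bytes = 512 bits
}

def b64url_decode(value):
    """Decode unpadded base64url, the encoding of the JWK 'k' member."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def hmac_key_problem(jwk):
    """Return why an 'oct' JWK must be rejected, or None if it is acceptable."""
    if jwk.get("kty") != "oct":
        return None  # asymmetric keys are not subject to this rule
    alg = jwk.get("alg")
    if alg not in HMAC_HASH_OUTPUT_BYTES:
        return "unsupported or missing alg %r" % (alg,)
    key_bits = 8 * len(b64url_decode(jwk["k"]))
    min_bits = 8 * HMAC_HASH_OUTPUT_BYTES[alg]
    if key_bits < min_bits:
        return "%s key is %d bits, minimum is %d bits" % (alg, key_bits, min_bits)
    return None

def validate_jwks(jwks_json):
    """Map each kid in a JWKS document to its rejection reason (None = ok)."""
    return {k.get("kid", "<no kid>"): hmac_key_problem(k)
            for k in json.loads(jwks_json)["keys"]}

def _k(raw):  # base64url-encode constructed key bytes for the sample below
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample JWKS (not from any real deployment): a 128-bit HS256 key,
# a 256-bit HS256 key and a 256-bit HS512 key, which is too short for SHA-512.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "oct", "kid": "short-hs256", "alg": "HS256", "k": _k(b"0" * 16)},
    {"kty": "oct", "kid": "ok-hs256", "alg": "HS256", "k": _k(b"1" * 32)},
    {"kty": "oct", "kid": "short-hs512", "alg": "HS512", "k": _k(b"2" * 32)},
]})

if __name__ == "__main__":
    for kid, problem in validate_jwks(SAMPLE_JWKS).items():
        print(kid, "->", problem or "ok")
```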

Upgrade notes

  • If the Management Plane runs on Azure and uses a managed database with Azure AD credentials, you will need to create an additional federated credential for the new tsb-n2ac service account introduced in TSB 1.11. Further details can be found in the Configuring Azure AD with PostgreSQL in TSB guide.