Tetrate Service Bridge, Version: 1.11.x

Release Notes

Version 1.11.1

  • Added Tier-1 (t1) gateway support for direct mode shared Tier-2 (t2) gateways.
  • Fixed the following CVEs: CVE-2024-5535, CVE-2024-9143, CVE-2024-47535, CVE-2024-7254, CVE-2024-41110, CVE-2024-9681, CVE-2024-45337.
  • Enhanced the configuration profiles blame output to better identify whether a configuration value originates from a profile default or a profile mandate. Additionally, added functionality to trace the specific profile attachment for each configuration value.
  • Enhanced the list of available profiles to exclude those already attached higher in the resource hierarchy.
  • Enhanced the Gateway HTTP JWT Authentication with the added fields for "fromHeaders" and "fromCookies".
  • Enhanced the usability of the Tree View in Tracing with zooming and panning.
  • Enhanced the UX of the profile configuration editor.
    • Made it easier to distinguish between set and unset values.
    • The defaults and mandates configurations are now displayed on the same tab, allowing for seamless editing.
    • Cleaned up the YAML and JSON views to only show fields that have been set.
    • Display the JSON of the entire Profile object, making it easier to use for GitOps purposes.

Outstanding CVEs

At the time of shipping, there are no Critical or High vulnerabilities flagged. The following CVEs (medium/low) have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • CVE-2024-10041 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-10963 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-40735 - No fix available.
  • CVE-2023-4039 - No fix available.
  • CVE-2024-6119 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2019-25210 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2012-2663 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2024-0727 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2023-5678 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2022-41409 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2018-1000021 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2023-6129 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2023-6237 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2024-2511 - No fix available.

Version 1.11.0

  • In the Service Registry, values previously found in the ExternalAddresses and Hostnames fields are now returned in the Hostnames and InternalHostnames fields, respectively. The ExternalAddresses field now contains a list of IPs or load balancer hostnames that can be used to reach the service from outside the mesh.
  • The STRICTER propagation mode for WASM extensions in Security Settings is no longer cumulative: the WASM extension collection set on a parent resource now overwrites the collection set on its child resources. This is more secure and gives privileged users more control over which extensions can be used in the different workspaces.
  • By default, new clusters will use LOCAL namespace scoping if no other scope is specified. This default setting is chosen because most use cases do not involve cross-cluster applications. As a result, the service registry will provide a more accurate view of the services within the mesh. Note: You can always update the namespace scoping by modifying the Cluster resource.
  • Added a new metric service_relation_mtls_percentage for service relations (tcp_service_relation_mtls_percentage for TCP service relations) that reflects the percentage of calls using mutual TLS. The value is the percentage multiplied by 100, so it lies in the range [0, 10000]; e.g. 500 means 5.00% and 1234 means 12.34%.
  • A minimum length is now enforced for HMAC keys. A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm, as required by RFC 7518 section 3.2. That requirement is based on Section 5.3.4 (Security Effect of the HMAC Key) of NIST SP 800-107 [NIST.800-107], which states that the effective security strength is the minimum of the security strength of the key and two times the size of the internal hash value. Existing JWT authentication configurations that use keys shorter than the hash output will be rejected after the upgrade.
  • This release bumps the Istio version to 1.22. Please check the upgrade notes to understand the implications of the upgrade.
  • Added a configuration to set the retention period in days for traces data; the default value is 3 days. This can be configured in the ManagementPlane resource:
    telemetryStore:
      tracesRetentionPeriodDays: 5
  • When isolation boundaries are enabled for the first time on an existing TSB install, the istio-gateway namespace is no longer deleted automatically. If this namespace is not required, delete it manually. If the deletion hangs on terminating resources, remove their finalizers first:
    kubectl get iop -n istio-gateway -o name | xargs -I % kubectl patch % -n istio-gateway -p '{"metadata":{"finalizers":null}}' --type=merge
    After this the namespace can be deleted normally. Note that stripping finalizers skips the operator's own cleanup for those IstioOperator resources, so only do it for resources that are already stuck in Terminating. Read more on isolation boundaries post upgrade cleanup steps.
  • Automatic refreshing of the access token using the refresh token from the OIDC response is now enabled by default. To toggle this option use the useRefreshToken field in the gateway authentication configuration:
    authentication:
      oidc:
        clientId: "example-client"
        clientTokenSecret: "example-secret"
        redirectUri: http://httpbin.example.com/bearer
        provider:
          issuer: https://example.com/issuer
          authorizationEndpoint: https://example.com/authorize/v1
          tokenEndpoint: https://example.com/authorize/v1/token
          jwksUri: https://example.com/authorize/v1/jwks
        useRefreshToken: false
  • TSB can run Kong plugins as an extension. This requires a sidecar, called tetrate-kong-extender, to be injected into TSB. The image for this sidecar is currently not supported in FIPS mode and will fail to install. Please refer to the HowTos for details on extending TSB.
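The HMAC key-length rule introduced in 1.11.0 (the bullet above on minimum HMAC key sizes) is easy to get wrong on the verifier side: a JWT library that happily computes an HS256 MAC with a 10-byte secret gives you far less than the 128-bit strength the algorithm name suggests. The following Go program is an added example, not TSB code, showing a compact-JWS HMAC signer/verifier that refuses any key shorter than the hash output (32/48/64 bytes for HS256/HS384/HS512, per RFC 7518 section 3.2) before any MAC is computed, and that takes the algorithm from the caller rather than from the token header. The keys and claims are constructed test values; the function names SignHS, VerifyHS and checkKey are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// hmacAlg describes one JWS HMAC algorithm: its hash constructor and the
// minimum key length RFC 7518 section 3.2 requires, which is the hash output
// size (32/48/64 bytes for HS256/HS384/HS512).
type hmacAlg struct {
	newHash     func() hash.Hash
	minKeyBytes int
}

var hmacAlgs = map[string]hmacAlg{
	"HS256": {sha256.New, 32},
	"HS384": {sha512.New384, 48},
	"HS512": {sha512.New, 64},
}

var (
	ErrUnsupportedAlg = errors.New("unsupported JWS algorithm")
	ErrKeyTooShort    = errors.New("HMAC key shorter than hash output")
	ErrBadSignature   = errors.New("JWS signature mismatch")
	ErrMalformed      = errors.New("malformed compact JWS")
)

// checkKey enforces the minimum key length before any MAC is computed, so a
// weak key is rejected up front rather than silently accepted.
func checkKey(alg string, key []byte) (hmacAlg, error) {
	spec, ok := hmacAlgs[alg]
	if !ok {
		return hmacAlg{}, fmt.Errorf("%w: %q", ErrUnsupportedAlg, alg)
	}
	if len(key) < spec.minKeyBytes {
		return hmacAlg{}, fmt.Errorf("%w: %s needs at least %d bytes, got %d",
			ErrKeyTooShort, alg, spec.minKeyBytes, len(key))
	}
	return spec, nil
}

// SignHS builds a compact JWS (header.payload.signature) over the given claims.
func SignHS(alg string, key []byte, claims []byte) (string, error) {
	spec, err := checkKey(alg, key)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	signingInput := header + "." + enc.EncodeToString(claims)
	mac := hmac.New(spec.newHash, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS checks a compact JWS with the expected algorithm and key and returns
// the decoded claims. The algorithm comes from the caller, not the token
// header, so a token cannot pick a weaker or different algorithm.
func VerifyHS(alg string, key []byte, token string) ([]byte, error) {
	spec, err := checkKey(alg, key)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	enc := base64.RawURLEncoding
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	mac := hmac.New(spec.newHash, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return nil, ErrBadSignature
	}
	return enc.DecodeString(parts[1])
}

func main() {
	// Constructed keys: 20 bytes is too short for HS256, 32 bytes is the minimum.
	short := []byte("only-twenty-bytes!!!")
	good := []byte("0123456789abcdef0123456789abcdef")
	claims := []byte(`{"sub":"alice"}`)

	if _, err := SignHS("HS256", short, claims); err != nil {
		fmt.Println("rejected:", err)
	}
	tok, _ := SignHS("HS256", good, claims)
	got, err := VerifyHS("HS256", good, tok)
	fmt.Printf("verified=%v claims=%s\n", err == nil, got)
}
```

The same 32-byte key that is acceptable for HS256 is rejected for HS384, which needs 48 bytes; when you rotate a gateway JWT key or move to a larger hash, size the secret for the algorithm actually configured.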

Upgrade notes

  • If the Management Plane runs on Azure and uses a managed database with Azure AD credentials, you will need to create an additional federated credential for the new tsb-n2ac service account introduced in TSB 1.11. Further details can be found in the Configuring Azure AD with PostgreSQL in TSB guide.
  • In 1.11, the postgres-credentials secret in the Management Plane namespace is updated: a .pg_service.conf key, required by 1.11, is added to it. If you are doing a Helm based upgrade, no additional steps are required. If the upgrade is done by generating manifests with tctl, regenerate the manifest for the postgres-credentials secret with the tctl install manifest management-plane-secrets command and apply it as well.