Release Notes
Version 1.10.0
- The `hpaadapter` component of the Control Plane has been disabled by default. This component implemented the Kubernetes external metrics API to allow scaling workloads based on SkyWalking metrics. This conflicted with some existing setups and could not be easily disabled. Starting from 1.10 it is disabled by default, but it can still be easily enabled by configuring the `hpaAdapter` component as follows in the `ControlPlane` resource:

      components:
        hpaAdapter:
          enabled: true

- Management Plane and Control Plane resources have GitOps enabled by default.
- The TSB operators will prevent deletion of important Kubernetes resources so that they cannot be accidentally deleted. This can be disabled by adding the annotation `tsb.tetrate.io/deletion-protection: disabled` to the Management, Control and Data plane operator deployments, or by setting the following in the helm charts:

      operator:
        deletionProtection: disabled

  Deletion protection will block TSB uninstallation, so it must be disabled before uninstalling TSB.
- The `tetrate-troubleshoot` image has been deprecated and no new versions of it will be provided.
Configuration Profiles
Configuration Profiles are a new feature designed to simplify and enhance traffic configuration management in TSB, addressing key issues identified in the existing hierarchical model. These profiles allow for the creation of pre-set configuration templates that can be defined and attached at various hierarchy levels (Organization, Tenant, Workspace, Group) and serve as default settings until overridden by more specific configurations. See the Configuration Profiles page for more details.
Hierarchical Access Control Policies compatibility notes:
- The previous STRICTER propagation for WASM extensions from all Security Settings has been changed so that it is not accumulative. Instead, the WASM Extension collection applied in a parent resource will overwrite those of its children.
Egress Authorization
`EgressAuthorizationSettings` has been enhanced to support configuring TSB `resources` in the `from` construct. `EgressAuthorizationSettings` now supports TCP traffic as well. By default, traffic will be denied. An explicit egress allow rule is required for traffic to go through.
Service Level Traffic Settings
The existing `TrafficSetting` API has been updated. Older settings are now moved to either `Inbound` or `Outbound` based on their behaviour, and the legacy configuration is set for deprecation. This makes it clear which settings apply when a service acts as a server (inbound) or as a client (outbound).
- `RateLimiting` setting has been moved to `Inbound.RateLimiting`
- `Egress` setting has been moved to `Outbound.Egress`
- `Reachability` setting has been moved to `Outbound.Reachability`
- `Resilience` setting has been moved to `Outbound.UpstreamTrafficSettings`
- `UpstreamTrafficSetting` has been moved to `Outbound.UpstreamTrafficSetting`
- TCP Downstream keep alive can now be configured using `Inbound.Resilience.ConnectionPool.Tcp.KeepAlive`
Similar changes can be observed in group wide traffic settings. The same change applies to `Organization`, `Tenant` and `Workspace` level traffic settings.
With this change, we have introduced a hierarchical extension for the `TrafficSetting` API called `ServiceTrafficSetting`. This allows you to specify the settings for individual services rather than applying them to all services within a `TrafficGroup`.
All settings in the hierarchy get merged, with preference given to the most granular setting.
For example, suppose rate limiting is defined through the `TrafficSetting` API and you define a `ServiceTrafficSetting` with rate limiting for a service in the same `TrafficGroup`. The final rate limit settings that apply to the service will be the merge of the rate limit settings from the `TrafficSetting` and the `ServiceTrafficSetting`.
Failover Setting
With the new `ServiceTrafficSetting` API it is now possible to configure failover for a specific service or for all services in a `TrafficGroup`.
RateLimiting Setting
With the new `ServiceTrafficSetting` API it is now possible to configure rate limiting for a specific service or for all services in a `TrafficGroup`.
Authentication Setting
This feature allows the enforcement of mutual TLS connections to upstream services that do not have a sidecar. This ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.
📝 Fields set for deprecation will continue to work in 1.10.x, but will be deprecated in future major releases.
Egress Gateway
DEPRECATION: The functionality previously offered by the `EgressGateway` is now integrated into the `Gateway` object, which is the recommended approach. The `EgressGateway` resource will be deprecated in future releases.
tctl improvements
- Added the `tctl experimental grafana dashboard` command to generate the Grafana dashboards used to monitor TSB. It lists all the available dashboards and allows the user to generate them in JSON format so that they can be imported into Grafana.
- Added the `tctl experimental grafana upload` command to facilitate uploading the TSB Grafana dashboards to a Grafana instance.
- Added the `tctl experimental getall` command to replace the now-deprecated `tctl get all`. This command uses a server-side list and is faster and more reliable. It is recommended to use this command instead of the deprecated one.
Known issues
- GitOps: When a TSB K8s resource contains a condition in the `Status` subresource with a `Reason` of `TSBApplyError` and the underlying error changes (e.g., from `NotFound` to `PermissionDenied`), the condition might not be updated. This can cause confusion during troubleshooting, as the engineer might see a different error in the `Status` subresource than what is reported in the `tsb-operator` logs. The error shown in the logs is the actual one. This issue does not impact functionality. The `Status` subresource will be updated after the error is resolved. This issue will be fixed in 1.10.1.
- TSB Web UI: The topology features of TSB Web UI require WebGL-supported browsers. Support for topology using the Canvas API is being considered for future releases, based on usage data.