Tetrate Service Bridge, Version: 1.10.x

Release Notes

Version 1.10.0

  • The hpaadapter component of the Control Plane has been disabled by default. This component implemented the Kubernetes external metrics API to allow scaling workloads based on SkyWalking metrics. This conflicted with some existing setups and could not be easily disabled. Starting from 1.10 it is disabled by default, but it can still be easily enabled by configuring the hpaAdapter component as follows in the ControlPlane resource:
    components:
      hpaAdapter:
        enabled: true
  • Management Plane and Control Plane resources have GitOps enabled by default.
  • The TSB operators will prevent deletion of important Kubernetes resources so that they cannot be accidentally deleted. This can be disabled by adding the annotation tsb.tetrate.io/deletion-protection: disabled to the Management, Control and Data plane operator deployments, or setting the following in the helm charts:
    operator:
      deletionProtection: disabled
    Deletion protection will block TSB uninstallation, so it must be disabled before uninstalling TSB.
  • The tetrate-troubleshoot image has been deprecated and no new versions of it will be provided.

Configuration Profiles

Configuration Profiles are a new feature designed to simplify and enhance traffic configuration management in TSB, addressing key issues identified in the existing hierarchical model. These profiles allow for the creation of pre-set configuration templates that can be defined and attached at various hierarchy levels (Organization, Tenant, Workspace, Group) and serve as default settings until overridden by more specific configurations. See the Configuration Profiles page for more details.

Hierarchical Access Control Policies compatibility notes:

  • The previous STRICTER propagation for WASM extensions from all Security Settings has been changed so that it is no longer cumulative. Instead, the WASM extension collection applied in a parent resource overwrites the collections of its children.

Egress Authorization

  • EgressAuthorizationSettings has been enhanced to support configuring TSB resources in the from construct.
  • EgressAuthorizationSettings now supports TCP traffic as well. By default, traffic will be denied. An explicit egress allow rule is required for traffic to go through.

Service Level Traffic Settings

The existing TrafficSetting API has been updated. Older settings are now moved to either Inbound or Outbound based on their behaviour, and the legacy configuration is set for deprecation. This makes it clear which settings apply when a service acts as a server (inbound) or as a client (outbound).

  • RateLimiting setting has been moved to Inbound.RateLimiting
  • Egress setting has been moved to Outbound.Egress
  • Reachability setting has been moved to Outbound.Reachability
  • Resilience setting has been moved to Outbound.UpstreamTrafficSettings
  • UpstreamTrafficSetting has been moved to Outbound.UpstreamTrafficSetting
  • TCP Downstream keep alive can now be configured using Inbound.Resilience.ConnectionPool.Tcp.KeepAlive

Similar changes can be observed in group-wide traffic settings. The same change applies to Organization, Tenant and Workspace level traffic settings.
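A pre-upgrade audit for the field moves listed above, as an added example that is not part of the TSB documentation or tooling: it flags TrafficSetting manifests that still use a legacy top-level setting and marks cases where the new location is already populated as well. The function names are hypothetical, the sample manifests are constructed, and it assumes manifest keys are the lowerCamelCase form of the setting names in these notes.

```python
import json

# Legacy setting -> new location, exactly as listed in the release notes above.
MOVED = {
    "RateLimiting": "Inbound.RateLimiting",
    "Egress": "Outbound.Egress",
    "Reachability": "Outbound.Reachability",
    "Resilience": "Outbound.UpstreamTrafficSettings",
    "UpstreamTrafficSetting": "Outbound.UpstreamTrafficSetting",
}

def yaml_key(name):
    # ASSUMPTION: manifest keys are the lowerCamelCase form of the names above.
    return name[0].lower() + name[1:]

def audit(manifest):
    """Return (resource, legacy_setting, new_location, status) tuples for one manifest."""
    if manifest.get("kind") != "TrafficSetting":
        return []
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    spec = manifest.get("spec") or {}
    findings = []
    for old, new in MOVED.items():
        if yaml_key(old) not in spec:
            continue
        section, field = new.split(".")
        target = spec.get(yaml_key(section)) or {}
        # Both places set: resolve by hand, the notes do not say which one wins.
        status = "conflict" if yaml_key(field) in target else "legacy"
        findings.append((name, old, new, status))
    return findings

def audit_all(manifests):
    """Audit a list of manifests and return all findings in input order."""
    return [finding for m in manifests for finding in audit(m)]

# Constructed sample manifests (not taken from a real cluster).
SAMPLES = json.loads("""[
  {"kind": "TrafficSetting", "metadata": {"name": "payments"},
   "spec": {"rateLimiting": {}, "inbound": {"rateLimiting": {}}, "egress": {}}},
  {"kind": "TrafficSetting", "metadata": {"name": "clean"},
   "spec": {"outbound": {"reachability": {}}}},
  {"kind": "Workspace", "metadata": {"name": "ignored"}, "spec": {"egress": {}}}
]""")

if __name__ == "__main__":
    for resource, old, new, status in audit_all(SAMPLES):
        print(f"{resource}: {old} -> {new} [{status}]")
```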

With this change, we have introduced a hierarchical extension for the TrafficSetting API called ServiceTrafficSetting. This allows you to specify the settings for individual services rather than applying them to all services within a TrafficGroup. All settings in the hierarchy are merged, with preference given to the most granular setting.

For example, suppose rate limiting is defined through the TrafficSetting API and you define a ServiceTrafficSetting with rate limiting for a service in the same TrafficGroup. The final rate limit settings that apply to the service will be the merge of the rate limit settings from the TrafficSetting and the ServiceTrafficSetting.

Failover Setting

With the new ServiceTrafficSetting API it is now possible to configure failover for a specific service or for all services in a TrafficGroup.

RateLimiting Setting

With the new ServiceTrafficSetting API it is now possible to configure rate limiting for a specific service or for all services in a TrafficGroup.

Authentication Setting

This feature allows the enforcement of mutual TLS connections to upstream services that do not have a sidecar. This ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.

📝 Fields set for deprecation will continue to work in 1.10.x, but will be deprecated in future major releases.

Egress Gateway

DEPRECATION: The functionality previously offered by the EgressGateway is now integrated into the Gateway object, which is the recommended approach. The EgressGateway resource will be deprecated in future releases.

tctl improvements

  • Added the tctl experimental grafana dashboard command to generate the Grafana dashboards used to monitor TSB. It lists all the available dashboards and allows the user to generate them in JSON format so that they can be imported into Grafana.
  • Added the tctl experimental grafana upload command to facilitate uploading the TSB Grafana dashboards to a Grafana instance.
  • Added the tctl experimental getall command to replace tctl get all, which is now deprecated. This command uses a server-side list and is faster and more reliable. It is recommended to use this command instead of the deprecated one.

Known issues

  • GitOps: When a TSB K8s resource contains a condition in the Status subresource with a Reason of TSBApplyError and the underlying error changes (e.g., from NotFound to PermissionDenied), the condition might not be updated. This can cause confusion during troubleshooting, as the engineer might see a different error in the Status subresource than what is reported in the tsb-operator logs. The error shown in the logs is the actual one. This issue does not impact functionality. The Status subresource will be updated after the error is resolved. This issue will be fixed in 1.10.1.
  • TSB Web UI: The topology features of the TSB Web UI require WebGL-supported browsers. Support for topology using the Canvas API is being considered for future releases, based on usage data.