Skip to main content
logoTetrate Service BridgeVersion: 1.7.x

Release Notes

Version 1.7.2

TSB 1.7.2 is a patch release that fixes CVEs in TSB's dependencies. Of particular note, CVE-2023-44487 has been fixed in Envoy, Istio and core TSB components. Some vulnerability scanners may still list the vulnerability as being present in some of TSBs packages, but in those instances the vulnerability is not exploitable.

Outstanding CVEs

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2016-2781 - No fix available
  • CVE-2019-10743 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2021-31879 - No fix available
  • CVE-2022-27943 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2022-3715 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2022-48522 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-29383 - No fix available
  • CVE-2023-2953 - No fix available
  • CVE-2023-2975 - No fix available
  • CVE-2023-3446 - No fix available
  • CVE-2023-34969 - No fix available
  • CVE-2023-36054 - No fix available
  • CVE-2023-3817 - No fix available
  • CVE-2023-38545 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-38546 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39318 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39319 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39323 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39325 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-3978 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4016 - No fix available
  • CVE-2023-4039 - No fix available
  • CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4586 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4911 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-38545 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39323 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39325 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47108 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4911 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-m425-mq94-257g - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-xpw8-rcwv-8f8p - TSB does not execute the code path identified by the vulnerability and is not vulnerable.

Version 1.7.0

What’s New

  • Enabled TCP keepalive.

    • At front envoy, by default. To disable, use tctl install manifest management-plane-operator --registry gcr.io/mycompany/registry --set "operator.deployment.env[0].name=DISABLE_DOWSTREAM_KEEPALIVE,operator.deployment.env[0].value=true"
    • At ingress gateways, by default. To disable, use tctl install manifest control-plane-operator --registry gcr.io/mycompany/registry --set "operator.deployment.env[0].name=DISABLE_GATEWAY_DOWSTREAM_KEEPALIVE,operator.deployment.env[0].value=true" when using TSB-managed Istio.

  • Added deletion protection for Organizations, Tenants, Workspaces and Groups:

    • The deletionProtectionEnabled property has been added to prevent these resources from being deleted when set.
    • If a resource or any of its children resources is protected, deletion is not allowed.
    • To delete a protected resource, the deletionProtectionEnabled property must be cleared, or the new --force flag in tctl must be used.

  • Metrics for API endpoints

    • Metrics for API endpoints are enabled by default. To disable the option, set spec.meshObservability.settings.apiEndpointMetricsEnabled to false.
    • As new metrics are added, an increase in ElasticSearch storage usage is expected.

  • Improved experience when pulling WASM extensions from private registries.

    • Extensions that are hosted in private OCI registries can now be downloaded using an internal WASM download proxy that is part of the TSB ControlPlane. This download proxy centrally caches the images to optimize downloads and centralizes the credentials used to pull them. When using the download proxy, the imagePullSecrets references in the WASM extensions only have to be created in the istio-system namespace. In addition, when using the download proxy, the image pull secrets are not needed anymore when pulling from the cloud provider registries. The download proxy is disabled by default in this release. To enable , just edit the ManagementPlane resource spec as follows: 
      spec:
        enableWasmDownloadProxy: true
    • Internal WASM extensions can be directly mounted in the Sidecar, Ingress and Egress gateway pods instead of being downloaded from the image registries. This can improve pod availability and startup times. The feature is disabled by default. To enable it, set the following configuration in the istio component of the ControlPlane resource: 
      spec:
        components:
          istio:
            mountInternalWasmExtensions: true
      This feature is also available on onboarded VM workloads, and the internal WASM extensions are installed by the onboarding-agent package. If your workloads were onboarded using the Manual Onboarding using tctl, you can install the onboarding agent package in your workloads and keep the WASM extensions located in /wasm-plugins.

  • Moved from istio stats envoy filters to Telemetry API allowing greater control over metrics and telemetry.

  • Cluster Service Account auto-generated on cluster creation. Now, when a new Cluster is created a Service account with the name following the pattern auto-cluster-<cluster-name> is created, and returned along a new key pair ready to be used in the cluster onboard process. With this, cluster onboarding has been simplified to:

    1. Create cluster in TSB: tctl apply -f <new-cluster.yaml>
    2. Get the install template: tctl x cluster-install-template <cluster-name> > cluster-values.yaml
    3. Apply Helm install: helm install <repo>/controlplane <release-name> -n istio-system --version v1.7.0 -f cluster-values.yaml

    The previous cluster onboarding flows are still valid and supported.

  • OAP supports basic PromQL, users can obtain metrics through PromQL Service to do integration such as building a Grafana dashboard.

Upgrade notes

  • With the introduction of the new Gateway resource, there have been API modifications to maintain consistency within the TSB API. These changes were driven by our use of Protocol Buffers (protobuf), which has specific conventions for naming and managing collections. Here's what you need to know:
    • The service previously known as Gateway has been renamed to Gateways
      • If you interact with TSB using the gRPC API, it's essential to update your application with the latest gRPC client library.
      • If you utilize tctl, please ensure you have the most recent version to seamlessly communicate with TSB.

Known Issues and Limitations

  • ExternalServices health is reported as unacceptable in the topology UI.
  • The enableWasmDownloadProxy is not fully supported yet on VMs.
  • There is a regression in the conversion of VirtualServices and DestinationRules in DIRECT mode that may cause the resources to be deleted when they're modified in TSB. A workaround exists and can be mitigated by setting the --concurrent-k8s-configs-push=0 (defaults to 50) in the MPC deployment startup flags. This will mitigate the issue but VirtualServices and DestinationRules will be deleted/recreated (instead of just updated) when they're updated in TSB, and that may have an impact o traffic when this happens. This issue is fixed in the next patch release.