Tetrate Service Bridge 1.10
Introducing Tetrate Service Bridge (TSB) version 1.10.0
- As an all-in-one enterprise application connectivity platform, TSB continuing to extend the service mesh capabilities efficiently for enterprise teams, environments and applications.
Building on the success of previous versions, TSB 1.10.0
marks a significant milestone with the introduction of enhanced security, availability, and access permission features. These advancements streamline the management of mesh infrastructure through the implementation of mesh-focused Persona Specific Roles, FIPS Compliance, templatized mesh configuration management via Config Profiles, and improved multi cluster failover capabilities for Gateway and Application workloads using Failover Setting
New Features and Improvements
-
Default Roles based on Personas:
- Introduced Persona specific Roles in TSB to manage the user onboarding workflow and delegate resource access permissions based on user personas.
- These Roles include
Tenant Owner
,Workspace Owner
,Traffic Owner
,Security Owner
and theOperator
Roles, allowing for more controlled management of TSB resources.
-
- Tetrate Service Bridge (TSB) is now available as a FIPS-validated build. This build enhances security posture for organizations requiring strict compliance.
-
- Introduced
Configuration Profiles
in TSB to enable the creation of pre-set configuration templates that can be defined and attached at various hierarchy levels (Organization, Tenant, Workspace, Group). Configuration Profiles
serve as a default settings until overridden by more specific configurations down the TSB hierarchy.
- Introduced
-
Gateway and Service level Failover:
- Ability to configure
failover
between gateways directly on Gateway. - Ability to configure
failover
for individual services/hostnames using ServiceTrafficSetting.
- Ability to configure
-
Service level Traffic Settings:
- Ability to configure
resiliencey
andloadBalancer
settings for individual or group of services/hostnames. - Introduced both
Inbound
andOutbound
configuration options for client side/server side use-cases.
- Ability to configure
-
- Ability to configure TSB hierarchical constructs like
Tenant
,Workspace
,Group
&Service Account
as a source, while configuring egress access restrictions to external service endpoints. - Ability to configure access restrictions for both HTTP & TCP outbound traffic via Egress Gateway.
- Ability to configure TSB hierarchical constructs like
-
- Enforce Gateway to Services Communication over mTLS, irrespective of whether the upstream services are sidecar injected or non-injected.
-
Multiple UI improvements: We have made several UI improvements to enhance user experience, including:
- New Features:
- Istio Proxy Tools: Introduced Istio Proxy Tools in the TSB Admin UI, enabling users to quickly and effectively troubleshoot proxy configurations of application sidecars and gateways.
- Workspace Propagation View: Introduced a graphical representation of TSB configurations (Workspace, Traffic Group, Gateway Group, Security Groups) and their propagation to clusters and namespaces. Added config status info for troubleshooting invalid translations.
- Topology Search: TSB Topology UI now supports searching for different nodes, such as service names, host names, subsets, clusters, and namespaces. This enables users to quickly identify the health of all instances or subsets of a service.
- Embed Grafana Dashboard: TSB users can now embed their existing Grafana mesh dashboard URLs into TSB UI for quick access.
- New Features:
Additional Enhancements
Refer to TSB 1.10 Release Notes for complete list of additional improvements in TSB 1.10
Deprecations
- Egress Gateway: TSB
EgressGateway
resource has been deprecated in favour of Unified Gateway - Ingress Gateway: TSB
IngressGateway
resource has been deprecated in favour of Unified Gateway - Tier1 Gateway: TSB
Tier1Gateway
resource has been deprecated in favour of Unified Gateway - Traffic Settings: TSB
TrafficSetting
API has been enhanced. Older settings are now moved to eitherInbound
orOutbound
settings based on their behaviour, and the legacy configuration is set for deprecation. This makes it clear which settings apply when a service acts as a server (inbound) or as a client (outbound)UpstreamTrafficSetting
has been moved to Outbound.UpstreamTrafficSetting.RateLimiting
setting has been moved toInbound.RateLimiting
.Reachability
setting has been moved toOutbound.Reachability
.Resilience
setting has been moved to Outbound.UpstreamTrafficSettings.
Upgrade Notes
- In Istio 1.21, when using custom TLS settings in a DestinationRule, the default behavior is to verify the certificates using the OS CA certificates. The old behavior was to skip the verification. Please refer Istio 1.21.x Upgrade Notes for more details.
- This impacts the TSB direct-mode behavior. If there are any DestinationRule defined with the custom TLS settings, the server certificates will be automatically verified using the OS CA certificates when not using a DestinationRule
caCertificates
field. To fallback to old behavior, use theinsecureSkipVerfiy
field in DestinationRule to skip the verification. - There is no impact on TSB bridged-mode behavior.
Get Started with Tetrate Service Bridge
To get started with Tetrate Service Bridge:
- Review the Initial Requirements and identify the target platform
- Determine if you wish to:
- follow a quick demo installation
- perform a more-involved production-ready installation (Management Plane, Cluster Onboarding)
- apply an upgrade to an existing Tetrate Service Bridge deployment
Don't hesitate to reach out to your Tetrate support contact if you have any questions.
📄️ Release Notes
Version 1.10.3
📄️ Feature Status
Status of included features.
📄️ TSB Support Policy
TSB support policy, release schedule, and component version matrix.