Announcing TSB 1.14
Introducing Tetrate Service Bridge (TSB) version 1.14.0 - TSB enhances enterprise service mesh capabilities with multiple feature, reliability, usability and operational improvements.
This release introduces Gateway improvements for API Gateway use cases, richer control over authentication, support for third-party autoscalers, and support for Argo Rollouts. Additional options to easily authenticate to the TSB Management Plane are added, along with multiple UI and observability improvements.
Tetrate have moved towards a more incremental cadence of releases, using an Agile-like approach to deliver feature updates and fixes to customers in a steady stream. The 1.14.0 release is an incremental change from the previous 1.13.2 release, and includes updates to core dependencies such as the included Istio distribution.
Here, we describe the most significant changes from the previous minor 1.13.0 release.
New Features and Improvements
- Production-Ready API Gateway Security
  - Added support for OpenAPI 3.1 and 3.2 in request payload validation
  - Graduated this feature to 'Production Ready'
- More Powerful Gateway Configuration
  - Added support for timeout and CORS policy in HTTP route rules
  - Added JWT auth settings to require strict JWT enforcement only when JWT config (not OIDC) is present. Where `ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN` was used previously, the env variable must be replaced with `ENABLE_ENHANCED_REQUEST_AUTHENTICATION`
  - `requireJwt` additionally updates behavior to return 401 or 403 status codes depending on request rejection due to invalid or missing JWT token
- Added ability to disable HPA for gateways, making it possible to use alternative auto-scaling solutions such as KEDA
- Updated OAS component to support metrics query format used by KEDA
- Improve Upgrade Experience for Gateways (alpha)
  - Added capability to pause automatic redeployments of gateways after a controlplane (and Istio) upgrade
  - This capability ensures no service interruption during an upgrade due to gateway reconfiguration
  - Mark gateways as paused, inspect state after upgrade to identify pending change, then release a gateway to be redeployed during a maintenance window
  - Monitor new metrics to determine state of gateways
- On-demand Gateway Deployment by TSB Management Plane (beta)
  - Multiple improvements, including addition of deployment templates, to the MP Gateway Install resource
- Simpler OIDC Log In for the TSB Management Plane
  - Configure OIDC using tctl to define integration, add users and teams, and set permissions, supporting simpler OIDC integration
  - Support multiple OIDC providers concurrently
- Added support for PingAM as an identity provider
- Support Istio MUTUAL authentication to external AuthZ service
  - Added support for ISTIO_MUTUAL mode for authorization to an external AuthZ service
  - External AuthZ service must be sidecar enabled or provided with mesh certificates
- Use Argo Rollouts to dynamically manage weights according to rules in an Argo Rollout CR to perform managed canary or blue-green rollouts of new services
- Postgres Database Recovery and Replication
  - Support PITR (Point-in-Time-Recovery) for the embedded Postgres database solution for TSB configuration and audit logs
  - Embedded Postgres can now be configured to use Replication Slots to improve replication reliability
- Manage Resources API (alpha)
  - Introducing an early-access API to identify and delete unused resources in the TSB configuration
- Multiple UI improvements:
  - Enhanced Trace Search, allowing for drill-down search by tags, fields, and other attributes in the search results. Search criteria are stored for re-use, and a new 'distribution' display shows matching traces over time
  - Significantly-improved filtering and sorting experience in the Dashboard UI and Service Registry List UI, with a consistent user experience to filter and sort by metrics and other criteria
  - Added Log Analytics capability to stream logs in real-time from a given service, and then filter and chart logs over time based on multiple criteria and metrics
Other Notable Changes
- Update Istio version to 1.28.3
- Multiple Shared Gateway improvements, graduating Shared Gateway to 'Beta' status
- `mountInternalWasmExtensions` now defaults to `false`, enabling compatibility with k8s native sidecars
- Use core Envoy filters to replace the xfcc-guard WASM filter for XFCC header validation, removing dependency on WASM and improving performance and stability
- Egress gateways now support JWT authentication and authorization, aligning with ingress behavior
- Added `timeout` parameter for communication with external AuthZ services
- Added `until` parameter in UI and API to complement `since` parameter when retrieving audit logs, making it easier to obtain a window of logs over time
- Added parameterization to the datasource for TSB self-observability dashboards (`--datasource-uid`)
- Reduce memory usage of TSB operator with large configurations
- Improve UI performance for very large configurations
Refer to the TSB 1.14 Release Notes for a complete list of changes and improvements in TSB 1.14.
Dependencies
TSB 1.14.0 ships with Istio 1.28.3, and supports the following Kubernetes and OpenShift platforms:
| Distribution | Supported Versions |
|---|---|
| Kubernetes | 1.33, 1.34, 1.35 |
| OpenShift | 4.18, 4.19, 4.20, 4.21 |
Other platforms may be supported by special arrangement.
Deprecations
| Feature | Deprecation Release | End of Life Release | Notes |
|---|---|---|---|
| Tier 1 Gateway | 1.10.0 | 1.14.0 | Migrate to Unified Gateway |
| Ingress (Tier 2) Gateway | 1.10.0 | 1.14.0 | Migrate to Unified Gateway |
| Egress Gateway | 1.10.0 | 1.14.0 | Migrate to Unified Gateway |
| Security Domains | 1.12.0 | 1.14.0 | Migrate to Segmentation Policies |
| Applications | 1.11.0 | 1.13.0 | End-of-life |
Upgrade Notes
Aligned with our 'N-2' upgrade policy, you can upgrade to TSB 1.14.0 from installations of TSB 1.13.x and 1.12.x. If you are upgrading from an earlier release, e.g. 1.11.x, you will need to upgrade to an intermediate release first. Please refer to Tetrate Technical Support before upgrading critical or production platforms.
TSB 1.14.0 replaced OpenCensus with Otel for metrics transfer from controlplane to management plane. This change is available from TSB 1.14.0, 1.13.1, 1.12.7 and 1.11.5. If you have any CP with older versions, you must enable the backwards compatibility setting in the MP spec. Please refer to the Upgrade Note for OpenCensus and Otel.
Starting from TSB 1.12, IsolationBoundary is a required component of TSB architecture. This feature enables multiple revision installations, allowing seamless control-plane upgrades while enforcing network segregation. For a comprehensive understanding of IsolationBoundary, refer to the IsolationBoundary Concept documentation.
If you're upgrading to TSB 1.12 from a non-revisioned deployment, we strongly recommend enabling IsolationBoundary in your cluster before proceeding with the upgrade. For migration guidance, follow our Non-revisioned to Revisioned upgrade documentation.
Get Started with Tetrate Service Bridge
To get started with Tetrate Service Bridge:
- Review the Initial Requirements and identify the target platform
- Determine if you wish to:
  - follow a quick demo installation
  - perform a more-involved production-ready installation (Management Plane, Cluster Onboarding)
  - apply an upgrade to an existing Tetrate Service Bridge deployment
Don't hesitate to reach out to your Tetrate support contact if you have any questions.