Version: 1.2.x

Release Notes

Version 1.2.17

Security fixes

The following CVEs were evaluated and this version of TSB found not to be affected:

  • CVE-2021-32780
  • CVE-2022-21679
  • CVE-2022-21701
  • CVE-2022-21657
  • CVE-2022-21656
  • CVE-2022-23606
  • CVE-2021-43826
  • CVE-2021-43825
  • CVE-2021-43824
  • CVE-2022-21654
  • CVE-2022-21655
  • CVE-2021-32781

Version 1.2.16

Bug fixes

  • Allow setting the maximum gRPC message size for the connections between MPC and XCP Central.
  • Fixed an error that prevented the control plane observability agents from connecting to a management plane running with a minimum TLS version of 1.3.
  • Fixed an issue that caused the tctl get all command to return *AccessBinding objects within a direct mode group with the wrong metadata.

Version 1.2.15

Security fixes

Version 1.2.14

Bug fixes

  • Fixed an issue in OAP which was incorrectly identifying outbound traffic.

Security fixes

Version 1.2.13

Security fixes

  • Fix for CVE-2021-45046

Version 1.2.12

Security fixes

  • Fix for critical vulnerability (CVE-2021-44228, CVSS score 10) in the Java logging library Apache Log4j 2.

Version 1.2.11

TBA

Version 1.2.10

TBA

Version 1.2.9

TBA

Version 1.2.8

TBA

Version 1.2.7

TBA

Version 1.2.6

TBA

Version 1.2.5

TBA

Version 1.2.4

Features

  • Starting from 1.2.4 the MPC component needs a certificate to authenticate with XCP Central using mutual TLS. When upgrading, a certificate for MPC must be created and stored in a secret named mpc-certs. The following example shows how to create the certificate using cert-manager. Note that example certificates can also be created by using the tctl install manifest management-plane-secrets command with the --xcp-certs flag.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: mpc-certs
      namespace: tsb
    spec:
      secretName: mpc-certs
      issuerRef:
        name: xcp-identity-issuer
        kind: Issuer
      duration: 30000h
      isCA: false
      dnsNames:
        - "mpc.tsb.svc.cluster.local"
      uris:
        - spiffe://xcp.tetrate.io/mpc
      usages:
        - client auth
        - server auth

Improvements

  • Fix an issue in XCP when a Cluster object becomes bigger than 3MB.

Version 1.2.3

Features

TSB 1.2.3 is a patch release and does not include any new features.

Improvements

  • Improve DB connection handling to improve performance and decrease the number of connections used.
  • Expose new settings in the TSB operator for ManagementPlane Postgres settings:
    • connection_max_open to limit the number of open connections to Postgres.
    • connection_idle_max_open to limit the number of idle connections to Postgres.
    • connection_idle_lifetime to limit the amount of time an idle connection is kept open.

Version 1.2.1

TBA

Version 1.2.0

What's New

  • We are introducing the Application and API as Alpha features.
    • Applications are logical groupings of services that are related to each other, typically within a trusted group. A common example is a three tier application composed of a frontend, a backend and a datastore service.
    • Configuring an API at the Application Ingress Gateway with OpenAPI specs. We added support for configuring CORS, Authentication and Authorization. We will add more configuration options in the future.
    • This capability is available via tctl. The UI will be available in the next release.
  • Native Tracing UI as a replacement for the Zipkin Lens UI.
  • Organization Settings API to allow configuring network reachability and regional failover.

Improvements

  • UI: Ability to view sidecar errors.
  • UI: Topology offers Circular Layout, Auto Layout, Zoom to fit.
  • UI: Context sensitive role selection in policies.
  • UI: Dashboard - Services view offers subset level metrics.
  • UI: Auto refresh and partial rendering of UI for graphs and metrics.
  • Relax virtual service validation so that VirtualServices in a TrafficGroup can be bound to a Gateway in a GatewayGroup.
  • Periodic config sync between XCP central and XCP edges.

Bug fixes

  • Fix Direct mode gateways not being considered load balancers in the service registry.
  • Detect external changes to the service mesh.
  • Fix error when importing YAML with the UI.
  • Fix UI crashing because PassthroughServers are not resolved.
  • Fix XCP operator crashing when using overlays.
  • Fix NodePort services not working properly with private node IPs.

Security fixes

This release fixes the following Envoy security vulnerabilities:

  • CVE-2021-28683 (CVSS score 7.5, High): Envoy contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
  • CVE-2021-28682 (CVSS score 7.5, High): Envoy contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
  • CVE-2021-29258 (CVSS score 7.5, High): Envoy contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.

Upgrade notes

In this release the SkyWalking version adds some performance improvements for the Elasticsearch storage. For them to apply it is imperative to delete the SkyWalking related Elasticsearch indexes and templates. Please follow the procedure described in the Elasticsearch wipe procedure page to delete the appropriate data from Elasticsearch.

If you are upgrading from a TSB version 1.0.x or higher and you are using XCP's GlobalSettings to set the reachability between control planes, you need to migrate the GlobalSettings to the new OrganizationSettings in TSB.

For instance, a GlobalSetting like this one:

    apiVersion: xcp.tetrate.io/v2
    kind: GlobalSetting
    metadata:
      namespace: tsb
      name: xcp-global-settings
    spec:
      networkSettings:
        networkReachability:
          tier1: tier2

Would become:

    apiVersion: api.tsb.tetrate.io/v2
    kind: OrganizationSetting
    metadata:
      name: org-settings
      organization: myorg
    spec:
      networkSettings:
        networkReachability:
          tier1: tier2

Note also that whereas the GlobalSetting is applied to the cluster via kubectl, the OrganizationSetting needs to be applied to the management plane via tctl. Since this change has to be done after upgrading to 1.2.0, you can expect a brief network disruption between the management plane upgrade and the creation of the OrganizationSetting resource.

Deprecation Notices

These notices describe functionality that will be removed in a future release. Please consider upgrading your environment to remove the deprecated functionality.

  • Deprecated the ability to attach a VirtualService in a TrafficGroup to a Gateway in a GatewayGroup.
    • Traffic Groups and Gateway Groups are independent resources that could have disjoint sets of selectors. When those selectors do not match exactly, configuring ingresses via VirtualServices in traffic groups could lead to configuration inconsistencies, and to VirtualServices getting pushed to namespaces or clusters where the gateway objects don't even exist.
    • One of the objectives of the TSB APIs is to provide configuration safety, and in future releases the traffic (east/west) and gateway (north/south) semantics will be enforced at the group level to prevent the misconfiguration issues mentioned above.
  • Deprecated the ability to reference the mesh gateway, or no gateway at all, from VirtualServices in GatewayGroups.
    • Gateway groups will only allow VirtualServices that configure north/south traffic, and traffic groups will only allow VirtualServices for east/west traffic.

Known Issues

  • VM Onboarding: If you use an "offline" onboarding flow, i.e. you manually copy a *.tgz file with the security token and seed configuration generated by tctl x sidecar-bootstrap onto a VM, you must run the bin/start-istio-proxy.sh script while the security token is still valid (24h by default). If you run the script after the token has expired, the Istio Proxy running on the VM will no longer be able to authenticate to the Istio CA and will lose connectivity to the mesh.
  • VM Onboarding: Istio Proxy installed on a VM always binds to 0.0.0.0:15021 (health status endpoint). If you have other services in the mesh that use port 15021, the Istio Proxy running on a VM will not be able to proxy outgoing requests to them.
  • UI: (6564) Tier1 gateways are not correctly identified as the gateway type, therefore they are not shown in the dashboard's Gateways tab. To check Tier1 gateway metrics, navigate to the Services menu and select the corresponding service from the list. Once on the details page, you will find the desired metrics in the Details and Service metrics tabs.
  • Data plane operator: (6002) Removing the last gateway in the cluster does not work properly. The operator fails to delete the last remaining ingress, tier1 or egress gateway in the cluster. To work around this you can delete the IstioOperator CR named tsb-gateways from the data plane operator namespace (kubectl delete istiooperator -n istio-gateway tsb-gateways).