Version: 1.4.x

Release Notes

Version 1.4.15

Bug fixes and Improvements

  • Fixed namespace selector resolver in case of workspace not existing and group selecting explicit cluster, ensuring proper namespace selection.
  • Fixed a memory leak in XCP edge that occurred under certain conditions.
  • Enhanced config push stability to prevent data loss and ensure data integrity during configuration changes.
  • Optimized cluster state local cache to improve data retrieval speed and reduce resource utilization.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.4.14

Bug fixes and Improvements

  • Addressed user interface (UI) issues to improve overall usability.
  • Resolved a rare issue of race condition during edge/central start-up that might have caused temporary partial config/cluster state push.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.4.13

Bug fixes and Improvements

  • Improvements to xcp edge memory usage.
  • Extended roles to support defining who can manage roles and who can change the platform root policy.
  • Fixed a UI issue that was causing problems when saving direct mode config.
  • Addressed a UI CSRF handler issue to improve security.
  • Added a new uptime endpoint _ping to the UI.
  • Revamped the direct mode config UI to use a namespace select instead of a text input for a more user-friendly experience.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.4.12

Bug fixes and Improvements

  • IngressGateway paths are now ordered when translated from OpenAPI spec in API resource.
  • tctl get all now supports parallel requests.
  • Allow setting Istio operator resources in the Data Plane operator.
  • Improvements to cluster delete handling and start-up synchronisation between XCP Central and Edges.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.4.11

Improvements

  • Reject duplicate hostnames for Tier1Gateways at the Edge
  • Introduce periodic sync of Edge cluster state with central
  • Gateway external address override through Service Annotation
  • Zero downtime support for cross cluster communication through gateways when externalTrafficPolicy is set to Local
  • Performance improvements for cluster state sync across Edges

Version 1.4.10

Bug fixes

  • Fixed a race condition in XCP Edge startup which could cause the Edge to stop reporting cluster state updates to Central and Edge peers.

Version 1.4.9

Bug fixes

  • Fixed an issue in the UI where lists were limited to 10 items.
  • tctl collect now includes the Istio objects present in the cluster.
  • Fixed an issue in XCP for which multicluster routing might miss endpoints from remote clusters.
  • Fixed an issue in XCP where Edge might not report all addresses available for a service.

Security fixes

  • Fixed some minor CVEs in the provided images.

Version 1.4.8

Bug fixes

  • Fixed an issue in the validation of the tctl install image-sync command.
  • Fixed an issue in how XCP resolved the SPIFFE IDs to build authorization policies.
  • Resolved a UI issue where hostnames were not shown in the topology view.
  • Resolved a UI issue where the app crashed with certain empty chart responses.
  • Fixed a problem that did not allow overriding env vars in the oap component of the control plane.
  • Fixed a problem where TSB might fail to update some child resources after a parent resource changed.
  • Fixed a problem where XCP edge might fail to notify local service changes to peer Edges in some situations.

Security fixes

  • Update Istio version to 1.9.9.
  • Fixes for CVE-2022-0778 on several of the provided images.
  • Fixes for CVE-2018-25032 on several of the provided images.
  • Fixes for CVE-2021-22569 in Skywalking images.
  • Updated the rate limit server.

Version 1.4.7

Bug fixes

  • Removed the restriction for workspace name to be unique in XCP even across tenants
  • Fixed east/west AuthZ issue that allowed cross cluster calls even when authorization restriction was in place
  • Added secure naming for cross cluster communication
  • Fixed an issue in tctl get all where bindings for Direct Mode groups were incorrectly rendered
  • Fixed an issue with cluster state reporting in TSB for large clusters
  • Fixed an issue with XCP Central certificate parsing

Performance Improvement

  • Improved Edge performance and reduced resource usage by enhancing the cluster state filter for Edges

Version 1.4.6

Bug fixes

  • Fixed an issue with some web UI component not being able to start in IPv4 only environment.
  • Fixed an issue for which a control plane could not connect to a management plane that allowed TLS v1.3 only.

Version 1.4.5

Security fixes

  • Fix CVE-2021-44832 in the Java logging library Apache Log4j 2.

Bug fixes

  • Fixed an issue with some TSB components not being able to start in IPv4 only environment
  • Minor fixes to App Ingress watcher and use of hard coded tags

Version 1.4.4

Security fixes

  • Fix CVE-2021-45105 in the Java logging library Apache Log4j 2.

Bug fixes

  • Fixed TLS certificate issues associated with App Ingress

What's New

  • Remove restriction that cluster names have to be valid dns1123 names
  • App Ingress now uses the Kubernetes-provided DNS certificate for control plane communication
  • Added 'install' command to AppIngress

Version 1.4.3

Security fixes

  • Fix CVE-2021-45046 in the Java logging library Apache Log4j 2.

Version 1.4.2

Security fixes

  • Fix for critical vulnerability (CVE-2021-44228, CVSS score 10) in the Java logging library Apache Log4j 2.

Version 1.4.1

What's New

  • The status of configuration rollout for TSB objects can now be tracked with tctl. Two experimental commands have been added in this release:
    • tctl experimental status - Allows retrieving the status of a given resource. This will show if the configuration has been accepted, sent to XCP, if there are validation errors, and in future releases it will also show if it has been fully deployed to all the target clusters.
    • tctl experimental wait - This command allows waiting until a resource reaches a desired status. This is useful to wait until the configuration has been deployed and is ready to be used. The available statuses this command supports are the ones that are made available by the tctl experimental status command.
  • Enhanced troubleshooting for the Management Plane:
    • tctl experimental debug log-level - This command allows viewing and modifying the logging levels of the TSB components directly, without having to restart them.
    • tctl experimental debug dashboard - This can be used to open a web console for a TSB component. The new debug dashboard provides access to some insights of the TSB services, such as environment variables, logging levels, available metrics, and even profiling information.
    • tctl experimental audit - Allows querying the audit logs for a given resource. This provides detailed information to understand who changed what and when, for any TSB-managed resource.

Upgrade notes

  • The PostgreSQL image that comes with the demo profile has been upgraded from version 11.1 to 14.1 to fix many CVEs that were present in the older version. Note that the demo profile is not meant for production use and demo installations and environments are not expected to be upgraded the same way as production releases. Upgrading a demo PostgreSQL container that already contains data is not supported and extra caution needs to be taken to prevent data loss. It is recommended that you take backups of all your data and follow the migration instructions on the PostgreSQL website if you plan to upgrade a demo environment to this release.

Security fixes

  • The following CVEs have been addressed as part of this release: CVE-2009-5155, CVE-2016-2779, CVE-2016-9427, CVE-2017-1000408, CVE-2017-1000409, CVE-2017-14062, CVE-2017-16932, CVE-2017-16997, CVE-2017-18269, CVE-2017-8872, CVE-2018-1000001, CVE-2018-1000858, CVE-2018-14632, CVE-2018-15686, CVE-2018-20346, CVE-2018-20406, CVE-2018-20506, CVE-2018-20843, CVE-2018-6485, CVE-2018-6551, CVE-2018-8740, CVE-2019-10149, CVE-2019-12900, CVE-2019-13917, CVE-2019-1543, CVE-2019-15846, CVE-2019-15903, CVE-2019-17455, CVE-2019-18218, CVE-2019-19956, CVE-2019-20367, CVE-2019-20388, CVE-2019-20907, CVE-2019-3829, CVE-2019-3842, CVE-2019-5010, CVE-2019-8457, CVE-2019-8905, CVE-2019-8907, CVE-2019-9169, CVE-2019-9636, CVE-2019-9936, CVE-2019-9937, CVE-2020-10531, CVE-2020-11655, CVE-2020-12783, CVE-2020-13871, CVE-2020-26160, CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28015, CVE-2020-28017, CVE-2020-28019, CVE-2020-28020, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026, CVE-2020-29652, CVE-2020-7595, CVE-2020-9283, CVE-2021-29482, CVE-2021-3121, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-38371.

Version 1.4.0

What's New

  • Application and API features with OpenAPI annotations for developer centric experience.
  • Single sign-on (SSO) with OIDC.
  • Automatic synchronization of users and teams from Azure AD.
  • JWT Support for XCP Edge to XCP Central communication, for new Management Plane installations. (1)
  • Adds Egress Gateway.
  • Configurable retention period for metrics (OAP/SkyWalking) and traces (Zipkin).
  • Ratelimiting support at Tier1Gateway, IngressGateway, and Sidecars.
  • External AuthZ Support at Tier1Gateway, IngressGateway, and Sidecars.
  • Performance improvements in the config propagation and cluster state reporting.
  • Important Component upgrades
    • Istio 1.9.8.
    • Envoy 1.17.1.
    • SkyWalking 8.7.
    • Zipkin 2.23.4.
    • OpenTelemetry Collector 0.36.0.
  • Streaming service logs (alpha feature).
  • Autoscaling VM onboarding (alpha feature).
(1) Concurrent support of JWT and mTLS for XCP communications is planned for the next release, which is required to allow for a rolling upgrade from mTLS to JWT.

Upgrade Notes

  • We have increased the resource defaults for OpenTelemetry collector as newer versions have become more resource hungry. The new request default is 400m cpu, 500Mi memory. The new limit default is 800m cpu, 1000Mi memory.
  • If your Elasticsearch control plane settings are protocol: https and selfSigned: false, TSB previously did not validate that certificate against the system CA bundle. This validation now happens, so if your Elasticsearch uses a self-signed certificate but you have not set selfSigned: true in the settings, you will need to do so and create the relevant Kubernetes secret. See control plane onboarding for more details.
  • Starting from 1.4, the MPC component needs a certificate to authenticate with XCP Central when using mutual TLS. When upgrading, a certificate for MPC must be created and stored in a secret named mpc-certs. The following example shows how to create the certificate using cert-manager. This step is not needed for new installations which default to JWT based authentication. Note that example certificates can also be created by using the tctl install manifest management-plane-secrets with the --xcp-certs flag.
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: mpc-certs
      namespace: tsb
    spec:
      secretName: mpc-certs
      issuerRef:
        name: xcp-identity-issuer
        kind: Issuer
      duration: 30000h
      isCA: false
      dnsNames:
        - "mpc.tsb.svc.cluster.local"
      uris:
        - spiffe://xcp.tetrate.io/mpc
      usages:
        - client auth
        - server auth
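The Elasticsearch upgrade note above turns on certificate validation that was previously skipped. The following Go program is an added example, not TSB or XCP code, that shows the check a practitioner can run before upgrading: it builds a throwaway self-signed certificate (constructed, standing in for an Elasticsearch endpoint's certificate), verifies it against a trust bundle that does not contain its issuer (the situation a self-signed certificate is in with respect to the system CA bundle), and then against a bundle that has the certificate itself as a trust anchor, which is what the selfSigned: true setting and its Kubernetes secret provide. The hostname and the decision labels are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a short-lived self-signed server certificate for
// host. It is constructed for this example and stands in for the certificate
// an Elasticsearch endpoint would present; it is not a TSB artifact.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template doubles as parent: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustDecision verifies cert for host against bundle and maps the outcome to
// the two cases the upgrade note distinguishes (labels are this example's own):
//   "trusted"          the chain ends at a root in bundle, no setting change needed
//   "needs-selfSigned" the issuer is absent from bundle, so the certificate must be
//                      supplied explicitly (selfSigned: true plus the secret)
// Any other failure (hostname mismatch, expiry) is reported as-is, since adding
// the certificate to the bundle would not fix it.
func trustDecision(cert *x509.Certificate, bundle *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: bundle, DNSName: host})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "needs-selfSigned"
	default:
		return "other-error: " + err.Error()
	}
}

func main() {
	const host = "elasticsearch.example.internal" // constructed hostname
	cert, err := newSelfSignedCert(host)
	if err != nil {
		panic(err)
	}

	// A bundle that lacks the issuer: how the system CA bundle looks to a
	// self-signed certificate once validation is enforced.
	fmt.Println("system-like bundle:", trustDecision(cert, x509.NewCertPool(), host))

	// The certificate from the secret added as a trust anchor.
	pinned := x509.NewCertPool()
	pinned.AddCert(cert)
	fmt.Println("pinned bundle:     ", trustDecision(cert, pinned, host))

	// A hostname mismatch is not cured by trusting the certificate.
	fmt.Println("wrong host:        ", trustDecision(cert, pinned, "other.example.internal"))
}
```

To apply this to a real endpoint, replace the constructed certificate with the PEM the Elasticsearch server presents and verify it first with Roots left nil (Go then uses the system roots); a "needs-selfSigned" result means the upgraded control plane will reject the connection until selfSigned: true is set and the secret is created.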