Version: 1.6.x

Release Notes

Version 1.6.2

Bug fixes and Improvements

  • GitOps is now supported in the management plane cluster.
  • GitOps webhook is now removed whenever the GitOps component is deactivated.
  • By default, the synchronization of TelemetrySources and TelemetryMetrics is disabled to enhance resource consumption efficiency.
  • Added functionality for North/South gateway to handle exposed host HTTPS multicluster calls from mesh clients, assisting in the migration process to ISTIO_MTLS.
  • Addressed UI bugs and introduced improvements to enhance the user experience.
  • Added the ability to delete AccessBindings using tctl or GitOps.
  • Added support to detect minikube as a cluster provider.
  • Added inline authz support for HTTP external server in Tier1 gateway.
  • Improved propagation strategy behavior: the propagation strategy set for a resource is now enforced only for the resource's descendants, rather than for the resource itself.
  • Fixed race condition in tsb-migrations job.

Security fixes

We shipped the releases with no CVEs at the time of release. New CVEs will emerge, and those will be fixed and documented in the following release notes.

There are currently some known vulnerabilities that are not exploitable:

  • CVE-2023-29402 - Only exploitable at build time, and the TSB build process only uses go get, which is not affected.
  • CVE-2023-29403 - setuid / setgid is not used.
  • CVE-2023-29404 and CVE-2023-29405 - Only exploitable at build time and go is not used in the TSB build.
  • PRISMA-2022-0227 - Not exploitable as the library is imported as indirect. It will be fixed in the next release based on Istio 1.17.

Version 1.6.1

What's New

  • Subset based routing is now supported when cross cluster east-west failover is enabled.
  • Zero traffic disruption for cross cluster communication during downscaling or node draining.
  • TSB now supports K8s 1.25.

Bug fixes and Improvements

  • IsolationBoundaries improvements.
    • Improvements in resource clean-up while disabling or removing an Istio revision under IsolationBoundaries.
    • Ability to operate and upgrade the Istio CNI component under a user-specified revision.
  • Improved the XCP edge-to-central exchange of configurations and cluster states sync for enhanced performance.
  • Fixed an upstream issue related to the IstioOperator cache not being properly updated while switching revisions.
  • Fixed an issue related to helm uninstall timeout.
  • Fixed an issue related to OAP to keep required security context properties as default.
  • Improvement to handling of internal webhook certs.
  • Fixed bug related to AuthZ policies at gateway when envoy proxy protocol is enabled.
  • Optimizations to eastwest communication resource needs.
  • Allow ISTIO_MUTUAL TLS setting in direct mode gateways.
  • Addressed user interface (UI) issues to improve overall usability.
    • Fixed namespace scope in workspace group cards and topology view.
    • Fixed issues related to topology view slider and date selector.
    • New Zipkin Lens UI enhancements.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.6.0

What’s New

  • Security Rules extended to provide significantly more flexibility and specificity, by:
  • High Availability capabilities added to further improve efficiency and failover:
  • User Interface enhancements to empower TSB users to visualize and monitor platform and service activity:
    • Add Log streaming viewers to UI dashboard, capturing logs from services and Istio proxies.
    • Support multiple rule binding in Role UI.
    • Add Users and Teams view in Setting UI.
    • Improved time range slider in Topology view.
    • UI now offers a new Dark Mode.
  • Investigate Application Performance:
  • Platform Additions and Changes:
  • Traffic Control:
    • ServiceRoute now supports advanced traffic shifting subset sections for HTTP and TCP services.
  • Extensibility:
    • Support for WASM Extensions across gateways and service proxies, with WASM catalog and admin-defined defaults for WASM extensions.
  • Security:
  • Reduce footprint by removing Zipkin dependency and using OAP Skywalking for tracing. Improve efficiency and scalability of SkyWalking storage:
    • Removed the Zipkin Backend and replaced it with OAP for collecting and querying traces. Use SkyWalking receiver-zipkin to collect traces from Zipkin trace reporter, and zipkin-query to provide Zipkin trace query API.
    • OAP supports merging all metrics/meter and records (without super datasets) indices into one physical index template, metrics-all and records-all. Set the oap component setting storageIndexMergingEnabled to "true" to merge indices into one physical index template. Metrics/meter and records indices are sharded into multiple physical indices as in the previous versions (note: this is enabled by default in the SPM). Refer to SkyWalking new-elasticsearch-storage-option and SkyWalking-storage-elasticsearch.
    • OAP supports per-index-template settings to scale out the storage to your needs. Regardless of the oap component's storageIndexMergingEnabled value, users can choose to adjust Elasticsearch's shard number (by adjusting the SW_STORAGE_ES_INDEX_SHARDS_NUMBER env var of the oap component) or provide, per index, the concrete number of shards and replicas. For instance, if storageIndexMergingEnabled is enabled, we can increase the number of shards for the metrics-all index template:
        oap:
          storageIndexMergingEnabled: true
          storageSpecificIndexSettings:
          - indexName: "metrics-all"
            numberOfShards: 4
            numberOfReplicas: 1
    • OAP supports enabling URIs/APIs (Endpoint) analysis by setting apiEndpointMetricsEnabled to "true". By default, this setting is "false" and URIs/APIs (Endpoint) analysis is disabled. If the value needs to be modified, it should be configured in both the OAP management plane deployment and the control plane deployment. For example, to enable it, update both the ManagementPlane resource and the ControlPlane resource:
        spec:
          meshObservability:
            settings:
              apiEndpointMetricsEnabled: true
  • Added --apikey-stdin to provide API Key when doing image synchronization. For example: echo myAPIKey | tctl install image-sync --username myuser --registry gcr.io/mycompany/registry --apikey-stdin.
  • OAP supports basic PromQL. Users can obtain metrics through the PromQL Service for integrations such as building a Grafana UI.
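
As an added example (not part of the TSB documentation or tooling), the --apikey-stdin usage above can take the key from an owner-only file rather than an echo typed on the command line, so the key never appears in shell history or in the tctl argument list. The function name and the key file are hypothetical; only the tctl flags shown in the note above are used.

```shell
#!/usr/bin/env bash
# Added example: pass the image-sync API key to tctl on stdin from a protected file.
# Hypothetical names: image_sync_with_keyfile and the key file path given by the caller.

image_sync_with_keyfile() {
  local keyfile user registry perms
  keyfile=$1
  user=$2
  registry=$3

  if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
    echo "key file not readable: $keyfile" >&2
    return 2
  fi

  # Characters 5-10 of the ls mode string are the group and other bits.
  # Refuse a key file that anyone besides the owner can access.
  perms=$(ls -ld -- "$keyfile" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "refusing key file with group/other access: $keyfile" >&2
    return 3
  fi

  if [ ! -s "$keyfile" ]; then
    echo "key file is empty: $keyfile" >&2
    return 4
  fi

  # The key is delivered on stdin only; it is not part of the command line.
  tctl install image-sync --username "$user" --registry "$registry" \
    --apikey-stdin < "$keyfile"
}
```

Call it as `image_sync_with_keyfile /path/to/keyfile myuser gcr.io/mycompany/registry` after creating the key file with mode 600.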

Upgrade notes

  • Due to Zipkin Backend being replaced by OAP, after the upgrade the Zipkin deployment needs to be removed, including TSB Control Plane (automatically) and Management Plane (deployment, cronjob zipkin-cleanup, config in CRD managementplanes.install.tetrate.io). The Elasticsearch indexes zipkin-span and zipkin-autocomplete can be removed too.
  • Due to a fix introduced in Istio 1.14, when both replicaCount and autoscaleEnabled are set, replicaCount will be ignored and only autoscale configuration will be applied. This can lead to issues where the tier1gateways and ingressgateways scale down to 1 replica temporarily during the upgrade until the autoscale configuration is applied. In order to avoid this issue, edit the tier1gateway or ingressgateway spec and remove the replicas field. Since the current deployment will already be managed by the HPA controller, this will allow you to upgrade the pods with the desired configuration.
  • If you enable Isolation Boundary on an existing environment, you need to scale down the TSB data plane operator before adding isolation boundaries in the control plane resource. See Non-revisioned to Revisioned upgrade for more details.

Deprecation Notices

  • Removed the Zipkin Backend.

Known Issues and Limitations

For full details on production readiness and supportability of TSB features, refer to the Feature Status matrix. In addition:

  • The WAF plugin image is pulled from the Tetrate public registry oci://ghcr.io/tetrateio instead of the customer container registry defined within the control plane.
  • securityContext defined in TSB control plane CR is not applied to vmgateway component.
  • Subset based routing is not supported in EastWestGateway failover.
  • WasmExtension will be applied to all traffic, without the ability to select specific traffic by its direction or port.
  • If you use a private registry for your WasmExtension, the Wasm imagePullSecret has to exist in the target namespace.
  • To use Identity Propagation, you have to set imagePullSecret for your TSB images registry in the istio-system namespace.
  • Identity Propagation only supports HTTP traffic.
  • Port 15443 is not allowed in Istio Gateway in Tier 2 DIRECT mode, and TLS modes ISTIO_MUTUAL and AUTO_PASSTHROUGH are not allowed in Istio Gateway in DIRECT mode.
  • Workload Onboarding only supports a single isolation boundary.