Istio 1.14 release announcement, change-notes, and upgrade-notes (#11264

) * Istio 1.14 release announcement * Add doc link for auto sni * Add change-notes, upgrade-notes * Revise k8s versions * Fix extra empty lines and grammar errors * Add 1.12.x * Update the 1.14 upgrade survey link * Add IstioCon wrap-up and update SPIRE * Update the release date * Fix lint * Fix lint * Fix lint * Fix lint * Fix the indent, grammar problems * Update content/en/news/releases/1.14.x/announcing-1.14/upgrade-notes/index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update content/en/news/releases/1.14.x/announcing-1.14/_index.md Co-authored-by: craigbox <craigbox@google.com> * Fix comma, remove expected * Update content/en/news/releases/1.14.x/announcing-1.14/_index.md * Fix lint error * Fix lint * Change the auto sni links * Fix lint error * Update content/en/news/releases/1.14.x/announcing-1.14/_index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: craigbox <craigbox@google.com> Co-authored-by: Lin Sun <lin.sun@solo.io>
istio · May 31, 2022 · 403ce4d · 403ce4d
1 parent 6476cca
commit 403ce4d
Show file tree

Hide file tree

Showing 6 changed files with 309 additions and 11 deletions.
diff --git a/.spelling b/.spelling
@@ -31,6 +31,7 @@
 1.11.x
 1.12.x
 1.13.x
+1.14.x
 1.x
 10ms
 10s
@@ -122,6 +123,8 @@ Arielli
 arm64
 ArtifactHub
 AssemblyScript
+attestor
+attestors
 Atlassian
 AttributeGen
 Auth0
@@ -135,6 +138,7 @@ autoscaler
 Autoscalers
 autoscalers
 autoscaling
+auto-sni
 AutoTrader
 Avelar
 az
@@ -347,6 +351,7 @@ endUser-to-Service
 env
 envoyproxy
 etcd
+events.istio.io
 example.com
 ExecAction
 executables
@@ -399,6 +404,8 @@ GKE-Workloads
 GlueCon
 Gloo
 Gmail
+gogo/protobuf
+golang/protobuf
 GoLang
 Golang
 googleapis.com

diff --git a/content/en/docs/releases/supported-releases/index.md b/content/en/docs/releases/supported-releases/index.md
@@ -51,17 +51,18 @@ current `<minor>` release. A patch is usually a small change relative to the `<m
 
 ## Support status of Istio releases
 
-| Version         | Currently Supported  | Release Date      | End of Life              | Supported Kubernetes Versions | Tested, but not supported |
-|-----------------|----------------------|-------------------|--------------------------|-------------------------------|---------------------------|
-| master          | No, development only |                   |                          |                               |                           |
-| 1.13            | Yes                  | February 11, 2022 | ~October 2022 (Expected) | 1.20, 1.21, 1.22, 1.23        | 1.16, 1.17, 1.18, 1.19    |
-| 1.12            | Yes                  | November 18, 2021 | ~June 2022 (Expected)    | 1.19, 1.20, 1.21, 1.22        | 1.16, 1.17, 1.18          |
-| 1.11            | Yes                  | August 12, 2021   | ~Mar 2022 (Expected)     | 1.18, 1.19, 1.20, 1.21, 1.22  | 1.16, 1.17                |
-| 1.10            | No                   | May 18, 2021      | Jan 7, 2022              | 1.18, 1.19, 1.20, 1.21        | 1.16, 1.17, 1.22          |
-| 1.9             | No                   | February 9, 2021  | Oct 8, 2021              | 1.17, 1.18, 1.19, 1.20        | 1.15, 1.16                |
-| 1.8             | No                   | November 10, 2020 | May 12, 2021             | 1.16, 1.17, 1.18, 1.19        | 1.15                      |
-| 1.7             | No                   | August 21, 2020   | Feb 25, 2021             | 1.16, 1.17, 1.18              | 1.15                      |
-| 1.6 and earlier | No                   |                   |                          |                               |                           |
+| Version         | Currently Supported  | Release Date      | End of Life              | Supported Kubernetes Versions  | Tested, but not supported    |
+|-----------------|----------------------|-------------------|--------------------------|--------------------------------|------------------------------|
+| master          | No, development only |                   |                          |                                |                              |
+| 1.14            | Yes                  | May 24, 2022      | ~January 2023 (Expected) | 1.21, 1.22, 1.23, 1.24         | 1.16, 1.17, 1.18, 1.19, 1.20 |
+| 1.13            | Yes                  | February 11, 2022 | ~October 2022 (Expected) | 1.20, 1.21, 1.22, 1.23         | 1.16, 1.17, 1.18, 1.19       |
+| 1.12            | Yes                  | November 18, 2021 | ~June 2022 (Expected)    | 1.19, 1.20, 1.21, 1.22         | 1.16, 1.17, 1.18             |
+| 1.11            | Yes                  | August 12, 2021   | Mar 25, 2022             | 1.18, 1.19, 1.20, 1.21, 1.22   | 1.16, 1.17                   |
+| 1.10            | No                   | May 18, 2021      | Jan 7, 2022              | 1.18, 1.19, 1.20, 1.21         | 1.16, 1.17, 1.22             |
+| 1.9             | No                   | February 9, 2021  | Oct 8, 2021              | 1.17, 1.18, 1.19, 1.20         | 1.15, 1.16                   |
+| 1.8             | No                   | November 10, 2020 | May 12, 2021             | 1.16, 1.17, 1.18, 1.19         | 1.15                         |
+| 1.7             | No                   | August 21, 2020   | Feb 25, 2021             | 1.16, 1.17, 1.18               | 1.15                         |
+| 1.6 and earlier | No                   |                   |                          |                                |                              |
 
 {{< warning >}}
 [Kubernetes 1.22 removed some deprecated APIs](https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/) and as a result versions of Istio prior to 1.10.0 will no longer work. If you are upgrading your Kubernetes version, make sure that your Istio version is still supported.
@@ -76,6 +77,7 @@ Please keep up-to-date and use a supported version.
 
 | Minor Releases   | Patched versions with no known CVEs           |
 |------------------|-----------------------------------------------|
+| 1.14.x           | 1.14.0+                                       |
 | 1.13.x           | 1.13.2+                                       |
 | 1.12.x           | 1.12.5+                                       |
 | 1.11.x           | 1.11.8+                                       |

diff --git a/content/en/news/releases/1.14.x/_index.md b/content/en/news/releases/1.14.x/_index.md
@@ -0,0 +1,8 @@
+---
+title: 1.14.x Releases
+description: Announcements for the 1.14 release and its associated patch releases.
+weight: 15
+list_by_publishdate: true
+layout: release-grid
+decoration: dot
+---
diff --git a/content/en/news/releases/1.14.x/announcing-1.14/_index.md b/content/en/news/releases/1.14.x/announcing-1.14/_index.md
@@ -0,0 +1,82 @@
+---
+title: Announcing Istio 1.14
+linktitle: 1.14
+subtitle: Major Update
+description: Istio 1.14 release announcement.
+publishdate: 2022-05-24
+release: 1.14.0
+skip_list: true
+aliases:
+- /news/announcing-1.14
+- /news/announcing-1.14.0
+---
+
+We are pleased to announce the release of Istio 1.14!
+
+{{< relnote >}}
+
+This is the second Istio release of 2022. We would like to thank the entire Istio community
+for helping to get Istio 1.14.0 published.
+Special thanks are due to the release managers Lei Tang (Google) and Greg Hanson (Solo.io),
+and to Test & Release WG lead Eric Van Norman (IBM) for his help and guidance.
+
+{{< tip >}}
+Istio 1.14.0 is officially supported on Kubernetes versions `1.21` to `1.24`.
+{{< /tip >}}
+
+Here are some of the highlights of the release:
+
+## Support for the SPIRE runtime
+
+SPIRE is a production-ready implementation of the SPIFFE specification, that offers
+pluggable multi-factor attestation and SPIFFE federation. We've made changes in the way
+we integrate with external Certificate Authorities, using the Envoy SDS API, to enable
+support for SPIRE. Thanks to the team at HP Enterprise for contributing this work!
+
+SPIRE enables the introduction of strongly attested identities through the use of a combination
+of different attestation mechanisms. It provides a variety of node and workload attestors out
+of the box for workloads running in Kubernetes, AWS, GCP, Azure, Docker and through a plugin
+oriented architecture, it also enables the use of custom attestors.
+The project has a pluggable integration with custom Key Management Systems for
+storing the CA private keys, and enables integration with existing PKIs through the Upstream Certificate Authority plugin.
+SPIRE implements SPIFFE Federation, enabling workloads to trust peers in a different trust domain, in
+a configurable and flexible way through the Federation API.
+
+For more information, check out the [documentation](/docs/ops/integrations/spire/) and this [video](https://www.youtube.com/watch?v=WOPoNqfrhb4) from the HPE and Solo teams.
+
+## Add auto-sni support
+
+Some servers require SNI be included in a request. This new feature configures SNI automatically
+without users manually configuring it or using an `EnvoyFilter` resource.
+For more information, check out the [pull request 38604](https://github.com/istio/istio/pull/38604)
+and the [pull request 38238](https://github.com/istio/istio/pull/38238).
+
+## Add support for configuring the TLS version for Istio workloads
+
+TLS version is important for security. This new feature adds
+support for configuring the minimum TLS version for Istio workloads.
+For more information, check out the [documentation](/docs/tasks/security/tls-configuration/workload-min-tls-version/).
+
+## Telemetry improvements
+
+The [Telemetry API](/docs/tasks/observability/telemetry/) has undergone a number of improvements,
+including support for OpenTelemetry access logging, filtering based on `WorkloadMode`, and more.
+
+## Upgrading to 1.14
+
+When you upgrade, we would like to hear from you! Please take a few minutes to respond to a brief [survey](https://forms.gle/yEtCbt45FZ3VoDT5A) to let us know how we’re doing.
+
+You can also join the conversation at [Discuss Istio](https://discuss.istio.io/), or join our [Slack workspace](https://slack.istio.io/).
+Would you like to contribute directly to Istio? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us improve.
+
+## IstioCon wrap up
+
+IstioCon 2022, the second edition of the project’s conference, took place Apr 25-29. We had almost 4,000 registered
+participants, with a 4.5/5 satisfaction score. The conference was held in English and Chinese, with people
+joining from 120 countries all over the world. During April 2022, the month of the conference, 81% of users
+on istio.io were first time users. We will be sharing a more detailed report of the event on [events.istio.io](https://events.istio.io).
+
+## CNCF wrap up
+
+We're so pleased at the response to our announcement that [Istio has been proposed to the CNCF](/blog/2022/istio-has-applied-to-join-the-cncf/).
+We're hard at work on our application, and hope to have more to share in the coming months!
diff --git a/content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md b/content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md
@@ -0,0 +1,177 @@
+---
+title: Istio 1.14 Change Notes
+linktitle: 1.14.0
+subtitle: Minor Release
+description: Istio 1.14.0 change notes.
+publishdate: 2022-05-24
+release: 1.14.0
+weight: 10
+aliases:
+- /news/announcing-1.14.0
+---
+
+## Traffic Management
+
+- **Added** support for sending unready endpoints to Envoy. This will be useful when slow start mode in Envoy is enabled.
+  This can be disabled by setting `PILOT_SEND_UNHEALTHY_ENDPOINTS` to false.
+
+- **Added** new configuration options to `istio-iptables` and `istio-clean-iptables`
+  for including/excluding certain user groups from interception of the outgoing traffic
+  generated by them.
+
+  This feature is intended primarily for use on VMs, where system administrators need
+  to restrain interception of the outgoing traffic down to a few applications instead
+  of intercepting all outgoing traffic.
+
+  By default, as before, the Istio Sidecar will intercept outgoing traffic from all processes,
+  no matter what user groups they are running under.
+
+  To change this behavior, system administrators can now use 2 new environment variables
+  supported by `istio-iptables` and `istio-clean-iptables` : `ISTIO_OUTBOUND_OWNER_GROUPS`
+  and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE`.
+
+  `ISTIO_OUTBOUND_OWNER_GROUPS` is a comma separated list of groups whose outgoing traffic
+  should be redirected to Envoy (sidecar).
+  A group can be specified either by name or by a numeric GID.
+  The wildcard character `*` can be used to configure redirection of traffic from all groups
+  (default).
+
+  `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` is a comma separated list of groups whose outgoing
+  traffic should be excluded from redirection to Envoy (sidecar).
+  A group can be specified either by name or by a numeric GID.
+  Only applies when traffic from all groups (i.e. `*`) is being redirected to Envoy (sidecar).
+
+  `ISTIO_OUTBOUND_OWNER_GROUPS` and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` are mutually
+  exclusive, use only one of them.
+
+  For example, `ISTIO_OUTBOUND_OWNER_GROUPS=101,java` instructs to intercept outgoing traffic only from
+    those processes that run under one of the user groups `101` (by `GID`) or `java` (by name).
+  `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202` instructs to intercept outgoing traffic
+    from all processes except for those that under one of the user groups `202` (by `GID`)
+    or `root` (by name).
+    ([Issue #37057](https://github.com/istio/istio/issues/37057))
+
+- **Added** the ability to automatically set SNI when `DestinationRules`
+  do not specify it and `ENABLE_AUTO_SNI` is enabled.
+
+- **Added** the ability to set `credentialName` based secret configuration
+  at sidecars for egress TLS traffic when `WorkloadSelector` is specified in `DestinationRule`,
+  provided the sidecar has permission to list secrets in the namespace where it resides.
+
+- **Added** support for `WorkloadSelector` in `DestinationRule`.
+
+- **Added** warning messages for users attempting to use IP addresses as SNI values in `VirtualService.TLSRoute.Match.SniHosts`
+  ([Issue #33401](https://github.com/istio/istio/issues/33401))
+
+- **Added** support of replacing virtual host in envoy filter.
+
+- **Added** the API `runtimeValues` to [Proxy Config](/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) for
+  configuring Envoy runtime configuration.  ([Issue #37202](https://github.com/istio/istio/issues/37202))
+
+- **Added** setting upstream TLS maximum version to TLS 1.3.  ([Issue #36271](https://github.com/istio/istio/issues/36271))
+
+- **Fixed** the problem that xDS may not be updated if multiple `destinationRules` for a service are merged.
+  In this case the merged rule only records one name/namespace pair of all the `destinationRules`.
+  However, this meta is used to record config dependencies of a sidecar.
+
+  In this fix, we introduce a new struct `consolidatedDestRule` and record all the `destinationrules`' meta
+  to avoid missing any `destinationRule` dependencies.  ([Issue #38082](https://github.com/istio/istio/issues/38082))
+
+- **Fixed** an issue causing traffic from a gateway to a service with an [undeclared protocol](/docs/ops/configuration/traffic-management/protocol-selection/#automatic-protocol-selection) being treated as TCP traffic rather than HTTP.
+  ([Issue #37196](https://github.com/istio/istio/issues/37196))
+
+- **Fixed** an issue with `DNS` type `ServiceEntry`s causing excessive DNS requests when the DNS lookup fails.
+  ([Issue #35603](https://github.com/istio/istio/issues/35603))
+
+- **Fixed** IP family detection when using the CNI to behave the same way as without it.
+  ([Issue #36871](https://github.com/istio/istio/issues/36871))
+
+- **Fixed** IPv6 detection on clusters with IPv4 NAT implementation, such as Amazon EKS, by excluding link-local addresses from detection.
+  ([Issue #36961](https://github.com/istio/istio/issues/36961))
+
+- **Improved** XDS generation to send less resource when possible, sometimes omitting a response entirely.
+  This can be disabled by the `PILOT_PARTIAL_FULL_PUSHES=false` environment variable.
+  ([Issue #37989](https://github.com/istio/istio/issues/37989)),([Issue #37974](https://github.com/istio/istio/issues/37974))
+
+- **Updated** Istio's default load balancing algorithm from `ROUND_ROBIN` to `LEAST_REQUEST`.
+  The `ROUND_ROBIN` algorithm can lead to overburdened endpoints, especially when weights
+  are used. The `LEAST_REQUEST` algorithm distributes the load more evenly across and is far less
+  likely to overburden endpoints. A number of experiments (by both the Istio and
+  Envoy teams) have shown that `LEAST_REQUEST` outperforms `ROUND_ROBIN` in virtually all
+  cases, with little/no downsides. It's generally considered a drop-in replacement for
+  `ROUND_ROBIN`.
+
+  `ROUND_ROBIN` will continue to be supported if explicitly specified. To restore
+  `ROUND_ROBIN` as the default, set the istiod environment variable
+  `ENABLE_LEGACY_LB_ALGORITHM_DEFAULT=true`.
+
+## Security
+
+- **Added** a new approach for CA integration through the Envoy SDS API.
+  ([usage]( https://istio.io/latest/docs/ops/integrations/spire/))([design]( https://docs.google.com/document/d/1zJP6QJukLzckTbdY42ZMLkulGXz4gWzH9SwOh4xoe0A)) ([Issue #37183](https://github.com/istio/istio/issues/37183))
+
+- **Added** support for using `PrivateKeyProvider` in SDS. ([Issue #35809](https://github.com/istio/istio/issues/35809))
+
+- **Added** support for TLS configuration API for workloads.  ([Issue #2285](https://github.com/istio/api/issues/2285))
+
+- **Fixed** the request authentication policy to always allow the CORS preflight request.
+  ([Issue #36911](https://github.com/istio/istio/issues/36911))
+
+## Telemetry
+
+- **Added** the implementation of the OpenTelemetry access log.
+
+- **Added** environment variable support at Wasm extension via VM configuration in WasmPlugin API.
+
+- **Added** `WorkloadMode` selection to Logging.
+
+## Extensibility
+
+- **Added** support for WasmPlugin pulling image from private repository with `imagePullSecret`.
+
+## Installation
+
+- **Added** support of installing gateway helm chart as `daemonset`.
+  ([Issue #37610](https://github.com/istio/istio/issues/37610))
+
+- **Fixed** an issue of Envoy losing connection after `istio-ca-root-cert` is changed.
+  ([Issue #36723](https://github.com/istio/istio/issues/36723))
+
+- **Fixed** an issue that was preventing the operator from updating deployments when `.autoscaleEnabled` is `true` and `.k8s.replicaCount` is nonzero.
+  When both `autoscale` is enabled and `replicaCount` is nonzero, warning messages will be generated during validation.
+
+- **Fixed** an unknown field `customService` in `v1alpha1.EgressGatewayConfig`.
+  ([Issue #37260](https://github.com/istio/istio/issues/37260))
+
+- **Fixed** the default container annotation when there are multiple containers.
+  ([Issue #38060](https://github.com/istio/istio/pull/38060))
+
+- **Fixed** `istioctl` should add Kubernetes resource in all revisions when running analyze.
+  ([Issue #38148](https://github.com/istio/istio/issues/38148))
+
+- **Fixed** the in-cluster operator can't create resources on recreation of the same `IstioOperator` resource.
+  ([Issue #35657](https://github.com/istio/istio/issues/35657))
+
+- **Removed** `caBundle` default value from Chart to allow a GitOps approach.
+  ([Issue #33052](https://github.com/istio/istio/issues/33052))
+
+## istioctl
+
+- **Added** analysis interval to reduce the wasteful re-runs of analyzer.
+  ([Issue #30200](https://github.com/istio/istio/issues/30200))
+
+- **Added** the cluster id to `istioctl experimental ps`.
+  ([Issue #36290](https://github.com/istio/istio/issues/36290))
+
+- **Added** a new analyzer for envoy filter patch operations.
+  ([Issue #37415](https://github.com/istio/istio/issues/37415))
+
+- **Added** the pod full name to the IST0103 analysis message.
+
+- **Added** `istioctl ps` support for ECDS.
+
+- **Fixed** unexpected warning logs for `istioctl install --dry-run`.
+  ([Issue #37084](https://github.com/istio/istio/issues/37084))
+
+- **Fixed** nil pointer dereference panic when using `kube-inject` when
+not passing a needed revision but also passing `injectConfigMapName`.  ([Issue #38083](https://github.com/istio/istio/issues/38083))
diff --git a/content/en/news/releases/1.14.x/announcing-1.14/upgrade-notes/index.md b/content/en/news/releases/1.14.x/announcing-1.14/upgrade-notes/index.md
@@ -0,0 +1,22 @@
+---
+title: Istio 1.14 Upgrade Notes
+description: Important changes to consider when upgrading to Istio 1.14.0.
+publishdate: 2022-05-24
+weight: 20
+---
+
+When you upgrade from Istio 1.13.x to Istio 1.14.0, you need to consider the changes on this page.
+These notes detail the changes which purposefully break backwards compatibility with Istio 1.14.0.
+The notes also mention changes which preserve backwards compatibility while introducing new behavior.
+Changes are only included if the new behavior would be unexpected to a user of Istio `1.13.x`.
+Users upgrading from 1.12.x to Istio 1.14.0 should also reference the [1.13.0 change logs](/news/releases/1.13.x/announcing-1.13/change-notes/).
+
+## `gogo/protobuf` library migration
+
+The `istio.io/api` and `istio.io/client-go` libraries have switched from using the [`gogo/protobuf`](https://github.com/gogo/protobuf)
+to using the [`golang/protobuf`](https://github.com/golang/protobuf) library for API types.
+
+This change does not have any impact on typical Istio users, but rather impacts users importing Istio as a Go library.
+
+For these users, upgrading the Istio libraries will likely cause compilation issues. These issues are typically simple to address,
+and largely syntactical. The [Go blog](https://go.dev/blog/protobuf-apiv2) on the new protobuf API can help with migration.