diff --git a/.spelling b/.spelling index f6464d9b03209..44ebab55d8ff5 100644 --- a/.spelling +++ b/.spelling @@ -31,6 +31,7 @@ 1.11.x 1.12.x 1.13.x +1.14.x 1.x 10ms 10s @@ -122,6 +123,8 @@ Arielli arm64 ArtifactHub AssemblyScript +attestor +attestors Atlassian AttributeGen Auth0 @@ -135,6 +138,7 @@ autoscaler Autoscalers autoscalers autoscaling +auto-sni AutoTrader Avelar az @@ -347,6 +351,7 @@ endUser-to-Service env envoyproxy etcd +events.istio.io example.com ExecAction executables @@ -399,6 +404,8 @@ GKE-Workloads GlueCon Gloo Gmail +gogo/protobuf +golang/protobuf GoLang Golang googleapis.com diff --git a/content/en/docs/releases/supported-releases/index.md b/content/en/docs/releases/supported-releases/index.md index 717dca6d1a0da..7192239a9d7b9 100644 --- a/content/en/docs/releases/supported-releases/index.md +++ b/content/en/docs/releases/supported-releases/index.md @@ -51,17 +51,18 @@ current `` release. A patch is usually a small change relative to the `}} [Kubernetes 1.22 removed some deprecated APIs](https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/) and as a result versions of Istio prior to 1.10.0 will no longer work. If you are upgrading your Kubernetes version, make sure that your Istio version is still supported. @@ -76,6 +77,7 @@ Please keep up-to-date and use a supported version. | Minor Releases | Patched versions with no known CVEs | |------------------|-----------------------------------------------| +| 1.14.x | 1.14.0+ | | 1.13.x | 1.13.2+ | | 1.12.x | 1.12.5+ | | 1.11.x | 1.11.8+ | diff --git a/content/en/news/releases/1.14.x/_index.md b/content/en/news/releases/1.14.x/_index.md new file mode 100644 index 0000000000000..c7c2671da906f --- /dev/null +++ b/content/en/news/releases/1.14.x/_index.md @@ -0,0 +1,8 @@ +--- +title: 1.14.x Releases +description: Announcements for the 1.14 release and its associated patch releases. +weight: 15 +list_by_publishdate: true +layout: release-grid +decoration: dot +--- 
diff --git a/content/en/news/releases/1.14.x/announcing-1.14/_index.md b/content/en/news/releases/1.14.x/announcing-1.14/_index.md new file mode 100644 index 0000000000000..5d4b7b7384bf8 --- /dev/null +++ b/content/en/news/releases/1.14.x/announcing-1.14/_index.md 
@@ -0,0 +1,82 @@ +--- +title: Announcing Istio 1.14 +linktitle: 1.14 +subtitle: Major Update +description: Istio 1.14 release announcement. +publishdate: 2022-05-24 +release: 1.14.0 +skip_list: true +aliases: +- /news/announcing-1.14 +- /news/announcing-1.14.0 +--- + +We are pleased to announce the release of Istio 1.14! + +{{< relnote >}} + +This is the second Istio release of 2022. We would like to thank the entire Istio community +for helping to get Istio 1.14.0 published. +Special thanks are due to the release managers Lei Tang (Google) and Greg Hanson (Solo.io), +and to Test & Release WG lead Eric Van Norman (IBM) for his help and guidance. + +{{< tip >}} +Istio 1.14.0 is officially supported on Kubernetes versions `1.21` to `1.24`. +{{< /tip >}} + +Here are some of the highlights of the release: + +## Support for the SPIRE runtime + +SPIRE is a production-ready implementation of the SPIFFE specification, that offers +pluggable multi-factor attestation and SPIFFE federation. We've made changes in the way +we integrate with external Certificate Authorities, using the Envoy SDS API, to enable +support for SPIRE. Thanks to the team at HP Enterprise for contributing this work! + +SPIRE enables the introduction of strongly attested identities through the use of a combination +of different attestation mechanisms. It provides a variety of node and workload attestors out +of the box for workloads running in Kubernetes, AWS, GCP, Azure, Docker and through a plugin +oriented architecture, it also enables the use of custom attestors. +The project has a pluggable integration with custom Key Management Systems for +storing the CA private keys, and enables integration with existing PKIs through the Upstream Certificate Authority plugin. +SPIRE implements SPIFFE Federation, enabling workloads to trust peers in a different trust domain, in +a configurable and flexible way through the Federation API. 
+ +For more information, check out the [documentation](/docs/ops/integrations/spire/) and this [video](https://www.youtube.com/watch?v=WOPoNqfrhb4) from the HPE and Solo teams. + +## Add auto-sni support + +Some servers require SNI be included in a request. This new feature configures SNI automatically +without users manually configuring it or using an `EnvoyFilter` resource. +For more information, check out the [pull request 38604](https://github.com/istio/istio/pull/38604) +and the [pull request 38238](https://github.com/istio/istio/pull/38238). + +## Add support for configuring the TLS version for Istio workloads + +TLS version is important for security. This new feature adds +support for configuring the minimum TLS version for Istio workloads. +For more information, check out the [documentation](/docs/tasks/security/tls-configuration/workload-min-tls-version/). + +## Telemetry improvements + +The [Telemetry API](/docs/tasks/observability/telemetry/) has undergone a number of improvements, +including support for OpenTelemetry access logging, filtering based on `WorkloadMode`, and more. + +## Upgrading to 1.14 + +When you upgrade, we would like to hear from you! Please take a few minutes to respond to a brief [survey](https://forms.gle/yEtCbt45FZ3VoDT5A) to let us know how we’re doing. + +You can also join the conversation at [Discuss Istio](https://discuss.istio.io/), or join our [Slack workspace](https://slack.istio.io/). +Would you like to contribute directly to Istio? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us improve. + +## IstioCon wrap up + +IstioCon 2022, the second edition of the project’s conference, took place Apr 25-29. We had almost 4,000 registered +participants, with a 4.5/5 satisfaction score. The conference was held in English and Chinese, with people +joining from 120 countries all over the world. 
During April 2022, the month of the conference, 81% of users +on istio.io were first time users. We will be sharing a more detailed report of the event on [events.istio.io](https://events.istio.io). + +## CNCF wrap up + +We're so pleased at the response to our announcement that [Istio has been proposed to the CNCF](/blog/2022/istio-has-applied-to-join-the-cncf/). +We're hard at work on our application, and hope to have more to share in the coming months! \ No newline at end of file diff --git a/content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md b/content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md new file mode 100644 index 0000000000000..6ddc82c9f8433 --- /dev/null +++ b/content/en/news/releases/1.14.x/announcing-1.14/change-notes/index.md 
@@ -0,0 +1,177 @@ +--- +title: Istio 1.14 Change Notes +linktitle: 1.14.0 +subtitle: Minor Release +description: Istio 1.14.0 change notes. +publishdate: 2022-05-24 +release: 1.14.0 +weight: 10 +aliases: +- /news/announcing-1.14.0 +--- + +## Traffic Management + +- **Added** support for sending unready endpoints to Envoy. This will be useful when slow start mode in Envoy is enabled. + This can be disabled by setting `PILOT_SEND_UNHEALTHY_ENDPOINTS` to false. + +- **Added** new configuration options to `istio-iptables` and `istio-clean-iptables` + for including/excluding certain user groups from interception of the outgoing traffic + generated by them. + + This feature is intended primarily for use on VMs, where system administrators need + to restrain interception of the outgoing traffic down to a few applications instead + of intercepting all outgoing traffic. + + By default, as before, the Istio Sidecar will intercept outgoing traffic from all processes, + no matter what user groups they are running under. + + To change this behavior, system administrators can now use 2 new environment variables + supported by `istio-iptables` and `istio-clean-iptables` : `ISTIO_OUTBOUND_OWNER_GROUPS` + and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE`. + + `ISTIO_OUTBOUND_OWNER_GROUPS` is a comma separated list of groups whose outgoing traffic + should be redirected to Envoy (sidecar). + A group can be specified either by name or by a numeric GID. + The wildcard character `*` can be used to configure redirection of traffic from all groups + (default). + + `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` is a comma separated list of groups whose outgoing + traffic should be excluded from redirection to Envoy (sidecar). + A group can be specified either by name or by a numeric GID. + Only applies when traffic from all groups (i.e. `*`) is being redirected to Envoy (sidecar). + + `ISTIO_OUTBOUND_OWNER_GROUPS` and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` are mutually + exclusive, use only one of them. 
+ + For example, `ISTIO_OUTBOUND_OWNER_GROUPS=101,java` instructs to intercept outgoing traffic only from + those processes that run under one of the user groups `101` (by `GID`) or `java` (by name). + `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202` instructs to intercept outgoing traffic + from all processes except for those that under one of the user groups `202` (by `GID`) + or `root` (by name). + ([Issue #37057](https://github.com/istio/istio/issues/37057)) + +- **Added** the ability to automatically set SNI when `DestinationRules` + do not specify it and `ENABLE_AUTO_SNI` is enabled. + +- **Added** the ability to set `credentialName` based secret configuration + at sidecars for egress TLS traffic when `WorkloadSelector` is specified in `DestinationRule`, + provided the sidecar has permission to list secrets in the namespace where it resides. + +- **Added** support for `WorkloadSelector` in `DestinationRule`. + +- **Added** warning messages for users attempting to use IP addresses as SNI values in `VirtualService.TLSRoute.Match.SniHosts` + ([Issue #33401](https://github.com/istio/istio/issues/33401)) + +- **Added** support of replacing virtual host in envoy filter. + +- **Added** the API `runtimeValues` to [Proxy Config](/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) for + configuring Envoy runtime configuration. ([Issue #37202](https://github.com/istio/istio/issues/37202)) + +- **Added** setting upstream TLS maximum version to TLS 1.3. ([Issue #36271](https://github.com/istio/istio/issues/36271)) + +- **Fixed** the problem that xDS may not be updated if multiple `destinationRules` for a service are merged. + In this case the merged rule only records one name/namespace pair of all the `destinationRules`. + However, this meta is used to record config dependencies of a sidecar. + + In this fix, we introduce a new struct `consolidatedDestRule` and record all the `destinationrules`' meta + to avoid missing any `destinationRule` dependencies. 
([Issue #38082](https://github.com/istio/istio/issues/38082)) + +- **Fixed** an issue causing traffic from a gateway to a service with an [undeclared protocol](/docs/ops/configuration/traffic-management/protocol-selection/#automatic-protocol-selection) being treated as TCP traffic rather than HTTP. + ([Issue #37196](https://github.com/istio/istio/issues/37196)) + +- **Fixed** an issue with `DNS` type `ServiceEntry`s causing excessive DNS requests when the DNS lookup fails. + ([Issue #35603](https://github.com/istio/istio/issues/35603)) + +- **Fixed** IP family detection when using the CNI to behave the same way as without it. + ([Issue #36871](https://github.com/istio/istio/issues/36871)) + +- **Fixed** IPv6 detection on clusters with IPv4 NAT implementation, such as Amazon EKS, by excluding link-local addresses from detection. + ([Issue #36961](https://github.com/istio/istio/issues/36961)) + +- **Improved** XDS generation to send less resource when possible, sometimes omitting a response entirely. + This can be disabled by the `PILOT_PARTIAL_FULL_PUSHES=false` environment variable. + ([Issue #37989](https://github.com/istio/istio/issues/37989)),([Issue #37974](https://github.com/istio/istio/issues/37974)) + +- **Updated** Istio's default load balancing algorithm from `ROUND_ROBIN` to `LEAST_REQUEST`. + The `ROUND_ROBIN` algorithm can lead to overburdened endpoints, especially when weights + are used. The `LEAST_REQUEST` algorithm distributes the load more evenly across and is far less + likely to overburden endpoints. A number of experiments (by both the Istio and + Envoy teams) have shown that `LEAST_REQUEST` outperforms `ROUND_ROBIN` in virtually all + cases, with little/no downsides. It's generally considered a drop-in replacement for + `ROUND_ROBIN`. + + `ROUND_ROBIN` will continue to be supported if explicitly specified. To restore + `ROUND_ROBIN` as the default, set the istiod environment variable + `ENABLE_LEGACY_LB_ALGORITHM_DEFAULT=true`. 
+ +## Security + +- **Added** a new approach for CA integration through the Envoy SDS API. + ([usage]( https://istio.io/latest/docs/ops/integrations/spire/))([design]( https://docs.google.com/document/d/1zJP6QJukLzckTbdY42ZMLkulGXz4gWzH9SwOh4xoe0A)) ([Issue #37183](https://github.com/istio/istio/issues/37183)) + +- **Added** support for using `PrivateKeyProvider` in SDS. ([Issue #35809](https://github.com/istio/istio/issues/35809)) + +- **Added** support for TLS configuration API for workloads. ([Issue #2285](https://github.com/istio/api/issues/2285)) + +- **Fixed** the request authentication policy to always allow the CORS preflight request. + ([Issue #36911](https://github.com/istio/istio/issues/36911)) + +## Telemetry + +- **Added** the implementation of the OpenTelemetry access log. + +- **Added** environment variable support at Wasm extension via VM configuration in WasmPlugin API. + +- **Added** `WorkloadMode` selection to Logging. + +## Extensibility + +- **Added** support for WasmPlugin pulling image from private repository with `imagePullSecret`. + +## Installation + +- **Added** support of installing gateway helm chart as `daemonset`. + ([Issue #37610](https://github.com/istio/istio/issues/37610)) + +- **Fixed** an issue of Envoy losing connection after `istio-ca-root-cert` is changed. + ([Issue #36723](https://github.com/istio/istio/issues/36723)) + +- **Fixed** an issue that was preventing the operator from updating deployments when `.autoscaleEnabled` is `true` and `.k8s.replicaCount` is nonzero. + When both `autoscale` is enabled and `replicaCount` is nonzero, warning messages will be generated during validation. + +- **Fixed** an unknown field `customService` in `v1alpha1.EgressGatewayConfig`. + ([Issue #37260](https://github.com/istio/istio/issues/37260)) + +- **Fixed** the default container annotation when there are multiple containers. 
+ ([Issue #38060](https://github.com/istio/istio/pull/38060)) + +- **Fixed** `istioctl` should add Kubernetes resource in all revisions when running analyze. + ([Issue #38148](https://github.com/istio/istio/issues/38148)) + +- **Fixed** the in-cluster operator can't create resources on recreation of the same `IstioOperator` resource. + ([Issue #35657](https://github.com/istio/istio/issues/35657)) + +- **Removed** `caBundle` default value from Chart to allow a GitOps approach. + ([Issue #33052](https://github.com/istio/istio/issues/33052)) + +## istioctl + +- **Added** analysis interval to reduce the wasteful re-runs of analyzer. + ([Issue #30200](https://github.com/istio/istio/issues/30200)) + +- **Added** the cluster id to `istioctl experimental ps`. + ([Issue #36290](https://github.com/istio/istio/issues/36290)) + +- **Added** a new analyzer for envoy filter patch operations. + ([Issue #37415](https://github.com/istio/istio/issues/37415)) + +- **Added** the pod full name to the IST0103 analysis message. + +- **Added** `istioctl ps` support for ECDS. + +- **Fixed** unexpected warning logs for `istioctl install --dry-run`. + ([Issue #37084](https://github.com/istio/istio/issues/37084)) + +- **Fixed** nil pointer dereference panic when using `kube-inject` when +not passing a needed revision but also passing `injectConfigMapName`. ([Issue #38083](https://github.com/istio/istio/issues/38083)) diff --git a/content/en/news/releases/1.14.x/announcing-1.14/upgrade-notes/index.md b/content/en/news/releases/1.14.x/announcing-1.14/upgrade-notes/index.md new file mode 100644 index 0000000000000..dfda7f62f2495 --- /dev/null +++ b/content/en/news/releases/1.14.x/announcing-1.14/upgrade-notes/index.md 
@@ -0,0 +1,22 @@ +--- +title: Istio 1.14 Upgrade Notes +description: Important changes to consider when upgrading to Istio 1.14.0. +publishdate: 2022-05-24 +weight: 20 +--- + +When you upgrade from Istio 1.13.x to Istio 1.14.0, you need to consider the changes on this page. +These notes detail the changes which purposefully break backwards compatibility with Istio 1.14.0. +The notes also mention changes which preserve backwards compatibility while introducing new behavior. +Changes are only included if the new behavior would be unexpected to a user of Istio `1.13.x`. +Users upgrading from 1.12.x to Istio 1.14.0 should also reference the [1.13.0 change logs](/news/releases/1.13.x/announcing-1.13/change-notes/). + +## `gogo/protobuf` library migration + +The `istio.io/api` and `istio.io/client-go` libraries have switched from using the [`gogo/protobuf`](https://github.com/gogo/protobuf) +to using the [`golang/protobuf`](https://github.com/golang/protobuf) library for API types. + +This change does not have any impact on typical Istio users, but rather impacts users importing Istio as a Go library. + +For these users, upgrading the Istio libraries will likely cause compilation issues. These issues are typically simple to address, +and largely syntactical. The [Go blog](https://go.dev/blog/protobuf-apiv2) on the new protobuf API can help with migration.
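Review bot: in `announcing-1.14/_index.md`, the "Add auto-sni support" section never says how the feature is switched on or where the SNI value comes from; the change notes in this same PR gate it on `ENABLE_AUTO_SNI` and on `DestinationRules` that do not set SNI, so say that here (for example "when `ENABLE_AUTO_SNI` is enabled and the `DestinationRule` does not specify an SNI, the proxy sets it automatically") instead of pointing readers only at the two pull requests. In the same file, "TLS version is important for security." is filler; state what the feature lets an operator do, i.e. raise the minimum TLS version so that workloads reject older protocol versions, and link the task as you already do. Minor: "SPIFFE specification, that offers" should be "specification that offers", and the file is committed without a trailing newline (`\ No newline at end of file`).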
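Review bot: in `change-notes/index.md`, the `credentialName` egress item says the feature works "provided the sidecar has permission to list secrets in the namespace where it resides" but does not say what an operator has to grant or what that grant implies: a list permission on secrets is namespace-wide, not scoped to the one TLS credential, so the note should name the RBAC that must be added to the sidecar's service account and make clear it is opt-in. Same file, other points: the `ISTIO_OUTBOUND_OWNER_GROUPS` / `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` paragraph says the two are "mutually exclusive, use only one of them" but not what `istio-iptables` does when both are set (error out, or one wins), which matters for a VM hardening procedure; "from all processes except for those that under one of the user groups" is missing "run"; "distributes the load more evenly across and is far less" is missing "endpoints"; "send less resource when possible" should be "fewer resources"; the `([Issue #38060](https://github.com/istio/istio/pull/38060))` link is labelled as an issue but points at a pull request; "**Fixed** `istioctl` should add Kubernetes resource in all revisions when running analyze" reads as an imperative and should describe the fix ("`istioctl analyze` now includes resources from all revisions"); and the CORS entry "**Fixed** the request authentication policy to always allow the CORS preflight request" should state plainly that the preflight request is now passed through the policy without credentials, so readers assessing their exposure know exactly which request bypasses it.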
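Review bot: in `upgrade-notes/index.md`, the page promises that changes are included whenever "the new behavior would be unexpected to a user of Istio `1.13.x`", yet the only entry is the `gogo/protobuf` migration, while the change notes in this PR list several default-behavior changes a 1.13 user would hit on upgrade: the default load balancer moving from `ROUND_ROBIN` to `LEAST_REQUEST` (revertible with `ENABLE_LEGACY_LB_ALGORITHM_DEFAULT=true`), unready endpoints now being sent to Envoy (`PILOT_SEND_UNHEALTHY_ENDPOINTS`), partial xDS pushes (`PILOT_PARTIAL_FULL_PUSHES`), and the upstream TLS maximum version being set to TLS 1.3. Each of these belongs here with its opt-out flag. Also, "changes which purposefully break backwards compatibility with Istio 1.14.0" should read "in Istio 1.14.0" (the page describes what 1.14.0 breaks relative to 1.13.x).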