Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

  • About VMware Tanzu Service Mesh

  • What's New in This Release

  • Tanzu Service Mesh Environment Requirements and Supported Platforms

About VMware Tanzu Service Mesh

VMware Tanzu® Service Mesh™ is VMware's enterprise-class service mesh solution that provides consistent control and security for microservices, end users, and data—across all your clusters and clouds—in the most demanding multi-cluster and multi-cloud environments.

To learn more about Tanzu Service Mesh, visit the Tanzu Service Mesh product page or contact your VMware account executive for a free trial.

Tanzu Service Mesh 3.4.0

New Features and Improvements

Fixes

  • Support for the gRPC protocol.

  • Fix on the Kubernetes cluster manager when the maximum cluster limit is reached.

  • Fix for intermittent connectivity issues in GNS.

Known Issues

  • When a gRPC application is deployed in a GNS, traffic succeeds but the topology graph view does not show an accurate hop-by-hop connection across clusters.

    Workaround:

    In the clusters that contain services that are clients of the gRPC Service, manually duplicate the Service (not the Deployment) from the workload cluster to the client cluster. For example:

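    # Service only (no Deployment): a copy of the workload cluster's Service,
    # applied in the client cluster.
    apiVersion: v1
    kind: Service
    metadata:
      name: cartservice
    spec:
      ports:
        - name: grpc
          port: 7070
          targetPort: 7070
      selector:
        app: cartservice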

Tanzu Service Mesh Images to Download

For customers who onboard clusters by using the Tanzu Service Mesh client-side images from a private registry

Make sure that you download the following images for Istio 1.20.6 from the Tanzu Service Mesh public ECR registry into your private registry before upgrading to version 3.4:

  • public.ecr.aws/v6x6b8s5/config-service:v1.1.17

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

  • public.ecr.aws/v6x6b8s5/enterprise-kickstarter:v0.0.5

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v6.4.13

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.4.1

  • public.ecr.aws/v6x6b8s5/policy-service:63f07e9c

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.6.20

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.20.6-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.20.6-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.20.6-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v20.6.0-54c3264c6d95156844630c2eb2114453c83b3f2d

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.9
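
One way to script this download step, shown as an added example that is not VMware tooling: it turns a pasted image list into unique source and destination pairs and mirrors them with `docker`. The registry name `registry.example.internal/tsm` is hypothetical, and keeping each repository path unchanged under the private registry is an assumption; the sample list is constructed from entries above with a duplicate added.

```shell
#!/usr/bin/env bash
# Added example (not VMware tooling): mirror a release's client-side images
# from the public ECR registry into a private registry.
# Assumptions: PRIVATE_REGISTRY is a hypothetical name, repository paths are
# kept unchanged below it, and docker is already logged in to that registry.

SRC_PREFIX="public.ecr.aws/v6x6b8s5/"
PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.example.internal/tsm}"

# Map one public reference to its private-registry reference.
# Returns 1 for anything that does not come from the expected public registry.
dest_ref() {
  case "$1" in
    "$SRC_PREFIX"*) printf '%s/%s\n' "$PRIVATE_REGISTRY" "${1#"$SRC_PREFIX"}" ;;
    *) return 1 ;;
  esac
}

# Read a pasted image list on stdin and print unique "source destination"
# pairs. Bullets, blank lines, repeated entries and several references on
# one line are tolerated; tokens from other registries are dropped.
mirror_plan() {
  tr -s ' \t' '\n' |
    awk -v p="$SRC_PREFIX" 'index($0, p) == 1' |
    sort -u |
    while read -r src; do
      printf '%s %s\n' "$src" "$(dest_ref "$src")"
    done
}

# Pull, retag and push every pair in the plan; stop at the first failure so
# a partial mirror is noticed before the upgrade starts.
mirror() {
  mirror_plan | while read -r src dst; do
    if ! { docker pull "$src" && docker tag "$src" "$dst" &&
           docker push "$dst"; } </dev/null; then
      echo "mirror failed: $src" >&2
      exit 1
    fi
    echo "mirrored $src -> $dst"
  done
}

# Constructed sample: entries from the 3.4 list, one of them repeated.
sample_list() {
  cat <<'EOF'
  • public.ecr.aws/v6x6b8s5/config-service:v1.1.17
  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3 public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0
  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.20.6-release-v1-distroless
  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3
EOF
}

case "${1:-}" in
  --run)  mirror ;;                     # image list on stdin, pushes images
  --plan) mirror_plan ;;                # image list on stdin, prints pairs
  *)      sample_list | mirror_plan ;;  # offline demo on the sample list
esac
```

Run it with `--plan < images.txt` to review the pairs, then with `--run < images.txt` to copy them.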

Tanzu Service Mesh 3.3.2

Released February 5, 2024

These release notes describe the Tanzu Service Mesh 3.3.2 release.

Fixes

  • Fix for AWS records that did not get deleted during a race condition.

  • Fix in the Pod Disruption Budget (PDB) configuration for Istio telemetry.

  • Fix to create HTTPS-based public service in GSLB.

  • Fix for crash loop in Global Namespace Service.

Tanzu Service Mesh Images to Download

For customers who onboard clusters by using the Tanzu Service Mesh client-side images from a private registry

Make sure that you download the following images from the Tanzu Service Mesh public ECR registry into your private registry before upgrading to version 3.3.2:

  • public.ecr.aws/v6x6b8s5/config-service:v1.1.15

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

  • public.ecr.aws/v6x6b8s5/enterprise-kickstarter:v0.0.5

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v6.4.13

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.4.1

  • public.ecr.aws/v6x6b8s5/policy-service:63f07e9c

  • public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.6.20

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v18.5.1

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.9

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.2-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.18.5-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.18.5-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.18.5-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/timescaledb:2.9.3-pg14

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-cainjector:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-controller:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-istio-csr:v0.6.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-webhook:v1.11.1

  • public.ecr.aws/v6x6b8s5/metrics-writer:v1.1.63

Tanzu Service Mesh 3.3.0

Released September 18, 2023

These release notes describe the Tanzu Service Mesh 3.3.0 release.

New Features and Improvements

Support of New Istio and Kubernetes Versions

Tanzu Service Mesh 3.3.0 supports Istio version 1.18.5 and Kubernetes version 1.27. For details of the changes in Istio 1.18.5, see the Istio 1.18.5 release notes. For details of the changes in Kubernetes 1.27, see the Kubernetes 1.27 release notes.

For a list of the platforms supported by Tanzu Service Mesh 3.3.0, see Tanzu Service Mesh Environment Requirements and Supported Platforms.

Known Issues

  • The Tanzu Service Mesh CLI plugin, which is integrated into the Tanzu CLI, fails to create more than 9 objects from an applied YAML manifest file.

  • If an OpenShift client cluster is used, automatic API discovery functionality becomes available in the Tanzu Service Mesh Console with a delay of 40-50 seconds because of a problem with OpenShift Container Platform (OCP).

Tanzu Service Mesh Images to Download

For customers who onboard clusters by using the Tanzu Service Mesh client-side images from a private registry

Make sure that you download the following images from the Tanzu Service Mesh public ECR registry into your private registry before upgrading to version 3.3.0:

  • public.ecr.aws/v6x6b8s5/config-service:v1.1.15

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

  • public.ecr.aws/v6x6b8s5/enterprise-kickstarter:v0.0.5

  • public.ecr.aws/v6x6b8s5/flyway-metricsv2-client:v0.0.9

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v6.4.13

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.4.1

  • public.ecr.aws/v6x6b8s5/metrics-writer:v1.1.63

  • public.ecr.aws/v6x6b8s5/policy-service:63f07e9c

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0

  • public.ecr.aws/v6x6b8s5/timescaledb:2.9.3-pg14

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.6.20

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-cainjector:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-controller:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-istio-csr:v0.6.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-webhook:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.18.0-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.27

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.2-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.18.0-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.18.0-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v18.0.0

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.9

Tanzu Service Mesh 3.2.2

Released August 1, 2023

These release notes describe the Tanzu Service Mesh 3.2.2 release.

New Features and Improvements

API Collaboration, Validation, and Scoring

You can view and score APIs that are in the development stage of the API life cycle. Tanzu Service Mesh extracts the API specification of these APIs from a GitHub repository, based on a configuration, and then automatically scans such configured APIs to validate them for problems and provides API scores for quality, OpenAPI standard compliance, security, and governance. You can view the contents of the API specification for a configured API and view the details of its API scores.

For more information about configured APIs and viewing their scores, see Tanzu Service Mesh product documentation.

Tanzu Service Mesh CLI Integrated into the Tanzu CLI

The Tanzu Service Mesh CLI has been integrated with the VMware Tanzu CLI as a plugin to provide a unified Tanzu experience to our customers. The Tanzu CLI gives users a single point of interaction with different Tanzu products, including Tanzu Service Mesh, and provides them with commands to manage their VMware Tanzu infrastructure. For more information about the Tanzu CLI, see the VMware Tanzu CLI documentation.

The current behavior and functionality of the Tanzu Service Mesh CLI as a plugin within the Tanzu CLI remains unchanged. For information about installing and using the Tanzu Service Mesh plugin within the Tanzu CLI, see the Tanzu Service Mesh CLI documentation.

Metrics Retention Reduced to 7 Days

Previously, up to 30 days of performance metrics were retained in the system for the Tanzu Service Mesh-managed services and clusters. This had a substantial impact on scalability and performance due to the size of the database and lengthy API call response times for 30-day queries.

The metrics retention period has been reduced from 30 days to 7 days to help decrease the API call response times. The change will yield a significant improvement in the scalability and performance of Tanzu Service Mesh. The 7-day retention period will still allow users to monitor short-term trends and identify potential issues while significantly reducing the system load.

Customers who require more than 30 days of data for analysis can use another tool that Tanzu Service Mesh can send metrics to. The Tanzu Service Mesh team is currently working on a solution to export metrics to external tools.

Known Issues

  • The API Management page does not display the endpoints for discovered and configured APIs because a request that is sent to the backend to retrieve the endpoint data fails due to an expired or missing authentication token in the request. As a workaround, refresh the API Management page to have the endpoints appear.

  • If the configuration for a discovered API points to a GitHub repository that stores multiple specification files (API reference or extension files in addition to the primary specification file), only the primary specification is displayed in API Management in Tanzu Service Mesh. Also, if those reference and extension files are stored in a directory other than the root directory in the repository, Tanzu Service Mesh cannot scan the files to validate them.

  • If a user sends a request to onboard a cluster through the API and sets the enableNamespaceInclusions and enableNamespaceExclusions fields in the request to false, all namespaces in the cluster will be included for automatic Istio sidecar injection if no namespace exclusion conditions are provided.

  • Discovering and updating headless services and service groups in a global namespace can take up to 5 minutes. This delay will be reduced in an upcoming release.

Tanzu Service Mesh Images to Download

For customers who onboard clusters by using the Tanzu Service Mesh client-side images from a private registry

Make sure that you download the following images from the Tanzu Service Mesh public ECR registry into your private registry before upgrading to version 3.2.2:

  • public.ecr.aws/v6x6b8s5/config-service:v1.1.12

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

  • public.ecr.aws/v6x6b8s5/enterprise-kickstarter:v0.0.5

  • public.ecr.aws/v6x6b8s5/flyway-metricsv2-client:v0.0.3

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v6.4.8

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.4.1

  • public.ecr.aws/v6x6b8s5/metrics-writer:v1.1.57

  • public.ecr.aws/v6x6b8s5/policy-service:63f07e9c

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0

  • public.ecr.aws/v6x6b8s5/timescaledb:2.9.3-pg14

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.6.18

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-cainjector:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-controller:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-istio-csr:v0.6.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/cert-manager-webhook:v1.11.1

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.17.3-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.2-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.27

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.17.3-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.17.3-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v17.3.0

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.6

Tanzu Service Mesh 3.2.0

Released June 21, 2023.

These release notes describe the Tanzu Service Mesh 3.2.0 release.

New Features and Improvements

UI for Vault CA Integration

This release brings a UI experience for configuring an integration with Vault certificate authority (CA). You integrate with Vault CA to use Vault-issued certificates for secure mTLS communication between services within your service mesh.

You can create a Vault integration from the Admin area of the Tanzu Service Mesh Console. For more information, see the Tanzu Service Mesh product documentation.

Customer-Managed Namespace Labeling

Tanzu Service Mesh now offers you an option to take control over namespace labeling for Istio injection and prevent Tanzu Service Mesh from overriding the labeling changes you make in Kubernetes. You can select the Cluster admin owned option for a cluster when you onboard it or edit it.

When you select Cluster admin owned, you delegate all responsibility for namespace labeling, including selection for inclusion, to the cluster administrator who operates the cluster. This is useful when the person operating Tanzu Service Mesh and the person operating the cluster are two different people. The cluster administrator can then create and label namespaces on the cluster as needed, without having the changes overridden by Tanzu Service Mesh. For more information about customer-managed namespace labeling, see the Tanzu Service Mesh product documentation.

Public services without global load balancing (GSLB)

In addition to being able to configure public services with global load balancing (GSLB), you can configure public services without GSLB, or non-GSLB public services. Based on the configuration provided for the public service, Tanzu Service Mesh creates an ingress gateway definition on each Kubernetes cluster where the public service is running to allow access to the service from the cluster’s ingress controller and Istio ingress gateways.

For more information about creating non-GSLB public services, see the Tanzu Service Mesh product documentation.

Rolling Upgrades Feature Deprecated

Starting from release 3.2, the global namespace Rolling upgrades feature, which was managed from the v1alpha1/global-namespaces/{gnsId}/public-service/{fqdn}/route API, is deprecated. Istio-level traffic management and public service weighted load balancing will continue to be supported.

Metrics Retention Period to Change from 30 Days to 7 Days

To respond to customer feedback and to increase system scale, in the upcoming 3.3 release of Tanzu Service Mesh, we will deprecate the 30-day performance metrics retention period and reduce the retention period to 7 days.

Fixes

  • Fix for a bug where services sporadically disappear and take a long time to recover or re-establish network connectivity.

Known Issues

  • Known issues in the integration between VMware Tanzu Mission Control and Tanzu Service Mesh:

    • Tanzu Mission Control does not support Tanzu Service Mesh Enterprise.

    • Tanzu Mission Control does not support additional onboarding features (proxy connections to a cluster, CA integration, namespace inclusions).

    • Tanzu Mission Control does not support Day 2 operations (including upgrades of Tanzu Service Mesh).

    • When a user creates an EKS cluster in Tanzu Mission Control and enables Tanzu Service Mesh integration on it, Tanzu Service Mesh returns only the partial name of the cluster. This causes certain operations, such as installing Tanzu Service Mesh upgrades on the cluster or offboarding the cluster from Tanzu Service Mesh, to fail.

  • In release 3.2.0, a new GitHub integration card was added to the Integrations page of the Tanzu Service Mesh Console. This card is used to configure a GitHub repository and branch from which to retrieve an API specification and is used with a new API collaboration, validation, and scoring feature. The GitHub integration card always appears but does not provide functionality because the API collaboration, validation, and scoring feature will be available in an upcoming hot fix of version 3.2.

  • If a public service configuration specifies public URLs that are based on two external DNS accounts (for example, Avi and AWS DNS accounts), the public service details page incorrectly shows the health status of the public URL from one of these DNS accounts (for example, the AWS DNS account) as unhealthy.

  • If a public service has more than one service version, the Service Instances, CPU Usage, and Memory Usage graphs on the Performance tab of the public service details page show no data. As a workaround, to view the CPU usage and memory usage metrics for the public service, go to the Service Instances tab, click the instance you want, and view the CPU Usage and Memory Usage graphs on the service instance details page.

  • In version 3.2.0, when Tanzu Service Mesh SaaS services are upgraded, this can cause external integration accounts (such as Avi and AWS integration accounts) to go into disconnected state. In this case, the Integrations page shows "Account Disconnected" for the integration accounts. A workaround is to delete and re-add each disconnected account. This bug will be resolved in a future release.

  • The DENY count is not displayed for an L7 access control policy (ACP) if the API Discovery feature is not activated.

  • If a service is selected for a global namespace, and that service then gets scaled up according to an applicable autoscaling policy, the existing Envoy upstream connection pool may not use the new pods to route requests. New connections to the upstream service will use the available pods but may result in an uneven distribution of traffic.

Tanzu Service Mesh Images to Download

For customers who onboard clusters by using the Tanzu Service Mesh client-side images from a private registry

Make sure that you download the following images from the Tanzu Service Mesh public ECR registry into your private registry before upgrading to version 3.2.0:

  • public.ecr.aws/v6x6b8s5/config-service:v1.1.10

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

  • public.ecr.aws/v6x6b8s5/enterprise-kickstarter:v0.0.5

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v4.6.15

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.4.1

  • public.ecr.aws/v6x6b8s5/metrics-writer:v1.1.54

  • public.ecr.aws/v6x6b8s5/policy-service:63f07e9c

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0

  • public.ecr.aws/v6x6b8s5/timescaledb:2.9.3-pg14

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.6.17

  • public.ecr.aws/v6x6b8s5/tsm-flyway:v3.5.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.16.4-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.2-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.16.4-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.16.4-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v16.4.0

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.6

For more information about using customer-owned image registries in Tanzu Service Mesh, see Customer-Owned Image Registry Support and Secret Authentication.

Tanzu Service Mesh 3.1.1

Released April 21, 2023

These release notes describe the Tanzu Service Mesh 3.1.1 release.

New Features and Improvements

Support of Vault Certificate Authority (CA)

In addition to self-signed certificates and Venafi CA, Tanzu Service Mesh now supports certificates issued by Vault CA to secure the service mesh using mTLS.

Following are the high-level steps for enabling integration with Vault CA in Tanzu Service Mesh:

  1. Configure your Vault server to enable communication between the Vault server and the cluster to be onboarded.

  2. Create a Vault CA integration account in Tanzu Service Mesh.

  3. At the time of cluster onboarding, select the Vault CA label from the account for a cluster to have Tanzu Service Mesh secure the service mesh installation on the cluster with Vault-signed certificates.

Release 3.1 delivers only changes in the API to support integration with Vault CA, including the changes in the following APIs:

  • PUT /v1alpha1/external-accounts/{id} - Create a Vault integration account, including the CA label.

  • PUT /v1alpha2/certificate-authorities/{ca_id} - Associate the CA configuration with the label that can be applied to a cluster at the time of onboarding.

  • PUT /v1alpha1/certificates/{id} - Create a certificate chain to be used for the Vault integration account.

A future release will bring a full UI experience for configuring a Vault integration account, applying the CA label to clusters during onboarding, and viewing the CA health check for a cluster.

Tanzu Service Mesh CLI Download UI

This release brings a user interface experience for downloading the Tanzu Service Mesh CLI. Organizations can integrate the CLI into their GitOps workflow to apply declarative Git-central specifications of Tanzu Service Mesh features and policies to Tanzu Service Mesh SaaS.

For more information about downloading the CLI from the Tanzu Service Mesh UI, see Download and Install the CLI. For more information about the Tanzu Service Mesh CLI and GitOps workflow in Tanzu Service Mesh, see GitOps Workflow with Tanzu Service Mesh.

Fixes

  • A fix for an issue where after the upgrade to version 3.0, namespaces that have the istio-injection=enabled label don't have a check box selected in the Edit Cluster dialog box.

  • Fixed an issue where the SLO Status and Error Budget Remaining columns on the SLO Dashboards tab incorrectly show plain text for the icons.

  • A fix for a bug where API audit log export does not send to the specified Splunk HTTP Event Collector (HEC) port.

  • A fix for a bug where the service group details page and the global namespace details page show an empty Policies tab.

  • A fix for the Service Instances tab on the GNS details page to show only the service instances from the clusters selected for the global namespace.

  • Fixed a bug in Tanzu Service Mesh Enterprise that prevents service groups from being synced to a client cluster and that causes access control policies to not be applied properly on the cluster.

  • A fix for showing public services configured in a global namespace on the Public Services tab of the global namespace details page and in the Edit Global Namespace window.

  • A fix for the Autoscaling Policies page and the SLO Policies page showing autoscaling policies and SLO policies only in incognito mode.

  • A fix to show incoming APIs on the APIs & Connections tab of the service version topology view.

  • A fix for the Configuration tab of the cluster details page to show the included namespaces on the cluster. The Namespace Exclusion label was changed to Namespace Inclusion.

  • General bug fixes for pages with no data, and optimization enhancements to SLO and Tanzu Service Mesh Enterprise features.

Known Issues

  • Tanzu Service Mesh currently does not support the use of a single external Vault CA account for multiple clusters. Each cluster must be associated with a separate external CA account.

To create an external Vault CA account for a cluster, make these API calls:

  1. (Optional) If the Vault server is using a certificate authority bundle that is self-signed or that is not publicly available, make a call to PUT /v1alpha1/certificates/{id}.

  2. To create an external integration account, make a call to PUT /v1alpha1/external-accounts/{id}.

  3. To create a CA configuration and associate the CA configuration with the CA label to use during the onboarding of the cluster, make a call to PUT /v1alpha2/certificate-authorities/{ca_id}. To specify the CA label, set the value under labels in the request body to the external account name from the request to PUT /v1alpha1/external-accounts/{id}.

  4. (Optional) To change the trust domain for all the clusters in the default project, make a call to PUT /v1alpha1/projects/default, setting trust_domain to the trust domain you want.

  • When Vault is used as an external CA, clusters can have different CA accounts associated with them. The current restriction in the UI does not allow clusters using different CAs to be added to a global namespace. As a workaround, you can add the clusters to the global namespace through API, provided that their CA accounts point to the same root of trust. To create a global namespace and add the clusters to it, make a call to PUT /v1alpha1/global-namespaces/{id}.

  • Changing the CA label that was selected for a cluster during onboarding causes the application pods and Istio pods to be in an unstable state where they continue to use the old CA's certificates for some time. As a workaround, restart the application pods to get the new certificates. After the application pods are restarted, the Istio pods will get a new certificate automatically.

  • When an external CA account gets deleted in the backend, the Edit Cluster dialog box still shows the CA label associated with the account in the Integrations list. If a user selects the CA label of the non-existing account for the cluster, the cluster's CA Health Status is incorrectly shown as Connected.

  • The installation of Tanzu Service Mesh currently fails on Red Hat OpenShift clusters.

Tanzu Service Mesh Images to Download

For customers who onboard clusters by using the Tanzu Service Mesh client-side images from a private registry

Make sure that you download the following images from the Tanzu Service Mesh public ECR registry into your private registry before upgrading to version 3.1:

  • public.ecr.aws/v6x6b8s5/config-service:v1.1.7

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

  • public.ecr.aws/v6x6b8s5/enterprise-kickstarter:v0.0.5

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v4.6.11

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.4.1

  • public.ecr.aws/v6x6b8s5/policy-service:63f07e9c

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/telemetry-plugin:v3.0.0

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.6.11

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.12.7-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/kubectl:1.16

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.2-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.12.7-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.12.7-release-v1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v12.7.2

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.3

  • public.ecr.aws/v6x6b8s5/timescaledb:2.9.3-pg14

  • public.ecr.aws/v6x6b8s5/tsm-flyway:v3.5.12

For more information about using customer-owned image registries in Tanzu Service Mesh, see Customer-Owned Image Registry Support and Secret Authentication.

Tanzu Service Mesh 3.0.4

Released April 5, 2023

These release notes describe the Tanzu Service Mesh 3.0.4 release.

Enhancements

Support of a GitOps Model with Tanzu Service Mesh CLI

Tanzu Service Mesh supports an organizational DevOps model where a Git repository is the source of truth for all configuration and where the repository stores human-readable declarative manifests describing a desired Tanzu Service Mesh environment configuration (global namespaces and security and compliance policies).

Tanzu Service Mesh provides a CLI that you can use to automate the deployment of a Tanzu Service Mesh environment to your clusters. You can configure an automated pipeline to trigger the CLI to apply the configuration from the manifest files to the clusters at regular intervals, thus ensuring that the clusters remain in sync with the desired configuration in Git.

You also have the option of running the CLI manually.

Version 3.0 offers a browser-based URL for downloading the CLI as a workaround. A more consistent UI experience for downloading and installing the CLI will be available in the next version.

For more information about support of GitOps in Tanzu Service Mesh and about the Tanzu Service Mesh CLI, see the Tanzu Service Mesh product documentation.

Namespace Onboarding Workflow

The Namespace Onboarding Workflow is a feature in which you select namespaces to be injected with a proxy sidecar. Under the previously used "exclusion" model, any new namespace that was created would automatically be injected with a sidecar, and it was up to the customer to choose which namespaces they want to exclude. However, this posed a challenge for customers when installing system applications into Kubernetes clusters that they did not want to have a sidecar injected into.

Based on customer feedback, the model has been changed to follow the Istio model. In this new model, to onboard a namespace and have sidecars injected, the customer must opt in by manually labeling the namespace with the istio-injection=enabled label from the Kubernetes console or in the UI during onboarding or the "edit cluster" operation. The labeling from the console or the UI is interchangeable, and customers can choose a method that fits their needs.

With the new model, you need to specifically label or select for injection any new namespace that is created. Although this change addresses the problem, it is a change in operations that customers need to be aware of.

For backward compatibility, clusters that are already onboarded using the old exclusion model will continue to operate the same way after the upgrade, and customers can choose to switch to the new inclusion model at their convenience with a cluster edit operation or through the API.

Important:
  • When onboarding a cluster to Tanzu Service Mesh, whether it already had Istio or is a clean cluster, you must select which namespaces on the cluster are included for Istio sidecar injection. Old istio-injection labels on the namespaces will not carry over to Tanzu Service Mesh. For more information about namespace inclusions during cluster onboarding, see Onboard a Cluster to Tanzu Service Mesh.

  • If you set namespace inclusions for a cluster in the Tanzu Service Mesh UI (during onboarding or when editing a cluster configuration) or through the API, you will not be able to manually label any namespaces on the cluster with istio-injection in Kubernetes.

To take control over namespace labeling and prevent Tanzu Service Mesh from overriding the namespace labeling changes you make in Kubernetes, do the following:

1. Annotate each namespace on which you want to set the istio-injection label with allspark=disable-update:

kubectl annotate ns namespace-name allspark=disable-update

2. Set the istio-injection label on the namespace to either enabled or disabled. For example, to enable injection:

kubectl label ns namespace-name istio-injection=enabled

Be aware that the Tanzu Service Mesh UI currently does not reflect the namespace labeling changes you make in Kubernetes if you set the override annotation. In a future release, we plan to add the ability to reflect the real-time status of namespaces and delegate control of namespace labeling to users.

For more information about the Namespace Onboarding Workflow feature, see the Tanzu Service Mesh product documentation.
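One way to check a cluster against the opt-in model described above, as an added example that is not part of the release notes or of the Tanzu Service Mesh CLI: the script compares the output of kubectl get namespace -L istio-injection with the list of namespaces you intend to have in the mesh. The function names, the desired list, and the sample namespaces are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the namespaces you intend to have in the
# mesh and the istio-injection labels actually present on the cluster.
#
# Input on stdin: output of `kubectl get namespace -L istio-injection`
# (columns NAME STATUS AGE ISTIO-INJECTION; the last column is empty when the
# namespace carries no istio-injection label).

# injection_drift "<ns1> <ns2> ..."
#   UNEXPECTED <ns>          labeled enabled but not in the desired list
#   MISSING <ns> (<state>)   desired but disabled, unlabeled, or not found
injection_drift() {
  awk -v desired="$1" '
    BEGIN {
      n = split(desired, d, " ")
      for (i = 1; i <= n; i++) want[d[i]] = 1
    }
    $1 == "NAME" && $2 == "STATUS" { next }   # header row
    NF == 0 { next }                          # blank line
    {
      state = (NF >= 4) ? $4 : "unlabeled"
      seen[$1] = state
      if (state == "enabled" && !($1 in want)) print "UNEXPECTED " $1
    }
    END {
      for (i = 1; i <= n; i++) {
        ns = d[i]
        if (!(ns in seen)) print "MISSING " ns " (namespace not found)"
        else if (seen[ns] != "enabled") print "MISSING " ns " (" seen[ns] ")"
      }
    }'
}

# Constructed sample of the kubectl output (hypothetical namespaces).
sample_output() {
  cat <<'EOF'
NAME          STATUS   AGE   ISTIO-INJECTION
default       Active   40d
kube-system   Active   40d
shop          Active   12d   enabled
payments      Active   12d   disabled
legacy        Active   30d   enabled
EOF
}

# Demo on the constructed sample. Against a real cluster, run:
#   kubectl get namespace -L istio-injection | injection_drift "shop payments"
sample_output | injection_drift "shop payments checkout"
```

A namespace reported as MISSING runs without a sidecar, and pods that already existed when a label changed still need a restart before the change takes effect.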

Enterprise Proxy Support

This version adds support for enterprise proxy communication between client clusters and Tanzu Service Mesh SaaS. If a proxy configuration is added on a cluster, the Tanzu Service Mesh software sends traffic from the client cluster through an enterprise proxy to SaaS.

If configured, the proxy communicates with an endpoint for the ingress gateway over a regular TLS connection. The endpoint uses a globally trusted certificate for secure communications.

A digitally signed JWT access token is attached to every request sent from a client cluster to SaaS to properly authorize the request.

New v1alpha2 APIs

For customers who use APIs to onboard clusters, we recommend using the new v1alpha2 APIs.

Fixes

  • A fix to an issue where a new AVI integration cannot be saved if Allow Insecure Mode is selected.

  • A fix for the API Management tab where the UI times out intermittently when the backend takes longer to respond to an API call.

  • Resource limit changes for policy-service installed in client clusters during onboarding.

  • A fix to address service-group object sync on client clusters.

  • A fix to an issue where egress traffic to an external service is not observable in Tanzu Service Mesh when Tanzu Service Mesh SaaS was deployed in Advanced mode.

  • Fix to the Severity icon missing from the Security Events table on the Security page.

  • A fix to the error budget and target levels not being observable for a service's SLO policy.

  • A fix to an issue where the User Discovery option is enabled during a global namespace edit although it was not enabled when the global namespace was configured.

  • A fix to the Show filter in the Access Control Policy table not filtering access control policies according to a selected value.

  • A fix for access control policy metrics not showing in the Access Control Policy table.

  • A fix to an issue where after the upgrade of SaaS to version 3.0, namespaces that were previously selected for Istio sidecar injection are not shown as selected for Istio sidecar injection in the Edit Cluster dialog box.

  • A fix to an issue where an included namespace is not checked in the Edit Cluster dialog box although the corresponding Is Exactly inclusion rule for the same namespace is correctly shown in the dialog box. The issue occurred after a namespace having an Is Exactly inclusion rule got deleted.

  • A fix to an issue where a cluster that was onboarded with a custom registry configuration cannot be edited.

  • A fix for intermittent failures of the service mesh auto installation caused by Tanzu Service Mesh Lifecycle Manager not detecting cluster details.

Known Issues

  • The UI does not provide a warning to a user to restart pods if the user includes or excludes an existing namespace from Istio sidecar injection during onboarding and that namespace has some application pods. A restart of the pods is required for the change to take effect.

  • If a user selects all the namespaces for Istio sidecar injection during onboarding and then edits the cluster to deselect all the selected namespaces, Istio sidecar injection is not disabled properly for the namespaces. Running kubectl get namespace -L istio-injection shows that the namespaces have istio-injection enabled.

  • If a global namespace is configured to span two or more namespaces on the same cluster, an external service configured in the global namespace works only with the first of these namespaces.

  • It is not possible to select custom optimization settings in a new attack detection policy.

  • Access control policy metrics do not show up in the Access Control Policy popup window when a user clicks a cross-cluster connection between services in the topology graph on the GNS Topology tab.

Past Tanzu Service Mesh Releases

January 18, 2023 (version 1.16.9)

These release notes describe the Tanzu Service Mesh 1.16.9 release.

Enhancements

Global SLO Dashboard

Release 1.16.9 introduces the Tanzu Service Mesh Global Service Level Objective (GSLO) Dashboard, which allows application SREs, developers, and operators to track and monitor their SLOs in real-time in one place. The Global SLO Dashboard gives users a comprehensive view of the applications' overall health by displaying all SLOs for their services in one consolidated view. SLOs can be searched, sorted, and filtered using the dashboard, and users can also manage them in a central location. In addition, the users will be able to identify which SLOs are meeting the desired SLO target and which are not. This will contribute to effective capacity planning and better troubleshooting by providing a clear understanding of the services requiring more attention, resulting in higher application productivity.

For more information about SLOs in Tanzu Service Mesh, see Service Level Objectives with Tanzu Service Mesh technical documentation.

External Certificate Authority

With the 1.16.9 release, Venafi Certificate Authority accounts can be integrated with Tanzu Service Mesh for automatic TLS certificate management using Venafi Trust Protection Platform (TPP). All certificates will be protected and controlled for workloads, and this process is transparent to the Tanzu Service Mesh Controller. 

Here are some UI enhancements to support External CA integration:

  • Improvements to the Cluster Details page to include CA status.

  • Refactored cluster onboarding UI to support external CA integration.

  • Changes to the logic to display the Trust Domain modal.

Notice:

  • Trust domains should not be edited, even though the UI doesn't restrict them. You need to off-board the cluster and then on-board it back with the new trust domain in order for this to work.

  • Adding services from clusters that use different CAs (for example, self-signed on one cluster and Venafi on the other cluster) fails when GNS creation is attempted.

Headless Services

The current release introduces Headless services with StatefulSets that are used to manage stateful applications such as databases or other applications that keep track of their state. By using StatefulSets, a set of pods can be deployed and scaled within a global namespace, ensuring that they are ordered and unique. A headless service is a regular Kubernetes service where spec.clusterIP is explicitly set to "None" and spec.type is set to "ClusterIP". No cluster IP is allocated for the service; instead, SRV records are created for all the named ports of the service's endpoints.

Private IP Support

With this release, Tanzu Service Mesh allows customers to make a cluster private in the cloud by using the API to prevent it from being exposed to the internet. During cluster onboarding, this would apply the appropriate configuration to the cloud automatically, ensuring that only an internal IP address is configured and that the gateway is not exposed to the internet.

Here are some advantages:

  • Operators can segregate east-west service-to-service communications and traffic facing the public from traffic facing their internal users.

  • Operators can separate and insert granular traffic controls for north-south versus east-west traffic. 

Other Enhancements

  • UI enhancements to notify the block for the same service port and host port when configuring External Services.

  • Enhancements to contextual help search links.

  • UI enhancement to implement a check when setting 100% SLO Target.

  • Addition of Schema Validation check toggle buttons for GNS.

  • Addition of a new Details Page for External Services.

  • Upgrade of the TLS version to 1.2.

Fixes

  • Fixes to display cluster names of SLOs associated with service groups in the GSLO dashboard. 

  • A fix for issuer deletion during an external account update.

  • A fix to the issue with CA status not updating until the page is refreshed.

  • A fix to cluster status set to unknown for default TSM signed clusters.

  • A fix to trust domains not updating in pods when Venafi account changes.

  • Fixes for Istio metrics that have been missing after high throughput applications scale beyond 20 instances.

  • A fix for blackhole traffic caused by traffic shifting in the Public Services.

  • A fix for TSM operator crash on cluster onboarding through TMC.

  • A fix for Weighted GSLB Fields not updated in GNS.

  • A fix for GNS creation failure.

  • A fix for external service policy propagation.

  • Fixes to 404 error when calling getTimestamp in the replicator.

  • UI fixes to display the Performance tab for External Service.

  • Fixes to platform integration test failures due to advanced integration runs.

  • Fixes to prevent the Datagrid footer from overflowing.

  • A fix for flaky GNS service entry inventory test.

  • A fix for unrefreshed cluster status for default TSM signed clusters.

  • Fixes to issues with public service configuration edit not working when changing GSLB scheme.

  • UI fixes to remove the Venafi account listing from the DNS page.

  • Fixes to Service Level Objectives' tests.

  • Fixes to input full word for Autoscaling policy labels.

  • UI fixes to the Create/Edit modal for Trust Domain.

  • UI fixes to the Cluster Overview page to address a problem encountered during cluster editing.

  • A fix for an issue with the Kubernetes cluster manager liveness probe.

  • UI fixes for the alignment issue in the Cluster & Nodes section's Health Status label.

  • Fixes to the API List response to remove deleted CA listings.

  • Fixes to the Analytics > Detail View page for sorting issues with the last access time.

  • Fixes for domain sync delay caused by a large number of namespaces onboarded to the cluster.

  • Fixes for flaky Public Services table.

  • UI fixes to display Hamburger Signs (three dots) with large characters in GNS names.

  • Fixes for topology errors to display connections correctly.

  • A fix to make the CSV file include all cluster names when downloaded the first time or after the page loads/reloads.

  • Fixes for random UI theme changes during navigation.

  • Fixes for Datagrid filtering.

  • Fixes to the Service Preview to list the services during GNS editing.

  • Fixes for the Service Performance Metrics display issue in TSM UI.

  • A fix to make a certificate and key file mandatory in the AVI > New Certificate pop-up.

  • Fixes to GNS and Cluster topology to display correct data.

  • UI fixes to update excluded namespaces immediately.

  • Fixes to the GSLB dropdown to restrict the display of labels for namespaces that are not part of the GNS.

  • Fixes to display the complete list of public services.

  • A UI fix for the Image Registry Page's loader misplacement. 

  • Fixes to the Service Level Objectives (SLO) page to display actionable SLO names.

  • A fix for a clear display of error messages when SLO creation fails.

  • A fix to remove the Security tab from the GNS Service Details page.

  • Fixes for CLM crashes when issuer events cannot be handled (Rancher installation).

  • Fixes for cluster onboarding issues in TMC.

  • Fixes to service specs in inventory to deal with complex types.

  • Fixes for TSM operator backward compatibility.

  • Fixes for TSM Enterprise installation to enable envoy filter crd flag.

  • Fixes for Calico Pod crashing due to AVI connector.

  • Fixes for missing Istio metrics after high throughput application scales beyond 20 instances.

  • Fixes to uncompress Kinesis events.

  • Fixes for SFB crash for 1000 TPS.

  • Fixes for autoscaling during error in aggregator.

  • UI Fix for GNS services preview.

  • Fix for port 80 vulnerability in istio-ingressgw and api-gw.

  • Fixes for tenant api gateway not responding with CPU 100% usage.

  • Fix for versioned services responding with 503.

  • Fix for k8s-connector to garbage collect Secret Hashnode from Datamodel.

Known Issues

  • Currently, Venafi integration only supports HTTPS/HTTP traffic over the service port: 80.

July 5, 2022 (version 1.15.1)

These release notes describe the Tanzu Service Mesh 1.15.1 release.

Enhancements

External Services

With the 1.15.1 release, Tanzu Service Mesh can access services that are configured outside of the mesh. For example, third-party database services can be accessed by services within a global namespace. External services can run on virtual machines, external Kubernetes clusters, Tanzu Application Service environments (TAS), lambda functions, or even on bare metal, and can be accessed over TCP, TLS, HTTP, or HTTPS. External services can have multiple endpoints, and load balancing can be done between them. The round-robin load balancing mechanism is currently set as the default, and users do not need to configure additional load balancing schemes in the UI. Tanzu Service Mesh provides detailed information to help you monitor the performance of an external service using performance metrics. External Service traffic can be observed in GNS Topology, as well as on the external service Performance page.

Wildcard Support for External Services 

External service wildcard support in Tanzu Service Mesh Global Namespace allows services inside Tanzu Service Mesh global namespace to connect to external servers whose hostnames are in wildcard format (e.g. *.google.com, *.wikipedia.com). With wildcard support, we can choose exactly which servers to connect to among the set of wildcard servers. Tanzu Service Mesh currently supports matching subdomains of external service hostnames using wildcards.

Notice:

Check out the External Service documentation for more information on how to create/edit external services, monitor their performance, and wildcard support. 

Other Enhancements

  • Enhancements to the egress gateway to process forwarded domain traffic from mesh.

  • Enhancements in the pod association with the correct service version for handling external service traffic.

  • Changes to the query manager to continue fetching SLO and autoscaling registered decisions from the TSM SaaS timescale database.

  • Improved observability/metrics integration with external services. 

  • Envoy-filter for egress gateway enables patching the cluster to use a specific TLS version for upstream traffic.

  • Updated Photon 4 images to the latest version, so there are fewer vulnerabilities.

  • Upgraded TLS version to 1.2.

  • Support for Splunk configuration has been added to the External Resource API.

  • Implementation of policy and telemetry channels using the Ingress Gateway.

  • Update of Kube manifests API to 1.16 from 1.15.

  • Upgrade of Istio to 1.6 across all SaaS environments.

  • Support for operator proxy.

Fixes

  • A fix for custom registry operator.

  • Fixes to external services access failure in Istio 1.12.2.

  • Fixes to make external services available through host and service ports.

  • Fixes to pagination issue in the Service Table to display the total records.

  • Fixes to prevent crashes during policy deletion.

  • A fix for TCP external services issue.

  • Fixes to the UI to display the correct external service topology for a single GNS Multicluster configuration.

  • Fixes to remove spurious information from the Service status bar.

  • A fix for the external service configuration issue.

  • Fixes to the Cluster Details page to display all metrics.

  • Correction of the mismatch between the actual attack count and tooltip display on the Security Event page. 

  • A fix to ignore data from removed clusters in the GNS topology and Connections tabs.

  • A fix for rounding off time in Security Events.

  • A fix to list cross-cluster TCP connections.

  • Fixes to display outgoing APIs in the Connections tab for cross-cluster configuration.

Known Issues

  • To access wildcard support for external services, there must be a live www subdomain server in the list of external servers. 

  • For multiple service endpoint configurations, the service port and the gateway port should not be the same.

  • A failure occurs when the same external service is configured in multiple global namespaces.

  • A multinamespace GNS cannot be configured in the same cluster for an external service.

March 29, 2022 (version 1.14.10)

These release notes describe the Tanzu Service Mesh 1.14.10 release.

Enhancements

AVI Proxy

Prior to release 1.14.10, a requirement for integrating TSM with NSX Advanced Load Balancer (formerly known as Avi Networks) was that the Avi API should be publicly exposed so that there will be a direct connection between the TSM global controller and Avi controller. In this release, users can specify one or more clusters to connect with the Avi Instance via cluster labels. Cluster labels are used to identify clusters that may potentially be used by TSM SaaS to connect to Avi controller(s). Note that this functionality requires Kubernetes clusters to have network connectivity to the Avi Instance running on the infrastructure. Any connectivity or authentication issues will be displayed on the Integrations page of the Tanzu Service Mesh Console UI.

In this regard, we address:

  • Connectivity requirements for integrating Avi API through a proxy.

  • Support for reporting proxy connectivity status for an external account via API.

  • Support for rich application metrics in the Avi connector.

Custom Registry Support 

Release 1.14.10 adds support for customer-owned registries for cluster onboarding. Users can now specify a private/local enterprise registry from which Tanzu Service Mesh data plane images are pulled, as well as its location and credentials. New features in this release include:

  • Support for creating a new customer image registry account and using secret authentication.  

  • Support for referencing an existing customer registry when onboarding a cluster. In addition, a customer registry account can be created from the cluster onboarding page if one does not already exist, and only one customer registry account can be referenced per cluster.

Additional notes:

  • At this time, a customer registry definition already used for cluster onboarding cannot be edited. The registry definition can be deleted by the user, but the clusters that have been onboarded with the registry must be re-onboarded to the TSM service. A warning about this implication will show up when one tries to delete the definition.

Notice:

As a prerequisite for onboarding a cluster using Tanzu Service Mesh images from your private registry, you need to mirror the required repositories from the TSM's public ECR registry located at public.ecr.aws/v6x6b8s5. For private registries that do not support mirroring, download the images from TSM's public ECR registry and push them into your private registries. In the last section, you will find the list of images and repositories. The TSM image list varies for each data plane release.

Application Onboarding Improvements - Support for Stateful Sets

Support for stateful components that rely on data services for storing state and data is provided using a distributed database management system for improved scalability, availability, consistency, and resiliency; and an advanced messaging system for low latency and high throughput. Stateful services can reside on a single cluster or multiple clusters. RabbitMQ and MongoDB have been tested and verified using de-facto standard operators in some specific configurations. Currently, other data services have not been validated and may not function as expected. Data services will be tailored to the specific needs of each customer.

Multiple Namespace in a GNS

Previously, applications in a global namespace had to contain all their services in one namespace. In this release, this constraint has been lifted and Tanzu Service Mesh now supports adding services from multiple namespaces. In this way, users can choose any namespace in a Kubernetes cluster to add to the global namespace. This release is fully compatible with the following features which use multiple namespaces: Cross Cluster Traffic, Observability, and Public Services. Future releases will add support for additional features such as ACP, API Security, Traffic Management, SLO, and Auto Scaling.

Other Enhancements

  • Support for Tanzu Service Mesh TMC Operator in Kubernetes 1.22.

  • Support for Istio 1.12.

  • Support for VMware Tanzu™ Kubernetes Grid™ 1.5.

  • Consolidation of Tanzu Service Mesh images into one public image repository.

  • Improvements to the health status of integration configuration.

  • Support for new TMC stack in operator pipeline.

  • Consolidation of all Tanzu Service Mesh images into the ECR public repository.

  • Updated all data plane images to the latest Photon 4 OS images version to reduce vulnerabilities.

  • Assuring users configure trust domains for Tanzu Service Mesh integration with CA.

  • Improvements to API discovery.

Fixes

  • A fix for metrics displayed on the Clusters page.

  • A fix to exclude some namespaces.

  • Update of the label "Proxy Location: <some value>".

  • Fixes for cache issues.

  • A fix for the display of unhealthy cluster status.

  • Fixes for the regex issue in Safari.

  • Fixes for memory leak in subscriptions.

  • A fix to load events topology from Service version view.

  • Updates to autoscaling policies to accurately display data after the upgrade.

  • Fixes to include Disk Wait on the Service Group details page.

  • Improvements to keyboard navigation.

  • Corrections to accessibility audits.

  • A fix to exclude namespaces during cluster onboarding.

  • A fix for heap memory allocation issue.

  • Fixes for crashloops in Avi connectors.

  • A fix to enable Auto-scaling for instances with SLO policies.

  • A fix for UI theme changes when navigating.

  • A fix for crash loop when onboarding OCP 4.7.8 cluster.

  • Fixes for tenant API gateway cache issue.

  • A fix for GNS failover issue in Tanzu™ Kubernetes Grid™ on vSphere.

  • A fix for liveliness/readiness probe failure.

  • A fix for issue with Envoy sidecars not processing the filters.

  • Fixes for custom registry issues.

Known Issues

  • Logging into Avi Networks using incorrect credentials results in a 401 error, and one workaround for this is to change the account profile used for the integration to No-Lockout-User-Account-Profile in the Avi controller's user administration settings.

  • At present, TSM does not support visualizing TCP traffic across clusters.

  • Potential for inconsistency with routing for multiple namespaces when there are multiple services with the same name, causing GNS to enter into warning mode.

  • A multi-namespace GNS cannot be configured in the same cluster for an external service.

To mirror: list of repositories

  • public.ecr.aws/v6x6b8s5/config-service

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager

  • public.ecr.aws/v6x6b8s5/metrics-proxy

  • public.ecr.aws/v6x6b8s5/telegraf

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests

  • public.ecr.aws/v6x6b8s5/ws-client

  • public.ecr.aws/v6x6b8s5/deployment_utils

To download: list of images

  • public.ecr.aws/v6x6b8s5/config-service:2294257dfbb51d081bb7a69dad80dedd4ee6a0ff

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v4.4.1

  • public.ecr.aws/v6x6b8s5/metrics-proxy:v3.2.0

  • public.ecr.aws/v6x6b8s5/telegraf:1.18.3

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator:v3.5.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni:1.12.2-release-tsm-advance-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer:1.7.3-custom-mixer-0.1-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot:1.12.2-release-tsm-advance-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.12.2-release-tsm-advance-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer:v0.4.0

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests:tsm-v5.0.4

  • public.ecr.aws/v6x6b8s5/ws-client:v3.3.0

  • public.ecr.aws/v6x6b8s5/deployment_utils:8d8b5b1d

Refer to the relevant data plane version 5.0.4 release note.
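The download-and-push step that the Notice for this release describes for private registries without mirroring support, as an added example that is not part of the release notes or of any Tanzu Service Mesh tooling: the script prints the docker commands for each image and refuses references that are outside the public ECR registry or that carry no explicit tag. The function names and the destination registry.example.internal/tsm are hypothetical; the sample image references are taken from the list above.

```shell
#!/bin/sh
# Added example: build a dry-run plan for copying Tanzu Service Mesh images
# from the public ECR registry into a private registry.

SRC_PREFIX="public.ecr.aws/v6x6b8s5"   # source registry named in the release notes

# mirror_target <source-image> <private-registry-prefix>
# Prints the destination reference, keeping the repository path and tag.
# Returns 1 for a reference outside SRC_PREFIX or without an explicit tag.
mirror_target() {
  src=$1
  dst_prefix=${2%/}                    # tolerate a trailing slash
  case "$src" in
    "$SRC_PREFIX"/*) ;;
    *) echo "skip: $src is not under $SRC_PREFIX" >&2; return 1 ;;
  esac
  rest=${src#"$SRC_PREFIX"/}           # e.g. vmwareallspark/proxyv2:1.7.3-distroless
  case "$rest" in
    *:?*) ;;
    *) echo "skip: $src has no explicit tag" >&2; return 1 ;;
  esac
  printf '%s/%s\n' "$dst_prefix" "$rest"
}

# mirror_plan <private-registry-prefix>
# Reads one image reference per line on stdin and prints the pull, tag and
# push commands. Nothing is executed; review the plan, then pipe it to sh.
# Returns 1 if any reference was rejected.
mirror_plan() {
  plan_dst=$1
  rc=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    if target=$(mirror_target "$image" "$plan_dst"); then
      printf 'docker pull %s\n' "$image"
      printf 'docker tag %s %s\n' "$image" "$target"
      printf 'docker push %s\n' "$target"
    else
      rc=1
    fi
  done
  return $rc
}

# Three entries from the image list for this release.
sample_images() {
  cat <<'EOF'
public.ecr.aws/v6x6b8s5/k8s-cluster-manager:v4.4.1
public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.12.2-release-tsm-advance-distroless
public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2:1.7.3-distroless
EOF
}

# Demo: print the plan for the sample images (hypothetical destination).
sample_images | mirror_plan "registry.example.internal/tsm"
```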

February 15, 2022 (version 1.14.0)

These release notes describe the Tanzu Service Mesh 1.14.0 release.

Enhancements

Traffic Management

This release brings in Tanzu Service Mesh traffic management APIs, which give users the ability to define traffic shifting policies for services in a global namespace (GNS). The combination of traffic management policies with global namespaces gives users the ability to define progressive upgrades for applications deployed in a global namespace across regions and clusters. Policies are defined in a central location and allow users to perform canary and blue-green upgrades for public as well as internal services. See our recent blog post for additional information.

Other Enhancements

  • Improvements to secrets management.

  • Updates to deployment of backend services.

  • Improvements to application metrics.

  • API updates which include:

    • Enhancements to communication with client clusters.

    • Initial support for specifying clusters to be targeted by Avi proxy; initial support is for one cluster, with forthcoming support for a list of clusters.

  • Improvements to SaaS controller services on synching cluster details.

  • Support for private docker registry, which can be specified at cluster onboarding.

  • The Tanzu Service Mesh Console UI has an integrations details page, and now displays a health check status for each integration in the integration tab.

  • Improvements to the processing of autoscaling policies.

Fixes

  • A fix for a duplication of configuration seen with a custom CoreDNS setup. Affected platform: VMware Tanzu™ Kubernetes Grid™ running on Azure Kubernetes Service (AKS) version 1.18.7 with CoreDNS 1.6.7.

  • Improvements to the data model including increased message size.

  • A fix for Global Namespace, which includes upgrading public service objects to ensure they are compatible with new DNS structure requiring health checks.

  • Stabilization and reduction in time for tenant registration.

  • Improvements to services responsible for service level objectives (SLOs).

  • A fix for metrics aggregation.

  • Fixes in the Tanzu Service Mesh Console UI:

    • Autoscaling policy display improvements.

    • Public services' subdomains display.

    • A warning is now displayed when deleting an integration that is in use by a public service.

    • Redirection after service group deletion is corrected to service group table.

    • Global namespace scoped API call is now correctly displayed in service version details page.

    • Upon deletion of a public service on the public service table, a notification of successful deletion now is displayed.

    • General improvements to loading and dynamic display.

    • An issue seen with some Safari versions.

Known Issues

  • The average value of CPU usage milli cores displayed at the top of the instance autoscaling chart is not displaying the average based on the values over the current duration in the chart.

January 26, 2022 (version 1.13.9)

These release notes describe the Tanzu Service Mesh 1.13.9 release.

Fixes

  • Fix for the login to the Tanzu Service Mesh Console UI during the new customer onboarding process.

January 26, 2022 (version 1.13.8)

These release notes describe the Tanzu Service Mesh 1.13.8 release.

Enhancements

  • This release includes maintenance in the Tanzu Service Mesh SaaS backend.

December 20, 2021 (version 1.13.7)

These release notes describe the TSM 1.13.7 release.

Fixes

  • Fix for a bug introduced in 1.13.6 in relation to CPU millicore calculations in autoscaler configuration.

December 15, 2021 (version 1.13.6)

These release notes describe the TSM 1.13.6 release.

Enhancements

  • When a user navigates to the SLO Dashboard and then clicks on the "Full Page", the user should now see a breadcrumb such as Home > GNS Name > SLO Name added to the SLO Dashboard page.

  • In the SLO configuration wizard for org scoped monitored SLOs, while attaching service group(s), it validates that the service group exists. This change will be reflected in the drop down of the service group field in the SLO policy configuration wizard.

  • Improvements to the synchronization of Tanzu Service Mesh inventory and Kubernetes state.

  • Updates to role-based access control (RBAC) on client clusters. This change includes utilizing Roles to define minimal permissions within a specific namespace.

  • Customer required images are available in public ECR.

Fixes

Tanzu Service Mesh version 1.13.6 is a maintenance release that contains performance enhancements and minor Tanzu Service Mesh UI improvements:

  • Fix for occasional "No Data" issue in autoscaler and SLO charts caused by some internal caching issues.

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the user can now see the correct health status instead of "Error".

  • Fix for accessibility issues with the SLO chart content when a user resizes the viewport to a narrow view.

  • In the autoscaling policy configuration wizard, the autoscaling metric dropdown text will now display a consistent text style.

  • Fix for occasional empty services in SLO dashboard when a user navigates back and forth between the various tabs of the dashboard.

  • Fixes for the UI that include refresh improvements for performance charts and instance tables with a large number of elements.

  • A fix in the UI where multiple service groups resulted in broken layout on dropdown selection.

  • A fix in the UI for service topology rendering and cluster overlay which resulted in services appearing to be orphaned.

  • A fix in the UI which enables RPS by default in the Service Topology.

  • Improvements in the display of the status of cluster upgrades in the UI.

  • Improvements in the display of public services health checks in the UI.

  • Listing resource group services now returns a list of only application-specific services instead of all Kubernetes or system services.

Known Issues

  • For tenants with DNS integrations that have large numbers of DNS records (30K+), the UI does not load.

November 15, 2021 (version 1.13.3)

These release notes describe the TSM 1.13.3 release.

Enhancements

Global Server Load Balancer (GSLB) and Application Continuity

This release enhances the support of the Application Continuity use case in Tanzu Service Mesh by adding support for new GSLB algorithms. Users can now publish their services outside the global namespace and configure the high availability algorithm to be based on Round Robin (default), Weighted Round Robin, or Active Standby. Furthermore, the integration is now available for NSX Advanced Load Balancer (formerly Avi Networks). This release also adds support for configurable health checks on public services. Health checks are performed at a configurable interval and monitor each endpoint of the application deployed across multiple clusters or clouds.

Applications can be exposed to the outside world, in a highly available manner, by configuring and exposing a GSLB service within a global namespace. Tanzu Service Mesh (TSM) automates the process of initial application publishing and automatically discovers new deployments of a service; this streamlines and reduces the time to publish and supports use cases where applications expand to new clusters and sites. The service mesh adapts to additional instances by automatically updating the GSLB configuration. With GSLB TSM integration, TSM can detect problems with applications deployed in the global namespace that are not visible to traditional GSLB services and initiate a failover to the healthy service. Therefore, the combination of TSM and GSLB increases the resiliency of the deployed application over the use of GSLB alone. Integration is available with NSX Advanced Load Balancer (formerly Avi Networks) and/or AWS Route 53.

Public Service Details and Monitoring

Detailed information on public services, including performance metrics, is available in the TSM console to help monitor the health and performance of public services and GSLB routing information for services' public URLs. TSM computes an overall health status based on the health of each public URL. TSM periodically makes connection attempts to each URL to evaluate its health. The overall status of a public service is considered healthy if all public URLs are healthy and considered unhealthy if at least one of the public URLs is unhealthy. The Tanzu Service Mesh Console UI contains this information on the public services details page.

Other Enhancements

  • Tanzu Service Mesh Console UI has modernized theming and made improvements to dark and light themes.

  • Enhanced contextual help in the Tanzu Service Mesh Console UI.

Fixes

  • Improvements for deleting DNS integration and the reporting of inventory.

  • The Tanzu Service Mesh Console UI no longer shows a quota for the number of clusters available for potential onboarding.

  • A fix for the SLO Actions Tab that ensures the associated autoscaling policies are properly displayed.

  • Fixes for SLO charts, including improvements in refresh, time range display, and fixes for the color displayed in association with violations.

  • All cluster types support public services when mixing IPs and CNAMEs. A workaround using clusters of all the same type for Azure Kubernetes Service (AKS) and Anthos Google Kubernetes Engine (GKE) is no longer required.

Known Issues

  • For tenants with DNS integrations that have large numbers of DNS records (30K+), the UI does not load.

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the health status “Error” is shown for the service.

October 21, 2021 (version 1.12.14)

These release notes describe the TSM 1.12.14 release.

Fixes

  • This release contains a fix for a bug with the TSM autoscaler, and improves detection of instances.

Known Issues

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the health status “Error” is shown for the service.

  • Azure Kubernetes Service (AKS) and Anthos Google Kubernetes Engine (GKE) clusters do not support public services, specifically when mixing IPs and CNAMEs. A workaround is using clusters of all the same type; for example, all GKE.

October 14, 2021 (version 1.12.12)

These release notes describe the TSM 1.12.12 release.

Fixes

  • This release contains a fix for a bug that resulted in an incorrect cluster list displayed in the UI.

Known Issues

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the health status “Error” is shown for the service.

  • Azure Kubernetes Service (AKS) and Anthos Google Kubernetes Engine (GKE) clusters do not support public services, specifically when mixing IPs and CNAMEs. A workaround is using clusters of all the same type; for example, all GKE.

October 13, 2021 (version 1.12.11)

These release notes describe the TSM 1.12.11 release.

Fixes

  • This release contains fixes for bugs in the cluster deletion workflow.

Known Issues

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the health status “Error” is shown for the service.

  • Azure Kubernetes Service (AKS) and Anthos Google Kubernetes Engine (GKE) clusters do not support public services, specifically when mixing IPs and CNAMEs. A workaround is using clusters of all the same type; for example, all GKE.

October 11, 2021 (version 1.12.8)

These release notes describe the enhancements and changes to supported platforms in the TSM 1.12.8 release.

Enhancements

  • This release contains enhanced logging to improve debugging of backend SaaS services.

  • Additionally, new supported platforms and deprecations are noted.

New Platforms Supported

Tanzu Service Mesh now supports Kubernetes clusters running on these platforms:

  • Amazon Elastic Kubernetes Service (Amazon EKS) 1.20, 1.21

  • Red Hat OpenShift 4.7.8

  • VMware Tanzu™ Kubernetes Grid™ Integrated Edition (TKGI) 1.12

  • VMware Tanzu™ Kubernetes Grid™ Service (VMware vSphere® 7.0.1.00200) 1.18.19+vmware.1

Platform Support Deprecation Notice

Tanzu Service Mesh no longer supports Kubernetes versions 1.17 and below, including these platforms:

  • Amazon Elastic Kubernetes Service (Amazon EKS) 1.16, 1.17

  • VMware Tanzu™ Kubernetes Grid™ 1.2.0 (Kubernetes 1.17.11), 1.3.0 (Kubernetes 1.17.16)

  • VMware Tanzu™ Kubernetes Grid™ Integrated Edition (TKGI) 1.4, 1.5, 1.6, 1.7

  • VMware Tanzu™ Kubernetes Grid™ Service (VMware vSphere® 7.0.0) - Kubernetes 1.16.8

Note: For details, visit the public platform support matrix.

Known Issues

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the health status “Error” is shown for the service.

  • Azure Kubernetes Service (AKS) and Anthos Google Kubernetes Engine (GKE) clusters do not support public services, specifically when mixing IPs and CNAMEs. A workaround is using clusters of all the same type; for example, all GKE.

September 22, 2021 (version 1.12.6)

These release notes describe the enhancements in the 1.12.6 release of VMware Tanzu Service Mesh.

Enhancements

Improvements in Service Level Objectives (SLOs)

Two types of SLO are now available in Tanzu Service Mesh: monitored SLOs and actionable SLOs.

In the case of monitored SLOs, you can configure these to monitor the behavior of a service and track error budgets on a monthly basis. In the case of actionable SLOs, besides monitoring the behavior of services and tracking error budgets, you can also influence service resiliency features, like preventing service instances from being scaled down in response to a violation of the SLIs.

You can also configure an SLO to be scoped to the services in a specific global namespace (a GNS-scoped SLO).

For more information about SLOs in Tanzu Service Mesh, see the Service Level Objectives with Tanzu Service Mesh technical documentation.

Enhanced Service Autoscaling

With Tanzu Service Mesh Service Autoscaler, application developers and operators can now configure an autoscaling policy for services inside a global namespace through the UI or through API. This choice between configuring autoscaling in the Tanzu Service Mesh UI or through API is available only for GNS-scoped autoscaling policies. Tanzu Service Mesh Service Autoscaler continues to provide a Kubernetes Custom Resource Definition to configure autoscaling for services in cluster namespaces. You now have the option of associating an autoscaling policy with an SLO to influence autoscaling of service instances if the SLO is violated. For more information about service autoscaling in Tanzu Service Mesh, see the Service Autoscaling with Tanzu Service Mesh User's Guide.

Fixes

  • Performance graphs could be missing for services that have an SLO applied to them. The issue affected only SLOs created before Tanzu Service Mesh version 1.11.7. Editing the SLO and re-adding the services to the SLO fixed the problem.

  • A fix for an issue where, under certain circumstances, users could experience slowness while the service dependencies graph was being loaded on the “Service Dependencies” tab of the service details page. This could happen when “Last 30 days” was selected as the metric time range.

Known Issues

  • When a user creates an autoscaling policy for a service in simulation mode in the Tanzu Service Mesh UI and then navigates to the service details page, the health status “Error” is shown for the service.

August 31, 2021 (version 1.12.4)

Tanzu Service Mesh version 1.12.4 is a maintenance release that contains minor logging changes to assist in debugging the cluster onboarding process.

Known Issues

  • Performance graphs can be missing for services that have an SLO applied to them. The issue affects only SLOs created before Tanzu Service Mesh version 1.11.7. Editing the SLO and re-adding the services to the SLO fixes the problem.

  • The following APIs exposed in the API Explorer for future use are currently not supported:

    Autoscaling section of the API Explorer

    • GET /v1alpha1/autoscaling/configs

    • PUT /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • DELETE /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies

    Global Namespaces Public Service section of the API Explorer

    • PUT /v1alpha1/global-namespaces/{gnsId}/public-service/{fqdn}

August 11, 2021 (version 1.12.3)

The release of Tanzu Service Mesh 1.12.3 contains changes to the Global Controller that improve the debugging of issues.

Known Issues

  • Performance graphs can be missing for services that have an SLO applied to them. The issue affects only SLOs created before Tanzu Service Mesh version 1.11.7. Editing the SLO and re-adding the services to the SLO fixes the problem.

  • The following APIs exposed in the API Explorer for future use are currently not supported:

    Autoscaling section of the API Explorer

    • GET /v1alpha1/autoscaling/configs

    • PUT /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • DELETE /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies

    Global Namespaces Public Service section of the API Explorer

    • PUT /v1alpha1/global-namespaces/{gnsId}/public-service/{fqdn}

July 21, 2021 (version 1.11.12)

This release of TSM 1.11.12 contains stability fixes that ensure compatibility with VMware Tanzu Kubernetes Grid.

Known Issues

  • Performance graphs can be missing for services that have an SLO applied to them. The issue affects only SLOs created before Tanzu Service Mesh version 1.11.7. Editing the SLO and re-adding the services to the SLO fixes the problem.

  • The following APIs exposed in the API Explorer for future use are currently not supported:

    • GET /v1alpha1/autoscaling/configs

    • PUT /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • DELETE /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies

    • PUT /v1alpha1/global-namespaces/{gnsId}/public-service/{fqdn}

July 19, 2021 (version 1.11.9)

These release notes describe the fixes in the TSM 1.11.9 release.

Fixes

  • A fix for a bug found where a backend service became unhealthy. This fix enhances metrics performance. Metric aggregation improvements include enhancements in processing metrics data.

Known Issues

  • Performance graphs can be missing for services that have an SLO applied to them. The issue affects only SLOs created before Tanzu Service Mesh version 1.11.7. Editing the SLO and re-adding the services to the SLO fixes the problem.

  • The following APIs exposed in the API Explorer for future use are currently not supported:

    • GET /v1alpha1/autoscaling/configs

    • PUT /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • DELETE /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies

    • PUT /v1alpha1/global-namespaces/{gnsId}/public-service/{fqdn}

July 13, 2021 (version 1.11.7)

These release notes describe the new features, enhancements, and fixes in the July 13, 2020 release.

New Features

Export of API Audit Logs to Splunk

You can now send audit logs of calls to the Tanzu Service Mesh APIs to Splunk Enterprise for analysis and visualization of how users in your organization use the APIs.

API Audit Log export requires that you configure an HTTP Event Collector (HEC) input in Splunk Enterprise and provide your HEC configuration through the API.

Amazon CloudWatch and Splunk endpoints are supported for export of API logs.

For more information about export of API logs to Splunk, see the Tanzu Service Mesh product documentation.

Enhancements

Enhanced Service Topology Browsing Experience

You can now view the topology of services in a global namespace or cluster in a separate window for greater ease of use and easier in-window browsing.

You have the option of downloading the service topology information (service incoming and outgoing connections) to a comma-separated values (CSV) file to make this information accessible by users with visual impairments.

For more information about the Topology Browser window, see the Tanzu Service Mesh product documentation.

New Platforms Supported

Tanzu Service Mesh now additionally supports clusters running on these platforms:

  • Azure Kubernetes Service (AKS) v. 1.18.17

  • Anthos GKE v. 1.19.10

  • VMware Tanzu™ Kubernetes Grid™ Integrated Edition 1.11

Note: For details, visit the Tanzu Service Mesh Environment Requirements and Supported Platforms page.

Fixes

  • Services fail over to healthy endpoints when any service endpoint becomes unhealthy. If all service endpoints became unhealthy, it was possible for traffic to blackhole for a period of time. With this fix, traffic is guaranteed to be directed to at least one healthy service endpoint at all times, as long as there is a healthy service endpoint.

  • Tanzu Service Mesh now properly preserves a mapping rule within a global namespace if a cluster selected in the rule is removed, and another cluster with the same name is then onboarded. Tanzu Service Mesh also supports placeholder cluster names in mapping rules where a user enters the name of a non-existing cluster into a mapping rule and creates the cluster later.

  • Fix for an issue where Tanzu Service Mesh did not completely remove a cluster whose onboarding was canceled, which caused the onboarding of another cluster with the same name to fail.

  • When users log into the application for the first time in incognito mode, they no longer see a white application screen that flashes for a few seconds.

  • Fix for a bug where the service instances table incorrectly showed 0 ms, instead of "–", for non-existing p50 Latency, p90 Latency, and p99 Latency metrics for some of the service instances.

  • Added more space between service labels and their nodes on topology view graphs for greater visibility. Also improved styling for when nodes are dragged inside the topology view.

  • A fix for an issue where deleting a certificate, health check, or external DNS account that was in use by a public service and then recreating the same certificate, health check, or DNS account affected the operation of the public service.

  • Several enhancements and fixes were made to the UI for improved user experience, including:

    • Improved layout of GNS and cluster cards, modal windows, charts, and hover cards

    • Minor issues with drop-down lists resolved

    • Consistently styled icons used across the UI

    • Consistent use of "Remove" and "Delete" labels across the UI ("Remove" for clusters and "Delete" for other objects)

Known Issues

  • Performance graphs can be missing for services that have an SLO applied to them. The issue affects only SLOs created before Tanzu Service Mesh version 1.11.7. Editing the SLO and re-adding the services to the SLO fixes the problem.

  • The following APIs exposed in the API Explorer for future use are currently not supported:

    • GET /v1alpha1/autoscaling/configs

    • PUT /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • DELETE /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies/{policyId}

    • GET /v1alpha1/global-namespaces/{gnsId}/autoscaling-policies

    • PUT /v1alpha1/global-namespaces/{gnsId}/public-service/{fqdn}

May 25, 2021 (version 1.10.13)

These release notes describe the new features, enhancements, and fixes in the May 25, 2020 release.

New Features

Enterprise Proxy Support

When onboarding Kubernetes clusters to Tanzu Service Mesh, you can now specify that the clusters communicate with Tanzu Service Mesh Global Controller through an enterprise HTTP/HTTPS proxy. You will need to provide the proxy configuration settings during onboarding, which include the Proxy address, user name, password, and the certificate the proxy presents to secure connections. With this release, Tanzu Service Mesh supports both transparent and explicit proxy configurations. The use of a transparent proxy does not require any special configuration in Tanzu Service Mesh. Once a proxy is configured, communications between your clusters and Tanzu Service Mesh Global controller will be routed through your enterprise HTTP/HTTPS proxy and will be encrypted using TLS.

Enhancements

30 Days of Metrics Data Is Now Available

Tanzu Service Mesh now collects and retains metrics data for your services and nodes for up to 30 days. Additionally, Tanzu Service Mesh Console now allows you to select up to 30 days of metrics from the timeframe selector available on the service graphs, node heatmaps, and performance charts.

Enhanced Performance Charts and Cards

Performance charts have been enhanced for a better user experience and accessibility. You can now hover over data points on a chart to view the metric values and timestamp for each data point. The data shown on charts are automatically updated according to the current data refresh interval.

Metrics Per Service Version

For services, you can now view and compare metrics for individual service versions. You can show and hide the versions by clicking on the legend in the chart. This feature is useful to observe performance characteristics when rolling out a new service version (for example, canary deployment).

New Platforms Supported

Tanzu Service Mesh now supports clusters based on VMware Tanzu™ Kubernetes Grid™ 1.3 and Amazon EKS 1.19.

Note: For details, visit the Tanzu Service Mesh Environment Requirements and Supported Platforms page.

Fixes

  • It is now possible to expose multiple HTTPS public services that have different domain names and that reside on the same cluster on port 443.

  • A fix for the bug in the UI where users could not onboard clusters in the onboarding panel because of a backend issue with Tanzu Kubernetes Grid clusters provisioned by Tanzu Mission Control.

  • A fix for the bug where the UI froze when a user tried to access the GNS Topology tab after applying a custom topology and adding new nodes.

  • The topology thumbnail view on a global namespace card was enhanced to accommodate multiple clusters in a global namespace when a user applies a custom topology layout.

  • A fix for the bug where an endless spinning loader was shown for some of the charts when a user selected the Show All option on the Performance tab.

  • A fix for the bug where the Generate Security Token button in the Onboard Clusters panel became unavailable after a user entered a cluster ID of more than 28 characters.

  • A fix for the bug where after creating a global namespace, on the details page for the new global namespace, a user could see the topology graph for another global namespace.

  • Fixed a bug where on the Service Mapping page of the Edit Global Namespace wizard, the Next button was unavailable on a slow Internet connection.

  • Fixed a bug that caused the Sort drop-down list on the active GNS Overview tab to disappear.

  • Fixed a bug where the Edit Global Namespace wizard incorrectly selected the No Public Services option for a global namespace that has a public service configured in it.

  • Fixed a bug where the y-axis of the chart in a node card showed incorrect label values.

  • A fix for a bug where refreshing the service details page caused the performance charts to show no data although some of the services in the service group had traffic.

  • Fixed a bug where the node heatmap view for the Group by Cluster grouping sometimes showed the cluster IDs instead of cluster names.

  • Fixed overlapping nodes on the cluster topology thumbnail view on the Cluster Overview tab.

  • Fixed a bug that caused blue dots to appear on the graph line in the Services box on the top metrics bar.

  • Hovercards across Tanzu Service Mesh were modified to always show a metric graph for the last 5 minutes in the chart. This resolves the bug where the graph appeared squeezed-together in the chart if the Last 1 hour time range was selected for the cluster's service topology graph on the Service Topology tab.

Known Issues

  • Deleting a certificate, health check, or external DNS account that is in use by a public service and then recreating the same certificate, health check, or DNS account will affect the operation of the public service. If you need to delete such a certificate, health check, or external DNS account, the workaround is to also delete and re-create the referencing public service.

  • Tanzu Service Mesh does not preserve a mapping rule within a global namespace if the cluster selected in the rule is removed, and another cluster with the same name is then onboarded. This causes issues with the global namespace topology view. As a workaround, select the other cluster in the mapping rule by editing the global namespace.

March 16, 2021 (version 1.9)

These release notes describe the new features, enhancements, and fixes in the March 16, 2021 release.

New Features

Public Services

Global Namespace now includes an option to define a Public Service. A Public Service provides a foundational building block to enable various use cases, including application continuity and cloud bursting. A Public Service is a service that is within a Global Namespace and is exposed outside of the Global Namespace to allow end users or services to access the service.

You configure a public service as part of the global namespace configuration. You set the URL at which the service will be accessible and, optionally, settings for checking the health state of the service. You can expose a public service as a secure service (over HTTPS) or an unsecure service (over HTTP).

For more information about public services, see the Using Tanzu Service Mesh documentation.

Enhancements

  • Cluster Names and Cluster IDs are now displayed on the UI. Users can modify display names for their clusters.

  • If no clusters have been onboarded, the message "No clusters have been onboarded yet. Please onboard a cluster" with a link to the cluster onboarding panel is prominently displayed at the top of the Home page.

  • The onboarding of a cluster can now be canceled at any point during the onboarding process.

  • The GNS Details page now shows the mTLS status for the services in the GNS.

  • Cards on the GNS Overview and Cluster Overview tabs are now by default sorted by "Name" and "Low to High."

  • Several enhancements were made to improve the look of the UI, including enhanced color and styling of notices, warnings, and alerts.

Fixes

  • If upgrades are not available for a cluster because it is using an unsupported version of Kubernetes, the Software Updates page now shows an appropriate message.

  • If a user selects the "Is Exactly" operator for a namespace exclusion when onboarding a cluster, this selection is now preserved for the namespace exclusion in the Edit Cluster dialog box.

  • The Service Details page now shows a correct SLO status (for example, "Healthy") for a service that is a member of a service group for which an SLO was created.

  • The metrics bar at the top of the Home page now shows correct data for services, service instances, nodes, and clusters.

  • Resource details pages (for example, service details pages and cluster details pages) are immediately deleted from the UI for an application or cluster that is removed.

  • An onboarded cluster that was not shown in the UI under certain conditions is correctly shown in the UI.

  • A namespace exclusion defined for a cluster in Tanzu Mission Control is now shown in the Edit Cluster dialog box in Tanzu Service Mesh.

  • A fix for a bug where the Cluster Name field in the Edit Cluster dialog box was empty under certain conditions.

  • The Nodes drop-down list on the Node Heatmap tab of the Home page no longer displays "Node Groups" and correctly displays the names of individual nodes.

  • A health status of "Unknown" no longer appears at the top of the Service Details page for a service that doesn't have any SLOs created for it.

  • The Software Updates page correctly displays cluster rows after a cluster is deleted and then re-attached to Tanzu Service Mesh.

  • A user no longer receives an error after clicking the Tanzu Mission Control link on the cluster details page.

  • When a user enters the name of a non-existing cluster on the Mapping Rules page of the Global Namespace Wizard, a message "Add new cluster" is shown instead of "No items found."

  • When a user changes the target time percentage for an SLO for a service group, the performance graph on the service details page for a service group member is correctly updated with the new target percentage.

  • Fix for a bug where a global namespace card showed an incorrect number of services and service instances for a global namespace that had all the services and service instances deleted from it.

  • Cluster cards on the Cluster Overview tab and global namespace cards on the GNS Overview tab, which represent global namespaces created using exactly the same clusters, now consistently show the same counts of services and service instances.

  • After a cluster with no services is onboarded, the Onboard New Cluster button no longer appears on the Services Cards and Infrastructure Cards tabs of the Performance page.

  • If any changes occur in the status of the autoscaling configuration, the status is now updated in the response from the API.

  • Fix for a bug that caused the Service Topology tab for a cluster and the cluster details page to show different counts of services.

  • Fix for a bug where the Service Instances field on the service version details page appeared empty under certain conditions.

  • The metrics bar on the Home page shows the counts of service instances, nodes, and clusters that are consistent with the corresponding counts on the cluster cards.

  • Fix for a bug where the Infrastructure table on the service group details page showed incorrect information about nodes for a service group.

  • Fix for a bug where, under certain conditions, metrics were not shown in the cluster topology graph on the cluster details page.

  • Fix for a bug that caused all clusters to disappear from the UI under certain conditions.

  • The application no longer occasionally hangs after a new service is added to a cluster and a user applies a custom layout to the topology view of service versions on the cluster details page.

  • Fix for a bug where under certain conditions the SLO violation chart showed violations of the SLO whereas the corresponding SLI chart didn't show the same violations.

Known Issues

  • Deleting a certificate, health check, or external DNS account that is in use by a public service and then recreating the same certificate, health check, or DNS account will affect the operation of the public service. If you need to delete such a certificate, health check, or external DNS account, the workaround is to delete and re-create the referencing public service.

    Notes

    • If you try to delete a certificate, health check, or external DNS account that is in use by a public service, the deletion dialog box displays a warning and lists the affected public services.

    • The issue does not affect certificates, health checks, or external DNS accounts that are not used in public services.

  • Currently, it is not possible to configure different domains on port 443 for two or more HTTPS public services that reside on the same cluster. The workaround is to use a wildcard (*) for the subdomain and make sure that the top-level domains of the URLs match OR ensure that only one domain is exposed per cluster. For example, for two public services shopping.acme.com and cart.acme.com on the same cluster, you can specify this URL: *.acme.com. The wildcard will match both subdomains.

December 10, 2020 (version 1.8)

This update to VMware Tanzu Service Mesh contains new features, enhancements, known issues, and fixes.

New Features

Service Mesh Lifecycle Management

In addition to automated installation, Tanzu Service Mesh now automates the service mesh upgrades and rollbacks. Tanzu Service Mesh UI includes a Software Updates page where platform operators can see at a glance whether each of their clusters is running the latest version of Tanzu Service Mesh. If a cluster is out of date, the operator can choose to upgrade it to a newer version of Tanzu Service Mesh. If an upgrade fails for some reason, Tanzu Service Mesh automatically rolls back to the previous version. Operators also have the option of initiating a rollback from the Software Updates page. 

For more information about upgrades and rollbacks, see the Using Tanzu Service Mesh documentation.

VMware Tanzu Mission Control Integration

Tanzu Service Mesh is now integrated with Tanzu Mission Control. This initial integration allows platform operators to manage the lifecycle (install, upgrade, rollback, remove) of the Tanzu Service Mesh running inside clusters managed by Tanzu Mission Control. Platform operators can trigger Tanzu Service Mesh lifecycle management functions through the Tanzu Mission Control UI, CLI, or API. Additionally, from the Tanzu Service Mesh UI, operators can link to Tanzu Mission Control to view cluster details, and from the Tanzu Mission Control UI, operators can link to Tanzu Service Mesh to see service mesh details.

For more information about enabling Tanzu Service Mesh LCM in Tanzu Mission Control, see the Using Tanzu Service Mesh documentation.

Service Level Objectives (SLOs) - TECH PREVIEW

Service level objectives (SLOs) provide a formalized way to describe, measure, and monitor the performance, quality, and reliability of microservice applications. SLOs provide a shared quality benchmark for application and platform teams to reference for gauging service level agreement (SLA) compliance and continuous improvement.   

For more information about SLOs in Tanzu Service Mesh, see Service Level Objectives with Tanzu Service Mesh User's Guide.

Service Autoscaling - TECH PREVIEW

With Tanzu Service Mesh Service Autoscaler, application developers and operators can have automatic scaling of microservices that meet changing levels of demand based on metrics, such as CPU or memory usage. These metrics are available to Tanzu Service Mesh without needing additional code changes or metrics plugins.

For more information about service autoscaling in Tanzu Service Mesh, see the Service Autoscaling with Tanzu Service Mesh User's Guide.

Enhancements

  • Application operators can now select specific Kubernetes namespaces in which to enable service mesh capabilities (that is, enable automatic sidecar injection).

  • A new Tanzu Service Mesh operator monitors the status and health of the service mesh data plane components running in the cluster and self-heals the components as needed.

  • Tanzu Service Mesh now supports clusters based on VMware Tanzu™ Kubernetes Grid™ 1.2 (which uses Kubernetes 1.19).

  • Tanzu Service Mesh now supports clusters based on VMware Tanzu™ Kubernetes Grid™ Service (VMware vSphere® 7.0.0).

  • The Home page now features three tabs: GNS Overview (shows global namespace cards with summary information), Cluster Overview (shows cluster cards with summary information), and Node Heatmap (displays node metrics, for example, CPU and memory usage, and correlates services to nodes).

  • When a user moves away from one service details page to another, the focus automatically moves to the top of the page.

  • The Cluster Onboarding window now offers an option to retry a failed Tanzu Service Mesh installation.

  • Several enhancements were made to optimize GraphQL queries involved in the rendering of global namespace and cluster topologies. 

  • Several UI accessibility improvements were made, including interactions with buttons, modals, and accordions. 

  • The Tanzu Service Mesh account setup window now displays the latest product logo at the top.

Fixes

  • Tanzu Service Mesh now installs without issue on Tanzu Kubernetes Grid Integrated Edition 1.9 clusters.

  • The Service Preview list in the Global Namespace wizard now correctly shows services in a two-column list.

  • Service group display names, not service group IDs, are displayed on the Performance page and the Node Heatmap page when nodes are grouped by Service Group. 

  • Results of a GraphQL query do not disappear when a user changes the theme of the Tanzu Service Mesh Console.

  • The Error Rate column in the Service Instances table no longer shows 0 eps for services in a service group for which error rate data is available.

  • Autocomplete functionality in GraphQL Playground is functioning properly.

  • Users are no longer logged out when running a query in GraphQL Explorer. 

  • Users can now navigate to previously visited pages in the browser's back history from the Home page. 

  • Tables are now using the same name format for the latency column headings (for example, p50 Latency).

  • The UI is correctly showing the health status of a global namespace.

  • Only the Tab key can now be used to set the focus on a UI element. 

  • The hover behavior in topologies highlights the node being hovered over.

  • The grouping by global namespace now works correctly in node heatmaps.

  • Table column widths now accommodate long values.

  • The service name is now shown in the Service Details field on the Details tab of a service card when a user points to a service or service version.

  • Switching between the tabs on the Performance page takes less time.

  • Retrieval of data for the Global Namespace Details page is improved to show a Loading indicator only once.

  • The Service Groups filter on the Performance page now works correctly.

  • In table columns, now only values that go to another page or open a hover card appear as links.

  • Zoom settings are now correctly applied to cluster topologies when a user switches between showing and hiding service versions.

  • Zoom settings are now correctly applied to global namespace topologies when a user switches between showing and hiding service versions.

Known Issues

  • Tanzu Service Mesh currently has a limit of up to 25 clusters. If platform operators attempt to exceed this limit, the cluster onboarding process automatically fails. The Tanzu Service Mesh Console UI does not have an explicit notification that the limit has been reached, although users can view the total cluster count in the UI. 

    Both of these issues will be addressed in the next release. (Tanzu Mission Control Console UI does have a notification indicating the number of clusters with Tanzu Service Mesh, and whether the 25-cluster limit has been reached.)

  • SLOs created against service groups are not yet visible on service group details pages. They are still visible on the service details page of a service that is a service group member.

  • When a cluster is using an unsupported version of Kubernetes, the Software Updates page shows a status of "Out of Date" for the cluster, but does not offer a way to upgrade the service mesh running in the cluster.

    A notification to update the Kubernetes version will be added to the Tanzu Service Mesh Console UI.

  • When a user deletes a cluster from the TSM console, it may take a few minutes for the cluster to be removed from the display. This will be fixed in a subsequent release.

October 12, 2020 (version 1.7)

Enhancements

  • Tanzu Service Mesh now supports VMware Tanzu Kubernetes Grid Integrated Edition 1.9. 

  • Tanzu Service Mesh Lifecycle Manager Operator reconciles / re-deploys agent components if they are accidentally removed from an onboarded cluster. 

  • Minor changes to the Service Mapping step of the Global Namespace wizard, including reversing the order of the cluster and GNS mapping rules. 

  • Accessibility enhancements to enable mouse-free navigation through the UI using the Tab key. 

Fixes

  • Fixes a case where the pop-up window displayed "undefined," rather than the original onboarding URL, when cluster onboarding is cancelled. 

  • Fixes duplicates of the same services being displayed when creating a new service group or new global namespace. 

  • Fixes cases where a blank or empty onboarding URL was shown in the Onboard Clusters dialog box. 

  • Fixes the CPU Usage Milli Cores and Memory Usage Byte columns incorrectly displaying values of zero in the Services or Service Instances table.

  • Fixes the Save button being disabled in the Edit Service Group dialog box for a service group created through a POST request via the API.

  • Fixes zero values being displayed in the Services, Service Instances, Clusters, and Nodes columns on the Service Groups tab in Inventory. 

  • Fixes the Save and Cancel buttons not being visible in the New Service Group dialog box after a user added several membership conditions. 

  • Fixes a continuously spinning progress indicator when logging into Tanzu Service Mesh for the first time.

  • Fixes the UI failing to report the status of tenant registration and continuously showing a progress spinner. 

  • Fixes a case where newly created global namespaces did not immediately show on the Global Namespaces tab of the Home page. 

  • Fixes various style and text inconsistencies in the Service Group deletion and new Service Group dialog boxes. 

  • Fixes an issue where the "Node Name" column was incorrectly displayed in the Services table. 

  • Fixes the UI displaying "No metric" when a user clicked the "Cards" display for Services. 

  • Fixes a case where a user gets an empty service group description and empty membership conditions in the Edit Service Group dialog box. 

  • Fixes an issue preventing users from using spaces in a service group name. 

  • Fixes Membership Conditions automatically collapsing when a user clicks in a membership condition on the Service Group Details page. 

  • Fixes the global namespace topology graph displaying overlapping services or services placed outside their clusters. 

  • Fixes an issue where a user had to refresh the page manually or wait until the next automatic data refresh for an edited description of a service group to appear.

August 20, 2020 (version 1.6)

New Features and Improvements

  • Integration with VMware Tanzu™ Mission Control™. You can now deploy Tanzu Service Mesh on clusters managed by VMware Tanzu Mission Control. For more information, see Native Support for TMC clusters.

  • You can get visibility into the overall health of your global namespaces. For more information, see Global Namespace Health Checks.

  • Improved cluster offboarding: cluster data is immediately removed once offboarding is complete.

  • Completed operations are automatically removed from the task panel in the lower-right corner of the UI after a configured time.

  • Accessibility improvements to cluster onboarding UI, the Resource Groups page, and the Global Namespace Wizard for users with visual or motor impairments.

Feature Highlights

Global Namespace Health Checks

Release 1.5.6 introduces a new feature—Global Namespace Health Check. This feature periodically checks the configuration in a global namespace and reports any errors or out-of-sync conditions.

Native Support for TMC clusters

Release 1.5.6 introduces support for TMC clusters. Application operators can onboard clusters managed by TMC to Tanzu Service Mesh and use the capabilities around observability, discovery, and security. In older versions of Tanzu Service Mesh, users were expected to configure pod security policies for the TMC cluster. This is no longer needed from version 1.5.6.

Fixes

  • A user was unable to create a global namespace because an incorrect version of the API was used. The use of the correct API version fixed the issue.

  • The Welcome to Tanzu Service Mesh window closed before the tenant registration was complete. Now the Welcome to Tanzu Service Mesh window remains open until the tenant registration is complete. Once tenant registration is complete, the Home page is displayed, and the Welcome to Tanzu Service Mesh window is hidden.

  • If a cluster had a large number of services, that caused nodes in the service topology view to overlap. The performance and scalability of service topology views have been improved to avoid overlap of nodes.

  • A deleted cluster is removed from cluster counts in metrics and the Clusters table.

  • Bug fixes related to metrics for duplicate services and services with null data.

  • Fix for a bug where the user cannot create a new service group under certain conditions.

  • Fixes for bugs with custom topology layouts.

  • After a cluster, global namespace, or resource group is deleted, it's now properly removed from the UI.

  • Fix for a bug where, after a successful login, the application is unable to locate the user's preferences.

  • When a user hovered over a service in the Services table, an empty service details card was displayed. Now the service's details are correctly shown on its card when a user hovers over it in the Services table.

  • Sometimes a user was unable to expand a message header in the task panel at the lower right to see the whole message. Now a user can see the whole message expanded by clicking the header.

  • When a user clicked Remove Cluster, the UI didn't provide a progress indicator for the cluster removal or notification that a background process was running. Now when a user clicks Remove Cluster, a job starts in the background, and a progress indicator appears in the lower-right corner of the UI. The indicator shows a meaningful message that reflects the actual progress of the cluster removal. 

  • A user could previously provide the same domain name for multiple global namespaces. Validation for a unique domain name was added. Now when a user enters a non-unique domain name, an error message appears prompting the user to enter a unique name.

July 13, 2020 (version 1.5)

New Features and Improvements

  • Backend enhancements to improve stability and high availability of the platform.

  • Added versioning support for the Tanzu Service Mesh API.

  • New Onboarding and Offboarding APIs for the Tanzu Service Mesh Cluster Lifecycle Manager.

  • Tanzu Service Mesh UI and Backend Service now use v1alpha APIs for creating a global namespace.

Fixes

  • Fixed Istio's Mixer component, which caused incorrect metrics reporting.

  • Fixed corner cases where services sometimes went missing from a Global Namespace (GNS).

  • Fixed an issue where the Istio secret discovery service (SDS) intermittently failed to push the key/cert pair needed for mTLS configuration in TSM Service.

  • Fixed an intermittent crash in the registration service when unregistering a tenant.

  • Fixed the loader spinning during the first-time onboarding experience when there are no clusters.

  • Fixed service topology issues where the topology did not show selected services in global namespaces and clusters.

June 5, 2020

New Features and Improvements

  • Added animated transitions and UI usability enhancements to the Global Namespace topology.

  • Cluster Lifecycle Management (CLM)

    • Enhanced usability by adding validation of client clusters during the onboarding process, including failure states.

    • Enhanced monitoring and debugging of client clusters by migrating existing state (Istio state and connected fields) to the new richer cluster status format.

    • Added logic for fetching client cluster logs (TSM agent, Istio, DNS, etc.) directly via TSM APIs for troubleshooting and cluster support.

  • Added support for Istio 1.4.

Fixes

  • Bug fix to reduce the header size from previous cookie sessions.

  • Bug fix to display an API error when the session token expires.

  • Bug fix to display selected metric preferences for GNS topology.

  • Bug fix to show the empty state placeholder text “No Namespaces” if no namespaces are returned on the Home page.

  • Bug fix to add missing “rps” to the unit topology for zero value.

  • Bug fix to address cluster deletion from UI.

Environment Requirements and Supported Platforms
