These release notes contain information about the data plane of VMware Tanzu™ Service Mesh™, built on VMware NSX®, including the required Kubernetes version, the versions of the data plane components, new features, and fixes.

Tanzu Service Mesh 5.0.7

Released July 5, 2022

Release 5.0.7 includes support for external services as well as wildcards; external services (for example, third-party database services) located outside the VMware Tanzu Service Mesh are made accessible by services inside the Mesh's global namespace. External services can run on virtual machines, external Kubernetes clusters, Tanzu Application Service (TAS) environments, lambda functions or even on bare metal, and can be accessed over TCP, TLS, HTTP, or HTTPS. When connecting to the external service using an HTTPS or TLS protocol, a TLS certificate can be added if desired. Users can define multiple external endpoints for a single external service, and they can load balance them (round-robin scheme by default); they can also edit existing external services to add additional endpoints.

Each external server has a subdomain through which we can access the external service. Tanzu Service Mesh offers the ability to match subdomains of external service hostnames using wildcards; services inside the Tanzu Service Mesh global namespace can connect to external servers whose hostnames are in wildcard format (for example, *.google.com, *.wikipedia.com). With wildcard capabilities, you can select exactly which servers to connect to from a list of wildcard servers.

Users can view details about external services, including their configuration and performance metrics, which are useful for monitoring their performance. External service configuration can also be edited. Future releases will include support for traffic management and access control policies for external services.

Release 5.0.7 retains Istio 1.12.2. Istio 1.12.2 contains security updates and Telemetry customization. For the details contained in Istio 1.12.2, see the Istio 1.12 release notes and Istio 1.12.2 release notes.

Tanzu Service Mesh 5.0.7 components are outlined in the Data Plane Components table. This release retains the metrics proxy version 3.2.0 and Telegraf version 1.18.3.

Known issues include the following: wildcards with external services require a live www server in the list of external servers, and the service port and gateway port should not be the same for multiple endpoint configurations.

Table 1. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.12.2 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.2.0 |

Tanzu Service Mesh 5.0.4 (Upgraded to 5.0.6)

Released March 29, 2022

Release 5.0.6 includes use of the public ECR registry as well as support for custom registries; custom registries are any registry under the user's control, such as private or local enterprise registries. In the event the custom registry requires authentication, users are required to create a secret in all namespaces requiring authentication to the custom registry in order to pull images; this includes vmware-tsm-system, istio-system, kube-system, and any new namespaces that will require pulling sidecar images. If credentials are required for a custom docker registry, the SECRET authentication type must be used.
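A pre-onboarding check for the secret requirement above, as an added example that is not VMware's code: it reads a secret listing and reports which of the namespaces named in the release notes have no image pull secret for the custom registry. The registry hosts, the secret name `tsm-registry-cred` and the sample data are constructed; the input is assumed to have the shape of `kubectl get secrets -A -o json` output, with the registry host used verbatim as the `auths` key.

```python
import base64
import json

# Namespaces the release notes list as needing the registry secret.
REQUIRED_NAMESPACES = ("vmware-tsm-system", "istio-system", "kube-system")


def registries_in_secret(secret):
    """Return the registry hosts a dockerconfigjson pull secret covers."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return set()
    blob = secret.get("data", {}).get(".dockerconfigjson", "")
    try:
        config = json.loads(base64.b64decode(blob))
    except (ValueError, TypeError):
        return set()  # malformed secret covers nothing
    auths = (config.get("auths") or {}) if isinstance(config, dict) else {}
    return set(auths)


def namespaces_missing_pull_secret(secret_list, registry, extra_namespaces=()):
    """List, in order, the namespaces with no pull secret for `registry`."""
    covered = {
        s["metadata"]["namespace"]
        for s in secret_list.get("items", [])
        if registry in registries_in_secret(s)
    }
    wanted = list(REQUIRED_NAMESPACES) + list(extra_namespaces)
    return [ns for ns in wanted if ns not in covered]


def _sample_secret(namespace, registry):
    """Constructed sample secret with placeholder credentials."""
    auth = base64.b64encode(b"user:placeholder").decode()
    cfg = json.dumps({"auths": {registry: {"auth": auth}}}).encode()
    return {
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": "tsm-registry-cred", "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(cfg).decode()},
    }


# Constructed stand-in for `kubectl get secrets -A -o json` output.
SAMPLE = {"items": [
    _sample_secret("vmware-tsm-system", "registry.example.internal"),
    _sample_secret("istio-system", "registry.example.internal"),
    _sample_secret("kube-system", "other.example.internal"),  # wrong registry
]}
```

Pass any application namespaces that will pull sidecar images as `extra_namespaces`; a secret that exists but holds credentials for a different registry is reported as missing.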

When onboarding a new cluster with a custom registry definition, the Tanzu Service Mesh images (Istio and TSM agents) will be downloaded from that registry. At the current time, changes to the registry definition on already onboarded clusters aren't supported. Deleting a registry definition that has been used for onboarding clusters will result in a failed restart for certain pods; this is because the registry definition is no longer valid, and Tanzu Service Mesh does not support updating that definition at the moment. In case of deleting the registry definition, the affected clusters that were onboarded with it must be re-onboarded. A warning about this implication will show up when one tries to delete the definition. Future releases will include support for updating a registry definition.

Release 5.0.6 brings in Istio 1.12.2. Istio 1.12.2 contains security updates and Telemetry customization. Istio Telemetry is retained, but will be deprecated in future releases. For the details contained in Istio 1.12.2, see the Istio 1.12 release notes and Istio 1.12.2 release notes.

Tanzu Service Mesh 5.0.6 components are outlined in the Data Plane Components table. Metrics proxy has been updated to 3.2.0, and Istio has been updated to 1.12.2 with this release. The version has been patched with fixes for the Envoy OAuth filter.

A known issue is that Kubernetes CoreDNS ConfigMap customization would be lost after the upgrade of the TSM data plane. Read this article to find out more.

Important:

Kindly upgrade Tanzu Service Mesh data plane version 5.0.4 to 5.0.6. The upgraded version (5.0.6) contains fixes for the Envoy OAuth vulnerability that became public on June 9, 2022. For more information, see CVE-2022-29226 Detail.

Table 2. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.12.2 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.2.0 |

Tanzu Service Mesh 5.0.3 (upgraded to 5.0.5)

Released December 15, 2021

Version 5.0.3 includes several updates. Data plane support for automatic protocol detection is activated by default. Envoy access logging to standard output is deactivated at the time of installation.

External service access is now a configurable parameter. Istio installation options are modified to pass the user-specified configuration to activate/deactivate external service access at installation time. External service access is activated by default and allows for routing to external services on a per-cluster basis. This change allows organizations to deactivate external service access, thereby enhancing control over security posture. Reference the API Explorer in the Tanzu Service Mesh Console UI for details on customizing the IstioOperator spec meshConfig.outboundTrafficPolicy.mode used for this configuration. Note: in a future release, external service access will be deactivated by default.
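An audit of the setting described above, as an added example that is not VMware's code: it reads IstioOperator objects per cluster and lists the clusters where meshConfig.outboundTrafficPolicy.mode is not REGISTRY_ONLY. ALLOW_ANY and REGISTRY_ONLY are Istio's values for this field, with ALLOW_ANY the Istio default when it is unset; the cluster names and sample objects are constructed, and each input is assumed to have the shape of `kubectl get istiooperator -A -o json` output.

```python
# Istio's default when meshConfig.outboundTrafficPolicy.mode is unset.
ISTIO_DEFAULT_MODE = "ALLOW_ANY"


def outbound_mode(istio_operator):
    """Return the effective outboundTrafficPolicy mode of one IstioOperator."""
    mesh = (istio_operator.get("spec") or {}).get("meshConfig") or {}
    policy = mesh.get("outboundTrafficPolicy") or {}
    return policy.get("mode") or ISTIO_DEFAULT_MODE


def clusters_with_external_access(operators_by_cluster):
    """List (cluster, modes) for clusters not locked to REGISTRY_ONLY."""
    findings = []
    for cluster, operator_list in sorted(operators_by_cluster.items()):
        modes = {outbound_mode(op) for op in operator_list.get("items", [])}
        # An empty set (no IstioOperator found) is reported too, so that a
        # cluster is never assumed restricted without evidence.
        if modes != {"REGISTRY_ONLY"}:
            findings.append((cluster, sorted(modes) or ["no IstioOperator found"]))
    return findings


def _operator(mode=None):
    """Constructed IstioOperator object; mode=None leaves the field unset."""
    spec = {"profile": "default"}
    if mode is not None:
        spec["meshConfig"] = {"outboundTrafficPolicy": {"mode": mode}}
    return {"kind": "IstioOperator", "spec": spec}


# Constructed sample: one listing per cluster (hypothetical cluster names).
SAMPLE_CLUSTERS = {
    "prod-east": {"items": [_operator("REGISTRY_ONLY")]},  # external access off
    "prod-west": {"items": [_operator("ALLOW_ANY")]},      # explicitly on
    "dev": {"items": [_operator()]},                       # unset: default applies
}

if __name__ == "__main__":
    for cluster, modes in clusters_with_external_access(SAMPLE_CLUSTERS):
        print(f"{cluster}: outbound mode {', '.join(modes)}")
```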

Tanzu Service Mesh 5.0.3 contains the components outlined in the Data Plane Components table.

Important:

Kindly upgrade Tanzu Service Mesh data plane version 5.0.3 to 5.0.5. The upgraded version (5.0.5) contains fixes for the Envoy OAuth vulnerability that became public on June 9, 2022. For more information, see CVE-2022-29226 Detail.

Table 3. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.10.4 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 5.0.2

Released December 15, 2021

Version 5.0.2 uses customer-required images that are available in public ECR. See component versions as outlined in the Data Plane Components table.

Table 4. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.10.4 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 5.0.1

Released October 11, 2021

Version 5.0.1 contains a fix that ensures cross-cluster traffic is properly displayed in the UI.

Note: GNS functionality requires that the Istio versions across multiple clusters be the same.

Table 5. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.10.4 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 5.0.0

Released October 11, 2021

Version 5.0.0 includes a new version of Istio, version 1.10.4. Istio 1.10.4 contains security updates, fixes for security vulnerabilities for Envoy, as well as improvements in traffic routing. This release retains Istio Telemetry V2 and Istio CoreDNS, which will be deprecated in future releases.

For details on the Istio 1.10 release and fixes included in Istio 1.10.4, see the Istio 1.10 release notes and Istio 1.10.4 release notes.

Note: GNS functionality requires that the Istio versions across multiple clusters be the same.

Tanzu Service Mesh 5.0.0 requires Kubernetes 1.18 or later. See the Data Plane Components table for component versions.

Table 6. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.10.4 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 4.5.0

Released October 11, 2021

Version 4.5.0 includes minor fixes, as well as configuration updates to support OpenShift Platform.

| Component | Version |
| --- | --- |
| Istio | 1.7.6 |
| Telegraf | 1.18.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 4.4.0

Released August 2, 2021

Version 4.4.0 features a new version of Istio, version 1.7.6. Istio 1.7.6 contains fixes for several issues that users of Tanzu Service Mesh can experience, including an issue that caused pods to fail to initialize after a restart of the worker nodes on a Kubernetes cluster.

For details of the fixes contained in Istio 1.7.6, see the Istio 1.7.6 release notes.

Table 7. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.7.6 |
| Telegraf | 1.17.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 4.3.0

Released June 28, 2021

Version 4.3.0 contains a new version of the Metrics proxy component, version 3.1.1. See the Data Plane Components table below.

Table 8. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.7.3 |
| Telegraf | 1.17.3 |
| Metrics proxy | 3.1.1 |

Tanzu Service Mesh 4.0.3

Released May 31, 2021

Version 4.0.3 contains a fix for an issue with the data plane upgrade command.

To upgrade a client cluster to a new version of data plane, the upgrade command running on the cluster tried to access the Istio GitHub repository for information about current versions. Because the client cluster could not access GitHub, the upgrade failed. The upgrade command was modified to not require access to GitHub during an upgrade process.

Table 9. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.7.3 |
| Telegraf | 1.17.3 |
| Metrics proxy | 2.1.2 |

Tanzu Service Mesh 4.0.2

Released April 1, 2021.

Starting from version 4.0.2, two instances of istiocoredns are now deployed during the Tanzu Service Mesh installation. This change is required for consistency with the PodDisruptionBudget, which is programmed for istiocoredns with one allowed disruption.

Table 10. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.7.3 |
| Telegraf | 1.17.3 |
| Metrics proxy | 2.1.2 |

Tanzu Service Mesh 4.0.1

Released March 16, 2021.

In version 4.0.1, the externalTrafficPolicy of the ingress gateway service was changed from Cluster to Local. This change helps preserve the source IP address of the client and avoid additional network hops for LoadBalancer and NodePort type services.

Tanzu Service Mesh 4.0.1 requires Kubernetes 1.16.0 or later and uses the following versions of the data plane components.

Table 11. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.7.3 |
| Telegraf | 1.9.0 |
| Metrics proxy | 1.0.2 |

Tanzu Service Mesh 4.0.0

Released December 10, 2020.

Tanzu Service Mesh 4.0.0 requires Kubernetes 1.16.0 or later.

Version 4.0.0 uses the following versions of the data plane components.

Table 12. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.7.3 |
| Telegraf | 1.9.0 |
| Metrics proxy | 1.0.2 |

Tanzu Service Mesh 3.0.0

Released December 10, 2020.

Tanzu Service Mesh 3.0.0 requires Kubernetes 1.15.0 or later.

Version 3.0.0 uses the following versions of the data plane components.

Table 13. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.6.9 |
| Telegraf | 1.9.0 |
| Metrics proxy | 1.0.2 |

Tanzu Service Mesh 2.0.0

Released May 13, 2020.

Tanzu Service Mesh 2.0.0 requires Kubernetes 1.13.0 or later.

Version 2.0.0 uses the following versions of the data plane components.

Table 14. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.4.7 |
| Telegraf | 1.9.0 |
| Metrics proxy | 1.0.2 |

Tanzu Service Mesh 1.0.0

Released December 9, 2019.

Tanzu Service Mesh 1.0.0 requires Kubernetes 1.12.0 or later.

Version 1.0.0 uses the following versions of the data plane components.

Table 15. Data Plane Components

| Component | Version |
| --- | --- |
| Istio | 1.3.8 |
| Telegraf | 1.9.0 |
| Metrics proxy | 1.0.2 |