-------------------------------------------------------------------
Tue Jul 21 16:00:43 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Removed files/paths conflicting with those installed with istio images
  * Istio package is installed as part of istio-pilot-image
  * istio-pilot-image is derived from istio-base-image
  * istio-base-image installs ca-certificates which conflicts with the files here
  * Installation of ca-certificates is now the responsibility of base-image
  * Paths/files removed:
    * /etc/ssl/certs/ca-certificates.crt
    * /etc/ssl/certs/
    * /etc/ssl/

-------------------------------------------------------------------
Fri Jul  3 14:50:25 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Include /etc/ssl/certs/ca-certificates.crt in the rpm
  * Untar ca-certificates.tgz from the source and copy to the expected location
  * Requirement listed in https://github.com/SUSE/avant-garde/issues/1777  

-------------------------------------------------------------------
Fri Jul  3 09:06:19 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Include envoy template files in /etc/istio/proxy/
   * These template files are used if using istio with envoy-proxy
   * Requirement listed in https://github.com/SUSE/avant-garde/issues/1777 

-------------------------------------------------------------------
Wed Jun 17 05:00:22 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Adding /usr/bin/istio-iptables needed to run pilot-agent

-------------------------------------------------------------------
Mon Jun 15 07:08:11 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- moved back binaries to /usr/bin as best practice
- Corrected URL for istio repo and TAG

-------------------------------------------------------------------
Fri Jun  5 06:10:57 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Changed pilot-discovery and pilot-agent paths to /usr/local/bin

-------------------------------------------------------------------
Tue Jun  2 14:32:49 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Upgraded to istio 1.5.4 with build for pilot-agent and pilot-discovery 
  * Security Update (1.5.4):
    - ISTIO-SECURITY-2020-005 Denial of Service with Telemetry V2 enabled.
      * CVE-2020-10739: By sending a specially crafted packet, an attacker could
        trigger a Null Pointer Exception resulting in a Denial of Service. This
        could be sent to the ingress gateway or a sidecar
  * Changes:
    - 1.5.3:
      * Fixed the Helm installer to install Kiali using a dynamically generated
        signing key.
      * Fixed overlaying the generated Kubernetes resources for addon components
        with user-defined overlays (Issue 23048)
      * Fixed istio-sidecar.deb failing to start on Debian buster with iptables
        default nftables setting (Issue 23279)
      * Fixed the corresponding hash policy not being updated after the header name
        specified in DestinationRule.trafficPolicy.loadBalancer.consistentHash.httpHeaderName
        is changed (Issue 23434)
      * Fixed traffic routing when deployed in a namespace other than istio-system (Issue 23401)
    - 1.5.2:
      * Fixed Istiod deployment lacking label used by the matching PodDisruptionBudget (Issue 22267)
      * Fixed Custom Istio installation with istioctl not working using external charts (Issue 22368)
      * Fixed Panic in istio-init with GKE+COS and interceptionMode: TPROXY (Issue 22500)
      * Fixed Logging for validation by sending warnings to stdErr (Issue 22496)
      * Fixed Kiali not working when external Prometheus link used for the IstioOperator API (Issue 22510)
      * Fixed Istio agent should calculate grace period based on the cert TTL, not client-side
        settings (Issue 22226)
      * Fixed Incorrect error message referring to incorrect CLI option for the istioctl kube-inject
        command (Issue 22501)
      * Fixed IstioOperator validation of slice (Issue 21915)
      * Fixed Race condition caused by read/write of rootCert and rootCertExpireTime not always being
        protected (Issue 22627)
      * Fixed BlackHoleCluster HTTP metrics broken with Telemetry v2 (Issue 21385)
      * Fixed istio-init container failing when Istio CNI is enabled (Issue 22695)
      * Fixed istioctl does not set gateway name for multiple gateways (Issue 22703)
      * Fixed Unstable inbound bind address when configuring a sidecar ingress listener without bind
        address (Issue 22830)
      * Fixed Proxy pods for Istio 1.4 not showing up when upgrading from Istio 1.4 to 1.5 using
        default profile (Issue 22841)
      * Fixed PersistentVolumeClaim for Grafana not being created in the namespace specified in the
        IstioOperator spec (Issue 22835)
      * Fixed istio-sidecar-injector and istiod related pods crashing when applying new manifest
        through istioctl because alwaysInjectSelector and neverInjectSelector are not correctly
        indented in the istio-sidecar-injector config map (Issue 23027)
      * Fixed Prometheus scraping failing in CNI injected pods because the default
        excludeInboundPort configuration does not include port 15090 (Issue 23038)
      * Fixed Lightstep secret volume issue causing the bundled Prometheus to not install correctly
        with Istio operator (Issue 23078)
      * Fixed Avoid using host header to extract destination service name at gateway in default
        Telemetry V2 configuration.
      * Fixed Zipkin: Fix wrongly rendered timestamp value (Issue 22968)
      * Improved Add annotations for setting CPU/memory limits on sidecar (Issue 16126)
      * Improved Enable rewriteAppHTTPProbe annotation for liveness probe rewrite by default (Issue 10357)

-------------------------------------------------------------------
Wed Apr  1 07:00:52 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Added build for 1.5.1 with cilium-filters from branch
  github.com/cilium/istio (inject-cilium-filter-1.5.1)

-------------------------------------------------------------------
Tue Mar 31 03:31:17 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Update to version 1.5.1
  * Security Update:
    - ISTIO-SECURITY-2020-004 Istio uses a hard coded signing_key for Kiali.
      * CVE-2020-1764: Istio uses a default signing key to install Kiali. 
        This can allow an attacker with access to Kiali to bypass authentication
        and gain administrative privileges over Istio. In addition, another CVE
        is fixed in this release, described in the Kiali 1.15.1 release.
  * Changes:
    - Fixed an issue where Istio Operator instance deletion hangs for in-cluster operator (Issue 22280)
    - Fixed istioctl proxy-status should not list differences if just the order of the routes have changed (Issue 21709)
    - Fixed Incomplete support for array notation in "istioctl manifest apply --set" (Issue 20950)
    - Fixed Add possibility to add annotations to services in Kubernetes service spec (Issue 21995)
    - Fixed Enable setting ILB Gateway using istioctl (Issue 20033)
    - Fixed istioctl does not correctly set names on gateways (Issue 21938)
    - Fixed OpenID discovery does not work with beta request authentication policy (Issue 21954)
    - Fixed Issues related to shared control plane multicluster (Issue 22173)
    - Fixed Ingress port displaying target port instead of actual port (Issue 22125)
    - Fixed Issue where endpoints were being pruned automatically when installing the Istio Controller (Issue 21495)
    - Fixed Add istiod port to gateways for mesh expansion (Issue 22027)
    - Fixed Multicluster secret controller silently ignoring updates to secrets (Issue 18708)
    - Fixed Autoscaler for mixer-telemetry always being generated when deploying with istioctl or Helm (Issue 20935)
    - Fixed Prometheus certificate provisioning is broken (Issue 21843)
    - Fixed Segmentation fault in Pilot with beta mutual TLS (Issue 21816)
    - Fixed Operator status enumeration not being rendered as a string (Issue 21554)
    - Fixed in-cluster operator fails to install control plane after having deleted a prior control plane (Issue 21467)
    - Improved Add option to enable V8 runtime for telemetry V2 (Issue 21846)
    - Improved compatibility of Helm gateway chart (Issue 22295)
    - Improved operator by adding a Helm installation chart (Issue 21861)
    - Improved Support custom CA on istio-agent (Issue 22113)
    - Improved Add a flag that supports passing GCP metadata to STS (Issue 21904)

-------------------------------------------------------------------
Mon Mar 30 14:58:08 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

- Upgrade to version 1.5.0:
   * Traffic Management:
    - Improved performance of the ServiceEntry resource by avoiding unnecessary full pushes #19305
    - Improved Envoy sidecar readiness probe to more accurately determine readiness #18164.
    - Improved performance of Envoy proxy configuration updates via xDS by sending partial updates where possible #18354.
    - Added an option to configure locality load balancing settings for each targeted service via destination rule #18406.
    - Fixed an issue where pods crashing would trigger excessive Envoy proxy configuration pushes #18574.
    - Fixed issues with applications such as headless services to call themselves directly without going through Envoy proxy #19308.
    - Added detection of iptables failure when using Istio CNI #19534
    - Added consecutiveGatewayErrors and consecutive5xxErrors as outlier detection options within destination rule #19771.
    - Improved EnvoyFilter matching performance #19786
    - Added support for HTTP_PROXY protocol #19919.
    - Improved iptables setup to use iptables-restore by default #18847.
    - Improved Gateway performance by filtering unused clusters. This setting is disabled by default #20124.

   * Security:
    - Graduated SDS to stable and enabled by default. It provides identity provisioning for Istio Envoy proxies.
    - Added Beta authentication API. The new API separates peer (i.e. mutual TLS) and origin (JWT) authentication
      into PeerAuthentication and RequestAuthentication respectively. Both new APIs are workload-oriented, as
      opposed to service-oriented in alpha AuthenticationPolicy.
    - Added deny semantics and exclusion matching to Authorization Policy.
    - Graduated auto mutual TLS from alpha to beta. This feature is now enabled by default.
    - Improved SDS security by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, 
      which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
    - Improved Istio by including certificate provisioning functionality within istiod.
    - Added Support Kubernetes first-party-jwt as a fallback token for CSR authentication in clusters where third-party-jwt is not supported.
    - Added Support Istio CA and Kubernetes CA to provision certificates for the control plane, configurable via values.global.pilotCertProvider.
    - Added Istio Agent provisions a key and certificates for Prometheus.

   * Telemetry:
    - Added TCP protocol support for v2 telemetry.
    - Added gRPC response status code support in metrics/logs.
    - Added support for Istio Canonical Service.
    - Improved stability of v2 telemetry pipeline.
    - Added alpha-level support for configurability in v2 telemetry.
    - Added support for populating AWS platform metadata in Envoy node metadata.
    - Improved Stackdriver adapter for Mixer to support configurable flush intervals for tracing data.
    - Added support for a headless collector service to the Jaeger addon.
    - Fixed kubernetesenv adapter to provide proper support for pods that contain a dot in their name.
    - Improved the Fluentd adapter for Mixer to provide millisecond-resolution in exported timestamps.

   * Operator:
    - Replaced the alpha IstioControlPlane API with the new IstioOperator API to align with existing MeshConfig API.
    - Added istioctl operator init and istioctl operator remove commands.
    - Improved reconciliation speed with caching operator#667.

   * istioctl:
    - Graduated Istioctl Analyze out of experimental.
    - Added various analyzers: mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and policy deprecated analyzers.
    - Updated more validation rules for RequestAuthentication.

-------------------------------------------------------------------
Mon Feb 24 10:35:58 UTC 2020 - Fabian Vogt <fvogt@suse.com>

- Initial commit

