This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Releases: openservicemesh/osm

v1.2.4

20 Apr 21:24
8265100

Notable Changes

  • Deprecate support for TLS v1.0 and TLS v1.1 for the Envoy proxy TLSMaxProtocolVersion option
  • Reduce minimum TLS version from v1.3 to v1.2 for the osm controller, verifier, and health servers
  • Support robust CRD conversion patching on upgrade to ensure reconciliation is controlled by the newer OSM version

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.3 and v1.2.4

Changelog

  • chore(release): bump version to v1.2.4 and update release notes (#5330) 8265100 (Jackie Elliott)
  • build(deps): bump github.com/docker/docker (#5315) (#5323) e156008 (Jackie Elliott)
  • Update addEventHandler return values eda8335 (jaellio)
  • build(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#5283) 2d9d8a9 (dependabot[bot])
  • [backport] build(deps): bump github.com/hashicorp/vault from 1.12.0 to 1.12.5 (#5305) 0024828 (Jackie Elliott)
  • [backport] build(deps): bump github.com/containerd/containerd from 1.6.6 to 1.6.18 (#5286) (#5304) 60285f9 (Jackie Elliott)
  • [backport] Add more robust CRD conversion patching (#5303) c55b7db (Jackie Elliott)
  • fix(): remove support for incompatible tls versions for envoy TLSMaxProtocolVersion (#5298) 00fd7e3 (Whitney Griffith)
  • fix(): reduce minimum tls version for osm controller, verifier, health (#5292) 1a9b067 (Whitney Griffith)

v1.1.4

20 Apr 21:15
5cc73b8

Notable Changes

  • Deprecate support for TLS v1.0 and TLS v1.1 for the Envoy proxy TLSMaxProtocolVersion option
  • Reduce minimum TLS version from v1.3 to v1.2 for the osm controller, verifier, and health servers
  • Support robust CRD conversion patching on upgrade to ensure reconciliation is controlled by the newer OSM version

Deprecation Notes

CRD Updates

No CRD changes between tags v1.1.3 and v1.1.4

Changelog

  • chore(release): bump version to v1.1.4 and update release notes (#5329) 5cc73b8 (Jackie Elliott)
  • [backport] build(deps): bump github.com/docker/docker (#5315) (#5325) f978473 (Jackie Elliott)
  • fix(): remove support for incompatible tls versions for envoy TLSMaxProtocolVersion (#5298) 784d680 (Whitney Griffith)
  • fix(): reduce minimum tls version for osm controller, verifier, health (#5292) 0582092 (Whitney Griffith)
  • Add more robust CRD conversion patching 8c6cdfd (Keith Mattix II)
  • Add shalier, keithmattix, and steeling as codeowners for v1.1 (#5319) 01f7fff (Jackie Elliott)

v1.2.3

14 Dec 23:49
899fdb8

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.2 and v1.2.3

Changelog

  • Release v1.2.3 368fda9 (Keith Mattix II)
  • bump version of go to 1.19 (#4972) 8ed34f8 (steeling)
  • Upgrade cert-manager to v1.10.0 (#5230) 56679ed (Keith Mattix II)
  • Add @shalier as CODEOWNERS (#5264) 7eefefe (Keith Mattix II)
  • Add @shalier as a codeowner maintainer (#5261) 9559491 (Thomas Stringer)
  • Move snehachhabria and draychev to emeritus status (#5260) 9f8e06a (Thomas Stringer)
  • Allow all headless services, not just those backed by Statefulsets with subdomains (#5250) 25c8e53 (Keith Mattix II)

v1.2.2

21 Oct 19:08
6815b67

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.1 and v1.2.2

Changelog

v1.1.3

20 Oct 21:42
5397803

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.1.2 and v1.1.3

Changelog

v1.2.1

07 Sep 00:12
76db0c6

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.0 and v1.2.1

Changelog

v1.1.2

06 Sep 23:42
cc859d5

Notable Changes

  • Remove crdconversion webhooks to fix circular dependency bug

Deprecation Notes

CRD Updates

No CRD changes between tags v1.1.1 and v1.1.2

Changelog

v1.2.0

20 Jul 21:58
893ff87

Notable changes

  • Custom trust domains (i.e. certificate CommonNames) are now supported
  • The authentication token used to configure the Hashicorp Vault certificate provider can now be passed in using a secretRef
  • Envoy has been updated to v1.22 and uses the envoyproxy/envoy-distroless image instead of the deprecated envoyproxy/envoy-alpine image.
    • This means that kubectl exec -c envoy ... -- sh will no longer work for the Envoy sidecar
  • Added support for Kubernetes 1.23 and 1.24
  • Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
  • Statefulsets and headless services have been fixed and work as expected

Breaking Changes

  • The following metrics no longer use the label common_name, because the common name's trust domain can rotate. Instead, 2 new labels, proxy_uuid and identity, have been added.
    • osm_proxy_response_send_success_count
    • osm_proxy_response_send_error_count
    • osm_proxy_xds_request_count
  • Support for Kubernetes 1.20 and 1.21 has been dropped
  • Multi-arch installation is supported by the Helm chart by customizing the affinity and nodeSelector fields
  • The root service in a TrafficSplit configuration must have a selector matching the pods backing the leaf services. The legacy behavior, where a root service without a selector matching the pods backing the leaf services is able to split traffic, has been removed.

CRD Updates

No CRD changes between tags v1.1.1 and v1.2.0

Changelog

  • chore(release): cut v1.2.0 (#4927) 893ff87 (Jon Huhn)
  • chore(release): add missing cherry picks (#4932) 4c832d1 (Jon Huhn)
  • fix: update v1.2 release notes (#4916) (#4918) 929c114 (Jackie Elliott)
  • demo/scripts: fix bookstore app label and container name (#4910) 9749020 (Shashank Ram)
  • [backport] traffic-split: update root service selector & targetPort usage (#4902) (#4905) f5f3603 (Shashank Ram)
  • Fix Contour helm chart (#4901) 951d403 (Keith Mattix II)
  • update release versions and image digests (#4886) d40f9b8 (steeling)
  • rename test files to include _test suffix (#4882) 3a7c924 (steeling)
  • Modify release notes (#4865) 84e2bf1 (Keith Mattix II)
  • Plumb trust domain through to helm chart (#4877) c0264ec (Keith Mattix II)
  • Add GitHub Action to require size and kind labels (#4876) 4da737e (Thomas Stringer)
  • ref: use binary flag to enable use of MeshRootCertificate (#4871) aa1abf1 (Jackie Elliott)
  • test((benchmark): add Golang benchmark test cases c7036e7 (Allen Leigh)
  • small cert related changes. (#4870) fa17242 (steeling)
  • Refactor Envoy bootstrap from BuildFromConfig() to Builder{}.Build() + health probe tests (#4858) 3bf989a (steeling)
  • Abstract webhook logic to prepare for rotating certificates (#4833) c8d7559 (steeling)
  • Ignore CODEOWNERS and OWNERS for CI (#4867) 2b7c781 (Thomas Stringer)
  • self-nominate steeling as a maintainer (#4824) 854edda (steeling)
  • Add @keithmattix as a codeowner maintainer (#4861) 9d5e442 (Thomas Stringer)
  • Don't allow envoy sidecar privilege escalation (#4860) 80de3bb (Keith Mattix II)
  • Fix MRC status (#4856) bb007fd (Keith Mattix II)
  • validator: validate HTTP rate limiting status code (#4857) 4a1b993 (Shashank Ram)
  • release-notes: add rate limiting to v1.2 notes (#4859) 9222555 (Shashank Ram)
  • Separate bootstrap building logic into the envoy/bootstrap package (#4838) 226ee64 (steeling)
  • Customize affinity, nodeSelectors and tolerations in values.yaml (#4842) 45b19ea (Shalier Xia)
  • fix: update configClient call and logging (#4854) d970b24 (Jackie Elliott)
  • feat(certs): get Vault token from Secret (#4753) baff85f (Jackie Elliott)
  • Fix flaky e2e tests (#4844) 4a3d57d (Keith Mattix II)
  • rate-limiting: add HTTP local rate limiting capability (#4846) f3966a3 (Shashank Ram)
  • install: use friendlier defaults for egress and permissive mode (#4837) 8fd236e (steeling)
  • Update Kubernetes version testing (#4836) 831f023 (Thomas Stringer)
  • envoy: update to latest version and fix typed proto usage (#4834) 08c646b (Shashank Ram)
  • fix(certs): update checkAndRotate to use current durations (#4800) 28b3238 (Jackie Elliott)
  • cli: Shows message for no meshes (#4738) 905005f (mudit singh)
  • Fix failing e2es with GinkgoRecover and resolve CVE-2022-28948 (#4832) 8da8732 (Jackie Elliott)
  • cert: Use MRCs on startup (#4816) 30885c9 (Keith Mattix II)
  • start with a clean slate for future multicluster work (#4805) e3700d6 (steeling)
  • feat(certs): use State for MeshRootCertificate status (#4812) 46b7165 (schristoff)
  • Leverage trust domain in issuing certs; remove TD from identity (#4782) 5ab34a3 (steeling)
  • doc: use lower case for "cloud native" (#4792) 8b1c3cc (mudit singh)
  • rate-limit: implement connection level local rate limiting (#4823) ac27868 (Shashank Ram)
  • cli: Improved error handling (#4808) 327b5b0 (mudit singh)
  • envoy/cds: add nil check for ConnectionSettings (#4821) a5b3716 (Shashank Ram)
  • ref(contributors): update contributor roles and requirements (#4776) 5ee33f3 (Shalier Xia)
  • envoy|catalog: use TrafficMatch to build inbound filter config (#4814) 3f72969 (Shashank Ram)
  • Resolve CVE-2022-31030 by upgrading containerd to v1.5.13 (#4813) c90f07a (Thomas Stringer)
  • (k8s/informers): use InformerCollection for other clients (#4804) 241e8ae (Keith Mattix II)
  • rate-limiting: plumb config into inbound policies (#4807) 7046cf2 (Shashank Ram)
  • Set (empty) trust domain on listener builder (#4802) 3061b05 (steeling)
  • rate-limiting: add spec to UpstreamTrafficSetting CRD (#4803) 76ff532 (Shashank Ram)
  • k8s/informers: centralize informers to simplify code (#4801) 47c06ab (Keith Mattix II)
  • docs(README): move support to a community support file (#4785) 914e8f3 (Zach Rhoads)
  • Remove unused code paths and switch the policy object to a policy builder (#4791) eb281e5 (steeling)
  • apis: add local rate limiting to UpstreamTrafficSetting (#4796) 1e73ba3 (Shashank Ram)
  • docs(contrib): add security.md (#4722) 0ba8d42 (schristoff)
  • Increase retry timeout cert-manager (#4795) 412fbcb (Niranjan Shankar)
  • ref(*): remove CN from *envoy.Proxy (#4773) c318b68 (steeling)
  • demo: Add scripts for Kafka demo (#4770) d3596c0 (Keith Mattix II)
  • ref(certs): mrc ca handling (#4781) 6045fb7 (Keith Mattix II)
  • feat(metrics): add osm_reconciliation_total metric (#4788) 7de17d7 (Jon Huhn)
  • fix(e2e): add openshift SCC zookeeper (#4787) dd5ec72 (Niranjan Shankar)
  • feat(certs): add trust domain to mesh root certificate (#4767) c24012f (steeling)
  • Decouple certificate common name from proxy registry (#4763) 436e24f (steeling)
  • test(*): add retry policy e2e (#4600) 28ed531 (Shalier Xia)
  • ref(ci): update actions/setup-go to v3 db71482 (Jon Huhn)
  • ref(ci): run tests/scenarios as unit tests 6c38317 (Jon Huhn)
  • Decouple certificate common name from various components (#4759) ae53c47 (steeling)
  • Fix CVE-2022-28948 by patching gopkg.in/yaml.v3 (#4771) 324a1a7 (Thomas Stringer)
  • ref(e2e): move k8s version test config to CI 5ec3e75 (Jon Huhn)
  • ref(ci): remove PR/push distinction in e2e tests f73b9af (Jon Huhn)
  • feat(certs): create MRC on install (#4747) 7ddd4d1 (Jackie Elliott)
  • remove unused code paths (#4758) 27ab5a7 (steeling)
  • Add root path ingress e2e test (#4756) 15f0a18 (Niranjan Shankar)
  • fix(vulnerability): patch runc security issue by upgrading to v1.1.2 (#4760) 21d3e60 (Thomas S...

v1.2.0-rc.1

12 Jul 19:43
d40f9b8
Pre-release

Notable changes

  • OSM certificate provider is now configured using the new CRD, MeshRootCertificate
    • Custom trust domains (i.e. certificate CommonNames) are now supported
  • The authentication token used to configure the Hashicorp Vault certificate provider can now be passed in using a secretRef
  • Along with root certificate rotation we support custom trust domains, as well as rotating to new trust domains with no downtime.
  • Envoy has been updated to v1.22 and uses the envoyproxy/envoy-distroless image instead of the deprecated envoyproxy/envoy-alpine image.
    • This means that kubectl exec -c envoy ... -- sh will no longer work for the Envoy sidecar
  • Added support for Kubernetes 1.23 and 1.24
  • Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
  • Statefulsets and headless services have been fixed and work as expected

Breaking Changes

  • The following metrics no longer use the label common_name, because the common name's trust domain can rotate. Instead, 2 new labels, proxy_uuid and identity, have been added.
    • osm_proxy_response_send_success_count
    • osm_proxy_response_send_error_count
    • osm_proxy_xds_request_count
  • Support for Kubernetes 1.20 and 1.21 has been dropped
  • Multi-arch installation is supported by the Helm chart by customizing the affinity and nodeSelector fields

CRD Updates

No CRD changes between tags v1.1.1 and v1.2.0-rc.1

Changelog

  • update release versions and image digests (#4886) d40f9b8 (steeling)
  • rename test files to include _test suffix (#4882) 3a7c924 (steeling)
  • Modify release notes (#4865) 84e2bf1 (Keith Mattix II)
  • Plumb trust domain through to helm chart (#4877) c0264ec (Keith Mattix II)
  • Add GitHub Action to require size and kind labels (#4876) 4da737e (Thomas Stringer)
  • ref: use binary flag to enable use of MeshRootCertificate (#4871) aa1abf1 (Jackie Elliott)
  • test((benchmark): add Golang benchmark test cases c7036e7 (Allen Leigh)
  • small cert related changes. (#4870) fa17242 (steeling)
  • Refactor Envoy bootstrap from BuildFromConfig() to Builder{}.Build() + health probe tests (#4858) 3bf989a (steeling)
  • Abstract webhook logic to prepare for rotating certificates (#4833) c8d7559 (steeling)
  • Ignore CODEOWNERS and OWNERS for CI (#4867) 2b7c781 (Thomas Stringer)
  • self-nominate steeling as a maintainer (#4824) 854edda (steeling)
  • Add @keithmattix as a codeowner maintainer (#4861) 9d5e442 (Thomas Stringer)
  • Don't allow envoy sidecar privilege escalation (#4860) 80de3bb (Keith Mattix II)
  • Fix MRC status (#4856) bb007fd (Keith Mattix II)
  • validator: validate HTTP rate limiting status code (#4857) 4a1b993 (Shashank Ram)
  • release-notes: add rate limiting to v1.2 notes (#4859) 9222555 (Shashank Ram)
  • Separate bootstrap building logic into the envoy/bootstrap package (#4838) 226ee64 (steeling)
  • Customize affinity, nodeSelectors and tolerations in values.yaml (#4842) 45b19ea (Shalier Xia)
  • fix: update configClient call and logging (#4854) d970b24 (Jackie Elliott)
  • feat(certs): get Vault token from Secret (#4753) baff85f (Jackie Elliott)
  • Fix flaky e2e tests (#4844) 4a3d57d (Keith Mattix II)
  • rate-limiting: add HTTP local rate limiting capability (#4846) f3966a3 (Shashank Ram)
  • install: use friendlier defaults for egress and permissive mode (#4837) 8fd236e (steeling)
  • Update Kubernetes version testing (#4836) 831f023 (Thomas Stringer)
  • envoy: update to latest version and fix typed proto usage (#4834) 08c646b (Shashank Ram)
  • fix(certs): update checkAndRotate to use current durations (#4800) 28b3238 (Jackie Elliott)
  • cli: Shows message for no meshes (#4738) 905005f (mudit singh)
  • Fix failing e2es with GinkgoRecover and resolve CVE-2022-28948 (#4832) 8da8732 (Jackie Elliott)
  • cert: Use MRCs on startup (#4816) 30885c9 (Keith Mattix II)
  • start with a clean slate for future multicluster work (#4805) e3700d6 (steeling)
  • feat(certs): use State for MeshRootCertificate status (#4812) 46b7165 (schristoff)
  • Leverage trust domain in issuing certs; remove TD from identity (#4782) 5ab34a3 (steeling)
  • doc: use lower case for "cloud native" (#4792) 8b1c3cc (mudit singh)
  • rate-limit: implement connection level local rate limiting (#4823) ac27868 (Shashank Ram)
  • cli: Improved error handling (#4808) 327b5b0 (mudit singh)
  • envoy/cds: add nil check for ConnectionSettings (#4821) a5b3716 (Shashank Ram)
  • ref(contributors): update contributor roles and requirements (#4776) 5ee33f3 (Shalier Xia)
  • envoy|catalog: use TrafficMatch to build inbound filter config (#4814) 3f72969 (Shashank Ram)
  • Resolve CVE-2022-31030 by upgrading containerd to v1.5.13 (#4813) c90f07a (Thomas Stringer)
  • (k8s/informers): use InformerCollection for other clients (#4804) 241e8ae (Keith Mattix II)
  • rate-limiting: plumb config into inbound policies (#4807) 7046cf2 (Shashank Ram)
  • Set (empty) trust domain on listener builder (#4802) 3061b05 (steeling)
  • rate-limiting: add spec to UpstreamTrafficSetting CRD (#4803) 76ff532 (Shashank Ram)
  • k8s/informers: centralize informers to simplify code (#4801) 47c06ab (Keith Mattix II)
  • docs(README): move support to a community support file (#4785) 914e8f3 (Zach Rhoads)
  • Remove unused code paths and switch the policy object to a policy builder (#4791) eb281e5 (steeling)
  • apis: add local rate limiting to UpstreamTrafficSetting (#4796) 1e73ba3 (Shashank Ram)
  • docs(contrib): add security.md (#4722) 0ba8d42 (schristoff)
  • Increase retry timeout cert-manager (#4795) 412fbcb (Niranjan Shankar)
  • ref(*): remove CN from *envoy.Proxy (#4773) c318b68 (steeling)
  • demo: Add scripts for Kafka demo (#4770) d3596c0 (Keith Mattix II)
  • ref(certs): mrc ca handling (#4781) 6045fb7 (Keith Mattix II)
  • feat(metrics): add osm_reconciliation_total metric (#4788) 7de17d7 (Jon Huhn)
  • fix(e2e): add openshift SCC zookeeper (#4787) dd5ec72 (Niranjan Shankar)
  • feat(certs): add trust domain to mesh root certificate (#4767) c24012f (steeling)
  • Decouple certificate common name from proxy registry (#4763) 436e24f (steeling)
  • test(*): add retry policy e2e (#4600) 28ed531 (Shalier Xia)
  • ref(ci): update actions/setup-go to v3 db71482 (Jon Huhn)
  • ref(ci): run tests/scenarios as unit tests 6c38317 (Jon Huhn)
  • Decouple certificate common name from various components (#4759) ae53c47 (steeling)
  • Fix CVE-2022-28948 by patching gopkg.in/yaml.v3 (#4771) 324a1a7 (Thomas Stringer)
  • ref(e2e): move k8s version test config to CI 5ec3e75 (Jon Huhn)
  • ref(ci): remove PR/push distinction in e2e tests f73b9af (Jon Huhn)
  • feat(certs): create MRC on install (#4747) 7ddd4d1 (Jackie Elliott)
  • remove unused code paths (#4758) 27ab5a7 (steeling)
  • Add root path ingress e2e test (#4756) 15f0a18 (Niranjan Shankar)
  • fix(vulnerability): patch runc security issue by upgrading to v1.1.2 (#4760) 21d3e60 (Thomas Stringer)
  • contrib: add guideline for design docs (#4757) a241cba (Shashank Ram)
  • feat(cert): cert rotation state management (#4743) ecc4e67 (steeling)
  • Feature/statefulsets: fix protocol detection for ports (#4752) 9b11d76 (Keith Mattix II)
  • remove head of line blocking from workerpool (#4648) d1ef8b1 (steeling)
  • cli/verifier: add control plane health probe checks (#4751) dd42d04 (Shashank Ram)
  • (feat/statefulsets): MeshService API changes for Headless Services (#4704) 0af42df (Keith Mattix ...

v1.1.1

10 May 16:14
407bbed

Notable changes

  • A new spec.sidecar.localProxyMode field in the MeshConfig API allows users
    to specify whether traffic from Envoy sidecars to application containers is
    redirected via 127.0.0.1 (the previous behavior and current default) or the
    Pod's IP address
  • A new spec.traffic.networkInterfaceExclusionList field in the MeshConfig API
    allows users to specify names of network interfaces on Pods that should not
    have traffic proxied through Envoy sidecars
  • The installed MeshConfig resource can now be updated with kubectl apply

Breaking changes

None

Deprecation notes

None

CRD Updates

No CRD changes between tags v1.1.0 and v1.1.1

Changelog

  • chore(release): cut v1.1.1 (#4728) 407bbed (Jon Huhn)
  • Release v1.1.1-rc.1 (#4720) 0171d84 (Keith Mattix II)
  • Fix e2e_client_server_connectivity_test noInstall (#4708) 2cb3ee9 (Niranjan Shankar)
  • pkg/injector: Enable podIP proxying via meshconfig setting (#4701) cbdcfe1 (Keith Mattix II)
  • add the last applied annotation to allow using kubectl apply on the mesh config (#4673) 868c132 (steeling)
  • feat(injector): add list of ignored network interfaces (#4700) 79eef29 (Jon Huhn)
  • config/meshConfig: New localProxyMode field (#4686) 5a29022 (Keith Mattix II)
  • Revert "config/meshConfig: New localProxyMode field (#4671)" (#4684) e9ae621 (Keith Mattix II)
  • config/meshConfig: New localProxyMode field (#4671) (#4680) 134d5e2 (steeling)
  • apis: add MeshRootCertificate API types (#4677) 1ca81b3 (Jackie Elliott)
  • fix(doc): update release guide (#4661) e26305c (Jon Huhn)
  • config/meshConfig: New localProxyMode field (#4671) 63786fd (Keith Mattix II)
  • fix: upgrade vulnerable library crypto (#4676) 6089ff7 (allenlsy)