Aspen Mesh Carrier-Grade 1.11.8-am1.2 release notes#

Introduction#

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.11.8-am1.1 and 1.11.8-am1.2.

Supported platforms#

This release is officially supported on these platforms and versions:

Platform     Version   Recommended Helm version
OpenShift    4.7       3.8

Istio proxy (Envoy) version#

1.19

Security updates#

Istio#

(No security updates)

Aspen Mesh features#

(No security updates)

Other changes#

Istio#

(No changes)

Aspen Mesh features#

  • TW-2919: Added support for the Diameter protocol in Packet Inspector 1. Note that Diameter packet captures from ingress and egress gateways are not supported.

  • TW-3285: Fixed an issue where the Packet Inspector 1 HTTP filter could cause a segmentation fault in the sidecar.

  • TW-3252: Added the ability to force the Packet Inspector 1 HTTP filter to drop messages when its write buffer to the aggregator service exceeds a limit. Enabling this feature can reduce the likelihood of Kubernetes killing sidecars because they’re out of memory. For the Diameter filter, this feature is always enabled and can’t be disabled.

    To enable this feature, add the .aspen-mesh-packet-inspector.enforceWriteBufferLimit field to your Aspen Mesh override values file, set its value to true, and then perform a clean installation or an upgrade of Aspen Mesh.

    Example

    aspen-mesh-packet-inspector:
      enforceWriteBufferLimit: true
    
  • TW-3373: When connecting to the analysis service (either the network analysis tool or the analysis emulator), the Packet Inspector 1 aggregator service now checks the analysis service’s certificate for a DNS-name SAN extension that matches the address of the analysis service. The DNS-name SAN extension that Citadel adds to the analysis service’s certificate is a fully qualified domain name (FQDN) based on the analysis service’s service-account name; however, the address of the analysis service is based on the analysis service’s service name. To make sure the check is successful, you must do the following:

    • Use an FQDN when you specify the address for the analysis service (.aspen-mesh-packet-inspector.analysis.address) in your Aspen Mesh override values file.

    • Use the same name for the network analysis tool’s service and service account.

    You can use the following command to determine the DNS-name SAN extension that Citadel added to the analysis service’s certificate:

    $ kubectl get secret --namespace <analysisServiceNamespaceName> \
        istio.<analysisServiceServiceAccountName> \
        -o jsonpath='{.data.cert}' | base64 --decode | \
        openssl x509 -noout -text | grep "DNS:"
    
  • AM48: Modified the Packet Inspector 1 aggregator service and filter to specify the sequence of captures and indicate the end of sequence for a transaction.
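
A preflight check for the TW-3373 requirement, added here as an example and not part of Aspen Mesh: it takes the analysis address from the override values and the DNS: line printed by the kubectl/openssl command above, and reports whether the aggregator's SAN match will succeed. The SAN line, the namespace pi and the service-account name analysis-sa are constructed sample values.

```python
"""Preflight check for the TW-3373 SAN verification (added example, not Aspen Mesh code)."""


def dns_name_matches(san: str, host: str) -> bool:
    """Compare one DNS-name SAN with a host name the way TLS clients do:
    case-insensitive, trailing dot ignored, wildcard allowed only in the
    left-most label, where it must not match an empty label or cross a dot."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return host_labels[0] != "" and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def parse_dns_sans(openssl_san_line: str) -> list[str]:
    """Pull the DNS names out of the 'DNS:' line that the kubectl | openssl
    command prints (other SAN types such as URI: are ignored)."""
    entries = [e.strip() for e in openssl_san_line.split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def check_analysis_address(values: dict, openssl_san_line: str) -> tuple[bool, str]:
    """Validate .aspen-mesh-packet-inspector.analysis.address from an override
    values file (already loaded into a dict) against the certificate's DNS SANs.
    Returns (ok, reason)."""
    address = values.get("aspen-mesh-packet-inspector", {}).get("analysis", {}).get("address", "")
    host = address.rsplit(":", 1)[0]  # tolerate an optional :port suffix
    if not host:
        return False, "analysis.address is not set"
    if "." not in host:
        return False, f"'{host}' is not an FQDN, so it can never equal the SAN"
    sans = parse_dns_sans(openssl_san_line)
    for san in sans:
        if dns_name_matches(san, host):
            return True, f"'{host}' matches DNS SAN '{san}'"
    # Typical cause: the Service is named differently from its ServiceAccount.
    return False, f"'{host}' matches none of the DNS SANs {sans}"


# Constructed sample: the SAN line for a service account named "analysis-sa"
# in namespace "pi", in the format openssl x509 -text prints it.
SAN_LINE = "    DNS:analysis-sa.pi.svc.cluster.local, URI:spiffe://cluster.local/ns/pi/sa/analysis-sa"


def values_with_address(address: str) -> dict:
    """Build the override-values structure that holds the analysis address."""
    return {"aspen-mesh-packet-inspector": {"analysis": {"address": address}}}


if __name__ == "__main__":
    for addr in ("analysis.pi.svc.cluster.local:8080", "analysis-sa", "analysis-sa.pi.svc.cluster.local"):
        print(addr, "->", check_analysis_address(values_with_address(addr), SAN_LINE))
```

Only the third address passes: the first uses the Service name rather than the ServiceAccount name, and the second is not an FQDN.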

Known issues#

  • AM-3069: OpenShift clusters using either the Multi-Primary or the Multi-Primary on different networks configuration for multicluster connectivity fail to create the remote secret with the following error:

    $ istioctl x create-remote-secret --name=cluster1
    
    error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
    
  • AM-3547: Pods with Istio sidecars get evicted when a node runs low on storage because they don’t request ephemeral storage.

  • ASM-4136: The Packet Inspector 1 aggregator service sometimes runs slowly when under load.

  • ASM-4162: When using Packet Inspector 1, malformed Diameter packets can cause the Istio proxy (Envoy) to crash.

  • ASM-4138: Packet Inspector 1 attempts to capture Diameter packets from ingress and egress gateways, even though Diameter packet capture from gateways is not supported.

Download#

Use either of the following methods to download the release archive file: