Aspen Mesh Carrier-Grade 1.14.6-am1 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.5-am1 and 1.14.6-am1.

Supported platforms

This release is officially supported on these platforms and versions:

| Platform  | Version | Recommended Helm version |
|-----------|---------|--------------------------|
| OpenShift | 4.12    | 3.11                     |

Istio proxy (Envoy) version

1.22

Security updates

Istio

(No security updates)

Istio proxy (Envoy)

  • CVE-2023-0286 (CVSS score 9.1, High): Type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. F5, in consultation with the Istio community, has verified that the affected code is never executed when the Istio proxy (Envoy) is used by Aspen Mesh.

Aspen Mesh features

(No security updates)

Other changes

Istio

  • Istio 1.14.6

  • TW-3093: Fixed an issue where the Aspen Mesh control plane (istiod) accepted an Istio service entry with DNS_ROUND_ROBIN resolution and more than one endpoint (or multiple DNS_ROUND_ROBIN-resolution service entries for the same host), even though this is an invalid Istio proxy (Envoy) configuration that prevents the proxies from starting. The control plane now rejects this configuration, so correct any such service entries before upgrading. Note that DNS_ROUND_ROBIN resolution in Istio corresponds to LOGICAL_DNS resolution in Envoy, which accepts only a single endpoint. (This fix was backported from Istio 1.16 and is not included in open source Istio 1.14.6.)
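The rule that TW-3093 enforces can be checked before an upgrade. The following script is an added example, not Aspen Mesh or Istio code: it reads the JSON that kubectl get serviceentries -A -o json prints and reports both conditions the note describes (a DNS_ROUND_ROBIN service entry with more than one endpoint, and a host served by more than one DNS_ROUND_ROBIN service entry). The embedded sample input is constructed; its hosts and names are not real.

```python
"""Audit ServiceEntries for the configuration that TW-3093 now rejects.

Added example (not Aspen Mesh or Istio code). Input is the JSON printed by
`kubectl get serviceentries -A -o json`. Reported:
  * a DNS_ROUND_ROBIN ServiceEntry with more than one endpoint, and
  * a host served by more than one DNS_ROUND_ROBIN ServiceEntry.
"""
import json
import sys
from collections import defaultdict


def audit_service_entries(se_list):
    """Return one finding string per violation; an empty list means clean."""
    findings = []
    rr_entries_by_host = defaultdict(list)   # host -> ["namespace/name", ...]
    for item in se_list.get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        spec = item.get("spec", {})
        if spec.get("resolution") != "DNS_ROUND_ROBIN":
            continue                          # DNS/STATIC/NONE are not affected
        endpoints = spec.get("endpoints") or []
        if len(endpoints) > 1:
            findings.append(
                f"{ref}: DNS_ROUND_ROBIN with {len(endpoints)} endpoints; "
                "Envoy LOGICAL_DNS allows a single endpoint, so keep one "
                "endpoint or switch to resolution DNS")
        for host in spec.get("hosts", []):
            rr_entries_by_host[host].append(ref)
    # Istio merges ServiceEntries for the same host, so check across namespaces.
    for host, refs in sorted(rr_entries_by_host.items()):
        if len(refs) > 1:
            findings.append(
                f"host {host}: {len(refs)} DNS_ROUND_ROBIN ServiceEntries "
                f"({', '.join(refs)}); merge them into one")
    return findings


def audit_json(text):
    """Convenience wrapper: audit raw `kubectl ... -o json` output."""
    return audit_service_entries(json.loads(text))


# Constructed sample in the shape kubectl prints (hosts and names are made up).
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "ext-api"},
     "spec": {"hosts": ["api.example.com"], "resolution": "DNS_ROUND_ROBIN",
              "endpoints": [{"address": "api.example.com"}]}},          # valid
    {"metadata": {"namespace": "default", "name": "ext-db"},
     "spec": {"hosts": ["db.example.com"], "resolution": "DNS_ROUND_ROBIN",
              "endpoints": [{"address": "db1.example.com"},
                            {"address": "db2.example.com"}]}},          # rejected
    {"metadata": {"namespace": "payments", "name": "ext-api-dup"},
     "spec": {"hosts": ["api.example.com"], "resolution": "DNS_ROUND_ROBIN",
              "endpoints": [{"address": "api.example.com"}]}},          # dup host
    {"metadata": {"namespace": "default", "name": "ext-cache"},
     "spec": {"hosts": ["cache.example.com"], "resolution": "DNS",
              "endpoints": [{"address": "cache1.example.com"},
                            {"address": "cache2.example.com"}]}},       # fine
]})

if __name__ == "__main__":
    # Usage: kubectl get serviceentries -A -o json | python3 se_audit.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    problems = audit_json(source)
    print("\n".join(problems) or "no DNS_ROUND_ROBIN violations found")
    sys.exit(1 if problems else 0)
```

Run with no input to see the constructed sample evaluated; the exit status is non-zero when a violation is found so the script can gate an upgrade pipeline.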

Aspen Mesh features

  • TW-3109: Added support for the Diameter protocol in Packet Inspector 1. Note that Diameter packet captures from ingress and egress gateways are not supported.

  • TW-3135: Fixed an issue where match_criteria overrides were not being honored by the Packet Inspector 1 filter.

  • TW-3252: The Packet Inspector 1 HTTP filter now drops messages when its write buffer to the aggregator service exceeds a limit. This can reduce the likelihood of Kubernetes killing sidecars because they’re out of memory.

  • TW-3285: Fixed an issue where the Packet Inspector 1 HTTP filter could cause a segmentation fault in the sidecar.

  • TW-3062: Fixed an issue where Packet Inspector 1 packet captures could be lost (due to an arbitrarily low default request timeout value for streams between sidecar proxies and the aggregator service) by eliminating the request timeout altogether. The .requestTimeout field (in the override values file for the Packet Inspector 1 filter instance) that was used to work around this issue no longer has any effect and can be removed.

  • TW-2868: Added the ability to enable automatic Subject Alternative Name (SAN) validation via Helm values. When both settings are enabled, a sidecar that originates TLS through a DestinationRule that does not set subjectAltNames verifies the upstream server certificate against the destination host (the request's Host/authority header) and sets SNI to that host automatically. SAN validation is disabled by default; once it is on, connections to servers whose certificates do not match the host fail, so test it outside production first. To enable it, add the following fields to your Aspen Mesh override values file and perform a clean installation or an upgrade of Aspen Mesh:

    global:
      enableAutoSni: true
      enableVerifyCertAtClient: true
    
  • TW-3373: When connecting to the analysis service (either the network analysis tool or the analysis emulator), the Packet Inspector 1 aggregator service now checks the analysis service’s certificate for a DNS-name SAN extension that matches the address of the analysis service. The DNS-name SAN extension that Citadel adds to the analysis service’s certificate is a fully qualified domain name (FQDN) based on the analysis service’s service-account name; however, the address of the analysis service is based on the analysis service’s service name. To make sure the check is successful, you must do the following:

    • Use an FQDN when you specify the address for the analysis service (.aspen-mesh-packet-inspector.analysis.address) in the override values file for the Packet Inspector 1 aggregator.

    • Use the same name for the network analysis tool’s service and service account.

    You can use the following command to determine the DNS-name SAN extension that Citadel added to the analysis service’s certificate (base64 -D is the macOS form; on Linux use base64 -d):

    $ kubectl get secret --namespace <analysisServiceNamespaceName> \
        istio.<analysisServiceServiceAccountName> \
        -o jsonpath='{.data.cert}' | base64 -D | \
        openssl x509 -noout -text | grep "DNS:"
    
  • TW-3100: Fixed the script for logging in to the Aspen Mesh image registry (tools/aspen-mesh-image-registry-login.sh) so it refers to the correct location for the pull secret.

  • AM-3069: Fixed an issue where, as a result of a change in OpenShift 4.11, OpenShift clusters using either the multi-primary or the multi-primary on different networks configuration for multicluster connectivity failed to create the remote secret.
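The three conditions that TW-3373 sets out for the analysis service (an FQDN address, a matching DNS-name SAN, and a service name equal to the service-account name) can be checked from the output of the kubectl/openssl command shown above. The following script is an added example, not Aspen Mesh code. It assumes the address is written as host or host:port and that the FQDN takes the usual Kubernetes form <service>.<namespace>.svc.cluster.local; the embedded certificate text is a constructed excerpt, not a real certificate.

```python
"""Check that the Packet Inspector 1 aggregator's SAN verification of the
analysis service (TW-3373) will succeed.

Added example, not Aspen Mesh code. Feed it the text that
`openssl x509 -noout -text` prints for the analysis service's certificate.
Assumptions: the address is host or host:port, and the FQDN has the form
<service>.<namespace>.svc.cluster.local.
"""
import re

_DNS_SAN = re.compile(r"DNS:([^,\s]+)")


def dns_sans_from_openssl_text(text):
    """Return the DNS-name SANs listed in `openssl x509 -noout -text` output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # openssl prints the SAN values on the line after the extension name
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            return _DNS_SAN.findall(lines[i + 1])
    return []


def check_analysis_address(address, dns_sans, service_account):
    """Return the reasons the aggregator's SAN check would fail (empty = OK)."""
    problems = []
    host = address.split(":")[0]            # assumed host or host:port
    service = host.split(".")[0]            # first label is the service name
    if "." not in host:
        problems.append(f"address {address!r} is not an FQDN; "
                        "use <service>.<namespace>.svc.cluster.local")
    if host not in dns_sans:                # exact match, no wildcard handling
        problems.append(f"no DNS SAN equals {host!r}; certificate lists "
                        f"{dns_sans or 'no DNS SANs'}")
    if service != service_account:
        problems.append(f"service name {service!r} differs from service "
                        f"account {service_account!r}; Citadel names the SAN "
                        "after the service account")
    return problems


# Constructed excerpt of what openssl prints for the analysis service's
# certificate (the certificate itself is not real).
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:network-analysis.analysis.svc.cluster.local, URI:spiffe://cluster.local/ns/analysis/sa/network-analysis
"""

if __name__ == "__main__":
    sans = dns_sans_from_openssl_text(SAMPLE_OPENSSL_TEXT)
    for addr in ("network-analysis.analysis.svc.cluster.local:9000",
                 "network-analysis",
                 "analysis-tool.analysis.svc.cluster.local"):
        issues = check_analysis_address(addr, sans, "network-analysis")
        print(addr, "->", "OK" if not issues else "; ".join(issues))
```

To check a live cluster, pipe the output of the kubectl/openssl command (without the trailing grep) into dns_sans_from_openssl_text and pass the value of .aspen-mesh-packet-inspector.analysis.address from your aggregator override values file as the address.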

Known issues

  • ASM-3695: When using Multus CNI and the Istio CNI plugin, Aspen Mesh overwrites existing pod annotations during sidecar injection.

  • ASM-3699: When Aspen Mesh is in IPv4/IPv6 dual-stack mode on a dual-stack cluster, applications can’t reach hosts defined in service entries.

  • ASM-3767: In IPv4/IPv6 dual-stack mode, when non-dual-stack services are exposed via an ingress gateway, the gateway pods don’t become ready.

  • ASM-4192: The Packet Inspector 1 aggregator service sometimes runs slowly when under load.

  • ASM-4191: When using Packet Inspector 1, malformed Diameter packets can cause the Istio proxy (Envoy) to crash. Because the crash takes down the sidecar, treat this as a denial-of-service exposure for workloads that accept Diameter traffic from peers you do not control.

  • ASM-4250: In OpenShift 4.12 and later, the runOnMaster configuration option for the Packet Inspector 1 aggregator service has no effect. When true, runOnMaster adds a toleration for the node-role.kubernetes.io/master:NoSchedule taint so that an aggregator pod can be scheduled on a control-plane node. OpenShift 4.12 and later taint control-plane nodes with node-role.kubernetes.io/control-plane:NoSchedule instead, which that toleration does not cover, so the pod is not scheduled there.

  • ASM-4263: In a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts, communication fails for some of the hosts when clients initiate communication over IPv6.

  • ASM-4265: In a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.

Download

Use either of the following methods to download the release archive file: