Aspen Mesh Carrier-Grade 1.14.6-am3 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am2 and 1.14.6-am3.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version    Recommended Helm version
OpenShift    4.12       3.11

Istio proxy (Envoy) version

1.22

Security updates

Istio

(No security updates)

Aspen Mesh features

(No security updates)

Other changes

Istio

(No changes)

Aspen Mesh features

  • ASM-3767: Fixed an issue where, in IPv4/IPv6 dual-stack mode, when non-dual-stack services are exposed via an ingress gateway, the gateway pods don’t become ready.

  • ASM-3821: Added the ability to autopopulate the outgoing SNI from the proxy to an off-mesh service using the Layer 7 host authority when connecting to a server that meets all of the following criteria:

    • The server is listed as a host in a service entry whose .spec.location field is MESH_EXTERNAL.

    • The server is the host in a destination rule whose .spec.trafficPolicy.tls.mode field is ISTIO_MUTUAL.

    To enable this feature, which is disabled by default, add the following field to your Aspen Mesh override values file and perform a clean installation or an upgrade of Aspen Mesh:

    global:
      carrierGradeExternalIstioMutualServiceEntriesForceAutoSNI: true
    
  • ASM-125: For HTTP requests, the Packet Inspector 1 aggregator now captures the client pod’s namespace name and stores it in the client-namespace field in .bson files.

  • ASM-3553: For Diameter requests and answers, the Packet Inspector 1 aggregator now captures the Diameter version and message length in .bson files.

Known issues

  • ASM-4192: The Packet Inspector 1 aggregator service sometimes runs slowly when under load.

  • ASM-4191: When using Packet Inspector 1, malformed Diameter packets can cause the Istio proxy (Envoy) to crash.

  • ASM-4250: In OpenShift 4.12 and later, the runOnMaster configuration option for the Packet Inspector 1 aggregator service has no effect. When true, runOnMaster adds a toleration that overrides the node-role.kubernetes.io/master:NoSchedule taint on the control-plane node, allowing an aggregator pod to run on the control-plane node. In OpenShift 4.12 and later, the node-role.kubernetes.io/master:NoSchedule taint is replaced by the node-role.kubernetes.io/control-plane:NoSchedule taint, so the overriding toleration no longer works.

  • ASM-4263: In a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts, communication fails for some of the hosts when clients initiate communication over IPv6.

  • ASM-4265: In a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.
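
The taint mismatch described in ASM-4250 can be reproduced with the standard Kubernetes toleration matching rules. The following is an added example, not Aspen Mesh code: the toleration shown is an assumed rendering of what runOnMaster adds, and the node taints are constructed from the two taint names given above.

```python
# Added example: Kubernetes taint/toleration matching applied to ASM-4250.
# Taint names come from the release note; everything else is constructed.

MASTER_TAINT = {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}
CONTROL_PLANE_TAINT = {"key": "node-role.kubernetes.io/control-plane",
                       "effect": "NoSchedule"}

# Assumption: runOnMaster renders a toleration equivalent to this one.
RUN_ON_MASTER_TOLERATION = {"key": "node-role.kubernetes.io/master",
                            "operator": "Exists", "effect": "NoSchedule"}


def tolerates(toleration, taint):
    """Return True if a single toleration matches a single taint."""
    # An empty toleration effect matches every taint effect.
    if toleration.get("effect") and toleration["effect"] != taint.get("effect"):
        return False
    operator = toleration.get("operator", "Equal")  # Equal is the default
    key = toleration.get("key", "")
    if not key:
        # API validation only allows an empty key with Exists (match all keys).
        return operator == "Exists"
    if key != taint.get("key"):
        return False
    if operator == "Exists":
        return True
    return toleration.get("value", "") == taint.get("value", "")


def blocking_taints(tolerations, node_taints):
    """Return the node taints that still keep the pod off the node."""
    hard = ("NoSchedule", "NoExecute")  # PreferNoSchedule never blocks
    return [t for t in node_taints
            if t.get("effect") in hard
            and not any(tolerates(tol, t) for tol in tolerations)]


if __name__ == "__main__":
    cases = (("node with master taint", [MASTER_TAINT]),
             ("node with control-plane taint", [CONTROL_PLANE_TAINT]))
    for label, taints in cases:
        left = blocking_taints([RUN_ON_MASTER_TOLERATION], taints)
        names = [f"{t['key']}:{t['effect']}" for t in left] or ["none"]
        print(f"{label}: untolerated taints = {', '.join(names)}")
```
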

Download

Use either of the following methods to download the release archive file: