Aspen Mesh Carrier-Grade 1.14.6-am4 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am3 and 1.14.6-am4.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version   Recommended Helm version
OpenShift    4.12      3.11

Istio proxy (Envoy) version

1.22

Security updates

Istio

(No security updates)

Aspen Mesh features

(No security updates)

Other changes

Istio

(No changes)

Aspen Mesh features

  • ASM-3110: Added support for the Diameter protocol in Packet Inspector 2. Note that Diameter packet captures from ingress and egress gateways are not supported.

  • ASM-3357: Added a sample chart for a local-reply-modification filter, which does the following to facilitate debugging:

    • Customizes the local-reply behavior of the Envoy proxy as follows:

      • Doesn’t overwrite the server header

      • Customizes the network reply

    • Adds custom logging fields

    When the proxy generates a response itself instead of forwarding one from the upstream service (for example, because it can't reach the upstream for an HTTP request), that response is a local reply. A local reply typically has a 503 response code.

    In the Aspen Mesh release directory, the sample chart is located in the following directory:

    samples/aspenmesh/local-reply-mod

  • ASM-3784: For dual-stack ingress gateways, traffic will now be routed to an internal service regardless of whether the service supports the IP family of the request.

  • ASM-3583: In Packet Inspector 1, the istio-app field in the BSON payload is now populated by the value of the app.kubernetes.io/name or app pod label. If both labels exist, the istio-app field is populated by the value of the app.kubernetes.io/name label. If neither label exists, the istio-app field is not populated.

  • ASM-3854: In Packet Inspector 1, you can now choose between two methods for selecting an ephemeral-port number for an HTTP capture:

    • HASHED (new, default): Uses a hash of the trace ID header for every capture.

    • LEGACY (the only mode in earlier releases): Uses a random starting ephemeral-port number when the Envoy filter starts up and then increments by one for each subsequent capture.

    You can also specify the minimum and maximum ephemeral-port numbers, regardless of which method is used.

    To change the default settings for these options, include the following fields (from manifests/charts/packet-inspector-1-filter/values.yaml) in the override values file for a Packet Inspector 1 filter instance, set their values, and install the filter instance:

    • .portSelection.method

    • .portSelection.min

    • .portSelection.maxInclusive

  • ASM-3571: In Packet Inspector 1 Diameter BSON payloads, the application ID, hop-by-hop ID, and end-to-end ID were sometimes of type numberInt and sometimes of type numberLong. Now, they’re always of type numberLong.

  • ASM-3036: For carriers, added the ability to enable carrier-grade cipher suites to increase the security of the following types of traffic whose encryption is negotiated using TLS 1.2:

    • On-mesh traffic

    • Mesh-ingress traffic to ingress gateways whose TLS mode for the associated port (.spec.servers[].tls.mode) is set to SIMPLE or MUTUAL

    Learn how to enable carrier-grade cipher suites.

  • ASM-3847: Updated the carrierGradeExternalIstioMutualServiceEntriesForceAutoSNI option so it autopopulates the outgoing SNI from the proxy to an off-mesh service using the Layer 7 host authority when connecting to a server that meets all of the following criteria (the two marked (New) were added in this release):

    • (New) When the .spec.ports[].protocol field for a service entry is HTTP, GRPC, or HTTP2.

    • The server is listed as a host in a service entry whose .spec.location field is MESH_EXTERNAL.

    • (New) The server is the host in a destination rule whose .spec.trafficPolicy.tls.sni field begins with the wildcard prefix *. (for example, *.example.com).

    • The server is the host in a destination rule whose .spec.trafficPolicy.tls.mode field is ISTIO_MUTUAL.

    To change the default setting for this option, include the .global.carrierGradeExternalIstioMutualServiceEntriesForceAutoSNI field (from manifests/charts/istio-control/istio-discovery/values.yaml) in your Aspen Mesh override values file, set its value, and perform an installation or an upgrade of Aspen Mesh.

  • ASM-3234: Added configuration options to control the length of time between a leader DNS controller stopping (for example, during an upgrade or when the controller crashes) and a backup DNS controller becoming the leader.

    To change the default settings for these options, include the following fields (from manifests/charts/dns-controller/values.yaml) in the override values file for a DNS-controller instance, set their values, and install or upgrade the DNS-controller instance:

    • .leaderElectionLeaseDuration

    • .leaderElectionRenewalDeadline

    • .leaderElectionRetryPeriod

  • ASM-2888: Added the ability to non-persistently change the log level of a DNS-controller pod without restarting it.

  • ASM-3546: Added a configuration option to specify how many Istio CNI plugin (istio-cni) pods may be unavailable at any given time during an upgrade of the plugin, which occurs as part of an Aspen Mesh upgrade. You can specify either a number of pods or a percentage of the total number of pods that Kubernetes may upgrade simultaneously.

    To change the default setting for this option, include the .cni.rollingMaxUnavailable field (from manifests/charts/istio-cni/values.yaml) in the command to upgrade the Istio CNI plugin, as shown in the following examples:

    Example 1

    This command specifies that at most two Istio CNI plugin pods may be unavailable (that is, being upgraded) at any one time.

    $ helm upgrade istio-cni manifests/charts/istio-cni \
        --namespace kube-system \
        --set components.cni.enabled=true \
        --set cni.rollingMaxUnavailable=2
    

    Example 2

    This command specifies that at most five percent of the Istio CNI plugin pods may be unavailable at any one time.

    $ helm upgrade istio-cni manifests/charts/istio-cni \
        --namespace kube-system \
        --set components.cni.enabled=true \
        --set cni.rollingMaxUnavailable=5%
    
  • ASM-3885: Reduced the number of Envoy-proxy log messages emitted when capturing Diameter traffic.
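The following is an added example, not Aspen Mesh code, that models the two Packet Inspector 1 ephemeral-port selection methods described under ASM-3854 so the practical difference is visible: HASHED makes the port a pure function of the trace ID (repeatable across captures and across proxies configured with the same bounds), whereas LEGACY depends on per-proxy start-up state. The hash function, the trace-ID header name (x-b3-traceid), the default bounds and the wrap-around at maxInclusive are assumptions of this model; the release notes do not specify them.

```python
# Added example (not Aspen Mesh code): a model of the two ephemeral-port
# selection methods that ASM-3854 describes for Packet Inspector 1 HTTP
# captures. The hash function, the trace-ID header name, the default
# port bounds and the wrap-around behaviour are assumptions of this model.
import hashlib
import random

TRACE_ID_HEADER = "x-b3-traceid"  # assumption: the notes do not name the header


class PortSelector:
    """Picks an ephemeral port for each capture within [min, maxInclusive]."""

    def __init__(self, method="HASHED", min_port=32768, max_inclusive=60999):
        # Bounds are illustrative; set .portSelection.min / .maxInclusive in the
        # real chart. Both ends are inclusive, so the span is max - min + 1.
        if not 1 <= min_port <= max_inclusive <= 65535:
            raise ValueError("need 1 <= min <= maxInclusive <= 65535")
        if method not in ("HASHED", "LEGACY"):
            raise ValueError(f"unknown method {method!r}")
        self.method = method
        self.min_port = min_port
        self.max_inclusive = max_inclusive
        self.span = max_inclusive - min_port + 1
        # LEGACY: one random starting port chosen when the filter starts up.
        self._next_port = random.randint(min_port, max_inclusive)

    def select(self, headers):
        """Return the port for one capture; `headers` is the request header map."""
        if self.method == "HASHED":
            return self._hashed(headers)
        return self._legacy()

    def _hashed(self, headers):
        # Pure function of the trace ID: the same trace always maps to the
        # same port, on every proxy with the same bounds, with no state.
        trace_id = headers.get(TRACE_ID_HEADER)
        if trace_id is None:
            # The notes do not say what the filter does without a trace ID;
            # this model refuses rather than guess.
            raise KeyError(f"{TRACE_ID_HEADER} header missing")
        digest = hashlib.sha256(trace_id.encode()).digest()
        return self.min_port + int.from_bytes(digest[:8], "big") % self.span

    def _legacy(self):
        # Stateful: random start, then +1 per capture. Wrapping back to min
        # at maxInclusive is an assumption (the notes only say "increments").
        port = self._next_port
        self._next_port = self.min_port if port == self.max_inclusive else port + 1
        return port


def compare_methods(trace_id, captures=3):
    """Show the difference: HASHED repeats a port for the same trace ID,
    LEGACY hands out consecutive ports regardless of the trace ID."""
    hashed = PortSelector("HASHED", 40000, 40009)
    legacy = PortSelector("LEGACY", 40000, 40009)
    headers = {TRACE_ID_HEADER: trace_id}
    return (
        [hashed.select(headers) for _ in range(captures)],
        [legacy.select(headers) for _ in range(captures)],
    )


if __name__ == "__main__":
    # Constructed trace ID for the demonstration.
    print(compare_methods("463ac35c9f6413ad48485a3953bb6124"))
```

Note that with either method the usable range is only as wide as maxInclusive - min + 1, so a narrow range under HASHED means unrelated traces share ports, and a narrow range under LEGACY means ports are reused after that many captures.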
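To make the four ASM-3847 conditions concrete, the following added example (not Aspen Mesh code) encodes them as a single predicate over ServiceEntry and DestinationRule objects written as Python dicts that mirror the YAML, and runs it against constructed manifests for a MESH_EXTERNAL host. The host name, port numbers and resource names are constructed for the example; evaluating the protocol condition per declared port is this model's reading of ".spec.ports[].protocol". Remember that the .global.carrierGradeExternalIstioMutualServiceEntriesForceAutoSNI option itself must also be enabled in the Aspen Mesh override values file.

```python
# Added example (not Aspen Mesh code): the four ASM-3847 conditions as one
# predicate over ServiceEntry/DestinationRule objects (dicts mirroring YAML).
AUTO_SNI_PROTOCOLS = {"HTTP", "GRPC", "HTTP2"}


def auto_sni_applies(host, port, service_entries, destination_rules):
    """Return (applies, reasons): would the proxy autopopulate the SNI from
    the Layer 7 host authority for a connection to host:port?"""
    reasons = []

    # ServiceEntry side: the host is listed on a MESH_EXTERNAL entry and the
    # port is declared there with an HTTP, GRPC or HTTP2 protocol.
    se_match = [
        se for se in service_entries
        if se["kind"] == "ServiceEntry"
        and se["spec"].get("location") == "MESH_EXTERNAL"
        and host in se["spec"].get("hosts", [])
    ]
    if not se_match:
        reasons.append("no MESH_EXTERNAL ServiceEntry lists the host")
    else:
        ports = [
            p for se in se_match for p in se["spec"].get("ports", [])
            if p.get("number") == port
        ]
        if not ports:
            reasons.append(f"port {port} is not declared on the ServiceEntry")
        elif not any(p.get("protocol", "").upper() in AUTO_SNI_PROTOCOLS for p in ports):
            reasons.append(f"port {port} protocol is not HTTP, GRPC or HTTP2")

    # DestinationRule side: ISTIO_MUTUAL origination and a wildcard SNI prefix.
    tls_policies = [
        dr["spec"].get("trafficPolicy", {}).get("tls", {})
        for dr in destination_rules
        if dr["kind"] == "DestinationRule" and dr["spec"].get("host") == host
    ]
    if not tls_policies:
        reasons.append("no DestinationRule for the host")
    else:
        if not any(t.get("mode") == "ISTIO_MUTUAL" for t in tls_policies):
            reasons.append("DestinationRule tls.mode is not ISTIO_MUTUAL")
        if not any(str(t.get("sni", "")).startswith("*.") for t in tls_policies):
            reasons.append("DestinationRule tls.sni does not begin with '*.'")

    return (not reasons, reasons)


# Constructed sample manifests for the example (host and ports are invented).
SERVICE_ENTRY = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "ServiceEntry",
    "metadata": {"name": "api-example-com"},
    "spec": {
        "hosts": ["api.example.com"],
        "location": "MESH_EXTERNAL",
        "resolution": "DNS",
        "ports": [
            {"number": 8443, "name": "http-api", "protocol": "HTTP"},
            {"number": 5672, "name": "tcp-amqp", "protocol": "TCP"},
        ],
    },
}

DESTINATION_RULE = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "DestinationRule",
    "metadata": {"name": "api-example-com"},
    "spec": {
        "host": "api.example.com",
        "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL", "sni": "*.example.com"}},
    },
}


if __name__ == "__main__":
    for p in (8443, 5672):
        print(p, auto_sni_applies("api.example.com", p, [SERVICE_ENTRY], [DESTINATION_RULE]))
```

The TCP port on the same ServiceEntry is the case to watch: it shares the host and DestinationRule but fails the protocol condition, so the proxy does not autopopulate the SNI for it.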
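The three ASM-3234 DNS-controller options are not independent: a leader must give up before its lease expires, and it must have time for several renewal attempts before its deadline. The following added example (not Aspen Mesh code) checks an override values file against the constraints that the Kubernetes client-go leaderelection package enforces and estimates the worst-case handover window. It assumes the DNS controller uses that library (its field names match client-go's LeaseDuration, RenewDeadline and RetryPeriod), that the values are Go-style duration strings, and uses constructed sample values.

```python
# Added example (not Aspen Mesh code): checks the three ASM-3234 DNS-controller
# leader-election values against the constraints that the Kubernetes client-go
# leaderelection package enforces. Assumptions: the controller uses that
# library, the values are Go-style duration strings, and the sample values are
# constructed for this example.
import re

JITTER_FACTOR = 1.2  # client-go leaderelection.JitterFactor

_PART = re.compile(r"(\d+(?:\.\d+)?)(ms|s|m|h)")
_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_duration(text):
    """Parse a Go-style duration such as "15s", "500ms" or "1m30s" to seconds."""
    text = text.strip()
    parts = _PART.findall(text)
    # Reject anything that is not a clean sequence of number+unit pairs.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a duration: {text!r}")
    return sum(float(n) * _SECONDS[u] for n, u in parts)


def check_leader_election(values):
    """Return (ok, problems, failover_bound_seconds) for one override values file."""
    lease = parse_duration(values["leaderElectionLeaseDuration"])
    renew = parse_duration(values["leaderElectionRenewalDeadline"])
    retry = parse_duration(values["leaderElectionRetryPeriod"])
    problems = []
    if min(lease, renew, retry) <= 0:
        problems.append("all three durations must be greater than zero")
    # The leader stops acting at renewDeadline; that must happen before the
    # lease expires, or two controllers could believe they lead at once.
    if lease <= renew:
        problems.append("leaseDuration must be greater than renewDeadline")
    # client-go jitters each renewal attempt by up to JITTER_FACTOR x retryPeriod,
    # so the deadline must leave room for at least one jittered attempt.
    if renew <= retry * JITTER_FACTOR:
        problems.append("renewDeadline must be greater than retryPeriod * 1.2")
    # Worst case after the leader stops renewing: a standby may acquire the
    # lease only leaseDuration after it last saw the record change, and it
    # retries every (jittered) retryPeriod.
    failover_bound = lease + retry * JITTER_FACTOR
    return (not problems, problems, failover_bound)


# Constructed override values (the keys come from
# manifests/charts/dns-controller/values.yaml; the values are invented).
SAMPLE_VALUES = {
    "leaderElectionLeaseDuration": "15s",
    "leaderElectionRenewalDeadline": "10s",
    "leaderElectionRetryPeriod": "2s",
}


if __name__ == "__main__":
    print(check_leader_election(SAMPLE_VALUES))
```

A shorter lease shortens the handover after a leader crashes, but it also makes the controller renew more often and lose leadership sooner when the API server is slow, so tighten these values only as far as the cluster's API latency allows.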

Known issues

  • ASM-4192: The Packet Inspector 1 aggregator service sometimes runs slowly when under load.

  • ASM-4191: When using Packet Inspector 1, malformed Diameter packets can cause the Istio proxy (Envoy) to crash. A crash takes down the workload's whole sidecar, not just the one capture, so until this is fixed, a peer that can send Diameter traffic through a capturing proxy can disrupt that workload; limit Diameter capture to trusted peers.

  • ASM-4250: In OpenShift 4.12 and later, the runOnMaster configuration option for the Packet Inspector 1 aggregator service has no effect. When true, runOnMaster adds a toleration that overrides the node-role.kubernetes.io/master:NoSchedule taint on the control-plane node, allowing an aggregator pod to run on the control-plane node. In OpenShift 4.12 and later, the node-role.kubernetes.io/master:NoSchedule taint is replaced by the node-role.kubernetes.io/control-plane:NoSchedule taint, so the overriding toleration no longer works.

  • ASM-4263: In a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts, communication fails for some of the hosts when clients initiate communication over IPv6.

  • ASM-4265: In a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.

Download

Use either of the following methods to download the release archive file: