Aspen Mesh Carrier-Grade 1.14.6-am6 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am5 and 1.14.6-am6.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version    Recommended Helm version
OpenShift    4.12       3.11

Istio proxy (Envoy) version

1.22

Security updates

Note

In addition to fixing the specific vulnerability listed below, this release fixes several vulnerabilities in the Go dependencies.

Istio

(No security updates)

Istio proxy (Envoy)

  • CVE-2023-44487 (CVSS score 7.5, High): HTTP/2 “Rapid Reset” DoS vulnerability.

Aspen Mesh features

(No security updates)

Other changes

Istio

(No changes)

Aspen Mesh features

  • ASM-4263: Fixed an issue where—in a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts—communication fails for some of the hosts when clients initiate communication over IPv6.

  • ASM-4265: Fixed an issue where, in a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.

  • ASM-4226: Added the ability to configure the number of aggregator pods to which Packet Inspector 1 filters distribute their captures. Increased the default value from 1 to 5 (the maximum is 10), which effectively improves load balancing among aggregator pods.

    To change the number of aggregator-pod connections, change the value of the connectionsPerThread field in the override values file for your Packet Inspector 1 filter instance. For example, to revert to the behavior in previous releases, change the value to 1.

  • ASM-4257: Added the ability to configure the Packet Inspector 1 filter HTTP/2 stream-window and connection-window (buffer) sizes for connections from the filter to the aggregator service. Reduced the default values of both window sizes from 268435456 to 33554432 to constrain memory growth of the proxy when the Packet Inspector 1 aggregator service is unhealthy. The minimum is 65535; the maximum is 2147483647.

    To change the window sizes, change the value of the initialStreamWindowSize and initialConnectionWindowSize fields in the override values file for your Packet Inspector 1 filter instance.
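The two override fields above (ASM-4226 and ASM-4257) bound how much capture data the proxy can hold toward the aggregator when the aggregator stops reading. The following Python check is an added example, not part of the Aspen Mesh charts or documentation: it validates a constructed override values document against the limits stated in these notes and computes an approximate worst-case buffered size. The field names come from the notes; the nesting under a top-level "filter" key, the minimum of 1 for connectionsPerThread, and the flow-control approximation (each HTTP/2 connection can hold at most its connection window of unacknowledged data) are assumptions of this example.

```python
"""Validate Packet Inspector 1 filter override values (added example).

Field names connectionsPerThread, initialStreamWindowSize and
initialConnectionWindowSize are from the release notes. Placing them under a
top-level "filter" key and the minimum of 1 for connectionsPerThread are
assumptions made for this example.
"""

# Limits and defaults stated in the release notes (ASM-4226 and ASM-4257).
CONNECTIONS_MIN, CONNECTIONS_MAX, CONNECTIONS_DEFAULT = 1, 10, 5  # minimum of 1 assumed
WINDOW_MIN, WINDOW_MAX, WINDOW_DEFAULT = 65535, 2147483647, 33554432
PREVIOUS_WINDOW_DEFAULT = 268435456        # default before this release
PREVIOUS_CONNECTIONS_DEFAULT = 1           # default before this release

# Constructed sample override values; not taken from any real installation.
SAMPLE_OVERRIDES = {
    "filter": {
        "connectionsPerThread": 5,
        "initialStreamWindowSize": 33554432,
        "initialConnectionWindowSize": 33554432,
    }
}


def validate_overrides(values: dict) -> list:
    """Return a list of problems; an empty list means the overrides are acceptable."""
    problems = []
    section = values.get("filter", {})

    conns = section.get("connectionsPerThread", CONNECTIONS_DEFAULT)
    if not isinstance(conns, int) or not CONNECTIONS_MIN <= conns <= CONNECTIONS_MAX:
        problems.append(
            f"connectionsPerThread={conns!r} must be an integer between "
            f"{CONNECTIONS_MIN} and {CONNECTIONS_MAX}"
        )

    for key in ("initialStreamWindowSize", "initialConnectionWindowSize"):
        size = section.get(key, WINDOW_DEFAULT)
        if not isinstance(size, int) or not WINDOW_MIN <= size <= WINDOW_MAX:
            problems.append(
                f"{key}={size!r} must be an integer between {WINDOW_MIN} and {WINDOW_MAX}"
            )
    return problems


def worst_case_buffered_bytes(values: dict, worker_threads: int = 1) -> int:
    """Approximate upper bound on unacknowledged capture bytes held toward the
    aggregator when it stops reading.

    Assumption: HTTP/2 flow control caps each connection at its connection
    window, so the bound is window * connections per thread * worker threads.
    """
    section = values.get("filter", {})
    conns = section.get("connectionsPerThread", CONNECTIONS_DEFAULT)
    window = section.get("initialConnectionWindowSize", WINDOW_DEFAULT)
    return window * conns * worker_threads


def previous_defaults_buffered_bytes(worker_threads: int = 1) -> int:
    """Same bound computed with the defaults that applied before this release."""
    return PREVIOUS_WINDOW_DEFAULT * PREVIOUS_CONNECTIONS_DEFAULT * worker_threads


if __name__ == "__main__":
    print("problems:", validate_overrides(SAMPLE_OVERRIDES))
    print("new-default bound per thread:", worst_case_buffered_bytes(SAMPLE_OVERRIDES))
    print("old-default bound per thread:", previous_defaults_buffered_bytes())
```

Under the stated assumptions the new defaults (5 connections, 32 MiB windows) bound the unacknowledged data at 160 MiB per worker thread, below the 256 MiB of the single 256 MiB-window connection used before; raising connectionsPerThread without also lowering the windows raises that bound again, which is worth checking before tuning either field.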

  • ASM-3732: For collecting metrics from the DNS controller and the Packet Inspector 1 aggregator, added service monitors that work with Prometheus Operator to allow you to configure Prometheus without writing scrape configurations.

    To enable and configure the service monitor for the DNS controller, change the following fields in the override values file for your DNS-controller instance:

    serviceMonitor:
      enabled: false
      interval: 30s

    To enable and configure the service monitor for the Packet Inspector 1 aggregator, change the following fields in the override values file for the Packet Inspector 1 aggregator:

    serviceMonitor:
      enabled: false
      interval: 30s

    The following service and pod monitors are also included (and are present in Aspen Mesh 1.11 and later):

    • istiod (service monitor)

    • Istio proxy (pod monitor) (collects metrics from the Istio proxies, including the Packet Inspector 1 and 2 filters)

    Learn how to install the istiod service monitor and the Istio-proxy pod monitor.

  • ASM-4250: Fixed an issue that caused the runOnMaster configuration option for the Packet Inspector 1 aggregator service to have no effect in OpenShift 4.12 and later. Changed the name of the configuration option from runOnMaster to runOnControlPlane, although the aggregator chart still honors the name runOnMaster.

  • ASM-4267: For Packet Inspector 1, added new label values to the aspenmesh_packet_inspector_total_duration_ms aggregator metric to assess the performance of the aggregator service.

  • ASM-4193: In Packet Inspector 1, reduced the default amount of memory allocated to the aggregator service’s circular buffer (daemonSetBufferMemoryPercent) to 30 percent.

  • ASM-4192: Fixed an issue that caused the Packet Inspector 1 aggregator service to run slowly when under load.

  • ASM-4191: Fixed a Packet Inspector 1 issue where malformed Diameter packets could cause the Istio proxy (Envoy) to crash. Malformed Diameter packets are now indicated by new filter metrics.

  • ASM-4185: In Packet Inspector 1, added Prometheus Go memory metrics for the aggregator service to facilitate memory tuning.

  • ASM-4190: Metrics Collector now scrapes the Packet Inspector 1 aggregator metrics by default (you don’t need to change the scrape configuration). Note that Metrics Collector is deprecated, which means it may be removed in a later release.

Known issues

(No known issues)

Download

Use either of the following methods to download the release archive file: