Aspen Mesh Carrier-Grade 1.18.7-am1 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am7 and 1.18.7-am1.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version    Recommended Helm version
OpenShift    4.12       3.13
OpenShift    4.14       3.15

Istio proxy (Envoy) version

1.26

Security updates

Istio

(No security updates)

Note

The following Istio CVE was fixed between open source Istio 1.14.6 and 1.18.7 but had already been fixed in an earlier version of Aspen Mesh. We’ve included it here for completeness.

Istio proxy (Envoy)

(No security updates)

Note

The following Envoy CVEs were fixed between open source Istio 1.14.6 and 1.18.7 but had already been fixed in earlier versions of Aspen Mesh. We’ve included them here for completeness.

Aspen Mesh features

(No security updates)

Other changes

Istio

Note

This is the first Aspen Mesh release to use the open source Istio dual-stack-networking implementation instead of the proprietary Aspen Mesh implementation. The open source Istio dual-stack-networking implementation is currently considered experimental. Learn about the status of Istio features.

Key differences in behavior are as follows:

  • The open source Envoy dual-stack configuration uses approximately half as much memory as the proprietary Envoy dual-stack configuration.

  • In the open source implementation, Envoy is free to choose the IP family (IPv4 or IPv6) it uses to address a server. In the proprietary implementation, Envoy uses the same IP family as the client application.

  • In the open source implementation, Envoy treats IPv4 and IPv6 addresses for the same host as if they are different hosts, which leads to different load balancing behavior than in the proprietary implementation.

For more information about how these dual-stack-networking implementations differ, see the following:

  • ASM-4118: (Backport from open source Istio 1.20) Changed the way you configure the ingress gateway for dual-stack networking. Replaced the .global.ingressGatewayDualStack field with the following two fields, which allow more detailed configuration:

    • .gateways.istio-ingressgateway.ipFamilyPolicy

    • .gateways.istio-ingressgateway.ipFamilies

    Learn how to configure the ingress gateway for dual-stack networking.

  • ASM-4128: (Backport from open source Istio 1.20) For OpenShift, removed the need to add the anyuid security context constraint (SCC) to service accounts in the istio-system namespace and other namespaces in which automatic sidecar injection should occur. Also removed the need to add an istio-cni network-attachment definition to namespaces in which automatic sidecar injection should occur. When you install the Istio CNI plugin, it creates an istio-cni network-attachment definition in the default namespace that the sidecar-injection template references.

  • ASM-3884: (Backport from open source Istio 1.20) Fixed a dual-stack issue where, for on-mesh dual-stack services, istiod didn’t populate their corresponding Envoy routes with the nondefault IP-family address, which prevented communication with the services using the nondefault IP-family address.

  • ASM-4119: (Backport from open source Istio 1.20) Fixed a dual-stack issue where, if the cluster administrator configured the default IP family for the cluster as IPv6 instead of IPv4, ingress gateways wouldn’t start up.

  • ASM-4196: (Backport from open source Istio 1.20) Fixed a dual-stack issue that prevented Envoy from serving Prometheus metrics over IPv6.

  • ASM-4182: (Backport from open source Istio 1.20) Fixed a dual-stack issue where Envoy readiness probes failed when the cluster checked for readiness using the nondefault IP-family address.

  • ASM-4375: (Backport from open source Istio 1.20) Added the ability to optionally configure the IP family policy and IP family used by istiod. For example, if you add the following information to your Aspen Mesh override values file, istiod can communicate with Envoy over IPv4 and IPv6:

    pilot:
      ipFamilyPolicy: RequireDualStack
      ipFamilies:
      - IPv4
      - IPv6
    
  • ASM-4407: (Backport from open source Istio 1.20.1) Fixed an issue that prevented sidecar custom injection (per-pod customization of the sidecar injection template) from working on OpenShift.

  • Istio 1.18.7

  • Istio 1.18.6

  • Istio 1.18.5 (security updates only)

  • Istio 1.18.4 (not released)

  • Istio 1.18.3

  • Istio 1.18.2

  • Istio 1.18.1

  • Istio 1.18

  • Istio 1.17.8 (security updates only)

  • Istio 1.17.7 (not released)

  • Istio 1.17.6

  • Istio 1.17.5 (security updates only)

  • Istio 1.17.4

  • Istio 1.17.3

  • Istio 1.17.2

  • Istio 1.17.1

  • Istio 1.17

  • Istio 1.16.7 (security updates only)

  • Istio 1.16.6

  • Istio 1.16.5

  • Istio 1.16.4

  • Istio 1.16.3

  • Istio 1.16.2

  • Istio 1.16.1

  • Istio 1.16

  • Istio 1.15.7

  • Istio 1.15.6

  • Istio 1.15.5

  • Istio 1.15.4

  • Istio 1.15.3

  • Istio 1.15.2

  • Istio 1.15.1

  • Istio 1.15

Aspen Mesh features

  • ASM-4000: Aspen Mesh container images are now stored in the new Aspen Mesh artifact registry (an OCI-compliant registry) instead of the Aspen Mesh image registry.

    Important

    If you want to store the Aspen Mesh container images in a private artifact registry, that registry must also be OCI-compliant to accommodate the new way the container images are organized in the registry. For instructions and information on when you might want to store the Aspen Mesh container images in a private artifact registry, see Store Aspen Mesh container images in a private artifact registry. The related scripts have been updated to refer to the new registry, so this change is largely transparent.

  • ASM-4195: Added sample Grafana dashboards for the DNS controller, Packet Inspector 1, and Packet Inspector 2. Learn how to use the sample dashboards to observe metrics in Grafana for the following companion products and components:

  • ASM-4354: Changed the way you configure the keep-alive interval and timeout for istiod in your Aspen Mesh override values file. Instead of using the .pilot.keepaliveInterval and .pilot.keepaliveTimeout fields, you now specify the keep-alive interval and timeout via a list of options and values in the .pilot.extraContainerArgs field.

    Example

    pilot:
      extraContainerArgs:
        - --keepaliveInterval
        - "30s"
        - --keepaliveTimeout
        - "10s"
    

    Important

    The extraContainerArgs list in your Aspen Mesh override values file must include every option that appears in the extraContainerArgs list in the istiod chart (manifests/charts/istio-control/istio-discovery/values.yaml), even if you don’t want to override the default value for an option. Otherwise, your list replaces the chart’s list and contains only the options you specify. For any option not included in the list, Helm won’t pass the default value from the istiod chart to istiod, and istiod will use its hard-coded value.

  • ASM-4415: In Diameter packets captured by Packet Inspector 1, changed the value of the hop limit in IPv6 IP headers from 0 to 255, as specified in the IDD.

  • ASM-4406: The sample simpleserver service is now installed via Helm instead of kubectl.
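
The configuration changes in ASM-4118 and ASM-4354 can be checked in an override values file before upgrading. The following is an added example, not Aspen Mesh code: it flags the replaced fields and reports chart options that an override's extraContainerArgs list would drop. The chart defaults are constructed (--exampleOption is a placeholder), and it assumes the chart keeps its list under pilot.extraContainerArgs.

```python
# Added example: pre-upgrade check of an override values file (parsed to a dict).
# Fields the release notes say were replaced, mapped to their replacements.
REPLACED = {
    ("global", "ingressGatewayDualStack"):
        "gateways.istio-ingressgateway.ipFamilyPolicy and .ipFamilies",
    ("pilot", "keepaliveInterval"): "--keepaliveInterval in pilot.extraContainerArgs",
    ("pilot", "keepaliveTimeout"): "--keepaliveTimeout in pilot.extraContainerArgs",
}


def lookup(values, path):
    """Return the value at a key path, or None if any segment is absent."""
    for key in path:
        if not isinstance(values, dict) or key not in values:
            return None
        values = values[key]
    return values


def option_names(args):
    """Return the option names (items starting with '--') in an args list."""
    return [str(a).split("=", 1)[0] for a in args or [] if str(a).startswith("--")]


def check_override(override, chart_defaults):
    """Return findings for one override values dict."""
    findings = []
    for path, replacement in REPLACED.items():
        if lookup(override, path) is not None:
            findings.append(f"replaced field {'.'.join(path)}: use {replacement}")
    mine = lookup(override, ("pilot", "extraContainerArgs"))
    if mine is not None:
        # Helm replaces lists wholesale, so chart options absent here are dropped.
        have = set(option_names(mine))
        for opt in option_names(lookup(chart_defaults, ("pilot", "extraContainerArgs"))):
            if opt not in have:
                findings.append(f"extraContainerArgs drops chart option {opt}")
    return findings


# Constructed sample input; --exampleOption is a placeholder, not a real istiod flag.
CHART = {"pilot": {"extraContainerArgs": [
    "--keepaliveInterval", "30s", "--keepaliveTimeout", "10s", "--exampleOption", "1"]}}
OVERRIDE = {"global": {"ingressGatewayDualStack": True}, "pilot": {
    "keepaliveTimeout": "10s", "extraContainerArgs": ["--keepaliveInterval", "60s"]}}

if __name__ == "__main__":
    for finding in check_override(OVERRIDE, CHART):
        print(finding)
```

To run it against real files, load the override file and the chart's values.yaml with a YAML parser and pass the resulting dicts to check_override.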

Known issues

(No known issues)

Download

Use either of the following methods to download the release archive file: