Release notes
Review summaries of the main changes in the Gloo 2.11 release.
Make sure that you review the breaking changes that were introduced in this release and the impact that they have on your current environment.
Introduction
The release notes include important installation changes and known issues. They also highlight ways that you can take advantage of new features or enhancements to improve your product usage.
For more information, see the following related resources:
- Changelog: A full list of changes, including the ability to compare previous patch and minor versions.
- Upgrade guide: Steps to upgrade from the previous minor version to the current version.
- Version reference: Information about Solo’s version support.
Breaking changes
Review details about the following breaking changes. To review when breaking changes were released, you can use the comparison feature of the changelog. The severity is intended as a guide to help you assess how much attention to pay to this area during the upgrade, but can vary depending on your environment.
High
Review severe changes that can impact production and require manual intervention.
- No high-severity changes are currently reported.
Medium
Review changes that might impact production and require manual intervention, but possibly not until the next version is released.
Istio debug endpoint namespace authorization
Upstream Istio (istio/istio#58925) adds namespace authorization to the port 15014 debug endpoints in versions 1.27.7, 1.28.4, and 1.29.0. Authorization is controlled by the ENABLE_DEBUG_ENDPOINT_AUTH environment variable, which is true by default. The system namespace (typically istio-system) is always authorized. However, non-system namespaces are restricted to only config_dump, ndsz, and edsz, and other endpoints such as /debug/syncz are not available to them. If you installed the Solo Enterprise for Istio management plane, this behavior can break the Gloo UI, because the UI pulls configuration from debug endpoints.
In the Solo distribution of Istio 1.29, the new DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES environment variable is added, which lets you allowlist namespaces so that trusted control plane components can still query debug endpoints. By default, the gloo-mesh namespace is allowlisted so that standard installations in the gloo-mesh namespace continue to work. If you run the UI in a namespace other than gloo-mesh, you must allow that namespace by listing it in the DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES environment variable of your istiod installation, in the env section of your Helm values. The variable accepts a comma-separated list of namespaces.
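A pre-upgrade check for the rules above, as an added example that is not code from the Gloo or Istio projects: it reads the env of an istiod Deployment and reports whether a caller namespace can reach a given debug endpoint. The mesh-ui namespace, the sample Deployment, and the two behaviors marked as assumptions in the comments are illustrative.

```python
import json

# Endpoints the page lists as still reachable from non-system namespaces.
OPEN_TO_ALL = {"config_dump", "ndsz", "edsz"}

def istiod_env(deployment):
    """Collect literal env values from every container in a Deployment object."""
    env = {}
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for item in container.get("env", []):
            if "value" in item:  # skip valueFrom references
                env[item["name"]] = item["value"]
    return env

def debug_allowed(env, caller_ns, endpoint, system_ns="istio-system"):
    """Apply the rules described above to one caller namespace and endpoint."""
    # Assumption: only the literal string "false" turns authorization off.
    if env.get("ENABLE_DEBUG_ENDPOINT_AUTH", "true").strip().lower() == "false":
        return True
    if caller_ns == system_ns:
        return True
    # Assumption: an explicit list replaces the gloo-mesh default.
    raw = env.get("DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES", "gloo-mesh")
    # Entries are compared exactly, so a stray space counts as a mismatch.
    if caller_ns in set(raw.split(",")):
        return True
    name = endpoint.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return name in OPEN_TO_ALL

# Constructed sample, shaped like `kubectl get deployment istiod -o json`.
SAMPLE = json.loads("""
{"metadata": {"name": "istiod", "namespace": "istio-system"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "discovery", "env": [
     {"name": "DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES",
      "value": "gloo-mesh,mesh-ui"}]}]}}}}
""")

if __name__ == "__main__":
    env = istiod_env(SAMPLE)
    for ns in ("gloo-mesh", "mesh-ui", "default"):
        for ep in ("/debug/syncz", "/debug/config_dump"):
            print(ns, ep, "allowed" if debug_allowed(env, ns, ep) else "denied")
```

To run it against a live cluster, replace SAMPLE with the JSON of your own istiod Deployment and pass the namespace where the Gloo UI runs.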
Low
Review informational updates that you might want to implement but that are unlikely to materially impact production.
- No low-severity changes are currently reported.
New known issues
No new known issues are currently reported.
New features
Review the following new features that are introduced in version 2.12 and that you can enable in your environment.
Istio 1.29 support
You can now run Gloo Mesh (Gloo Platform APIs) with Istio 1.29. Istio 1.24 is no longer supported. For more information, see the version support matrix, and the Solo distribution of Istio changelog for 1.29.
New features in the Solo distribution of Istio 1.29 include the following.
New public image repo for the Solo distribution of Istio
You can now get the Solo distribution of Istio images from the us-docker.pkg.dev/soloio-img/istio public image repo, and Helm charts from the us-docker.pkg.dev/soloio-img/istio-helm repo. Private repo keys are no longer required for versions 1.29 and later. However, to use the features enabled by these images, and to use distributions like -fips, you must still provide a valid license key. Contact your account representative to obtain a license.
For more information, see the Istio images built by Solo.io support article.
Feature changes
Review the following changes that might impact how you use certain features in your environment.
- No feature changes are currently reported.
Removed features
Removed support for Istio 1.24
Istio 1.24 is no longer supported with Gloo Mesh (Gloo Platform APIs) version 2.12. For more information, see the version support matrix.
Removal of the Istio lifecycle manager
The Istio lifecycle manager (ILM) feature is removed in version 2.12.
If you still use the Istio lifecycle manager:
- When upgrading to Gloo Mesh (Gloo Platform APIs) version 2.12, be sure to offboard from the Istio lifecycle manager first. You can change the way that you manage Istio by using either Helm or the Gloo Operator. To get started with an ambient mesh, see the Solo Enterprise for Istio docs. For sidecar meshes, see the sidecar installation guides, or for migration steps, see Migrate to the Gloo Operator from the Istio lifecycle manager.
- After you upgrade to version 2.12, any existing Istio resources that were generated by the Istio lifecycle manager remain, but Gloo Mesh (Gloo Platform APIs) no longer manages them.
- If you cannot offboard yet, continue to use Gloo Mesh (Gloo Platform APIs) version 2.11. Note that version 2.11 is supported until version 2.15 is released due to the n-5 Solo.io version support policy. However, keep in mind that you can continue to use the Istio lifecycle manager to upgrade to the latest patch updates for Istio 1.27 or earlier only.
Known issues
The Solo team fixes bugs, delivers new features, and makes changes on a regular basis as described in the changelog. Some issues, however, might impact many users for common use cases. These known issues are as follows:
- Cluster names: Do not use underscores (_) in the names of your clusters or in the kubeconfig context for your clusters.
- Istio:
  - If you use Istio versions 1.27.7, 1.28.4, 1.29.0 or later, and you installed the Gloo Mesh (Gloo Platform APIs) management plane into a namespace other than gloo-mesh, you must allow that namespace by listing it in the DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES environment variable of your istiod installation. For more information, see the release notes.
  - Patch versions 1.26.0 and 1.26.1 of the Solo distribution of Istio lack support for FIPS-tagged images and ztunnel outlier detection. When upgrading or installing 1.26, be sure to use patch version 1.26.1-patch0 and later only.
  - In the Solo distribution of Istio 1.25 and later, you can access enterprise-level features by passing your Solo license in the license.value or license.secretRef field of the Solo distribution of the istiod Helm chart. The Solo istiod Helm chart is strongly recommended due to the included safeguards, default settings, and upgrade handling to ensure a reliable and secure Istio deployment. Though it is not recommended, you can pass your license key in the open source istiod Helm chart by using the --set pilot.env.SOLO_LICENSE_KEY field.
  - Istio patch versions 1.25.1 and 1.24.4 contain an upstream certificate rotation bug in which requests with more than one trusted root certificate cannot be validated. If you use Gloo Mesh (Gloo Platform APIs) to manage root certificate rotation and use Istio 1.25 or 1.24, be sure to use 1.25.2 or 1.24.5 and later only.
  - Due to a lack of support for the Istio CNI and iptables for the Istio proxy, you cannot run Istio (and therefore Gloo Mesh (Gloo Platform APIs)) on AWS Fargate. For more information, see the Amazon EKS issue.
- OTel pipeline: FIPS-compliant builds are not currently supported for the OTel collector agent image.
- Route name and matcher changes: When performing a bulk update for the name or matchers of a route in a RouteTable resource, the translation of the Istio VirtualService and EnvoyFilter might take some time to complete, which can lead to policies temporarily not being applied to your routes. For more information about this issue and mitigation strategies, see Bulk route name and matcher updates.