This release note describes what’s different between Solo builds of Istio versions 1.27.5 and 1.27.5-patch0.

Security Notice

When using peered global services in sidecar environments, the generated Envoy cluster configuration was missing the tlsMode: istio transport socket match, causing local sidecar-to-sidecar traffic to be sent as plaintext. In environments where strict mTLS was used, connectivity would break.
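
A check for the condition described in this notice, added here as an example (it is not part of the release note or of Solo's code): it scans cluster JSON in the shape produced by istioctl proxy-config cluster <pod> -o json and lists outbound clusters under a given host suffix that have no tlsMode: istio transport socket match. The sample data, the hostnames and the .mesh.internal suffix are constructed assumptions.

```python
# Constructed sample shaped like `istioctl proxy-config cluster <pod> -o json` output.
# Hostnames and the ".mesh.internal" suffix are assumptions for illustration.
TLS = {"name": "envoy.transport_sockets.tls"}
RAW = {"name": "envoy.transport_sockets.raw_buffer"}
SAMPLE = [
    {"name": "outbound|80||cart.shop.mesh.internal",
     "transportSocketMatches": [
         {"name": "tlsMode-istio", "match": {"tlsMode": "istio"}, "transportSocket": TLS},
         {"name": "tlsMode-disabled", "match": {}, "transportSocket": RAW}]},
    {"name": "outbound|8080||orders.shop.mesh.internal"},   # no match: affected
    {"name": "outbound|443||pay.shop.mesh.internal",
     "transportSocket": TLS},                               # explicit cluster-level TLS
    {"name": "outbound|80||web.shop.svc.cluster.local"},    # outside the suffix
    {"name": "BlackHoleCluster"},                           # not a service cluster
]


def has_istio_tls_match(cluster):
    """True if a transport socket match keyed on tlsMode: istio is present."""
    return any(m.get("match", {}).get("tlsMode") == "istio"
               for m in cluster.get("transportSocketMatches", []))


def clusters_missing_mtls(clusters, host_suffix):
    """Names of outbound clusters under host_suffix that would send plaintext."""
    missing = []
    for c in clusters:
        parts = c.get("name", "").split("|")   # outbound|<port>|<subset>|<host>
        if len(parts) != 4 or parts[0] != "outbound":
            continue
        if not parts[3].endswith(host_suffix):
            continue
        # A cluster-level TLS socket means TLS is set explicitly; not this issue.
        if c.get("transportSocket", {}).get("name") == TLS["name"]:
            continue
        if not has_istio_tls_match(c):
            missing.append(c["name"])
    return missing


if __name__ == "__main__":
    import json
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name in clusters_missing_mtls(data, ".mesh.internal"):
        print("no tlsMode: istio match:", name)
```
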

General Changes

Solo Flavor Changes

  • Improved istioctl multicluster check to show gateway addresses, peer cluster addresses, and globally shared services.

  • Improved istioctl multicluster check by skipping the stale workload check unless flat-network is detected.

  • Added support to retry failed remote peer creation or updates when PEERING_AUTOMATIC_LOCAL_GATEWAY is enabled.

  • Fixed an issue where the remote peer did not have its address updated when PEERING_AUTOMATIC_LOCAL_GATEWAY is enabled.

  • Fixed an issue where istiod would generate invalid WorkloadEntry resources when remote services had unnamed ports.

  • Fixed east-west gateway TLS listeners showing an incorrect UnsupportedProtocol status when PILOT_ENABLE_ALPHA_GATEWAY_API was disabled.

  • Fixed an issue causing Envoy clusters for peered global services to not have the tlsMode-istio transport socket configured.

  • Fixed an issue where the control plane did not immediately reconnect when the address in the istio-remote Gateway resource was updated.

FIPS Flavor Changes

No changes in this section.