This release note describes what’s different between Solo builds of Istio versions 1.28.3 and 1.28.3-patch0.

Security Notice

When using peered global services in sidecar environments, the generated Envoy cluster configuration was missing the tlsMode: istio transport socket match, causing local sidecar-to-sidecar traffic to be sent as plaintext. In environments where strict mTLS was used, connectivity would break.
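One way to check a sidecar for the condition described above, as an added example that is not part of the Solo or Istio code base: it reads cluster JSON in the shape printed by `istioctl proxy-config cluster <pod> -o json` and lists outbound clusters that lack a tlsMode: istio transport socket match. The sample data, the helper names and the `.global.example` host suffix are constructed for illustration; substitute the suffix your peered global services use.

```python
import json

# Constructed sample in the shape of `istioctl proxy-config cluster <pod> -o json`,
# trimmed to the fields this check reads. Hostnames are placeholders.
SAMPLE = json.loads("""
[
  {"name": "outbound|80||reviews.default.svc.cluster.local",
   "transportSocketMatches": [
     {"name": "tlsMode-istio", "match": {"tlsMode": "istio"},
      "transportSocket": {"name": "envoy.transport_sockets.tls"}},
     {"name": "tlsMode-disabled", "match": {},
      "transportSocket": {"name": "envoy.transport_sockets.raw_buffer"}}]},
  {"name": "outbound|80||cart.shop.global.example"},
  {"name": "inbound|8080||"}
]
""")


def has_istio_tls_match(cluster):
    """True if a match on tlsMode: istio selects a TLS transport socket."""
    for m in cluster.get("transportSocketMatches", []):
        labels = m.get("match") or {}
        socket = (m.get("transportSocket") or {}).get("name", "")
        if labels.get("tlsMode") == "istio" and socket.endswith(".tls"):
            return True
    return False


def clusters_missing_istio_tls(clusters, host_suffix):
    """Names of outbound clusters for hosts ending in host_suffix that lack the match."""
    missing = []
    for c in clusters:
        parts = c.get("name", "").split("|")  # direction|port|subset|host
        if len(parts) == 4 and parts[0] == "outbound" and parts[3].endswith(host_suffix):
            if not has_istio_tls_match(c):
                missing.append(c["name"])
    return missing


if __name__ == "__main__":
    # host_suffix is an assumption; use the suffix of your global service hostnames.
    for name in clusters_missing_istio_tls(SAMPLE, ".global.example"):
        print("no tlsMode-istio transport socket match:", name)
```

The check only inspects `transportSocketMatches`, so a reported cluster is a prompt to review that cluster's full configuration rather than proof of plaintext traffic.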

General Changes

Solo Flavor Changes

  • Improved istioctl multicluster check to show gateway addresses, peer cluster addresses, and globally shared services.

  • Added ztunnel helm support for dnsPolicy and dnsConfig customization.

  • Fixed an issue where traffic was sent to pods peered for flat-network multi-cluster which were Not Ready or Terminating.

  • Fixed an issue in NodePort peering where a comma-delimited value for the solo annotation peering.solo.io/data-plane-service-type would prevent node workloads from being sent to peers.

  • Fixed an issue causing Envoy clusters for peered global services to not have the tlsMode-istio transport socket configured.

  • Fixed an issue in NodePort peering where the generated ServiceEntry and node WorkloadEntry resources failed to be cleaned up when the istio-remote gateway’s peering.solo.io/preferred-data-plane-service-type annotation was no longer set to “NodePort”.

  • Fixed an issue where the control plane did not immediately reconnect when the address in the istio-remote Gateway resource was updated.

  • Fixed an issue where node WorkloadEntry resources failed to be created when NodePort peering was enabled after the peer initially connected via a LoadBalancer for an extended period of time. Node events received before the NodePort ServiceEntry existed were eventually dropped and never re-processed once NodePort peering was enabled.

FIPS Flavor Changes

No changes in this section.