
1.30.0


Solo build of Istio version 1.30.0 minor release.

This release note describes what’s different between Solo builds of Istio versions 1.29.0 and 1.30.0.

Upgrade Notes

Permissions change for ECS discovery

Previously, integrating ECS tasks into an ambient mesh only required giving istiod AWS permissions to perform List and Describe actions on ECS clusters, services, and tasks. With this change, istiod must also have permission to perform the ec2:DescribeNetworkInterfaces action.
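For reference, the following CloudFormation snippet is an added example (not part of the Solo release notes) of an IAM managed policy that grants istiod the permissions described above, attached to the istiod role used in the Helm values below. The policy name, the choice of CloudFormation, and the assumption that the ECS List/Describe actions on clusters, services and tasks map to exactly these six ECS actions are mine; the ec2:DescribeNetworkInterfaces requirement is the change this release introduces.

```yaml
# Added example (not from the Solo release notes): a CloudFormation managed
# policy with the read-only AWS permissions ECS discovery needs as of 1.30.0.
# Policy name and the use of CloudFormation are assumptions; adapt to your IAM setup.
Resources:
  IstiodEcsDiscoveryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: istiod-ecs-discovery   # assumed name
      Roles:
        - istiod   # the role referenced as arn:aws:iam::1111111111:role/istiod in the Helm values
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # List/Describe on ECS clusters, services and tasks: the permissions
          # that were already required before this release.
          - Sid: EcsDiscovery
            Effect: Allow
            Action:
              - ecs:ListClusters
              - ecs:DescribeClusters
              - ecs:ListServices
              - ecs:DescribeServices
              - ecs:ListTasks
              - ecs:DescribeTasks
            Resource: "*"
          # New in 1.30.0: istiod must also be able to read task network interfaces.
          - Sid: EniDiscovery
            Effect: Allow
            Action:
              - ec2:DescribeNetworkInterfaces
            Resource: "*"
```

Both statements use `Resource: "*"` because EC2 and ECS Describe/List actions of this kind do not support resource-level restrictions; the policy stays read-only, so the blast radius of a compromised istiod credential is limited to enumeration of ECS and ENI metadata. Keep the two statements separate so the new EC2 permission is easy to audit and, if a later release drops the requirement, easy to remove.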

Helm value platforms.ecs renamed to platforms.aws

The platforms.ecs Helm value has been deprecated in favor of platforms.aws. The old path is still supported for backwards compatibility but will be removed in a future release.

Before:

platforms:
  ecs:
    accounts:
      - role: arn:aws:iam::1111111111:role/istiod
        domain: example.acme
        regions: ["us-east-1"]

After:

platforms:
  aws:
    ecsDiscovery: true
    accounts:
      - role: arn:aws:iam::1111111111:role/istiod
        domain: example.acme
        regions: ["us-east-1"]

General Changes

Solo Flavor Changes

  • Improved the istioctl multicluster check command with the following enhancements:

    • Detect missing local Segment resources that cause auto-generated ServiceEntry resources from a peered cluster to be silently dropped, and report rejected peer segments with an actionable message.
    • Support structured output via a new --output (-o) flag. Passing -o json or -o yaml emits all check results as a structured document grouped by cluster.
    • Detect rejected peer Segment states caused by hostname mismatches and overlapping Segment domains.
    • Validate that all Istio proxy containers and all sidecar-injector ConfigMap templates have the ISTIO_META_NETWORK environment variable set to match the network label on the istio-system namespace.
    • Verify that ambient.dnsCapture is enabled in the istio-cni-config ConfigMap.
    • Verify that the topology.istio.io/cluster label is present and valid on istio-remote gateways.
    • Check that a remote gateway’s effective service account matches the corresponding peer east-west gateway.
    • Report hostname conflicts by reading the controller’s conflict annotations on auto-generated ServiceEntry resources.
    • Support running against extracted bug-report directories, enabling offline multicluster analysis without direct cluster access.
    • Dynamically discover east-west gateway names from Gateway objects instead of hardcoding istio-eastwest.
    • Correctly detect NodePort east-west gateways that have fallen back to reporting a ClusterIP address by using the peering annotation to detect NodePort mode and validating that the backing Service has the required HBONE port.
  • Added service inheritance support via a new ENABLE_SERVICE_INHERITANCE environment variable, which allows policies that target a Service to also include its GlobalService when enabled. Also added a solo.io/service-inheritance annotation, which can be set to true or false to override the environment variable on a per-resource basis. Service inheritance is supported by AuthorizationPolicy, EnvoyFilter, RequestAuthentication, Telemetry, TrafficExtension, and WasmPlugin.
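As an added example (not from the Solo release notes), the two policies below show the per-resource override in practice. They assume ENABLE_SERVICE_INHERITANCE=true is set on istiod (for instance through the pilot.env Helm value) and that the Service reviews in namespace bookinfo has a peered GlobalService; the namespace, service and service-account names are constructed for illustration.

```yaml
# Added example (not from the Solo release notes). Assumes
# ENABLE_SERVICE_INHERITANCE=true on istiod and that Service "reviews" has a
# peered GlobalService. Names are constructed for illustration.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: bookinfo
  # No solo.io/service-inheritance annotation: with the environment variable
  # enabled, this ALLOW policy also governs the GlobalService for "reviews",
  # so cross-cluster callers are subject to the same principal check.
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: reviews
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/bookinfo/sa/productpage
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-local-deny-delete
  namespace: bookinfo
  annotations:
    # Opt this policy out of inheritance: it applies only to the local Service,
    # not to its GlobalService, regardless of ENABLE_SERVICE_INHERITANCE.
    solo.io/service-inheritance: "false"
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: reviews
  action: DENY
  rules:
    - to:
        - operation:
            methods: ["DELETE"]
```

The point to check when enabling inheritance cluster-wide is the reverse case: a DENY policy that opts out with `solo.io/service-inheritance: "false"` leaves the GlobalService uncovered, so traffic arriving through the global hostname is not subject to that deny. Run `istioctl x authz check` against a workload behind both paths, or inspect the generated RBAC filters, to confirm each policy lands where you intend.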

  • Added support for the GlobalService kind in the parentRefs of Route resources (HTTPRoute, GRPCRoute, TCPRoute, TLSRoute).

  • Added metrics to track mesh config parsing and validation status. New pilot_meshconfig_validation_status and pilot_meshnetworks_validation_status gauges indicate whether the current mesh configuration is valid (0) or invalid (1).

  • Added an EC2 instance discovery platform. Auto-discovers EC2 instances tagged with ec2.solo.io/* metadata and creates WorkloadEntry and Service resources. Supports multi-account and multi-region discovery, public/private IP selection, and multi-workload instances.

  • Added istioctl ec2 add-workload and istioctl vm add-workload commands for registering EC2 instances and generic VMs into the mesh.

  • Added support for using public IPs attached to ECS tasks as WorkloadEntry addresses by setting the ecs.solo.io/use-public-ip tag on the task to true.

  • Added two new environment variables, PEERING_EXCLUDED_LABELS and PEERING_EXCLUDED_ANNOTATIONS, that define a comma-delimited string of labels and annotations which are excluded from auto-generated peering resources’ metadata.

  • Added the ability to propagate labels from source Kubernetes resources to their peered WorkloadEntry counterparts.

    • The pilot-specific ENABLE_PEERING_LABEL_PROPAGATION environment variable accepts:
      • A comma-delimited string of label keys that should be propagated if they exist.
      • The all keyword to propagate all labels.
    • GlobalService resources’ labels can be propagated.
    • In a flat-networking scenario, Pod resources’ labels can be propagated.
  • Added a --revision (-r) flag to istioctl bootstrap, allowing users to target a specific control plane revision. When set, the command looks up istiod-{revision} instead of the default istiod service.

  • Added support for loading license keys from mounted volumes. The path where the volume is mounted should be provided as the license.volume Helm value.

  • Added the PILOT_PEERING_WE_EXCLUSION_LABELS environment variable to prevent peering-generated ServiceEntry resources from selecting WorkloadEntry resources that carry specified label keys.

    Accepts a comma-separated list of label keys. Any WorkloadEntry carrying at least one of these keys will not be selected by a peering-generated ServiceEntry. Non-peering ServiceEntry resources are unaffected. Defaults to gloo.solo.io/parent_name, which excludes GME VirtualDestination-generated WorkloadEntry resources from peering ServiceEntry selection.
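Taken together, the peering variables above (PEERING_EXCLUDED_LABELS, PEERING_EXCLUDED_ANNOTATIONS, ENABLE_PEERING_LABEL_PROPAGATION and PILOT_PEERING_WE_EXCLUSION_LABELS) are all istiod settings, so an added example of setting them through istiod Helm values follows. It is not from the Solo release notes: injecting them via the pilot.env value is an assumption, and every label and annotation key other than the documented default gloo.solo.io/parent_name is a constructed example.

```yaml
# Added example (not from the Solo release notes): istiod Helm values that set
# the peering environment variables. pilot.env is assumed to be the injection
# path; the example.com label/annotation keys are constructed.
pilot:
  env:
    # Strip these keys from the metadata of auto-generated peering resources so
    # deployment-internal details are not copied into remote clusters.
    PEERING_EXCLUDED_LABELS: "app.kubernetes.io/managed-by,deploy.example.com/build-id"
    PEERING_EXCLUDED_ANNOTATIONS: "deploy.example.com/last-applied,kubectl.kubernetes.io/last-applied-configuration"
    # Copy only these label keys from the source GlobalService (or Pod, in flat
    # networking) to the peered WorkloadEntry. Use "all" to propagate every label.
    ENABLE_PEERING_LABEL_PROPAGATION: "app,version,topology.kubernetes.io/zone"
    # Exclude WorkloadEntry resources carrying any of these keys from selection by
    # peering-generated ServiceEntry resources. The documented default
    # gloo.solo.io/parent_name is re-listed on the assumption that setting the
    # variable replaces the default rather than extending it.
    PILOT_PEERING_WE_EXCLUSION_LABELS: "gloo.solo.io/parent_name,maintenance.example.com/drained"
```

The exclusion and propagation lists work in opposite directions: the first two variables keep local metadata out of peered resources, the third is an explicit allow-list of what does cross the cluster boundary. Prefer the allow-list form over `all` so that labels used as selectors by other controllers are not silently exported.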

  • Added a gloo.solo.io/NodePortConfigured status condition on istio-eastwest gateways configured for NodePort peering. When the gateway’s managed Service has no port with hbone in its name, the condition is set to False with reason MissingHbonePort and a descriptive message. When a valid hbone port is present, the condition is True with reason Programmed.

  • Added support for authoring AuthorizationPolicy rules that match on per-workload claims carried by the source workload’s identity. Enable by setting ENABLE_WORKLOAD_CLAIMS=true on ztunnel, or via the ztunnel Helm chart with --set workloadClaims.enabled=true.

  • Added hostnames to the Segment custom resource, allowing customization of additional hostnames for every peered service.

  • Added the eastwest.peerCaCrl.enabled Helm value to the peering Helm chart. Mirroring the ztunnel chart, it auto-configures the CRL environment variable and the volume/volumeMount sections required for CRL enforcement by the east-west gateway.

  • Added a JWKS debug endpoint to istiod that publishes the CA’s signing certificate in JSON Web Key Set format, along with a new istioctl experimental jwks command to retrieve it.

  • Added a CONN ID column to istioctl ztunnel-config connections output, which displays the connection ID for each inbound and outbound ztunnel connection to aid in debugging.

  • Added the solo.io/sidecar-skip-waypoint ServiceEntry annotation.

    When set to "true", sidecars ignore the ServiceEntry’s istio.io/use-waypoint binding and dial the ServiceEntry endpoints directly. Ambient proxies and waypoint config generation continue to honor the binding.
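The following ServiceEntry is an added example (not from the Solo release notes) of combining a waypoint binding with the new annotation; the namespace, hostname, waypoint name and port are constructed for illustration.

```yaml
# Added example (not from the Solo release notes): a ServiceEntry bound to a
# waypoint for ambient clients while sidecar clients dial the endpoints
# directly. Namespace, hosts, waypoint name and port are constructed.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: payments-api
  namespace: egress
  labels:
    # Ambient (ztunnel) traffic to this ServiceEntry is sent through the waypoint,
    # and waypoint config generation still includes it.
    istio.io/use-waypoint: egress-waypoint
  annotations:
    # Sidecars ignore the use-waypoint binding above and connect to the
    # ServiceEntry endpoints directly.
    solo.io/sidecar-skip-waypoint: "true"
spec:
  hosts:
    - payments.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 443
      name: https
      protocol: HTTPS
```

Because sidecar traffic no longer passes through egress-waypoint, any AuthorizationPolicy or other policy attached to that waypoint covers only the ambient path for this host. If sidecar workloads must be subject to the same rules, enforce an equivalent sidecar-scoped policy or leave the annotation unset.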

  • Added the solo-ztunnel-egress GatewayClass, which lets the ztunnel DaemonSet serve as the egress data plane for ambient workloads. This is an enterprise feature.

  • Deprecated the Helm value platforms.ecs in favor of platforms.aws. The previous platforms.ecs.accounts path is still supported, but users should migrate to the new configuration as it will be removed in a future release.

  • Fixed the peering controller creating ServiceEntry resources for services outside the mesh. Service resources with global scope labels in namespaces not enrolled in the mesh (no ambient or sidecar injection) are now correctly excluded from peering.

  • Fixed prefer-other ServiceEntry resolution issues:

    • Traffic could be non-deterministically routed through a prefer-other ServiceEntry instead of a non-prefer-other ServiceEntry with the same hostname. This could occur when a VirtualService referenced a hostname served by both types of ServiceEntry, and there was an explicit Sidecar scope that limited the visibility of the non-prefer-other ServiceEntry.
    • DNS responses for a hostname served by both a prefer-other ServiceEntry and a non-prefer-other ServiceEntry could include addresses from both, causing DNS flip-flopping.
  • Fixed multiple issues where adding annotations to gateways caused unnecessary restarts:

    • Adding the draining annotation to the east-west Gateway.
    • Adding the traffic distribution annotation to a Gateway (waypoint).
    • Adding a service-type annotation to the east-west Gateway.
  • Fixed Service resources that have takeover enabled (either via solo.io/service-takeover=true or solo.io/service-scope=global-only) so that their traffic distribution now defaults to PreferNetwork unless another traffic distribution is set. This makes the takeover Service traffic distribution consistent with the federated Service traffic distribution, which defaults to PreferNetwork or inherits the base Service distribution setting.

  • Fixed an issue in flat-network peering where services with a named targetPort caused remote endpoints to be silently dropped.

  • Fixed several ECS discovery issues:

    • Services with long cluster or service names could not join the mesh due to the ecs.solo.io/hostname label value exceeding the 63-character Kubernetes limit.
    • Workloads failed to register as WorkloadEntry resources when no domain was specified for an AWS account. A default domain is now used so workloads are always reachable within the mesh.
    • The ECS controller did not respect custom system namespace configurations. Now, it properly uses the configured namespace instead of defaulting to istio-system.
    • AWS resource tags passed through as Kubernetes labels are now filtered. Only tags with *.istio.io/, *.solo.io/, or *.kubernetes.io/ domain prefixes are passed through to generated Kubernetes objects.
  • Fixed an issue where the global waypoint label value could exceed the Kubernetes 63-byte limit when the waypoint name, namespace, and domain were long, causing the label to be rejected.

  • Fixed traffic routing failures for global services that use named targetPort values. Requests could be sent to the wrong port when routing across clusters or to local services exposed via named ports.

  • Fixed sidecar generation with service takeover enabled and no local Service.

  • Fixed an issue where outbound clusters could be served with stale metadata-exchange configuration when the set of service endpoints supporting HBONE changed.

  • Fixed an issue where updating a remote cluster’s Segment custom resource domain or aliases fields would not regenerate peered ServiceEntry hostnames.

  • Fixed an issue where cross-cluster traffic from a sidecar to a non-HBONE sidecar in a flat-network peering topology was sent as plaintext instead of Istio mTLS.

FIPS Flavor Changes

No changes in this section.