1.29.1-patch0

Solo build of Istio version 1.29.1-patch0 patch release.

This release note describes what’s different between Solo builds of Istio versions 1.29.1 and 1.29.1-patch0.

Security Notice

  • Envoy Transformation Filter CONNECT Request Crash (Severity: High): A vulnerability exists in Solo’s transformation filter. When a route or virtual host is configured with a transformation rule that includes a path-based request matcher, an unauthenticated attacker can send an HTTP CONNECT request that causes Envoy to crash. This is a potential Denial of Service (DoS) attack vector. The crash can be triggered only if a transformation with a path matcher is defined, which requires an EnvoyFilter whose transformation includes a path matcher, such as:

    ```yaml
    patch:
      operation: MERGE
      value:
        typed_per_filter_config:
          io.solo.transformation:
            "@type": "type.googleapis.com/transformation.options.gloo.solo.io.TransformationPerRoute"
            staged_transformations:
              regular:
                request_transforms:
                - matcher:
                    prefix: '/'
                  request_transformation: {}
    ```
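To find out whether a mesh is exposed to the crash described above, an operator needs to know which EnvoyFilters carry a transformation with a path-based request matcher. The following audit script is an added example, not Solo’s or Istio’s code: it walks EnvoyFilter objects as plain dicts (the shape `kubectl get envoyfilter -A -o json` produces) and reports each transformation whose request matcher selects on the path. The two manifests embedded below are constructed for the demonstration, and the set of matcher keys treated as path-based is an assumption that extends the `prefix` form shown in the notice.

```python
"""Audit EnvoyFilter patches for Solo transformation rules with a path-based
request matcher.  Added example; not Solo's or Istio's own code."""

TRANSFORMATION_FILTER = "io.solo.transformation"
# Assumption: matcher keys that select on the request path.  `prefix` is the
# form shown in the release note; the others are added for completeness.
PATH_MATCHER_KEYS = {"prefix", "path", "safe_regex", "regex"}


def _walk(node):
    """Yield every dict nested anywhere inside `node`."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def path_matchers_in(transformation_cfg):
    """Return the path-style matchers found under one transformation config
    (staged_transformations.<stage>.request_transforms[].matcher)."""
    hits = []
    for d in _walk(transformation_cfg):
        for rt in d.get("request_transforms", []) or []:
            if not isinstance(rt, dict):
                continue
            matcher = rt.get("matcher") or {}
            keys = sorted(k for k in matcher if k in PATH_MATCHER_KEYS)
            if keys:
                hits.append({k: matcher[k] for k in keys})
    return hits


def audit_envoyfilter(ef):
    """Findings for one EnvoyFilter: (namespace/name, patch index, matchers)."""
    meta = ef.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for i, cp in enumerate(ef.get("spec", {}).get("configPatches", [])):
        value = cp.get("patch", {}).get("value", {}) or {}
        per_filter = value.get("typed_per_filter_config", {}) or {}
        tcfg = per_filter.get(TRANSFORMATION_FILTER)
        if tcfg is None:
            continue
        matchers = path_matchers_in(tcfg)
        if matchers:
            findings.append((ident, i, matchers))
    return findings


def audit_list(envoyfilter_list):
    """Audit a kubectl-style List object and return all findings."""
    out = []
    for item in envoyfilter_list.get("items", []):
        out.extend(audit_envoyfilter(item))
    return out


def _transformation(request_transform):
    """Helper to build a constructed EnvoyFilter patch value."""
    return {"typed_per_filter_config": {TRANSFORMATION_FILTER: {
        "@type": "type.googleapis.com/transformation.options.gloo.solo.io."
                 "TransformationPerRoute",
        "staged_transformations": {"regular": {
            "request_transforms": [request_transform]}}}}}


# Constructed sample input: one filter mirroring the snippet in the notice
# (path matcher present), one with a transformation but no matcher.
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "networking.istio.io/v1alpha3", "kind": "EnvoyFilter",
     "metadata": {"name": "xform-prefix", "namespace": "bookinfo"},
     "spec": {"configPatches": [{"applyTo": "HTTP_ROUTE", "patch": {
         "operation": "MERGE",
         "value": _transformation({"matcher": {"prefix": "/"},
                                   "request_transformation": {}})}}]}},
    {"apiVersion": "networking.istio.io/v1alpha3", "kind": "EnvoyFilter",
     "metadata": {"name": "xform-nomatch", "namespace": "bookinfo"},
     "spec": {"configPatches": [{"applyTo": "HTTP_ROUTE", "patch": {
         "operation": "MERGE",
         "value": _transformation({"request_transformation": {}})}}]}},
]}

if __name__ == "__main__":
    for ident, idx, matchers in audit_list(SAMPLE):
        print(f"{ident}: configPatches[{idx}] has path matcher(s) {matchers}")
```

Run against a real cluster by replacing `SAMPLE` with `json.load()` of the `kubectl` output; every reported filter is one that leaves the proxy reachable by the CONNECT-request crash until the patched build is rolled out.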

General Changes

Solo Flavor Changes

  • Added two new environment variables PEERING_EXCLUDED_LABELS and PEERING_EXCLUDED_ANNOTATIONS that define a comma-delimited string of labels and annotations which are excluded from auto-generated peering resources’ metadata.

  • Added the ability to propagate labels from source Kubernetes resources to their peered WorkloadEntry counterparts.
    - The pilot-specific ENABLE_PEERING_LABEL_PROPAGATION environment variable accepts:
      - a comma-delimited string of label keys that should be propagated if they exist
      - the ‘all’ keyword to propagate all labels
    - Global Services can have their labels propagated
    - In a flat-networking scenario, Pods can have their labels propagated

  • Added the PILOT_PEERING_WE_EXCLUSION_LABELS environment variable to prevent peering-generated ServiceEntries from selecting WorkloadEntries that carry specified label keys.

    Accepts a comma-separated list of label keys. Any WorkloadEntry carrying at least one of these keys will not be selected by a peering-generated ServiceEntry; non-peering ServiceEntries are unaffected. Defaults to gloo.solo.io/parent_name, which excludes GME VirtualDestination-generated WorkloadEntries from peering ServiceEntry selection.

  • Added a gloo.solo.io/NodePortConfigured status condition on istio-eastwest gateways configured for NodePort peering. When the gateway’s managed service has no port with hbone in its name, the condition is set to False with reason MissingHbonePort and a descriptive message. When a valid hbone port is present, the condition is True with reason Programmed.

  • Added support for running istioctl multicluster check against extracted bug-report directories, enabling offline multicluster analysis without direct cluster access.

  • Fixed an issue where adding the draining annotation to the East-West Gateway caused a restart. Fixed an issue where adding the traffic distribution annotation to a Gateway (waypoint) caused a restart.

  • Fixed a bug in multicluster ambient sidecar interoperability setups where multiple ServiceEntries fronting the same Pod could cause the sidecar to get incorrect listener configuration and thus cause all multicluster traffic to fail.

  • Fixed a bug where DNS responses for a hostname served by both a prefer-other ServiceEntry and a non-prefer-other ServiceEntry could include addresses from both, causing DNS flip-flopping.

  • Fixed an issue where adding a service-type annotation to the East-West Gateway caused a restart.

FIPS Flavor Changes

No changes in this section.