Introduction

The release notes include important installation changes and known issues. They also highlight ways that you can take advantage of new features or enhancements to improve your product usage.

For more information, see the following related resources:

🔥 Breaking changes

Review details about the following breaking changes. The severity is intended as a guide to help you assess how much attention to pay to this area during the upgrade, but can vary depending on your environment.

🚨 High

Review severe changes that can impact production and require manual intervention.

  • No high-severity changes are currently reported.

🔔 Medium

Review changes that might have impact to production and require manual intervention, but possibly not until the next version is released.

  • No medium-severity changes are currently reported.

â„šī¸ Low

Review informational updates that you might want to implement but that are unlikely to materially impact production.

otelmetricsprocessor removed

The otelmetricsprocessor that was previously used to transform Cilium metrics is removed. In previous releases, the processor was already removed from all Solo Enterprise for Istio components and was no longer used. If you have processes or automation that depend on the metrics labels that the processor created, make sure to update them accordingly.

🚧 New known issues

Review new known issues and how to mitigate them.

Gloo UI discovery when moving from single to multicluster setups

In a single cluster setup, you might have installed the Gloo UI to collect telemetry data in your cluster. In this case, the Gloo UI component performs all service and mesh discovery. However, if you later decide to add this standalone cluster to a multicluster setup, you must create a Gloo agent in the cluster, which also performs service and mesh discovery. To prevent conflicts with discovery that the Gloo agent must now perform instead of the Gloo UI, you must first edit your existing Helm release for the Gloo UI to set glooUi.discovery.enabled to false before deploying the Gloo agent.

🌟 New features

Review the following new features that are introduced in version 2.10 and that you can enable in your environment.

Istio 1.27 support

You can now run Solo Enterprise for Istio with Istio 1.27. Istio 1.22 is no longer supported. For more information, see the version support matrix, and the Solo distribution of Istio changelog for 1.27.

New features in the Solo distribution of Istio 1.27:

  • istioctl multicluster check: The Solo distribution of Istio binary now includes the custom istioctl multicluster check command, which you can use to verify multiple aspects of multicluster ambient mesh support and status. For more information, check out one of the multicluster ambient guides or the CLI reference.
  • Basic locality support: When you create east-west gateways in a multicluster ambient mesh setup, such as by running istioctl multicluster expose, Istio now automatically populates locality labels on the east-west gateways. These locality labels are copied to the remote peer gateways that you create to link the clusters, such as by running istioctl multicluster link. Istio then writes these localities to the WorkloadEntries that are generated for the remote east-west gateways in each cluster. This allows you to create DestinationRule policies on waypoints for failover between regions, locality-based load balancing, and more. However, note that this functionality does not fully support multi-zone or multi-region clusters. Only one WorkloadEntry is generated to represent the east-west gateway load balancer for a remote linked cluster. For this reason, locality applies at the level of an entire remote cluster, rather than at the level of workloads in different regions or zones within the cluster.
  • Advanced mTLS egress: Deploy a waypoint proxy that serves as a shared egress gateway for Istio workloads in your ambient mesh. This gateway originates mTLS egress traffic in which each Istio workload identity uses a per client-app service account as its own unique, external identity. This way, you can map a mesh identity onto an external identity, and originate mTLS connections with the mapped external identity based on the identity of the client that initiates the connection. To get started, check out Advanced mTLS egress. Note: mTLS egress based on client identity is an advanced feature that is in the alpha state. Alpha features are likely to change, are not fully tested, and are not supported for production. For more information, see Solo feature maturity. Additionally, this feature requires an Enterprise-level Solo license.
  • Flat network: You can configure Istio for a flat network setup. This way, no east-west gateways are required to send traffic between clusters in a multicluster service mesh. Instead, you use the pod IP address of the target service directly. For more information, see Flat networking (advanced).

ztunnel outlier detection

In versions 1.26.1-patch0 and later of the Solo distribution of Istio, outlier detection is enabled by default on ztunnels for outbound client app connections, and connections through east-west network gateways. Outlier detection is performed by the ztunnel through TCP connection checks to the backend pods. If a backend is detected as unhealthy by failing the TCP connection check, the ztunnel uses Exponentially Weighted Moving Average (EWMA) to ensure failing backends receive fewer connections, and performs circuit breaking to eject backends with a growing backoff for consecutive failures. For more information, see the ambient resiliency overview.
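The following sketch models the behavior described above so that you can see how EWMA weighting and growing-backoff ejection interact. It is an added example, not ztunnel code: the smoothing factor, the base ejection period, the doubling rule, the cap, and the pod addresses are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed tuning values for illustration; the page does not give ztunnel's.
ALPHA = 0.3          # EWMA smoothing factor
BASE_EJECT_S = 5.0   # ejection period after the first failure, in seconds
MAX_EJECT_S = 300.0  # cap on the growing backoff

@dataclass
class Backend:
    addr: str
    health: float = 1.0            # EWMA of check results (1 = ok, 0 = failed)
    consecutive_failures: int = 0
    ejected_until: float = 0.0

    def record_check(self, ok: bool, now: float) -> float:
        """Fold one TCP connection check in; return the ejection period set."""
        self.health = ALPHA * (1.0 if ok else 0.0) + (1 - ALPHA) * self.health
        if ok:
            self.consecutive_failures = 0
            return 0.0
        self.consecutive_failures += 1
        # Growing backoff: the period doubles with each consecutive failure.
        period = min(BASE_EJECT_S * 2 ** (self.consecutive_failures - 1), MAX_EJECT_S)
        self.ejected_until = now + period
        return period

def connection_shares(backends, now):
    """Share of new connections per backend, skipping ejected ones."""
    live = [b for b in backends if b.ejected_until <= now]
    total = sum(b.health for b in live)
    return {b.addr: b.health / total for b in live} if total else {}

def simulate():
    """Constructed scenario: one pod fails three checks in a row, then recovers."""
    good, bad = Backend("10.0.0.1:8080"), Backend("10.0.0.2:8080")
    pods, now, periods = [good, bad], 0.0, []
    for _ in range(3):
        period = bad.record_check(ok=False, now=now)
        periods.append(period)
        now += period              # next check happens when the ejection ends
    while_ejected = connection_shares(pods, now - 1)
    readmitted = connection_shares(pods, now)
    bad.record_check(ok=True, now=now)
    recovered = connection_shares(pods, now)
    return periods, while_ejected, readmitted, recovered

if __name__ == "__main__":
    for step in simulate():
        print(step)
```

In this model, a readmitted backend does not return to an equal share immediately: its EWMA score keeps its weight low until successful checks accumulate.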

🔄 Feature changes

Review the following changes that might impact how you use certain features in your Gloo environment.

Upcoming end of support for the Istio lifecycle manager

Support for the Istio lifecycle manager, provided either by the istioInstallations section of the Helm chart or by the GatewayLifecycleManager and IstioLifecycleManager custom resources, will end in version 2.11.

Before version 2.11 is released, be sure to switch your Istio management to Helm, or to use the new way of installing managed Istio with the Gloo Operator. Check out the guides for installing ambient or sidecar meshes, or for migration steps, see Migrate to the Gloo Operator from the Istio lifecycle manager.

Updated Gloo UI design

The Gloo UI has an updated look and feel. All pages are available at-a-glance in the left-hand navigation. Additionally, the Gloo UI Graph now defaults to the new graph experience. To learn more about the new Gloo UI design, see Explore the UI.

đŸ—‘ī¸ Removed features

Removed support for Istio 1.22

Istio 1.22 is no longer supported with Solo Enterprise for Istio version 2.10. For more information, see the version support matrix.

🚧 Known issues

The Solo team fixes bugs, delivers new features, and makes changes on a regular basis as described in the changelog. Some issues, however, might impact many users for common use cases. These known issues are as follows:

  • Cluster names: Do not use underscores (_) in the names of your clusters or in the kubeconfig context for your clusters.
  • Istio:
    • Patch versions 1.26.0 and 1.26.1 of the Solo distribution of Istio lack support for FIPS-tagged images and ztunnel outlier detection. When upgrading or installing 1.26, be sure to use patch version 1.26.1-patch0 and later only.
    • In the Solo distribution of Istio 1.25 and later, you can access enterprise-level features by passing your Solo license in the license.value or license.secretRef field of the Solo distribution of the istiod Helm chart. The Solo istiod Helm chart is strongly recommended due to the included safeguards, default settings, and upgrade handling to ensure a reliable and secure Istio deployment. Though it is not recommended, you can pass your license key in the open source istiod Helm chart by using the --set pilot.env.SOLO_LICENSE_KEY field.
    • Multicluster setups require the Solo distribution of Istio version 1.24.3 or later (1.24.3-solo), including the Solo distribution of istioctl.
    • Due to a lack of support for the Istio CNI and iptables for the Istio proxy, you cannot run Istio (and therefore Solo Enterprise for Istio) on AWS Fargate. For more information, see the Amazon EKS issue.
  • OTel pipeline: FIPS-compliant builds are not currently supported for the OTel collector agent image.