Introduction

The release notes include important installation changes and known issues. They also highlight ways that you can take advantage of new features or enhancements to improve your product usage.

For more information, see the following related resources:

đŸ”Ĩ Breaking changes

Review details about the following breaking changes. The severity is intended as a guide to help you assess how much attention to pay to this area during the upgrade, but can vary depending on your environment.

🚨 High

Review severe changes that can impact production and require manual intervention.

🔔 Medium

Review changes that might have impact to production and require manual intervention, but possibly not until the next version is released.

  • No medium-severity changes are currently reported.

ℹī¸ Low

Review informational updates that you might want to implement but that are unlikely to materially impact production.

Dashboard upgrades

The gloo-mesh-ui deployment no longer watches secrets and config maps that are used to secure access to the dashboard. If you update these resources, such as to rotate a secret, you must now restart the gloo-mesh-ui deployment after the Helm upgrade. Note that this change does not apply in scenarios where you customize the secret or config map names during the initial Helm installation.

OTel image change

The name of the OpenTelemetry image that is used in Gloo Mesh is changed as follows:

  • Old name: gloo-otel-collector
  • New name: otel-collector

Make sure to update any CI/CD pipelines to pull the new image (gcr.io/gloo-mesh/otel-collector:0.2.0), such as in an airgapped environment.

⚒ī¸ Installation changes

In addition to comparing differences across versions in the changelog, review the following installation changes from the previous minor version to version 2.7.

Disable Redis stream pipeline by default

The logs/redis_stream_cilium_flows pipeline is now set to false by default. The pipeline is dependent on the logs/cilium_flows pipeline, which was already false by default. This change was made to better align the pipeline values and reduce the complexity of the installation settings.

If you updated your installation to enable the Cilium flow logs and you want to keep the Redis stream logs enabled, make sure to explicitly set the logs/redis_stream_cilium_flows pipeline to true before you upgrade to version 2.7.

🌟 New features

Review the following new features that are introduced in version 2.7 and that you can enable in your environment.

Managed Istio installations with the Gloo Operator (alpha)

By using the Gloo Operator to manage your service meshes, you no longer need to manually install and manage the istiod control plane. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into a managed istiod control plane in your cluster for you. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.

To get started, see

Install Gloo-managed sidecar meshes or Install Gloo-managed ambient meshes.

Note that the Gloo operator is an alpha feature in version 2.7.

Multicluster ambient service mesh

Gloo Mesh now supports ambient service mesh installations that span a multicluster environment. By using the Solo distribution of Istio, you can deploy an ambient service mesh to each workload cluster, link each ambient mesh by creating remote peer gateways, and facilitate traffic across the multicluster mesh by creating east-west gateways.

To get started, see the guides for installing a multicluster ambient mesh by using the Gloo Operator or Helm.

Multicluster sidecar meshes

You can use the Solo.io multicluster peering functionality to link clusters together and set up multicluster routing between these clusters. This feature requires the Solo distribution of Istio, which you can obtain with a valid Gloo Mesh license. If you do not have one, contact an account representative.

Note that you must install the Istio ambient components into your cluster to successfully create east-west gateways and establish multicluster peering. Although you install Istio ambient components into your cluster, you continue to use sidecar injection for your workloads. Your workloads are not added to an ambient mesh.

To learn more abou this setup, see the multicluster sidecar mesh guide for the Gloo Operator or Helm.

Istio 1.24 and 1.23 support

You can now run Gloo Mesh with Istio 1.24 and 1.23. Istio 1.18 and 1.19 are no longer supported. For more information, see the version support matrix.

Kubernetes 1.31

You can now run Gloo Mesh with Kubernetes 1.31. Kubernetes version 1.24 and 1.25 are no longer supported. For more information, see the version support matrix.

Gloo Gateway support

You can now use Gloo Gateway as the ingress gateway, waypoint proxy, or egress gateway to your ambient mesh. In addition, you can use Gloo Gateway as an ingress gateway to your sidecar mesh. For more information, check out the following guides in the Gloo Gateway documentation:

🔄 Feature changes

Review the following changes that might impact how you use certain features in your Gloo environment.

New Gloo UI design

The Gloo UI has a new look and feel. In addition, the following features were introduced:

  • New Dashboard design that allows you to quickly see the status of your insights, metrics, such as requests per second and request latency, and the health of your Gloo and Istio components. To view the new dashboard, you must have insights enabled.
  • New design of the Traffic section that gives you an overview of traffic-related resources, such as Gateways, Routes, Destinations, and Policies.
  • New Clusters page that quickly gives you an overview of the cluster’s insights and the health of the Gloo Mesh, Istio, Kubernetes Gateway API resources and components that are deployed in your cluster.

To learn more about the new Gloo UI design, see Explore the UI.

Logs for Gloo and Istio components

In previous releases, logs for Gloo and Istio components were enabled by default in the Gloo UI. Starting with version 2.7, the logs are no longer automatically enabled. Instead, you must enable logs for the Gloo UI during your installation. For more information, see Enable logs.

Telemetry pipeline architecture changes

In 2.7, the following components in the Gloo Mesh telemetry pipeline were changed:

  • The Gloo analyzer is now deployed as a sidecar to the Gloo agent in multicluster setups. The analyzer scans your workload cluster setups and sends back analyzer results as logs via the Gloo telemetry pipeline. Previously, the Gloo analyzer was deployed as a separate component in the gloo-mesh namespace. You can still run the Gloo analyzer as a separate deployment on clusters where no Gloo UI is deployed by setting glooAnalyzer.runAsSidecar=false in your Helm installation. Note that in single cluster setups, you do not need to install the Gloo agent and Gloo analyzer as the insights engine in the Gloo UI is sufficient to scan your environment and generate the insights.
  • The insights engine is now deployed as a sidecar to the Gloo UI. Previously, the insights engine was part of the Gloo management server. In multicluster setups in 2.7, the insights engine in the Gloo UI now reads the logs from Redis streams that the Gloo analyzer sends via the Gloo telemetry pipeline. The insights engine then runs queries by using the metrics that are stored in Prometheus to generate insights. In single cluster setups, the insights engine scans your environment to generate the insights. No Gloo analyzer is required. Insights are stored in memory in the Gloo UI pod. Note that you cannot run the insights engine as a separate deployment anymore.

For more information about the telemetry pipeline architecture, see About the telemetry pipeline.

🗑ī¸ Removed features

Gloo UI redesign

As part of redesigning the UI, the following changes were introduced:

  • Fields removed from Graph: The following fields are removed from the workload node view in the Graph UI. These fields showed boundaries of the underlying network infrastructure provider when you onboarded VMs to the mesh.

    • instance
    • platform
    • subnet
    • vpc

  • Removed views: The following views were removed:

    • Traffic > Ingress, related gateways and routes can be found under Traffic > Gateways and Traffic > Routes
    • Inventory > Services, services can now be found under Traffic > Destinations

  • GraphQL and Cilium: All GraphQL and Cilium information was removed.

  • Removed session support: Due to lack of use and the extra dependency on Redis that can introduce risk, the ability to store Gloo UI sessions in Redis was removed. This removes the following settings:

    • In the Dashboard resource, the authn.oidc.session.redis settings.
    • In the Helm chart, the glooUi.auth.oidc.session.redis settings.

Removed support for Istio 1.18 and 1.19

Istio 1.18 and Istio 1.19 are no longer supported with Gloo Mesh version 2.7. For more information, see the version support matrix.

Removed support for Kubernetes 1.24 and 1.25

Kubernetes 1.24 and 1.25 are no longer supported with Gloo Mesh version 2.7. For more information, see the version support matrix.

🚧 Known issues

The Solo team fixes bugs, delivers new features, and makes changes on a regular basis as described in the changelog. Some issues, however, might impact many users for common use cases. These known issues are as follows:

  • Cluster names: Do not use underscores (_) in the names of your clusters or in the kubeconfig context for your clusters.
  • Istio:
    • Due to a lack of support for the Istio CNI and iptables for the Istio proxy, you cannot run Istio (and therefore Gloo Mesh) on AWS Fargate. For more information, see the Amazon EKS issue.
      • In Gloo Mesh version 2.6 and later, ambient mode requires the Solo distribution of Istio version 1.22.3 or later (1.22.3-solo). In Gloo Mesh version 2.7 and later, multicluster setups require the Solo distribution of Istio version 1.24.3 or later (1.24.3-solo), including the Solo distribution of istioctl.
      • In Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.
      • Istio 1.20 is supported only as patch version 1.20.1-patch1 and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh features that rely on Istio ServiceEntries.
    • OTel pipeline: FIPS-compliant builds are not currently supported for the OTel collector agent image.