- Multi cluster service support
- Certificate rotation now ignores monotonic clock readings when checking expiration
- Add keep-alive time to detect sidecar disconnections
- Remove CRD conversion webhook (the webhook does not behave differently than if the CRD conversion strategy were set to `None`)
- Fixed ingress backend SANs (the trust domain was getting appended to the provided SAN)
- Custom trust domains (i.e. certificate CommonNames) are now supported
- The authentication token used to configure the Hashicorp Vault certificate provider can now be passed in using a secretRef
- Envoy has been updated to v1.22 and uses the `envoyproxy/envoy-distroless` image instead of the deprecated `envoyproxy/envoy-alpine` image.
  - This means that `kubectl exec -c envoy ... -- sh` will no longer work for the Envoy sidecar, since the distroless image does not ship a shell
- Added support for Kubernetes 1.23 and 1.24
- Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
- Statefulsets and headless services have been fixed and work as expected
- The following metrics no longer use the label `common_name`, because the common name's trust domain can rotate. Instead, two new labels, `proxy_uuid` and `identity`, have been added:
  - `fsm_proxy_response_send_success_count`
  - `fsm_proxy_response_send_error_count`
  - `fsm_proxy_xds_request_count`
- Support for Kubernetes 1.20 and 1.21 has been dropped
- Multi-arch installation is supported by the Helm chart by customizing the `affinity` and `nodeSelector` fields
- The root service in a `TrafficSplit` configuration must have a selector matching the pods backing the leaf services. The legacy behavior, where a root service without such a selector could still split traffic, has been removed.
- Circuit breaking support for traffic directed to in-mesh and external destinations
The following changes are not backward compatible with the previous release.
- The `fsm_proxy_response_send_success_count` and `fsm_proxy_response_send_error_count` metrics are now labeled with the proxy certificate's common name and XDS type, so queries that should match the previous equivalent need to sum over all values of each of those labels.
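As an added illustration of the query rewrite this change requires (not part of the original release notes), the following PromQL aggregates the new labels away so dashboards and alerts keep their old shape. The label name `common_name` is taken from the notes above; `type` as the name of the XDS type label is an assumption, so confirm it against the control plane's `/metrics` output before relying on it.

```promql
# Pre-change query: one series per scrape target, no per-certificate or per-XDS-type breakdown.
rate(fsm_proxy_response_send_success_count[5m])

# Post-change equivalent: sum over every value of the new labels.
# "type" is an ASSUMED name for the XDS type label; check /metrics for the real one.
sum without (common_name, type) (rate(fsm_proxy_response_send_success_count[5m]))

# Same treatment for the error counter, and an error ratio that is insensitive to the relabeling.
sum without (common_name, type) (rate(fsm_proxy_response_send_error_count[5m]))
  /
(
  sum without (common_name, type) (rate(fsm_proxy_response_send_success_count[5m]))
  + sum without (common_name, type) (rate(fsm_proxy_response_send_error_count[5m]))
)
```

Using `sum without (...)` rather than `sum by (...)` keeps whatever other labels the scrape job attaches (`job`, `instance`, `pod`) intact, so the rewritten query drops in where the old one was. The same pattern applies once `common_name` is later replaced by `proxy_uuid` and `identity`, as noted for the newer release above: add those label names to the `without` list.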
The following capabilities have been deprecated and cannot be used.
- The `fsm_injector_injector_sidecar_count` and `fsm_injector_injector_rq_time` metrics have been removed. The `fsm_admission_webhook_response_total` and `fsm_http_response_duration` metrics should be used instead.
- FSM will no longer support installation on Kubernetes version v1.19.
- New internal control plane event management framework to handle changes to the Kubernetes cluster and policies
- Validations to reject/ignore invalid SMI TrafficTarget resources
- Control plane memory utilization improvements
- Support for TCP server-first protocols for in-mesh traffic
- Updates to Grafana dashboards to reflect accurate metrics
- FSM control plane images are now multi-architecture, built for linux/amd64 and linux/arm64
The following changes are not backward compatible with the previous release.
- Top level Helm chart keys are renamed from `FlomeshServiceMesh` to `fsm`
- `fsm mesh upgrade` no longer carries over values from previous releases. Use the `--set` flag on `fsm mesh upgrade` to pass values as needed. The `--container-registry` and `--fsm-image-tag` flags have also been removed in favor of `--set`.
The following capabilities have been deprecated and cannot be used.
- Kubernetes Ingress API to configure a service mesh backend to authorize ingress traffic. FSM's IngressBackend API must be used to authorize ingress traffic between an ingress gateway and service mesh backend.