1.22 releasenotes (#15044)

* init

* lint & gen

* clean what's new

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* update

* Update

* nit

* update

* update link

* nit

* more link

* wordify

* tidy

* a thank you

* update link

* nit

* Update content/en/news/releases/1.22.x/announcing-1.22/_index.md

Co-authored-by: Lin Sun <lin.sun@solo.io>

* Update content/en/news/releases/1.22.x/announcing-1.22/upgrade-notes/index.md

Co-authored-by: Lin Sun <lin.sun@solo.io>

* address

---------

Co-authored-by: Daniel Hawton <daniel@hawton.org>
Co-authored-by: Craig Box <craig.box@gmail.com>
Co-authored-by: Lin Sun <lin.sun@solo.io>

.spelling

@@ -23,6 +23,7 @@
 1.20.x
 1.20.x.
 1.21.x
+1.21.x.
 1.22.x
 1.23.x
 1.24.0
@@ -97,6 +98,7 @@ abcde12345
 Abhi
 accounts.my
 ack-istio
+acked
 ACLs
 Acmeair
 addon
@@ -439,11 +441,13 @@ Ekansh
 Elasticsearch
 embeddable
 emojis
+Emre
 enablement
 endUser-to-Service
 enqueue
 enum
 env
+EnvoyCon
 EnvoyFilter
 envoyproxy
 etcd
@@ -551,6 +555,7 @@ Hystrix
 i.e.
 Idit
 ILBs
+impactful
 incentivized
 Incrementality
 Indo-Pacific
@@ -987,6 +992,7 @@ Salesforce
 Salmond
 sandboxed
 sandboxing
+Savcı   
 sayin
 Schaaf
 schedulable
@@ -1072,6 +1078,7 @@ subnetworks
 subresource
 subresources
 substring
+Sumit
 Superfeet
 Superset
 superset
@@ -1094,6 +1101,7 @@ Telekom
 telemetry.istio.io
 telemetryv2_
 templated
+templating
 Tencent
 test-api
 Tetrate
@@ -1112,6 +1120,7 @@ touchpoints
 tradeoff
 tradeoffs
 TrafficPolicy
+Trendyol
 Trivedi
 Trulia
 trustability
@@ -1196,6 +1205,7 @@ veth
 veth-pair
 vhost
 vhosts
+Vij
 Virtualization
 virtualization
 VirtualService

content/en/news/releases/1.22.x/_index.md

@@ -0,0 +1,8 @@
+---
+title: 1.22.x Releases
+description: Announcements for the 1.22 release and its associated patch releases.
+weight: 7
+list_by_publishdate: true
+layout: release-grid
+decoration: dot
+---

content/en/news/releases/1.22.x/announcing-1.22/_index.md

@@ -0,0 +1,66 @@
+---
+title: Announcing Istio 1.22.0
+linktitle: 1.22.0
+subtitle: Major Release
+description: Istio 1.22 Release Announcement.
+publishdate: 2024-05-13
+release: 1.22.0
+---
+
+We are pleased to announce the release of Istio 1.22 - one of the largest and most impactful releases we've ever launched. Thank you to all our contributors, testers, users and enthusiasts for helping us get the 1.22.0 release published.
+
+We would like to thank the Release Managers for this release, **Jianpeng He** from Tetrate, **Sumit Vij** from Credit Karma and **Zhonghu Xu** from Huawei. Once again, the release managers owe a debt of gratitude to Test & Release WG lead Eric Van Norman for his help and guidance; more on him later.
+
+{{< relnote >}}
+
+{{< tip >}}
+Istio 1.22.0 is officially supported on Kubernetes versions `1.27` to `1.30`.
+{{< /tip >}}
+
+## What's new
+
+### Ambient mode now in Beta
+
+Istio’s ambient mode is designed for simplified operations without requiring changes or restarts to your application. It introduces lightweight, shared node proxies and optional Layer 7 per-workload proxies, thus removing the need for traditional sidecars from the data plane. Compared to sidecar mode, ambient mode reduces memory overhead and CPU usage by over 90% in many cases.
+
+Under development since 2022, the Beta release status indicates ambient mode’s features and stability are ready for production workloads with appropriate precautions. [Our ambient mode blog post has all the details](/blog/2024/ambient-reaches-beta/).
+
+### Istio APIs promoted to `v1`
+
+Istio provides APIs that are crucial for ensuring the robust security, seamless connectivity, and effective observability of services within the service mesh. These APIs are used on thousands of clusters across the world, securing and enhancing critical infrastructure. Most of the features powered by these APIs have been [considered stable](/docs/releases/feature-stages/) for some time, but the API version has remained at `v1beta1`. As a reflection of the stability, adoption, and value of these resources, the Istio community has decided to promote these APIs to `v1` in Istio 1.22. Learn about what this means in [a blog post introducing the v1 APIs](/blog/2024/v1-apis/).
+
+### Gateway API now Stable for service mesh
+
+We are thrilled to announce that Service Mesh support for the Gateway API is now officially marked as "Stable"! With the release of Gateway API v1.1 and its support in Istio 1.22, you can make use of Kubernetes' next-generation traffic management APIs for both ingress ("north-south") and service mesh ("east-west") use cases. Read more about the improvements in [our Gateway API v1.1 blog](/blog/2024/gateway-mesh-ga/).
+
+### Delta xDS now on by default
+
+Configuration is distributed to Istio’s Envoy sidecars (as well as ztunnel and waypoints) using the xDS protocol. Traditionally, this has been through a "state of the world" design, where if one out of a thousand services is modified, Istio would send information about all 1,000 services to every sidecar. This was very costly in terms of CPU usage (both in the control plane, and aggregated across the sidecars) and network throughput.
+
+To improve performance, we implemented the [delta (or incremental) xDS APIs](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol#incremental-xds), which sends only _changed_ configurations. We have worked hard over the past 3 years to ensure that the outcome with delta xDS is provably the same as using the state of the world system. and it has been a supported option in the last few Istio releases. In 1.22, we have made it the default. To learn more about the development of this feature, check out [this EnvoyCon talk](https://www.youtube.com/watch?v=LOm1ptEWx_Y).
+
+### Path templating in Authorization Policy
+
+Up until now, you have had to list every path to which you wanted to apply an `AuthorizationPolicy` object. Istio 1.22 takes advantage of a new feature in Envoy allowing you to specify [template wildcards](/docs/reference/config/security/authorization-policy/#Operation) to match of a path.
+
+You can now safely allow path matches like `/tenants/{*}/application_forms/guest` — a [long-requested feature](https://github.com/istio/istio/issues/16585)!
+
+Special thanks to [Emre Savcı](https://github.com/mstrYoda) from Trendyol for building a prototype, and for never giving up.
+
+## A thank you
+
+Finally, we would like to take this opportunity to congratulate [Eric Van Norman](https://github.com/ericvn) on the eve of his retirement, after 34 years at IBM.
+
+Eric is a much respected member of the Istio community. Joining the project in early 2019, he served as a Release Manager for Istio 1.4, a maintainer in the Documentation working group, the lead of the Test and Release working group, and was an obvious choice to join the Technical Oversight Committee in 2021.
+
+Much of Eric’s development work is behind-the-scenes, making sure the various pipelines that build and test Istio’s releases and documentation continue to operate and improve. Indeed, Eric is the [second largest contributor](https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20decade&var-metric=contributions&var-repogroup_name=All&var-country_name=All&var-companies=All) to Istio on GitHub.
+
+While Eric will be stepping down from the TOC, he has promised to stay around in the community - although we may have to change from Slack to ham radio to reach him!
+
+## Upgrading to 1.22
+
+We would like to hear from you regarding your experience upgrading to Istio 1.22. You can provide feedback
+in the [`#release-1.22`](https://istio.slack.com/archives/C06PU4H4EMR) channel in our [Slack workspace](https://slack.istio.io/).
+
+Would you like to contribute directly to Istio? Find and join one of
+our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us improve.

content/en/news/releases/1.22.x/announcing-1.22/change-notes/index.md

@@ -0,0 +1,262 @@
+---
+title: Istio 1.22.0 Change Notes
+linktitle: 1.22.0
+subtitle: Minor Release
+description: Istio 1.22.0 release notes.
+publishdate: 2024-05-13
+release: 1.22.0
+weight: 10
+aliases:
+    - /news/announcing-1.22.0
+---
+
+## Deprecation Notices
+
+These notices describe functionality that will be removed in a future release according to [Istio's deprecation policy](/docs/releases/feature-stages/#feature-phase-definition). Please consider upgrading your environment to remove the deprecated functionality.
+
+- **Deprecated** usage of `values.istio_cni` in favor of `values.pilot.cni`.
+  ([Issue #49290](https://github.com/istio/istio/issues/49290))
+
+## Traffic Management
+
+- **Improved** `ServiceEntry` with `resolution: NONE` to respect `targetPort`, if specified.
+  This is particularly useful when doing TLS origination, allowing to set `port:80, targetPort: 443`.
+  If undesired, set `--compatibilityVersion=1.21` to revert to the old behavior or remove the `targetPort` specification.
+
+- **Improved** XDS generation to do utilize fewer resources when possible, sometimes omitting a response entirely.
+  This can be disabled by the `PILOT_PARTIAL_FULL_PUSHES=false` environment variable, if necessary.
+  ([Issue #37989](https://github.com/istio/istio/issues/37989)),([Issue #37974](https://github.com/istio/istio/issues/37974))
+
+- **Added** support for skipping the initial installation of the CNI entirely.
+
+- **Added** a node taint controller to istiod which removes the `cni.istio.io/not-ready` taint from a node once the Istio CNI pod is ready on that node.
+  ([Issue #48818](https://github.com/istio/istio/issues/48818)),([Issue #48286](https://github.com/istio/istio/issues/48286))
+
+- **Added** endpoints acked generation to the proxy distribution report available through the pilot debug API `/debug/config_distribution`.
+  ([Issue #48985](https://github.com/istio/istio/issues/48985))
+
+- **Added** support for configuring waypoint proxies for Services.
+
+- **Added** capability to annotate pods, services, namespaces and other similar kinds with an annotation, `istio.io/use-waypoint`, to specify a waypoint in the form `[<namespace name>/]<waypoint name>`. This replaces the old requirement for waypoints either being scoped to the entire namespace or to a single service account. Opting out of a waypoint can also be done with a value of `#none` to allow a namespace-wide waypoint where specific pods or services are not guarded by a waypoint allowing greater flexibility in waypoint specification and use.
+  ([Issue #49436](https://github.com/istio/istio/issues/49436))
+
+- **Added** support for the `istio.io/waypoint-for` annotations in waypoint proxies.
+  ([Issue #49851](https://github.com/istio/istio/issues/49851))
+
+- **Added** a check to prevent creation of ztunnel config when user has specified a gateway as `targetRef` in their AuthorizationPolicy.
+  ([Issue #50110](https://github.com/istio/istio/issues/50110))
+
+- **Added** the annotation `networking.istio.io/address-type` to allow `istio` class Gateways to use `ClusterIP` for status addresses.
+
+- **Added** the ability to annotate workloads or services with `istio.io/use-waypoint` pointing to Gateways of arbitrary gateway classes.
+  These changes allow configuring a standard Istio gateway as a waypoint.
+  For this to work, it must be configured as a `ClusterIP` Service with
+  redirection enabled. This is colloquially referred to as a "gateway
+  sandwich" where the ztunnel layer handles mTLS.
+  ([Issue #48362](https://github.com/istio/istio/issues/48362))
+
+- **Added** functionality to enroll individual pods into ambient by labeling them with `istio.io/dataplane-mode=ambient`.
+  ([Issue #50355](https://github.com/istio/istio/issues/50355))
+
+- **Added** the ability to allow pods to be opted out of ambient redirection by using the `istio.io/dataplane-mode=none` label.
+  ([Issue #50736](https://github.com/istio/istio/issues/50736))
+
+- **Removed** the ability to opt-out pods from ambient redirection using the `ambient.istio.io/redirection=disabled` annotation, as that is a status annotation reserved for the CNI.
+  ([Issue #50736](https://github.com/istio/istio/issues/50736))
+
+- **Added** an environment variable for istiod `PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME` that allows overriding the name of the default `GatewayClass` Gateway API resource. The default value is `istio`.
+
+- **Added** an environment variable for istiod `PILOT_GATEWAY_API_CONTROLLER_NAME` that allows overriding the name of the Istio Gateway API controller as exposed in the `spec.controllerName` field in the `GatewayClass` resource. The default value is `istio.io/gateway-controller`.
+
+- **Added** support for using the PROXY Protocol for outbound traffic. By specifying `proxyProtocol` in a `DestinationRule.trafficPolicy`,
+  the sidecar will send PROXY Protocol headers to the upstream service. This feature is not supported with HBONE proxy for now.
+
+- **Added** validation checks to reject `DestinationRules` with duplicate subset names.
+
+- **Added** field `supportedFeatures` on a Gateway API's class status before the controller accepts the Gateway class.
+  ([Issue #2162](https://github.com/kubernetes-sigs/gateway-api/issues/2162))
+
+- **Added** checking services' `Resolution`, `LabelSelector`, `ServiceRegistry`, and namespace when merging services during `SidecarScope` construction.
+
+- **Enabled** [Delta xDS](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol#incremental-xds) by default. See upgrade notes for more information.
+  ([Issue #47949](https://github.com/istio/istio/issues/47949))
+
+- **Fixed** an issue where the Kubernetes gateway was not working correctly with the namespace-scoped waypoint proxy.
+
+- **Fixed** an issue where the delta ADS client received a response which contained `RemoveResources`.
+
+- **Fixed** an issue that when using `withoutHeaders` to configure route matching rules in `VirtualService`.
+  If the fields specified in `withoutHeaders` do not exist in the request header, Istio cannot match the request.
+  ([Issue #49537](https://github.com/istio/istio/issues/49537))
+
+- **Fixed** an issue where the priority of envoy filters is ignored when they are in root namespace and proxy namespace.
+  ([Issue #49555](https://github.com/istio/istio/issues/49555))
+
+- **Fixed** an issue where `--log_as_json` option did not work for the `istio-init` container.
+  ([Issue #44352](https://github.com/istio/istio/issues/44352))
+
+- **Fixed** an issue with massive Virtual IPs reshuffling when adding or removing a duplicated host.
+  ([Issue #49965](https://github.com/istio/istio/issues/49965))
+
+- **Fixed** Gateway status addresses receiving Service VIPs from outside the cluster.
+
+- **Fixed** annotation `use-waypoint` to be a label, for consistency.
+  ([Issue #50572](https://github.com/istio/istio/issues/50572))
+
+- **Fixed** build EDS-typed cluster endpoints with domain address.
+  ([Issue #50688](https://github.com/istio/istio/issues/50688))
+
+- **Fixed** a bug where injection template incorrectly evaluated when `InboundTrafficPolicy` was set to "localhost".
+  ([Issue #50700](https://github.com/istio/istio/issues/50700))
+
+- **Fixed** added server-side keepalive to waypoint HBONE endpoints.
+  ([Issue #50737](https://github.com/istio/istio/issues/50737))
+
+- **Fixed** empty prefix match in `HTTPMatchRequest` not being rejected by the validating webhook.
+  ([Issue #48534](https://github.com/istio/istio/issues/48534))
+
+- **Fixed** a behavioral change in Istio 1.20 that caused merging of `ServiceEntries` with the same hostname and port names
+  to give unexpected results.
+  ([Issue #50478](https://github.com/istio/istio/issues/50478))
+
+- **Fixed** a bug when a Sidecar resource not merging ports correctly when it is configured with multiple egress listeners with different ports of a Kubernetes service. This lead to creating only one Cluster with the first port, and the second port was ignored.
+
+- **Fixed** an issue causing routes to be overwritten by other virtual services.
+
+- **Removed** the `values.cni.privileged` flag from `istio-cni` node agent chart in favor of feature-specific permissions.
+  ([Issue #49004](https://github.com/istio/istio/issues/49004))
+
+- **Removed** the `PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS` feature flag.
+
+- **Removed** the `PILOT_ENABLE_INBOUND_PASSTHROUGH` setting, which has been enabled-by-default for the past 8 releases.
+  This feature can now be configured using a new [Inbound Traffic Policy Mode](https://github.com/istio/api/blob/9911a0a6990a18a45ed1b00559156dcc7e836e52/mesh/v1alpha1/config.proto#L203).
+
+## Security
+
+- **Updated** the default value of the feature flag `ENABLE_AUTO_ENHANCED_RESOURCE_SCOPING` to `true`.
+
+- **Added** support for path templating in `AuthorizationPolicy`. See Envoy URI template [docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/path/match/uri_template/v3/uri_template_match.proto).
+  ([Issue #16585](https://github.com/istio/istio/issues/16585))
+
+- **Added** support for customizing the connection timeout setting when resolving `jwksUri`.
+  ([Issue #47328](https://github.com/istio/istio/issues/47328))
+
+- **Added** support for Istio CA to handle node authorization for CSRs with impersonating the identity of remote clusters.
+  This could help Istio CA to authenticate ztunnel in remote clusters in an external control plane scenario.
+    ([Issue #47489](https://github.com/istio/istio/issues/47489))
+
+- **Added** an environment variable `METRICS_LOCALHOST_ACCESS_ONLY` for disabling metrics endpoint from outside of the pod, to allow only localhost access. User can set this with command arguments
+  `--set values.pilot.env.METRICS_LOCALHOST_ACCESS_ONLY=true` for control plane and `--set meshConfig.defaultConfig.proxyMetadata.METRICS_LOCALHOST_ACCESS_ONLY=true` for proxy during `istioctl` installation.
+
+- **Added** Certificate Revocation List (CRL) support for peer certificate validation based on file paths specified in `ClientTLSSettings` in destination rule for Sidecars, and in `ServerTLSSettings` in Gateway for Gateways.
+
+- **Fixed** list matching for the audience claims in JWT tokens.
+  ([Issue #49913](https://github.com/istio/istio/issues/49913))
+
+- **Removed** the `first-party-jwt` legacy option for `values.global.jwtPolicy`. Support for the more secure `third-party-jwt`
+  has been default for many years and is supported in all Kubernetes platforms.
+
+## Telemetry
+
+- **Improved** JSON access logs to emit keys in a consistent order.
+
+- **Added** option to export OpenTelemetry traces via HTTP.
+  ([reference]( https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider)) ([Issue #47835](https://github.com/istio/istio/issues/47835))
+
+- **Enabled** configuring Dynatrace Sampler as the `OpenTelemetryTracingProvider` in `MeshConfig`.
+  ([Issue #50001](https://github.com/istio/istio/issues/50001))
+
+- **Enabled** configuring Resource Detectors as the `OpenTelemetryTracingProvider` in `MeshConfig`.
+  ([Issue #48885](https://github.com/istio/istio/issues/48885))
+
+- **Fixed** an issue where `TraceId` was not propagated when using OpenTelemetry access logger.
+  ([Issue #49911](https://github.com/istio/istio/issues/49911))
+
+- **Removed** default tracing configuration that enables tracing to `zipkin.istio-system.svc`. See upgrade notes for more information.
+
+## Extensibility
+
+- **Improved** using the tag-stripped URL and checksum as a Wasm module cache key, where the tagged URL is separately cached.
+  This may increase the chance of cache hits (e.g., trying to find the same image with both of the tagged and digest URLs.)
+  In addition, this will be a base to implement `ImagePullPolicy`.
+
+## Installation
+
+- **Improved** Helm value field names to configure whether an existing CNI install
+  will be used. Instead of `values.istio_cni` the enablement fields will be in
+  `values.pilot.cni`, as istiod is the affected component.
+  The new setting is more clear than having `values.cni` for install config and `values.istio_cni`
+  for enablement in istiod. The old `values.istio_cni` fields will still be supported
+  for at least two releases.
+  ([Issue #49290](https://github.com/istio/istio/issues/49290))
+
+- **Improved** the `meshConfig.defaultConfig.proxyMetadata` field to do a deep merge when overridden, rather than replacing all values.
+
+- **Added** the ability to add customized annotations to istiod service account resource through the Helm chart.
+
+- **Added** the `openshift-ambient` profile.
+  ([Issue #42341](https://github.com/istio/istio/issues/42341))
+
+- **Added** a new, optional experimental admission policy that only allows stable features/fields to be used in Istio APIs.
+  ([Issue #173](https://github.com/istio/enhancements/issues/173))
+
+- **Added** support for configuring CA bundles for validation and injection webhooks.
+
+- **Fixed** gathering `pprof` data from the local ztunnel admin endpoint, which would fail due to the lack of a writable in-container `/tmp`.
+  ([Issue #50060](https://github.com/istio/istio/issues/50060))
+
+- **Removed** deprecated `external` profile. Please use the `remote` profile instead for installation.
+  ([Issue #48634](https://github.com/istio/istio/issues/48634))
+
+## istioctl
+
+- **Added** the `istioctl proxy-stauts` command, which is the promoted `istioctl experimental proxy-status` command. The old `istioctl proxy-status` command has been removed.
+  This promotion should not result in any loss of functionality. However, the request is now sent based on xDS instead of HTTP, and we have introduced a set of new xDS-based flags to target the control plane.
+
+- **Added** support for multi-cluster analysis in `istioctl analyze` command when there are remote cluster secrets set up through [Install Multicluster](/docs/setup/install/multicluster/).
+
+- **Added** a new `istioctl dashboard proxy` command, which can be used to show the admin UI of different proxy pods, for example: Envoy, ztunnel, and waypoint.
+
+- **Added** the `--proxy` option to `istioctl experimental wait` command.
+  ([Issue #48696](https://github.com/istio/istio/issues/48696))
+
+- **Added** namespace filtering to `istioctl proxy-config workload` command using the `--workloads-namespace` flag to display workloads in the specified namespace.
+
+- **Added** the `istioctl dashboard istio-debug` command to display the Istio debug endpoints dashboard.
+
+- **Added** the `istioctl experimental describe` command to support displaying the details of policies for `PortLevelSettings`.
+  ([Issue #49802](https://github.com/istio/istio/issues/49802))
+
+- **Added** ability to define the traffic address type (service, workload, all or none) for waypoints via the `--for` flag when using the `istioctl experimental waypoint apply` command.
+  ([Issue #49896](https://github.com/istio/istio/issues/49896))
+
+- **Added** the ability to name waypoints through `istioctl` via the `--name` flag on the waypoint command.
+  ([Issue #49915](https://github.com/istio/istio/issues/49915)), ([Issue #50173](https://github.com/istio/istio/issues/50173))
+
+- **Removed** the ability to specify a service account for the waypoint by deleting the `--service-account` flag on the waypoint command.
+  ([Issue #49915](https://github.com/istio/istio/issues/49915)), ([Issue #50173](https://github.com/istio/istio/issues/50173))
+
+- **Added** the ability to enroll a waypoint proxy in the waypoint's namespace through `istioctl` via the `--enroll-namespace` flag on the waypoint command.
+  ([Issue #50248](https://github.com/istio/istio/issues/50248))
+
+- **Added** the `istioctl ztunnel-config` command. This allow users to view ztunnel configuration information via the `istioctl ztunnel-config workload` command.
+  ([Issue #49841](https://github.com/istio/istio/issues/49841))
+
+**Removed** the workload flag from proxy-config command. Use `istioctl ztunnel-config workload` command to view ztunnel configuration information instead.
+  ([Issue #49841](https://github.com/istio/istio/issues/49841))
+
+- **Added** a warning when using `istioctl experimental waypoint apply --enroll-namespace` and the namespace is not labeled for ambient redirection.
+  ([Issue #50396](https://github.com/istio/istio/issues/50396))
+
+- **Added** the `--for` flag to `istioctl experimental waypoint generate` command so that the user can preview the YAML before they apply it.
+  ([Issue #50790](https://github.com/istio/istio/issues/50790))
+
+- **Added** an experimental OpenShift Kubernetes platform profile to `istioctl`. To install with the OpenShift profile, use `istioctl install --set profile=openshift`.
+  See [OpenShift Platform Setup]( https://istio.io/docs/setup/platform-setup/openshift/) and [Install OpenShift using `istioctl`]( https://istio.io/docs/setup/install/istioctl/#install-a-different-profile) documents for more information.
+
+- **Added** the flag `--proxy-admin-port` to the command `istioctl experimental envoy-stats` to set a custom proxy admin port.
+
+- **Fixed** an issue where the `istioctl experimental proxy-status <pod>` compare command was not working due to unknown configs.
+
+- **Fixed** the `istioctl describe` command not displaying Ingress information under non `istio-system` namespaces.
+  ([Issue #50074](https://github.com/istio/istio/issues/50074))

content/en/news/releases/1.22.x/announcing-1.22/upgrade-notes/index.md

@@ -0,0 +1,58 @@
+---
+title: Istio 1.22 Upgrade Notes
+description: Important changes to consider when upgrading to Istio 1.22.x.
+weight: 20
+publishdate: 2024-05-13
+---
+
+When you upgrade from Istio 1.21.x to Istio 1.22.0, you need to consider the changes on this page.
+These notes detail the changes which purposefully break backwards compatibility with Istio 1.21.x.
+The notes also mention changes which preserve backwards compatibility while introducing new behavior.
+Changes are only included if the new behavior would be unexpected to a user of Istio 1.21.x.
+
+## Delta xDS on by default
+
+In previous versions, Istio used the "State of the world" xDS protocol to configure Envoy.
+In this release, the ["Delta"](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol#incremental-xds) xDS protocol is enabled by default.
+
+This should be an internal implementation detail, but because this controls the core configuration protocol in Istio,
+an upgrade notice is present in an abundance of caution.
+
+The expected impacts of this change is improved performance of configuration distribution.
+This may result in reduced CPU and memory utilization in Istiod and proxies, as well as less network traffic between the two.
+Note that while this release changes the *protocol* to be incremental, Istio does not yet send perfect minimal incremental updates.
+However, there are already optimizations in place for a variety of critical code paths, and this change enables us to continue optimizations.
+
+If you experience unexpected impacts of this change, please set the `ISTIO_DELTA_XDS=false` environment variable in proxies
+and file a GitHub issue.
+
+## Default tracing to `zipkin.istio-system.svc` removed
+
+In previous versions of Istio, tracing was automatically configured to send traces to `zipkin.istio-system.svc`.
+This default setting has been removed; users will need to explicitly configure where to send traces moving forward.
+
+`istioctl x precheck --from-version=1.21` can automatically detect if you may be impacted by this change.
+
+If you previously had tracing enabled implicitly, you can enable it by doing one of:
+* Installing with `--set compatibilityVersion=1.21`.
+* Following [Configure tracing with Telemetry API](/docs/tasks/observability/distributed-tracing/telemetry-api/).
+
+## Default value of the feature flag `ENHANCED_RESOURCE_SCOPING` to true
+
+`ENHANCED_RESOURCE_SCOPING` is enabled by default. This means that the pilot will processes only the Istio Custom Resource configurations that are in
+scope of what is specified from `meshConfig.discoverySelectors`. Root-ca certificate distribution is also affected.
+
+If this is not desired, use the new `compatibilityVersion` feature to fallback to old behavior.
+
+## `ServiceEntry` with `resolution: NONE` now respects `targetPort`
+
+`ServiceEntry` with `resolution: NONE` previously ignored any `targetPort` specifier.
+In this release, the `targetPort` is now respected.
+If undesired set `--compatibilityVersion=1.21` to revert to the old behavior, or remove the `targetPort` specification.
+
+## New ambient mode waypoint attachment method
+
+Waypoints in Istio's ambient mode no longer use the original service account or namespace attachment semantics. If you were using a namespace-scope waypoint previously migration should be fairly straight forward. Label your namespace with the appropriate waypoint and it should function in a similar way. Please check the [doc](/docs/ambient/usage/l7-features/#targeting-policies-or-routing-rules).
+If you were using service account attachment there will be more to understand.
+
+Under the old waypoint logic all types of traffic, both addressed to a service as well as addressed to a workload, were treated similarly because there wasn't a good way to properly associate a waypoint to a service. With the new attachment this limitation has been resolved. This includes adding a distinction between service addressed and workload addressed traffic. Annotating a service, or service-like kind, will redirect traffic which is service addressed to your waypoint. Likewise annotating a workload will redirect workload addressed traffic. It is therefore important to understand how consumers address your providers and select a waypoint attachment method which corresponds to this method of access.