Add some missed upgrade notes (#15910)

* Add release note about Istio CSR

* add DNS issue
John Howard 2024-11-08 14:53:01 -08:00 committed by GitHub
parent daccb4888c
commit 79557cc24f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 32 additions and 0 deletions


@ -28,6 +28,19 @@ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
See the individual change and upgrade notes for more information.
## Ambient upgrade with DNS proxy
For upgrades to Istio 1.24.0 when using Ambient mode, with `cni.ambient.dnsCapture=true` configured, users will need to follow a specific set of upgrade steps:
1. Upgrade Istio CNI
1. Restart any workloads enrolled into ambient mode
1. Upgrade Ztunnel
Failure to do so will result in DNS resolution failures.
If this occurs, you can restart the workloads to resolve the issue.
This is expected to be improved in future patch releases; follow [the issue](https://github.com/istio/ztunnel/issues/1360) for more information.
## Istio CRDs are templated by default and can be installed and upgraded via `helm install istio-base`
This changes how CRDs are upgraded.
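Review bot: the three numbered steps in the "Ambient upgrade with DNS proxy" section only work as a fix if they are performed in the listed order (CNI, then workload restart, then ztunnel), but the lead sentence does not say the order matters, so a reader may treat the workload restart as optional or do it last; consider changing "follow a specific set of upgrade steps" to "follow these steps, in this order" and stating which step, when skipped or reordered, leads to the DNS resolution failures. It would also help to clarify whether the recovery restart in "you can restart the workloads to resolve the issue" must happen after ztunnel has been upgraded, since the paragraph otherwise leaves the reader to guess.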
@ -116,3 +129,22 @@ The peer metadata uses baggage encoding with the following field attributes:
- `workload`
- `type` (e.g. `"deployment"`)
- `name` (e.g. `"pod-foo-12345"`)
## Compatibility with cert-manager's `istio-csr`
In this release, Istio introduces increased validation checks in gRPC communication to the control plane.
Note this only impacts Istio's own internal gRPC usage, not users' traffic.
While Istio's control plane is not impacted by this, a popular third-party CA implementation, [`istio-csr`](https://github.com/cert-manager/istio-csr) is.
While this has been [fixed upstream](https://github.com/cert-manager/istio-csr/pull/422), there is not yet a released version with the fix at the time of writing (`v0.12.0` does not have the fix).
This can be worked around in the meantime by installing Istio with the following settings:
{{< text yaml >}}
meshConfig:
defaultConfig:
proxyMetadata:
GRPC_ENFORCE_ALPN_ENABLED: "false"
{{< /text >}}
If you are impacted by this issue, you will see an error message like `"transport: authentication handshake failed: credentials: cannot check peer: missing selected ALPN property"`.
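Review bot: the workaround sets `GRPC_ENFORCE_ALPN_ENABLED: "false"` through `meshConfig.defaultConfig.proxyMetadata`, which applies to every proxy's gRPC connections and not only to the connection to `istio-csr`, so it turns off the increased validation this release introduces mesh-wide; the note should say that the setting is temporary and should be removed once an `istio-csr` release containing the fix is deployed, and should name `v0.12.0` as the newest release checked so readers can tell when "at the time of writing" no longer applies. Also, as rendered here the keys `meshConfig`, `defaultConfig` and `proxyMetadata` all appear at the same indentation level; please confirm the nesting indentation is present in the page source, because as flat sibling keys the YAML would not express the intended `meshConfig.defaultConfig.proxyMetadata` path.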