istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

preliminary release notes for 1.8 (#8415) 

* preliminary release notes for 1.8

* remove release notes warnings

* lint fixes

* spelling fixes

* wording fixes

* bug fixes

* review items, added helm3 note

* missing release notes added

* code review comments

* code review comments, last release notes addiations

* add WIP release announcement

* fix doc link

* update for removed vm autoregistration doc

* add Known Issues section to top of change notes

* remove duplicate release note

* added FAQ link to install/upgrade, review comments
This commit is contained in:
Gregory Hanson 2020-11-19 12:27:49 -05:00 committed by GitHub
parent 8d6bf41aa6
commit 9e398b565a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 401 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.spelling
View File

@ -23,6 +23,7 @@
1.6.x.
1.7.x
1.7.x.
1.8.x
1.x
10ms
10s
@ -111,6 +112,7 @@ backend
backends
base64
Bazel
Bian
BigQuery
bitpipe
BlackHole
@ -493,6 +495,7 @@ passthrough
Passthrough
PassthroughCluster
peek
Pengyuan
pem
performant
pipelined

8
content/en/news/releases/1.8.x/_index.md Normal file
View File

@ -0,0 +1,8 @@
---
title: 1.8.x Releases
description: Announcements for the 1.8 release and its associated patch releases.
weight: 21
list_by_publishdate: true
layout: release-grid
decoration: dot
---

68
content/en/news/releases/1.8.x/announcing-1.8/_index.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Announcing Istio 1.8
linktitle: 1.8
subtitle: Major Update
description: Istio 1.8 release announcement.
publishdate: 2020-11-19
release: 1.8.0
skip_list: true
aliases:
- /news/announcing-1.8
- /news/announcing-1.8.0
---
We are pleased to announce the release of Istio 1.8!
{{< relnote >}}
This is our fourth and final release for 2020. We would like to thank the entire Istio team, and especially the release managers [Greg Hanson](https://github.com/GregHanson) from IBM and [Pengyuan Bian](https://github.com/bianpengyuan) from Google.
We continue to navigate in the direction outlined in our [2020 roadmap post](/blog/2020/tradewinds-2020/), improving usability, security, reliability, with focus on multi-cluster meshes and VM workloads. We've introduced new features where necessary to further those goals, but in general, we've been focusing on bug fixes and polish — a theme we'll be continuing into 2021.
Here are some highlights for this release:
## Installing and Upgrading Istio
To codify all the knowledge on how to deploy and upgrade a mesh into software, we built the `IstioOperator` API and two different methods to install it - [istioctl install](/docs/setup/install/istioctl/) and the [Istio operator](/docs/setup/install/operator/). However, some of our users have a deployment workflow for other software based on Helm, and so in this release we've added support for [installing Istio with Helm 3](/docs/setup/install/helm/). This includes both [in-place upgrades](/docs/setup/install/helm/#in-place-upgrade) and [canary deployment of new control planes](/docs/setup/install/helm/#canary-upgrade), after installing 1.8 or later. Helm 3 support is currently Alpha, so please try it out and give your feedback.
Given the several methods of installation that Istio now supports, we've added a [which Istio installation method should I use?](/faq/setup/#install-method-selection) FAQ page to help users understand which method may be best suited to their particular use case.
Vendors can now provide [optimized profiles]({{< github_tree >}}/manifests/charts/istio-operator/files/manifests/profiles/PROFILES.md) for installing Istio on their platform. [Installing Istio on OpenShift](/docs/setup/platform-setup/openshift/) is easier as a result!
## Multi-cluster
If you're serious about reliability, you run more than one Kubernetes cluster. Setting up a mesh across multiple clusters used to take a lot of manual work, and you had a lot of permutations of choice as to how you wanted to run.
In this release, we've written a [new installation guide](/docs/setup/install/multicluster/) which makes it easy to install a mesh that spans multiple clusters, with options depending on if the clusters are [on the same network](/docs/ops/deployment/deployment-models#network-models), and whether you want [multiple control planes](/docs/ops/deployment/deployment-models#control-plane-models).
## Easier to add VMs to your mesh
After making a number of security improvements to VM mesh endpoints in 1.7, we've focused on usability for 1.8. We simplified the installation process, and you can now use `istioctl` to do it. The new [smart DNS proxying](/blog/2020/dns-proxy/) feature lets you resolve mesh services from your VMs, without having to insecurely point them at your cluster DNS server. It also reduces both cluster DNS traffic, and the number of look-ups needed to resolve a service's IP. [Auto registration](/docs/setup/install/virtual-machine/#install-the-istio-control-plane) allows you to tell the VM agent what kind of workload it has, and automatically have `WorkloadEntry` objects created for it when it joins the mesh.
## Security and secrets
Certificates are now sent from Istiod to gateways, rather than them being read directly from Kubernetes. This reduces the privileges of gateways, which are often publicly exposed, improving our "defense in depth" security posture. Additionally, this opens the door for increased performance and lower memory footprint, and additional extensibility in certificate sources.
Istio ships with an out-of-the box Certificate Authority, but many users want to connect to an existing CA. Currently, you have to implement the [Istio CSR API](https://github.com/istio/api/blob/master/security/v1alpha1/ca.proto) and write third-party integrations yourself. In Istio 1.8, we introduced an approach that leverages the [Kubernetes CSR API](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and can be integrated with any tools that can use that API. Istiod provides the role of Registration Authority (RA) to authenticate and authorize a workload, then creates, approves, and monitors updates for a CSR resource. A third-party tool (e.g., [cert-manager](https://cert-manager.io/)) can then apply the correct signer to create a signed certificate for with the appropriate backend CA. This feature is currently experimental.
## Ease of use
Every release, our User Experience working group is making Istio easier to use.
When things break, we want to make it as easy as possible to help you fix them. In this release, we've introduced `istioctl bug-report`, which gathers debug information and cluster state, to make it easier for the developers or vendor support teams to understand.
`istioctl analyze` can now show where objects don't validate properly, as well as cluster errors. In the case of an error, it will now return the exact line number of the error.
You can now refer to pods indirectly. No more `istioctl dashboard envoy $(kubectl get pods -l app=productpage -o jsonpath="{.items[0].metadata.name}")` - now it's just `istioctl dashboard envoy deployment/productpage`.
## Deprecations
Istio has been saying a long goodbye to the Mixer component, which is now [removed in 1.8](https://github.com/istio/istio/issues/25333). If you still depend on any Mixer functionality, make sure to check the upgrade notes. [You can still use the Mixer from 1.7](https://github.com/istio/istio/wiki/Enabling-Envoy-Authorization-Service-and-gRPC-Access-Log-Service-With-Mixer) - but you should really get on the [WebAssembly train](/blog/2020/wasm-announce/)!
Over the last two releases, we've [changed how we package integrations addons](/blog/2020/addon-rework/) (such as Prometheus, Zipkin, Jaeger and Kiali). Our bundled versions were not as powerful as those provided by the upstream authors, so we moved to providing upstream manifests instead of including them directly. Support for installing addons with Istioctl was deprecated in 1.7 and is removed in 1.8.
## Join the Istio community
Our [Community Meeting](https://github.com/istio/community#community-meeting) happens on the fourth Thursday of the month, at 10 AM Pacific. Due to US Thanksgiving, we've moved this month's meeting forward one week to the 19th of November. If you can't make it, why not join the conversation at [Discuss Istio](https://discuss.istio.io/), or join our [Slack workspace](https://slack.istio.io/)?
Would you like to get involved? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help make Istio even better.

202
content/en/news/releases/1.8.x/announcing-1.8/change-notes/index.md Normal file
View File

@ -0,0 +1,202 @@
---
title: Change Notes
description: Istio 1.8 release notes.
weight: 10
---
## Known Issues
- Memory leak in TCP Wasm extensions affecting TCP telemetry (see [Issue #24720](https://github.com/istio/istio/issues/24720)). The leak occurs when upstream connections are interrupted mid-stream.
- Wasm extension configuration updates are disruptive (see [Issue #13690](https://github.com/envoyproxy/envoy/issues/13690)). The configuration is immediately applied for existing requests and connections, and is not reverted if the outer xDS is rejected.
- Race condition with Envoy aggregate cluster when creating an `EnvoyFilter` and `ServiceEntry` for the same service. Istio-injected pods are unable to start up due to `istio-proxy` crashing with a segfault. See [Issue #28620](https://github.com/istio/istio/issues/28620) for more information.
## Traffic Management
- **Added** DNS capture in istio-agent by default for VMs installed using `istioctl x workload entry configure`.
- **Added** `holdApplicationUntilProxyStarts` field to `ProxyConfig`,
allowing it to be configured at the pod level. Should not be used in conjunction with
the deprecated `values.global.proxy.holdApplicationUntilProxyStarts` value.
([Issue #27696](https://github.com/istio/istio/issues/27696))
<!--
- **Added** support for injecting `istio-cni` into `k8s.v1.cni.cncf.io/networks` annotation with preexisting value that uses JSON notation.
([Issue #25744](https://github.com/istio/istio/issues/25744))
-->
- **Added** support for `INSERT_FIRST`, `INSERT_BEFORE`, `INSERT_AFTER` insert operations for `HTTP_ROUTE` in `EnvoyFilter` ([Issue #26692](https://github.com/istio/istio/issues/26692))
- **Added** `REPLACE` operation for `EnvoyFilter`. `REPLACE` operation can replace the contents of a named filter with new contents. It is only valid for `HTTP_FILTER` and `NETWORK_FILTER`.
([Issue #27425](https://github.com/istio/istio/issues/27425))
- **Added** Istio resource status now includes observed generation
([Issue #28003](https://github.com/istio/istio/issues/28003))
- **Fixed** remove endpoints when the new labels in `WorkloadEntry` do not match the `workloadSelector` in `ServiceEntry`.
([Issue #25678](https://github.com/istio/istio/issues/25678))
- **Fixed** when a node has multiple IP addresses (e.g., a VM in the mesh expansion scenario),
Istio Proxy will now bind `inbound` listeners to the first applicable address in the list
(new behavior) rather than to the last one (former behavior).
([Issue #28269](https://github.com/istio/istio/issues/28269))
## Security
- **Improved** Gateway certificates to be read and distributed from Istiod, rather than in the gateway pods.
This reduces the permissions required in the gateways, improves performance, and makes certificate reading
more extensible. This change is fully backwards compatible with the old mechanism, and requires no changes
to your cluster. If required, it can be disabled by setting the `ISTIOD_ENABLE_SDS_SERVER=false`
environment variable in Istiod.
([Pull Request #27744](https://github.com/istio/istio/pull/27744))
- **Improved** TLS configuration on sidecar server side inbound paths to enforce `TLSv2` version along with recommended cipher suites.
If this is not needed or creates problems with non Envoy clients, it can disabled by setting Istiod env variable `PILOT_SIDECAR_ENABLE_INBOUND_TLS_V2` to false.
([Pull Request #27500](https://github.com/istio/istio/pull/27500))
- **Updated** The `ipBlocks`/`notIpBlocks` fields of an `AuthorizationPolicy` now strictly refer to the source IP address of the IP packet as it arrives at the sidecar. Prior to this release, if using the Proxy Protocol, then the `ipBlocks`/`notIpBlocks` would refer to the IP address determined by the Proxy Protocol. Now the `remoteIpBlocks`/`notRemoteIpBlocks` fields must be used to refer to the client IP address from the Proxy Protocol.
([reference](/docs/reference/config/security/authorization-policy/))([usage](/docs/ops/configuration/traffic-management/network-topologies/))([usage](/docs/tasks/security/authorization/authz-ingress/)) ([Issue #22341](https://github.com/istio/istio/issues/22341))
- **Added** `AuthorizationPolicy` now supports nested JWT claims.
([Issue #21340](https://github.com/istio/istio/issues/21340))
- **Added** support for client side Envoy secure naming config when trust domain alias is used.
This fixes the multi-cluster service discovery client SAN generation to use all endpoints' service accounts rather than the first found service registry.
([Pull Request #26185](https://github.com/istio/istio/pull/26185))
- **Added** Experimental feature support allowing Istiod to integrate with external certificate authorities using Kubernetes CSR API (>=1.18 only).
([Issue #27606](https://github.com/istio/istio/issues/27606))([usage](/docs/tasks/security/cert-management/custom-ca-k8s/))
- **Added** Enable user to set the custom VM identity provider for credential authentication
([Issue #27947](https://github.com/istio/istio/issues/27947))
- **Added** action 'AUDIT' to Authorization Policy that can be used to determine which requests should be audited.
([Issue #25591](https://github.com/istio/istio/issues/25591))
- **Added** support for migration and concurrent use of regular K8S tokens as well as new K8S tokens with audience. This feature is enabled by
default, can be disabled by `REQUIRE_3P_TOKEN` environment variable in Istiod, which will require new tokens with audience. The
`TOKEN_AUDIENCES` environment variable allows customizing the checked audience, default remains `istio-ca`.
([Pull Request #26482](https://github.com/istio/istio/pull/26482))
- **Added** `AuthorizationPolicy` now supports a `Source` of type `remoteIpBlocks`/`notRemoteIpBlocks` that map to a new `Condition` attribute called `remote.ip` that can also be used in the "when" clause. If using an http/https load balancer in front of the ingress gateway, the `remote.ip` attribute is set to the original client IP address determined by the `X-Forwarded-For` http header from the trusted proxy configured through the `numTrustedProxies` field of the `gatewayTopology` under the `meshConfig` when you install Istio or set it via an annotation on the ingress gateway. See the documentation here: [Configuring Gateway Network Topology](/docs/ops/configuration/traffic-management/network-topologies/). If using a TCP load balancer with the Proxy Protocol in front of the ingress gateway, the `remote.ip` is set to the original client IP address as given by the Proxy Protocol.
([reference](/docs/reference/config/security/authorization-policy/))([usage](/docs/ops/configuration/traffic-management/network-topologies/))([usage](/docs/tasks/security/authorization/authz-ingress/)) ([Issue #22341](https://github.com/istio/istio/issues/22341))
## Telemetry
- **Updated** the "Control Plane Dashboard" and the "Performance Dashboard" to use the `container_memory_working_set_bytes` metric
to display memory. This metric only counts memory that *cannot be reclaimed* by the kernel even under memory pressure,
and therefore more relevant for tracking. It is also consistent with `kubectl top`. The reported values are lower than
the previous values.
- **Updated** the Istio Workload and Istio Service dashboards resulting in faster load time.
([Issue #22408](https://github.com/istio/istio/issues/22408))
- **Added** `datasource` parameter to Grafana dashboards
([Issue #22408](https://github.com/istio/istio/issues/22408))
- **Added** Listener Access Logs when `ResponseFlag` from Envoy is set.
([Issue #26851](https://github.com/istio/istio/issues/26851))
- **Added** support for `OpenCensusAgent` formatted trace export with configurable trace context headers.
- **Added** Proxy config to control Envoy native stats generation.
([Issue #26546](https://github.com/istio/istio/issues/26546))
- **Added** Istio Wasm Extension Grafana Dashboard.
([Issue #25843](https://github.com/istio/istio/issues/25843))
- **Added** gRPC streaming message count proxy Prometheus `metrics istio_request_messages_total` and `istio_response_messages_total`
([Pull Request #3048](https://github.com/istio/proxy/pull/3048))
- **Added** support for properly labeling traffic in client metrics for cases when the destination is not reached or is not behind a proxy.
([Issue #20538](https://github.com/istio/istio/issues/20538))
- **Fixed** interpretation of `$(HOST_IP)` in Zipkin and Datadog tracer address.
([Issue #27911](https://github.com/istio/istio/issues/27911))
- **Removed** all Mixer-related features and functionality. This is a scheduled
removal of a deprecated Istio services and deployments, as well as
Mixer-focused CRDs and component and related functionality.
([Issue #25333](https://github.com/istio/istio/issues/25333)),([Issue #24300](https://github.com/istio/istio/issues/24300))
## Installation
- **Promoted** [external control plane](/docs/setup/additional-setup/external-controlplane/) to alpha.
([Issue #11](https://github.com/istio/enhancements/issues/11))
- **Updated** Kiali addon to version 1.26.
- **Added** support for [installing and upgrading Istio](/docs/setup/install/helm/) using [Helm 3](https://helm.sh/docs/)
- **Improved** multi-network configuration so that labeling a service with `topology.istio.io/network=network-name` can
configure cross-network gateways without using [mesh networks](/docs/reference/config/istio.mesh.v1alpha1/#MeshNetworks).
- **Improved** sidecar injection to not modify the pod `securityPolicy.fsGroup` which could conflict with existing settings and secret mounts.
This option is enabled automatically on Kubernetes 1.19+ and is not supported on older versions.
([Issue #26882](https://github.com/istio/istio/issues/26882))
- **Improved** Generated operator manifests for use with `kustomize` are available in the [manifests]({{< github_tree >}}/manifests/charts/istio-operator/files) directory.
([Issue #27139](https://github.com/istio/istio/issues/27139))
- **Updated** install script to bypass GitHub API Rate Limiting.
([Pull Request #23469](https://github.com/istio/istio/pull/23469))
- **Added** port `15012` to the default list of ports for the `istio-ingressgateway` Service.
([Issue #25933](https://github.com/istio/istio/issues/25933))
- **Added** support for Kubernetes versions 1.16 to 1.19 to Istio 1.8.
([Issue #25793](https://github.com/istio/istio/issues/25793))
- **Added** the ability to specify the network for a Pod using the label `topology.istio.io/network`. This overrides the setting for the cluster's installation values (`values.globalnetwork`). If the label isn't set, it is injected based on the global value for the cluster.
([Issue #25500](https://github.com/istio/istio/issues/25500))
- **Deprecated** installation flags `values.global.meshExpansion.enabled` in favor of user-managed config and `values.gateways.istio-ingressgateway.meshExpansionPorts` in favor of `components.ingressGateways[name=istio-ingressgateway].k8s.service.ports`
([Issue #25933](https://github.com/istio/istio/issues/25933))
- **Fixed** Istio operator manager to allow configuring `RENEW_DEADLINE`.
([Issue #27509](https://github.com/istio/istio/issues/27509))
- **Fixed** an issue preventing `NodePort` services from being used as the `registryServiceName` in `meshNetworks`.
- **Removed** support for installing third-party telemetry applications with `istioctl`. These applications (Prometheus, Grafana, Zipkin, Jaeger, and Kiali), often referred to as the Istio addons, must now be installed separately. This does not impact Istio's ability to produce telemetry for those use in the addons. See [Reworking our Addon Integrations](/blog/2020/addon-rework/) for more info.
([Issue #23868](https://github.com/istio/istio/issues/23868)),([Issue #23583](https://github.com/istio/istio/issues/23583))
- **Removed** `istio-telemetry` and `istio-policy` services and deployments from installation by `istioctl`.
([Issue #23868](https://github.com/istio/istio/issues/23868)),([Issue #23583](https://github.com/istio/istio/issues/23583))
- **Fixed** Istio Grafana Dashboards queries which have `reporter` field.
([Issue #27595](https://github.com/istio/istio/issues/27595))
## istioctl
- **Improved** `istioctl analyze` to find the exact line number with configuration errors when analyzing yaml files.
Before, it would return the first line of the resource with the error.
([Issue #22872](https://github.com/istio/istio/issues/22872))
- **Updated** `istioctl experimental version` and `proxy-status` to use token security.
A new option, `--plaintext`, has been created for testing without tokens.
([Issue #24905](https://github.com/istio/istio/issues/24905))
- **Added** istioctl commands may now refer to pods indirectly, for example `istioctl dashboard envoy deployment/httpbin`
([Issue #26080](https://github.com/istio/istio/issues/26080))
- **Added** `io` as short name for Istio Operator resources in addition to `iop`.
([Issue #27159](https://github.com/istio/istio/issues/27159))
- **Added** `--type` for `istioctl experimental create-remote-secret` to allow user specify type for the created secret.
- **Added** an experimental OpenShift Kubernetes platform profile to `istioctl`. To install with the OpenShift profile, use `istioctl install --set profile=openshift`.
([OpenShift Platform Setup](/docs/setup/platform-setup/openshift/))([Install OpenShift using `istioctl`](/docs/setup/install/istioctl/#install-a-different-profile))
- **Added** `istioctl bug-report` command to generate an archive of Istio and cluster information to assist with debugging.
([Issue #26045](https://github.com/istio/istio/issues/26045))
- **Added** new command `istioctl experimental istiod log` to enable managing logging levels
of `istiod` components.
([Issue #25276](https://github.com/istio/istio/issues/25276)),([Issue #27797](https://github.com/istio/istio/issues/27797))
- **Deprecated** `centralIstiod` flag in favor of `externalIstiod` to better support external control plane model.
([Issue #24471](https://github.com/istio/istio/issues/24471))
- **Fixed** an issue which allowed an empty revision flag on install. ([Issue #26940](https://github.com/istio/istio/issues/26940))

120
content/en/news/releases/1.8.x/announcing-1.8/upgrade-notes/index.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Upgrade Notes
description: Important changes to consider when upgrading to Istio 1.8.
weight: 20
---
When you upgrade from Istio 1.7.x to Istio 1.8.x, you need to consider the changes on this page.
These notes detail the changes which purposefully break backwards compatibility with Istio 1.7.x.
The notes also mention changes which preserve backwards compatibility while introducing new behavior.
Changes are only included if the new behavior would be unexpected to a user of Istio 1.7.x.
## Mixer is no longer supported in Istio
If you are using the `istio-policy` or `istio-telemetry` services, or any
related Mixer configuration, you will not be able to upgrade without taking
action to either (a) convert your existing configuration and code to the new
extension model for Istio or (b) use the gRPC shim developed to bridge
transition to the new model. For more details, please refer to the [developer wiki](https://github.com/istio/istio/wiki/Enabling-Envoy-Authorization-Service-and-gRPC-Access-Log-Service-With-Mixer).
## The semantics of revision for gateways in `IstioOperator` has changed from 1.7 to 1.8
In 1.7, `revision` means you are creating a new gateway with a different revision so it would
not conflict with the default gateway. In 1.8, it means the revision of istiod the gateway
is configuring with. If you are using revision for gateways in `IstioOperator` in 1.7,
before moving to 1.8, you must upgrade it to the revision of the Istiod (or delete
the revision if you dont use revision). See [Issue #28849](https://github.com/istio/istio/issues/28849).
## Istio CoreDNS Plugin Deprecation
The Istio sidecar now provides native support for DNS resolution with `ServiceEntries` using
`meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE="true"`. Previously, this support
was provided by the third party [Istio CoreDNS plugin](https://github.com/istio-ecosystem/istio-coredns-plugin).
As a result, the `istio-coredns-plugin` is now deprecated and will be removed in a future release.
## Use the new filter names for `EnvoyFilter`
If you are using `EnvoyFilter` API, it is recommended to change to the new filter names as described in Envoy's [deprecation notice](https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.14.0#deprecated)
The deprecated filter names will be supported in this release for backward compatibility but will be removed in future releases.
## Inbound Cluster Name Format
The format of inbound Envoy cluster names has changed. Previously, they included the Service hostname
and port name, such as `inbound|80|http|httpbin.default.svc.cluster.local`. This lead to issues when multiple
Services select the same pod. As a result, we have removed the port name and hostname - the new format will
instead resemble `inbound|80||`.
For most users, this is an implementation detail, and will only impact debugging or tooling that directly
interacts with Envoy configuration.
## Avoid use of mesh expansion installation flags
To ease setup for multicluster and virtual machines while giving more control to users, the `meshExpansion` and `meshExpansionPorts` installation flags have been deprecated, and port 15012 has been added to the default list of ports for the `istio-ingressgateway` Service.
For users with `values.global.meshExpansion.enabled=true`, perform the following steps before upgrading Istio:
1. Apply the code sample for exposing Istiod through ingress.
{{< text bash >}}
$ kubectl apply -f @samples/istiod-gateway/istiod-gateway.yaml@
{{< /text >}}
This removes `operator.istio.io/managed` labels from the associated Istio networking resources so that the Istio installer won't delete them. After this step, you can modify these resources freely.
1. If `components.ingressGateways[name=istio-ingressgateway].k8s.service.ports` is overridden, add port 15012 to the list of ports:
{{< text yaml >}}
- port: 15012
targetPort: 15012
name: tcp-istiod
{{< /text >}}
1. If `values.gateways.istio-ingressgateway.meshExpansionPorts` is set, move all ports to `components.ingressGateways[name=istio-ingressgateway].k8s.service.ports` if they're not already present. Then, unset this value.
1. Unset `values.global.meshExpansion.enabled`.
## Protocol Detection Timeout Changes
In order to support permissive mTLS traffic as well as [automatic protocol detection](/docs/ops/configuration/traffic-management/protocol-selection/#automatic-protocol-selection),
the proxy will sniff the first few bytes of traffic to determine the protocol used. For certain "server first" protocols, such
as the protocol used by `MySQL`, there will be no initial bytes to sniff. To mitigate this issue in the past, Istio introduced
a detection timeout. However, we found this caused frequent telemetry and traffic failures during slow connections, while increasing latency
for misconfigured server first protocols rather than failing fast.
This timeout has been disabled by default. This has the following impacts:
- Non "server first" protocols will no longer have a risk of telemetry or traffic failures during slow connections
- Properly configured "server first" protocols will no longer have an extra 5 seconds latency on each connection
- Improperly configured "server first" protocols will experience connection timeouts. Please ensure you follow the steps listed in [Server First Protocols](/docs/ops/configuration/traffic-management/protocol-selection/#server-first-protocols)
to ensure you do not run into traffic issues.
## Update AuthorizationPolicy resources to use `remoteIpBlocks`/`notRemoteIpBlocks` instead of `ipBlocks`/`notIpBlocks` if using the Proxy Protocol
If using the Proxy Protocol on a load balancer in front an ingress gateway in conjunction with `ipBlocks`/`notIpBlocks` on an AuthorizationPolicy to perform IP-based access control, then please update the AuthorizationPolicy to use `remoteIpBlocks`/`notRemoteIpBlocks` instead after upgrading. The `ipBlocks`/`notIpBlocks` fields now strictly refer to the source IP address of the packet that arrives at the sidecar.
## `AUTO_PASSTHROUGH` Gateway mode
Previously, gateways were configured with multiple Envoy `cluster` configurations for each Service in the cluster, even those
not referenced by any `Gateway` or `VirtualService`. This was added to support the `AUTO_PASSTHROUGH` mode on Gateway, generally used for exposing Services across networks.
However, this came at an increased CPU and memory cost in the gateway and Istiod. As a result, we have disabled these by default
on the `istio-ingressgateway` and `istio-egressgateway`.
If you are relying on this feature for multi-network support, please ensure you apply one of the following changes:
1. Follow our new [Multicluster Installation](/docs/setup/install/multicluster/) documentation.
This documentation will guide you through running a dedicate gateway deployment for this type of traffic (generally referred to as the `eastwest-gateway`).
This `eastwest-gateway` will automatically be configured to support `AUTO_PASSTHROUGH`.
1. Modify your installation of the gateway deployment to include this configuration. This is controlled by the `ISTIO_META_ROUTER_MODE` environment variable. Setting this to `sni-dnat` enables these clusters, while `standard` (the new default) disables them.
{{< text yaml >}}
ingressGateways:
- name: istio-ingressgateway
enabled: true
k8s:
env:
- name: ISTIO_META_ROUTER_MODE
value: "sni-dnat"
{{< /text >}}