Announcement for release 1.26 (#16451)

* adding announcement for 1.26.0 Signed-off-by: Gustavo <grnmeira@gmail.com> * adding supportStatus.yml Signed-off-by: Gustavo <grnmeira@gmail.com> * bumping k8s versions, eol date and tested k8s versions * fixes from lints Signed-off-by: Gustavo <grnmeira@gmail.com> * push draft release blog * s/1.25/1.26/ (thanks Keith) * - **Improved** release note formatting. * fix broken links * change the change notes * adding fix for #56151 to release notes Signed-off-by: Gustavo <grnmeira@gmail.com> * Update content/en/news/releases/1.26.x/announcing-1.26/_index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/_index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/_index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update data/compatibility/supportStatus.yml Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update data/compatibility/supportStatus.yml Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update .spelling Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update .spelling Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update .spelling Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update .spelling Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/releases/1.26.x/announcing-1.26/_index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * small fixes and consistency Signed-off-by: Gustavo <grnmeira@gmail.com> --------- Signed-off-by: Gustavo <grnmeira@gmail.com> Co-authored-by: Craig Box <craig.box@gmail.com> Co-authored-by: Daniel Hawton <daniel@hawton.org>
2025-05-08 09:24:44 +01:00 · 2025-05-08 09:24:44 +01:00 · e0f7ab078c
parent 2cb4f4f9e4
commit e0f7ab078c
7 changed files with 235 additions and 3 deletions
--- a/.spelling
+++ b/.spelling
@ -32,7 +32,9 @@
 1.24.x
 1.24.x.
 1.25.x
+1.25.x.
 1.26.x
+1.26.x.
 1.27.3
 1.27.x
 1.3.x
@ -743,6 +745,7 @@ Kebe
 keepalive
 Keepalived
 Kenan
+KEP-3257
 Ketama
 key.pem
 Keycloak
@ -761,6 +764,7 @@ Kristián
 KServe
 Kuat
 Kube
+kube-apiserver
 kube-proxy
 kubebuilder
 KubeCon
@ -830,6 +834,7 @@ MB
 Meetup
 meetup
 meetups
+Meira
 memcached
 memcached-2's
 Mengxue
@ -1321,6 +1326,7 @@ v1.30
 v1.31
 v1.32
 v1.33
+v1.34
 v1.5
 v1.55
 v1.55.1
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
@ -70,9 +70,9 @@ Please keep up-to-date and use a supported version.

 | Minor Releases | Patched versions with no known CVEs |
 |----------------|-------------------------------------|
+| 1.26.x         | 1.26.0+                             |
 | 1.25.x         | 1.25.0+                             |
 | 1.24.x         | 1.24.0+                             |
-| 1.23.x         | 1.23.2+                             |

 ## Supported Envoy Versions

@ -82,8 +82,8 @@ The relationship between the two project's versions:

 | Istio version | Envoy release branch |
 |---------------|----------------------|
+| 1.26.x        | release/v1.34        |
 | 1.25.x        | release/v1.33        |
 | 1.24.x        | release/v1.32        |
-| 1.23.x        | release/v1.31        |

 You can find the precise Envoy commit used by Istio [in the `istio/proxy` repository](https://github.com/istio/proxy/blob/{{< source_branch_name >}}/WORKSPACE#L26): look for the `ENVOY_SHA` variable.
--- a/content/en/news/releases/1.26.x/_index.md
+++ b/content/en/news/releases/1.26.x/_index.md
@ -0,0 +1,8 @@
+---
+title: 1.26.x Releases
+description: Announcements for the 1.26 release and its associated patch releases.
+weight: 6
+list_by_publishdate: true
+layout: release-grid
+decoration: dot
+---
--- a/content/en/news/releases/1.26.x/announcing-1.26/_index.md
+++ b/content/en/news/releases/1.26.x/announcing-1.26/_index.md
@ -0,0 +1,55 @@
+---
+title: Announcing Istio 1.26.0
+linktitle: 1.26.0
+subtitle: Major Release
+description: Istio 1.26 Release Announcement.
+publishdate: 2025-05-08
+release: 1.26.0
+aliases:
+    - /news/announcing-1.26
+    - /news/announcing-1.26.0
+---
+
+We are pleased to announce the release of Istio 1.26. Thank you to all our contributors, testers, users and enthusiasts for helping us get the 1.26.0 release published!
+We would like to thank the Release Managers for this release, **Daniel Hawton** from Solo.io, **Faseela K** from Ericsson Software Technology, and **Gustavo Meira** from Microsoft.
+
+{{< relnote >}}
+
+{{< tip >}}
+Istio 1.26.0 is officially supported on Kubernetes versions 1.29 to 1.32. We expect 1.33 to work also, and plan to add testing and support before Istio 1.26.1.
+{{< /tip >}}
+
+## What’s new?
+
+### Customization of resources provisioned by the Gateway API
+
+When you create a Gateway or a waypoint using the Gateway API, a `Service` and a `Deployment` are created automatically. It has been a common request to allow customization of these objects, and that is now supported in Istio 1.26 by specifying a `ConfigMap` of parameters. If configuration for a `HorizontalPodAutoscaler` or `PodDisruptionBudget` is provided, those resources will automatically be created also. [Learn more about customizing the generated Gateway API resources.](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+
+### New Gateway API support
+
+[`TCPRoute`](https://gateway-api.sigs.k8s.io/guides/tcp/) is now available in waypoints, allowing TCP traffic shifting in ambient mode.
+
+We also added support for the experimental [`BackendTLSPolicy`](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/) and started the implementation of [`BackendTrafficPolicy`](https://gateway-api.sigs.k8s.io/api-types/backendtrafficpolicy/) in Gateway API 1.3, which will eventually set retry constraints.
+
+### Support for the new Kubernetes `ClusterTrustBundle`
+
+We've added experimental support for [the experimental `ClusterTrustBundle` resource in Kubernetes](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles), allowing support for the new method of bundling a certificate and its root of trust into a single object.
+
+### Plus much, much more
+
+* `istioctl analyze` can now run specific checks!
+* The CNI node agent no longer runs in the `hostNetwork` namespace by default, reducing the chance of port conflicts with other services running on a host!
+* Required `ResourceQuota` resources and `cniBinDir` values are set automatically when installing on GKE!
+* An `EnvoyFilter` can now match a `VirtualHost` on a domain name!
+
+Read about these and more in the full [release notes](change-notes/).
+
+## Catch up with the Istio project
+
+If you only check in with us when we have a new release, you might have missed that [we published a security audit on ztunnel](/blog/2025/ztunnel-security-assessment/), [we compared performance of ambient mode throughput vs. running in-kernel](/blog/2025/ambient-performance/), or that [we had a major presence at KubeCon EU](/blog/2025/istio-at-kubecon-eu/). Check those posts out!
+
+## Upgrading to 1.26
+
+We would like to hear from you regarding your experience upgrading to Istio 1.26. You can provide feedback in the `#release-1.26` channel in our [Slack workspace](https://slack.istio.io/).
+
+Would you like to contribute directly to Istio? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us improve.
--- a/content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md
+++ b/content/en/news/releases/1.26.x/announcing-1.26/change-notes/index.md
@ -0,0 +1,135 @@
+---
+title: Istio 1.26.0 Change Notes
+linktitle: 1.26.0
+subtitle: Minor Release
+description: Istio 1.26.0 release notes.
+publishdate: 2025-05-08
+release: 1.26.0
+weight: 10
+aliases:
+    - /news/announcing-1.26.0
+    - /news/announcing-1.26.x
+---
+
+## Traffic Management
+
+* **Improved** the CNI agent to no longer require `hostNetwork`, enhancing compatibility. Dynamic switching to the host network is now performed as needed. The previous behavior can be temporarily restored by setting the `ambient.shareHostNetworkNamespace` field in the `istio-cni` chart. ([Issue #54726](https://github.com/istio/istio/issues/54726))
+
+* **Improved** iptables binary detection to validate baseline kernel support and to prefer `nft` when both legacy and `nft` are available but neither has existing rules.
+
+* **Updated** the default value of maximum connections accepted per socket event to 1 to improve performance. To revert to the previous behavior, set `MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP` to zero.
+
+* **Added** the ability for `EnvoyFilter` to match a `VirtualHost` by domain name.
+
+* **Added** initial support for the experimental Gateway API features `BackendTLSPolicy` and `XBackendTrafficPolicy`. These are disabled by default and require setting `PILOT_ENABLE_ALPHA_GATEWAY_API=true`.
+  ([Issue #54131](https://github.com/istio/istio/issues/54131)), ([Issue #54132](https://github.com/istio/istio/issues/54132))
+
+* **Added** support for referencing `ConfigMap`s, in addition to `Secret`s, for `DestinationRule` TLS in `SIMPLE` mode — useful when only a CA certificate is required.
+  ([Issue #54131](https://github.com/istio/istio/issues/54131)), ([Issue #54132](https://github.com/istio/istio/issues/54132))
+
+* **Added** customization support for [Gateway API automated deployments](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment). This applies to both Istio `Gateway` types (ingress and egress) and Istio Waypoint `Gateway` types (ambient waypoints). Users can now customize generated resources such as `Service`, `Deployment`, `ServiceAccount`, `HorizontalPodAutoscaler`, and `PodDisruptionBudget`.
+
+* **Added** a new environment variable `ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT` for `istiod`. When set to `false`, it disables automatic attachment of Gateway API resources to existing gateway deployments. By default, this is `true` to maintain the current behavior.
+
+* **Added** the ability to configure retry host predicates using the Retry API (`retry_ignore_previous_hosts`).
+
+* **Added** support for specifying backoff intervals during retries.
+
+* **Added** support for using `TCPRoute` in waypoint proxies.
+
+* **Fixed** a bug where the validation webhook incorrectly reported a warning when a `ServiceEntry` configured a `workloadSelector` with DNS resolution.
+  ([Issue #50164](https://github.com/istio/istio/issues/50164))
+
+* **Fixed** an issue where FQDNs did not work in a `WorkloadEntry` using ambient mode.
+
+* **Fixed** a case where `ReferenceGrants` did not function when mTLS was enabled on a Gateway listener.
+  ([Issue #55623](https://github.com/istio/istio/issues/55623))
+
+* **Fixed** an issue where Istio failed to correctly retrieve `allowedRoutes` for a sandboxed waypoint.
+  ([Issue #56010](https://github.com/istio/istio/issues/56010))
+
+* **Fixed** a bug where `ServiceEntry` endpoints were leaked when a pod was evicted.
+  ([Issue #54997](https://github.com/istio/istio/issues/54997))
+
+* **Fixed** an issue where the listener address was duplicated for dual stack services with IPv6 priority.  ([Issue #56151](https://github.com/istio/istio/issues/56151))
+
+## Security
+
+* **Added** experimental support for the v1alpha1 `ClusterTrustBundle` API. This can be enabled by setting `values.pilot.env.ENABLE_CLUSTER_TRUST_BUNDLE_API=true`. Ensure the corresponding feature gates are enabled in your cluster; see [KEP-3257](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles) for details.
+  ([Issue #43986](https://github.com/istio/istio/issues/43986))
+
+## Telemetry
+
+* **Added** support for the `omit_empty_values` field in the `EnvoyFileAccessLog` provider via the Telemetry API.
+  ([Issue #54930](https://github.com/istio/istio/issues/54930))
+
+* **Added** environment variable `PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY`, which separates tracing spans for server and client gateways. This currently defaults to `false`, but will become the default in the future.
+
+* **Added** a warning message for use of deprecated telemetry providers Lightstep and OpenCensus.
+  ([Issue #54002](https://github.com/istio/istio/issues/54002))
+
+## Installation
+
+* **Improved** the installation experience on GKE. When `global.platform=gke` is set, required `ResourceQuota` resources are deployed automatically. When installing via `istioctl`, this setting is also auto-enabled if GKE is detected. Additionally, the `cniBinDir` is now configured appropriately.
+
+* **Improved** the `ztunnel` Helm chart to not assign resource names to `.Release.Name`, defaulting instead to `ztunnel`. This reverts a change introduced in Istio 1.25.
+
+* **Added** support for setting the `reinvocationPolicy` in the revision-tag webhook when installing Istio via `istioctl` or Helm.
+
+* **Added** the ability to configure the service `loadBalancerClass` in the Gateway Helm chart.
+  ([Issue #39079](https://github.com/istio/istio/issues/39079))
+
+* **Added** a values `ConfigMap` that stores both the user-provided Helm values and the merged values after applying profiles for the `istiod` chart.
+
+* **Added** support for reading header values from `istiod` environment variables.
+  ([Issue #53408](https://github.com/istio/istio/issues/53408))
+
+* **Added** a configurable `updateStrategy` for the `ztunnel` and `istio-cni` Helm charts.
+
+* **Fixed** a bug in the sidecar injection template that incorrectly removed existing init containers when both traffic interception and native sidecar were disabled.
+  ([Issue #54562](https://github.com/istio/istio/issues/54562))
+
+* **Fixed** missing `topology.istio.io/network` labels on gateway pods when `--set networkGateway` is used.
+  ([Issue #54909](https://github.com/istio/istio/issues/54909))
+
+* **Fixed** a problem where setting `replicaCount=0` in the `istio/gateway` Helm chart caused the `replicas` field to be omitted instead of explicitly set to `0`.
+  ([Issue #55092](https://github.com/istio/istio/issues/55092))
+
+* **Fixed** an issue that caused file-based certificate references (e.g., from `DestinationRule` or `Gateway`) to fail when using SPIRE as the CA.
+
+* **Removed** the deprecated `ENABLE_AUTO_SNI` flag and associated code paths.
+
+## istioctl
+
+* **Added** a `--locality` parameter on `istioctl experimental workload group create`.
+  ([Issue #54022](https://github.com/istio/istio/issues/54022))
+
+* **Added** the ability to run specific analyzer checks using the `istioctl analyze` command.
+
+* **Added** a `--tls-server-name` parameter to `istioctl create-remote-secret`, allowing the `tls-server-name` to be set in the generated kubeconfig. This ensures successful TLS connections when the `server` field is overridden with a gateway proxy hostname.
+
+* **Added** support for the `envVarFrom` field in the `istiod` chart.
+
+* **Fixed** an issue where `istioctl analyze` reported an unknown annotation `sidecar.istio.io/statsCompression`.
+  ([Issue #52082](https://github.com/istio/istio/issues/52082))
+
+* **Fixed** an error that blocked installation when `IstioOperator.components.gateways.ingressGateways.label` or `IstioOperator.components.gateways.ingressGateways.label` was omitted.
+  ([Issue #54955](https://github.com/istio/istio/issues/54955))
+
+* **Fixed** a bug where `istioctl` ignored the `tag` fields under `IstioOperator.components.gateways.ingressGateways` and `egressGateways`.
+  ([Issue #54955](https://github.com/istio/istio/issues/54955))
+
+* **Fixed** an issue where `istioctl waypoint delete` could remove a non-waypoint Gateway resource when a name was specified.
+  ([Issue #55235](https://github.com/istio/istio/issues/55235))
+
+* **Fixed** an issue where `istioctl experimental describe` did not respect the `--namespace` flag.
+  ([Issue #55243](https://github.com/istio/istio/issues/55243))
+
+* **Fixed** a bug that prevented simultaneous generation of `istio.io/waypoint-for` and `istio.io/rev` labels when creating a waypoint proxy using `istioctl`.
+  ([Issue #55437](https://github.com/istio/istio/issues/55437))
+
+* **Fixed** an issue where `istioctl admin log` could not modify the log level for `ingress status`.
+  ([Issue #55741](https://github.com/istio/istio/issues/55741))
+
+* **Fixed** a validation failure when `reconcileIptablesOnStartup: true` was set in the `istioctl` YAML configuration.
+  ([Issue #55374](https://github.com/istio/istio/issues/55374))
--- a/content/en/news/releases/1.26.x/announcing-1.26/upgrade-notes/index.md
+++ b/content/en/news/releases/1.26.x/announcing-1.26/upgrade-notes/index.md
@ -0,0 +1,22 @@
+---
+title: Istio 1.26 Upgrade Notes
+description: Important changes to consider when upgrading to Istio 1.26.0.
+weight: 20
+---
+
+When upgrading from Istio 1.25.x to Istio 1.26.x, you need to consider the changes on this page.
+These notes detail the changes which purposefully break backwards compatibility with Istio 1.25.x.
+The notes also mention changes which preserve backwards compatibility while introducing new behavior.
+Changes are only included if the new behavior would be unexpected to a user of Istio 1.26.x.
+
+## Upcoming removal of telemetry providers
+
+The telemetry providers for Lightstep and OpenCensus are deprecated (since 1.22 and 1.25 respectively), as both have been replaced with the OpenTelemetry provider. They will be removed in Istio 1.27.  Please change to using the OpenTelemetry provider now if you use either.
+
+## Ztunnel Helm chart changes
+
+In Istio 1.25, the resources in the ztunnel Helm chart were changed to be named `.Resource.Name`.
+This often caused issues, as the name needs to be kept in sync with the Istiod Helm chart.
+
+In this release, we have reverted to default to a static `ztunnel` name again.
+As before, this can be overridden with `--set resourceName=my-custom-name`.
--- a/data/compatibility/supportStatus.yml
+++ b/data/compatibility/supportStatus.yml
@ -7,6 +7,12 @@
  eolDate:
  k8sVersions: ["1.29", "1.30", "1.31", "1.32"]
  testedK8sVersions: ["1.23", "1.24", "1.25", "1.26", "1.27", "1.28"]
+- version: "1.26"
+  supported: "Yes"
+  releaseDate: "May 08, 2025"
+  eolDate: "~Sept 2025 (Expected)"
+  k8sVersions: ["1.29", "1.30", "1.31", "1.32"]
+  testedK8sVersions: ["1.24", "1.25", "1.26", "1.27", "1.28"]
 - version: "1.25"
  supported: "Yes"
  releaseDate: "March 03, 2025"
@ -20,7 +26,7 @@
  k8sVersions: ["1.28", "1.29", "1.30", "1.31"]
  testedK8sVersions: ["1.23", "1.24", "1.25", "1.26", "1.27"]
 - version: "1.23"
-  supported: "Yes"
+  supported: "No"
  releaseDate: "Aug 14, 2024"
  eolDate: "Apr 16, 2025"
  k8sVersions: ["1.27", "1.28", "1.29", "1.30"]