Chapter 1. OpenShift Service Mesh release notes

This release introduces support for Kubernetes Gateway API custom resource definitions (CRDs). You can now use these CRDs to configure OpenShift Service Mesh with the Kubernetes Gateway API. This feature is available with Red Hat OpenShift Service Mesh 4.19.

This release introduces support for OpenShift Service Mesh on x86 dual-stack clusters. This feature remains a technology preview on all other platforms.

This release introduces support for the Kubernetes traffic distribution feature, part of the Kubernetes Service API, within OpenShift Service Mesh. As of Red Hat OpenShift Service Mesh 4.19, this is a Beta feature and requires enabling the ServiceTrafficDistribution parameter in the Istio Custom Resources (CRs).

This release introduces developer preview support for the experimental Kubernetes ClusterTrustBundle feature. This feature provides a new way of distributing X.509 trust anchors (root certificates) to workloads within the cluster. As of Red Hat OpenShift Service Mesh 4.19, this is an Alpha feature and requires enabling the ClusterTrustBundle feature.

This release updates OpenShift Service Mesh to use UBI-micro base containers for most container images. The UBI-micro image is the smallest possible Universal Base Image (UBI), which excludes a package manager and all of its dependencies normally included in a container image. This change minimizes the attack surface of container images that use the UBI-micro base.

This release updates the status of Istio ambient mode to Technology Preview. Istio ambient mode provides a sidecar-less alternative data plane to the traditional sidecar-based data plane. By default, ambient mode splits the data plane into node-level L4 ZTunnels and namespace-scoped L7 Waypoint proxies.

Istio ambient mode requires Kubernetes Gateway API custom resource definitions (CRDs). Use OpenShift Service Mesh 4.19 or later, which includes the CRDs by default.

To avoid potential conflicts, you must install Istio ambient mode only on clusters that do not have an existing Red Hat OpenShift Service Mesh installation. Istio ambient mode is not compatible with clusters that use Red Hat OpenShift Service Mesh 2.6 or earlier.

When you use Istio ambient mode, pods that rely on liveness or readiness probes require you to set the OVN-Kubernetes gateway mode to local instead of the default shared mode. In local mode, traffic routes through the host and the host processes it using the routing table, ensuring that probes function correctly. For more information, see the "Configuring gateway mode" section in the OVN-Kubernetes documentation.

To start using Istio ambient mode, see the "Istio ambient mode" section in the OpenShift Service Mesh 3 installation documentation.

This release provides technology preview support for Kubernetes Gateway API Inference Extensions. These extensions build on Kubernetes Gateway API to provide inference-specific routing capabilities that optimize for self-hosted generative-AI workloads. This implementation was backported to OpenShift Service Mesh 3.1 from Istio 1.27.

There is currently a known issue that prevents OpenShift Container Platform nodes from upgrading. The podDisruptionBudget resource prevents the draining of the node where the istiod pod is running, unless there are multiple replicas of the istiod pod.

Workaround: Set the .spec.values.global.defaultPodDisruptionBudget.enabled field in the Istio CR to false. Alternatively, you can temporarily increase the number of replicas for the istiod deployment. OSSM-9392

This release removes the use of ISTIO_META_DNS_AUTO_ALLOCATE option in the proxyMetadata configuration. You can use the DNS auto-allocation label in the ServiceEntry resource instead. A future release will remove support for the ISTIO_META_DNS_AUTO_ALLOCATE option.

For more information about using the DNS auto-allocation label in the ServiceEntry resource, see the "Address auto-collection" section in the Istio documentation.