From de64aa08886645a4bfab7919d15345990a7f2016 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 10 Oct 2025 16:33:44 +0800 Subject: [PATCH 1/3] 1.27.2 release notes --- .spelling | 1 + .../1.27.x/announcing-1.27.2/index.md | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 content/en/news/releases/1.27.x/announcing-1.27.2/index.md diff --git a/.spelling b/.spelling index 7d070a04ed7a..29ccecc87f9d 100644 --- a/.spelling +++ b/.spelling @@ -588,6 +588,7 @@ GlueCon Gmail googleapis.com googlegroups.com +goroutine GoTo GPUs Grafana diff --git a/content/en/news/releases/1.27.x/announcing-1.27.2/index.md b/content/en/news/releases/1.27.x/announcing-1.27.2/index.md new file mode 100644 index 000000000000..2cf08f19af7e --- /dev/null +++ b/content/en/news/releases/1.27.x/announcing-1.27.2/index.md @@ -0,0 +1,38 @@ +--- +title: Announcing Istio 1.27.2 +linktitle: 1.27.2 +subtitle: Patch Release +description: Istio 1.27.2 patch release. +publishdate: 2025-10-13 +release: 1.27.2 +aliases: + - /news/announcing-1.27.2 +--- + +This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.27.1 and 1.27.2. + +{{< relnote >}} + +## Changes + +- **Improved**: For Kubernetes Gateway API gateways, access to referenced TLS secrets +now requires both the namespace and the service account to match (previously only the namespace), or an explicit `ReferenceGrant`. +Gateways that use a hostname address remain namespace-only. + +- **Fixed** a goroutine leak in multicluster where `krt` collections with data from remote clusters would stay in memory even after that cluster was removed. + ([Issue #57269](https://github.com/istio/istio/issues/57269)) + +- **Fixed** the behavior of istio-cni cleanup when the `get daemonset` command fails with an error other than "not found". It now defaults to not cleaning up the CNI config and binary when it cannot be determined whether an upgrade, deletion, or node reboot is in progress. ([Issue #57316](https://github.com/istio/istio/issues/57316)) + +- **Fixed** the cluster waypoint `correct_originate` configuration when `PILOT_SKIP_VALIDATE_TRUST_DOMAIN` is set. ([Issue #56741](https://github.com/istio/istio/issues/56741)) + +- **Fixed** an annotation issue where both `istio.io/reroute-virtual-interfaces` and the deprecated `traffic.sidecar.istio.io/kubevirtInterfaces` were processed. The newer `reroute-virtual-interfaces` annotation now correctly takes precedence. + ([Issue #57662](https://github.com/istio/istio/issues/57662)) + +- **Fixed** ServiceEntry resolution in ztunnel now matches ServiceEntry port names to pod container ports, aligning behavior with sidecars where there isn't an explicit `targetPort` + ([Issue #57713](https://github.com/istio/istio/issues/57713)) + +- **Fixed** missing gateway reconciliation for MeshConfig changes. ([Issue #57890](https://github.com/istio/istio/issues/57890)) + +- **Removed** the istioctl installation dependency between pilot and CNI. CNI installation is no longer dependent on pilot being installed first. If the istio-cni configuration exists before installation (which can be the case when using an istio-owned CNI config), pilot installation will not fail while waiting for CNI readiness since CNI installation is no longer dependent on pilot. ([Issue #57600](https://github.com/istio/istio/issues/57600)) + From eac386baf9144f15893adc9a817d8c0cae07e583 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 10 Oct 2025 18:10:32 +0800 Subject: [PATCH 2/3] fix lint --- content/en/news/releases/1.27.x/announcing-1.27.2/index.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/content/en/news/releases/1.27.x/announcing-1.27.2/index.md b/content/en/news/releases/1.27.x/announcing-1.27.2/index.md index 2cf08f19af7e..85da2e9cf23c 100644 --- a/content/en/news/releases/1.27.x/announcing-1.27.2/index.md +++ b/content/en/news/releases/1.27.x/announcing-1.27.2/index.md @@ -26,13 +26,11 @@ Gateways that use a hostname address remain namespace-only. - **Fixed** the cluster waypoint `correct_originate` configuration when `PILOT_SKIP_VALIDATE_TRUST_DOMAIN` is set. ([Issue #56741](https://github.com/istio/istio/issues/56741)) -- **Fixed** an annotation issue where both `istio.io/reroute-virtual-interfaces` and the deprecated `traffic.sidecar.istio.io/kubevirtInterfaces` were processed. The newer `reroute-virtual-interfaces` annotation now correctly takes precedence. - ([Issue #57662](https://github.com/istio/istio/issues/57662)) +- **Fixed** an annotation issue where both `istio.io/reroute-virtual-interfaces` and the deprecated `traffic.sidecar.istio.io/kubevirtInterfaces` were processed. The newer `reroute-virtual-interfaces` annotation now correctly takes precedence. ([Issue #57662](https://github.com/istio/istio/issues/57662)) - **Fixed** ServiceEntry resolution in ztunnel now matches ServiceEntry port names to pod container ports, aligning behavior with sidecars where there isn't an explicit `targetPort` ([Issue #57713](https://github.com/istio/istio/issues/57713)) - **Fixed** missing gateway reconciliation for MeshConfig changes. ([Issue #57890](https://github.com/istio/istio/issues/57890)) -- **Removed** the istioctl installation dependency between pilot and CNI. CNI installation is no longer dependent on pilot being installed first. If the istio-cni configuration exists before installation (which can be the case when using an istio-owned CNI config), pilot installation will not fail while waiting for CNI readiness since CNI installation is no longer dependent on pilot. ([Issue #57600](https://github.com/istio/istio/issues/57600)) - +- **Removed** the istioctl installation dependency between pilot and CNI. CNI installation is no longer dependent on pilot being installed first. If the istio-cni configuration exists before installation (which can be the case when using an istio-owned CNI config), pilot installation will not fail while waiting for CNI readiness since CNI installation is no longer dependent on pilot. ([Issue #57600](https://github.com/istio/istio/issues/57600)) From 2fba63aa65d283d7767925a13fcb854a64544c16 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 10 Oct 2025 19:12:54 +0800 Subject: [PATCH 3/3] update --- content/en/news/releases/1.27.x/announcing-1.27.2/index.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/content/en/news/releases/1.27.x/announcing-1.27.2/index.md b/content/en/news/releases/1.27.x/announcing-1.27.2/index.md index 85da2e9cf23c..8bc8e0e8bb02 100644 --- a/content/en/news/releases/1.27.x/announcing-1.27.2/index.md +++ b/content/en/news/releases/1.27.x/announcing-1.27.2/index.md @@ -15,9 +15,7 @@ This release contains bug fixes to improve robustness. This release note describ ## Changes -- **Improved**: For Kubernetes Gateway API gateways, access to referenced TLS secrets -now requires both the namespace and the service account to match (previously only the namespace), or an explicit `ReferenceGrant`. -Gateways that use a hostname address remain namespace-only. +- **Improved** access to referenced TLS secrets to require both namespace and service accounts to match (previously only the namespace), or to have an explicit `ReferenceGrant`, for Kubernetes Gateway API gateways. Gateways that use a hostname address remain namespace-only. - **Fixed** a goroutine leak in multicluster where `krt` collections with data from remote clusters would stay in memory even after that cluster was removed. ([Issue #57269](https://github.com/istio/istio/issues/57269)) @@ -28,7 +26,7 @@ Gateways that use a hostname address remain namespace-only. - **Fixed** an annotation issue where both `istio.io/reroute-virtual-interfaces` and the deprecated `traffic.sidecar.istio.io/kubevirtInterfaces` were processed. The newer `reroute-virtual-interfaces` annotation now correctly takes precedence. ([Issue #57662](https://github.com/istio/istio/issues/57662)) -- **Fixed** ServiceEntry resolution in ztunnel now matches ServiceEntry port names to pod container ports, aligning behavior with sidecars where there isn't an explicit `targetPort` +- **Fixed** `ServiceEntry` resolution in ztunnel to match port names to pod container ports, aligning behavior with sidecars, when there isn't an explicit `targetPort` set. ([Issue #57713](https://github.com/istio/istio/issues/57713)) - **Fixed** missing gateway reconciliation for MeshConfig changes. ([Issue #57890](https://github.com/istio/istio/issues/57890))