UDS Core 0.60
UDS Core 0.60 changes the default Istio service mesh mode to ambient for all Package CRs. Packages without an explicit spec.network.serviceMesh.mode setting will automatically switch from sidecar to ambient mode on upgrade. This release also reorganizes SSO secret fields, enables Keycloak logout confirmation by default, and aligns Istio and Authservice with the cluster-wide trust bundle.
⚠ Breaking changes
| Change | Impact | Action required |
|---|---|---|
| Default Istio mesh mode changed to ambient | Packages without explicit `spec.network.serviceMesh.mode` switch from sidecar to ambient on upgrade | Set `mode: sidecar` on any Package CR that must remain in sidecar mode |
Notable features
- Exemption deployment for pre-core workloads: deploy `Exemption` CRs before UDS Core for infrastructure that needs policy exceptions during bootstrap (#2277)
- Istio gateway nodeport configuration: configure Istio gateways with nodeport settings for environments that require them (#2277)
- Keycloak logout confirmation: all SSO clients now show a logout confirmation prompt by default (#2260)
- Trust bundle alignment: Istio and Authservice use the common cluster trust bundle, aligning with central CA configuration (#2281)
Dependency updates
| Package | Previous | Updated |
|---|---|---|
| Istio | 1.28.1 | 1.28.3 |
| Keycloak | 26.5.0 | 26.5.1 |
| UDS Identity Config | 0.22.0 | 0.23.0 |
| Prometheus | 3.8.1 | 3.9.1 |
| Alertmanager | 0.30.0 | 0.30.1 |
| Velero | 1.17.1 | 1.17.2 |
| Velero plugins | 1.13.1 | 1.13.2 |
| kube-prometheus-stack Helm chart | 80.10.0 | 81.2.2 |
| prometheus-operator-crds Helm chart | 25.0.1 | 26.0.0 |
| Velero Helm chart | 11.1.1 | 11.3.2 |
Upgrade considerations
Known issues in v0.60.0 and v0.60.1
Packages with an unset `spec.network.serviceMesh.mode` that request Authservice protection encounter two issues:
- Routing failure (v0.60.0): the operator does not correctly handle ambient mode routing for Authservice-protected workloads, leaving them unprotected. Fixed in v0.60.1 via #2326.
- Stale AuthorizationPolicies (v0.60.0, v0.60.1): after upgrading, stale AuthorizationPolicies from the previous sidecar configuration can block access to Authservice-enabled applications. Fixed in v0.60.2 via #2368.
Set the mesh mode explicitly as a workaround if you cannot upgrade to v0.60.2 immediately:
```yaml
spec:
  network:
    serviceMesh:
      # Set explicitly to avoid known issues with unset mesh mode
      mode: ambient
```

Pre-upgrade steps

1. Audit `Package` CRs for mesh mode

   Identify all `Package` CRs that do not set `spec.network.serviceMesh.mode` explicitly. These will switch to ambient mode on upgrade:

   ```bash
   uds zarf tools kubectl get packages -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.network.serviceMesh.mode}{"\n"}{end}'
   ```

   Packages with a blank value in the second column have no explicit mesh mode set. Decide for each whether ambient mode is acceptable or whether you need to pin it to `sidecar`.

2. Set explicit mesh mode on `Package` CRs

   For any Package that must remain in sidecar mode, set the mode explicitly:

   `package-cr.yaml`:

   ```yaml
   spec:
     network:
       serviceMesh:
         # Pin to sidecar mode to prevent automatic switch to ambient
         mode: sidecar
   ```

3. Update SSO secret field names

   Update any `spec.sso` configurations in your `Package` CRs to use the new field names. Review the release notes for the specific field mapping.

4. Target v0.60.2

   `uds-bundle.yaml`:

   ```yaml
   packages:
     - name: core
       repository: registry.defenseunicorns.com/public/core
       # Upgrade to 0.60.2 (includes fixes for ambient mode and stale authpolicies)
       ref: 0.60.2-upstream
   ```
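An added example (not part of the UDS Core release notes or project code) that extends the step 1 audit: it reads the JSON form of the same `kubectl get packages` query and reports which packages will switch to ambient and which of those also hit the Authservice known issues for a given target version. It assumes Authservice protection is requested through `enableAuthserviceSelector` on a `spec.sso` entry; the sample data is constructed.

```python
import json
import sys

# (first fixed version, risk) pairs taken from the known-issues list above.
KNOWN_ISSUES = [
    ("0.60.1", "Authservice routing not handled in ambient mode; workload left unprotected"),
    ("0.60.2", "stale sidecar AuthorizationPolicies can block access"),
]

# Constructed sample in the shape of `kubectl get packages -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "legacy", "name": "legacy-app"},
     "spec": {"network": {"serviceMesh": {"mode": "sidecar"}}}},
    {"metadata": {"namespace": "docs", "name": "docs-site"}, "spec": {"network": {}}},
    {"metadata": {"namespace": "portal", "name": "portal"},
     "spec": {"sso": [{"clientId": "portal", "enableAuthserviceSelector": {"app": "portal"}}]}},
]}

def _ver(v):
    """'v0.60.2-upstream' -> (0, 60, 2)"""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("."))

def audit(package_list, target):
    """Return one finding per Package CR for an upgrade to `target`."""
    findings = []
    for item in package_list.get("items", []):
        meta, spec = item["metadata"], item.get("spec") or {}
        mode = ((spec.get("network") or {}).get("serviceMesh") or {}).get("mode")
        # Assumption: an sso client with enableAuthserviceSelector requests Authservice.
        authservice = any(c.get("enableAuthserviceSelector") for c in spec.get("sso") or [])
        risks = []
        if mode is None:
            risks.append("switches from sidecar to ambient on upgrade")
            if authservice:
                risks += [msg for fixed, msg in KNOWN_ISSUES if _ver(target) < _ver(fixed)]
        findings.append({"package": f"{meta['namespace']}/{meta['name']}",
                         "explicit_mode": mode,
                         "effective_mode": mode or "ambient",
                         "risks": risks})
    return findings

if __name__ == "__main__":
    # With piped input, audit the live cluster; otherwise use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(data, sys.argv[1] if len(sys.argv) > 1 else "0.60.2"):
        print(f["package"], f["effective_mode"], "; ".join(f["risks"]) or "ok", sep="\t")
```

To run it against a cluster, pipe the output of `uds zarf tools kubectl get packages -A -o json` into the script and pass the target version as the first argument.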
Identity Config updates (0.23)
This release upgrades UDS Identity Config to 0.23.0.
- Keycloak logout confirmation: enable logout confirmation on the `account`, `account-console`, and `security-admin-console` clients (Keycloak 26.5.0 feature)
Existing realms require manual client updates to enable logout confirmation. If you cannot perform a full realm re-import, follow these steps in the Keycloak admin console:
1. Enable logout confirmation on default clients
   - Navigate to the `UDS` realm
   - Go to `Clients` > `account`
   - Find the `Logout confirmation` option and set it to `On`
   - Click `Save`
   - Repeat these steps for the `account-console` and `security-admin-console` clients
Post-upgrade verification
1. Confirm Istio mesh mode

   Verify that workloads are running in the expected mesh mode:

   ```bash
   uds zarf tools kubectl get packages -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.network.serviceMesh.mode}{"\n"}{end}'
   ```

2. Validate SSO and logout

   Confirm SSO login works and the new logout confirmation prompt appears.
Related documentation
- Upgrade Overview - general upgrade procedures and checklists
- Configuration Changes - applying config changes on a running platform
- UDS Core 0.60.0 Changelog - full changelog
- UDS Identity Config 0.23.0 Changelog - full changelog
- Full diff (0.59.1…0.60.2) - all changes between versions