Reliability

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required for most users. OpenShift users leveraging TPROXY mode should review the update for critical fixes. All Gateway API users should be aware of internal VirtualService naming changes for generated resources. 📝 Summary Istio 1.26.2 delivers targeted fixes and crucial consistency improvements, especially for OpenShift and Gateway API users. A significant bug has been resolved for OpenShift deployments utilizing TPROXY mode, which previously suffered from incorrect UID and GID assignments for sidecar containers. This fix ensures proper operation and security context enforcement. The release also brings enhanced robustness to Gateway API status reconciliation. Internal logic now intelligently compares desired and live states before writing, dramatically reducing redundant status updates and handling concurrent modifications more gracefully. This means a more stable control plane experience. Furthermore, the naming convention for auto-generated VirtualServices from HTTPRoutes has been refined for consistency, adopting a new scheme that directly reflects the merge key. While an internal detail, this can impact tools relying on generated resource names. Finally, internal integration tests gain greater flexibility with a new flag to control Gateway API deployment, alongside a fix for Kind cluster registry redirection. This patch release focuses on improving stability and correctness for specific deployment scenarios and advanced users. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially around ACME HTTP01 challenge handling and Ingress-Nginx compatibility. 📝 Summary cert-manager v1.18.1 delivers critical enhancements for ACME HTTP01 challenges and improved compatibility with Ingress-Nginx. This release introduces the ACMEHTTP01IngressPathTypeExact feature gate, now Beta and enabled by default, which switches the Ingress pathType to Exact for heightened security. This prevents misinterpretations of challenge paths and aligns with standard Ingress behaviors. A significant dependency upgrade bumps Ingress-Nginx to v1.12.3, coupled with a vital configuration change that disables strict-validate-path-type to prevent HTTP01 challenge failures caused by a bug in newer Ingress-Nginx versions. Furthermore, the ACME authorization timeout is extended from 20 seconds to 2 minutes, significantly improving reliability for challenges against slower ACME servers or under poor network conditions. The DefaultPrivateKeyRotationPolicyAlways feature gate is also promoted to Beta, ensuring consistent private key rotation. Review these changes to ensure optimal ACME challenge resolution and cluster stability. ...