1<!-- -*- fill-column: 100 -*- -->
2# CHANGELOG -- this is a GENERATED FILE, edit docs/releaseNotes.yml and "make generate" to change.
3
4## EMISSARY-INGRESS and AMBASSADOR EDGE STACK
5
6Emissary-ingress is a Kubernatives-native, self-service, open-source API gateway
7and ingress controller. It is a CNCF Incubation project, formerly known as the
8Ambassador API Gateway.
9
10Ambassador Edge Stack is a comprehensive, self-service solution for exposing,
11securing, and managing the boundary between end users and your Kubernetes services.
12The core of Ambassador Edge Stack is Emissary-ingress.
13
14**Note well:**
15
16- Ambassador Edge Stack provides all the capabilities of Emissary-ingress,
17 as well as additional capabilities including:
18
19 - Security features such as automatic TLS setup via ACME integration, OAuth/OpenID Connect
20 integration, rate limiting, and fine-grained access control; and
21 - Developer onboarding assistance, including an API catalog, Swagger/OpenAPI documentation
22 support, and a fully customizable developer portal.
23
24- Emissary-ingress can do everything that Ambassador Edge Stack can do, but you'll need to
25 write your own code to take advantage of the capabilities above.
26
27- Ambassador Edge Stack is free for all users: due to popular demand, Ambassador Edge Stack
28 offers a free usage tier of its core features, designed for startups.
29
30In general, references to "Ambassador" in documentation (including this CHANGELOG)
31refer both to Emissary-ingress and to the Ambassador Edge Stack.
32
33## UPCOMING BREAKING CHANGES
34
35### Emissary 3.0.0
36
37 - **No `protocol_version: v2`**: Support for specifying `protocol_version: v2` in `AuthService`,
38 `RateLimitService`, and `LogService` resources will be removed. These resources each have a
39 `protocol_version` field that controls whether Envoy speaks the `v2` transport API or the `v3`
40 transport API when speaking to that service. Due to Envoy's removal of all v2 Envoy APIs, the
41 `v2` value will no longer be supported. Note that `protocol_version: v2` is the default in
42 current versions of Emissary.
43
44 Users who use these resource types but don't explicitly say `protocol_version: v3` will need to
45 adjust their service implementations to understand the v3 protocols, and then update Emissary
46 resources to say `protocol_version` before upgrading to Emissary-ingress 3.0.0.
47
48 - **No `regex_type: unsafe`**: The `regex_type` field will be removed from the `ambassador`
49 `Module`, meaning that it will not be possible to instruct Envoy to use the [ECMAScript Regex][]
50 engine rather than the default [RE2][] engine.
51
52 Users who rely on the specific ECMAScript Regex syntax will need to rewrite their regular
53 expressions with RE2 syntax before upgrading to Emissary-ingress 3.0.0.
54
55 - **No Zipkin `collector_endpoint_version: HTTP_JSON_V1`**: Support for specifying
56 `collector_endpoint_version: HTTP_JSON_V1` for a Zipkin `TracingService` will be removed. The
57 `HTTP_JSON_V1` value corresponds to Zipkin's old API-v1, while the `HTTP_JSON` value corresponds
58 to the Zipkin's new API-v2.
59
60 For current versions of Emissary-ingress (>=1.14.0 and <3.0.0), the behavior is that if the
61 `TracingService` does not specify which Zipkin API to use, it will normally default to using
62 `HTTP_JSON`, but can be made to default to `HTTP_JSON_V1` by setting the
63 `AMBASSADOR_ENVOY_API_VERSION=V2` environment variable. In Emissary-ingress 3.0.0 this
64 environment variable will no longer have any impact on what the default Zipkin API is, and
65 explicitly setting the API in the `TracingService` will no longer support the `HTTP_JSON_V1`
66 value.
67
68 Users who rely on `HTTP_JSON_V1` will need to migrate their Emissary-ingress 2.3 install to use
69 either `HTTP_JSON` or `HTTP_PROTO` before upgrading to Emissary-ingress 3.0.0.
70
71With the removal of `regex_type: unsafe` and `collector_endpoint_version: HTTP_JSON_V1`, there will
72be no more user-visible effects of the `AMBASSADOR_ENVOY_API_VERSION` environment variable, and so
73it will be removed; but as it won't be user-visible this isn't considered a breaking change.
74
75[ECMASCript Regex]: https://en.cppreference.com/w/cpp/regex/ecmascript
76[RE2]: https://github.com/google/re2
77
78### Emissary 3.0.0 or later
79
80 - In a future version of Emissary-ingress, **no sooner than Emissary-ingress v3.0.0**, TLS secrets
81 in `Ingress` resources will not be able to use `.namespace` suffixes to cross namespaces.
82
83## RELEASE NOTES
84
85## [2.5.1] December 08, 2022
86[2.5.1]: https://github.com/emissary-ingress/emissary/compare/v2.5.0...v2.5.1
87
88### Emissary-ingress and Ambassador Edge Stack
89
90- Feature: Support for the `getambassador.io/v1` apiVersion has been re-introduced, in order to
91 facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations
92 possible, an "unserved" `v1` version was declared to Kubernetes, but was unsupported by
93 Emissary-ingress. That unserved `v1` could cause an excess of errors to be logged by the
94 Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y
95 install); fully supporting `v1` again should resolve these errors.
96
97- Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release.
98 CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second
99 one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients.
100 Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of
101 Envoy is not affected by either of these.
102
103- Security: Updated Golang to the latest z patch. We are not vulnerable to the CVE-2022-3602 that
104 was released in 1.19.3 and you can read more about it here:
105 <https://medium.com/ambassador-api-gateway/ambassador-labs-security-impact-assessment-of-nov-1-openssl-golang-vulnerabilities-f11b5ec37a7e>.
106 Updating to the latest z patch as part of our normal dependency update process and this will help
107 reduce the noise of security scanners.
108
109## [2.5.0] November 03, 2022
110[2.5.0]: https://github.com/emissary-ingress/emissary/compare/v2.4.0...v2.5.0
111
112### Emissary-ingress and Ambassador Edge Stack
113
114- Bugfix: If a `Host` or `TLSContext` contained a hostname with a `:` then when using the
115 diagnostics endpoints `ambassador/v0/diagd` then an error would be thrown due to the parsing logic
116 not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw
117 an error when parsing envoy metrics for the diagnostics user interface.
118
119- Security: Bump Go from 1.17.12 to 1.19.2. This is to keep the Go version current.
120
121## [2.4.0] September 19, 2022
122[2.4.0]: https://github.com/emissary-ingress/emissary/compare/v2.3.2...v2.4.0
123
124### Emissary-ingress and Ambassador Edge Stack
125
126- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the
127 Host. The `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of
128 secrets from different namespaces.
129
130- Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have
131 endpoints be inserted to clusters manually. This can help resolve with `503 UH` caused by
132 certification rotation relating to a delay between EDS + CDS. The default is `false`.
133
134- Bugfix: Previously, setting the `stats_name` for the `TracingService`, `RateLimitService` or the
135 `AuthService` would have no affect because it was not being properly passed to the Envoy cluster
136 config. This has been fixed and the `alt_stats_name` field in the cluster config is now set
137 correctly. (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)
138
139- Feature: The `AMBASSADOR_RECONFIG_MAX_DELAY` env var can be optionally set to batch changes for
140 the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default
141 is "1" if not set.
142
143- Bugfix: Emissary-ingress 2.0.0 introduced a bug where a `TCPMapping` that uses SNI, instead of
144 using the hostname glob in the `TCPMapping`, uses the hostname glob in the `Host` that the TLS
145 termination configuration comes from.
146
147- Bugfix: Emissary-ingress 2.0.0 introduced a bug where a `TCPMapping` that terminates TLS must have
148 a corresponding `Host` that it can take the TLS configuration from. This was semi-intentional, but
149 didn't make much sense. You can now use a `TLSContext` without a `Host`as in Emissary-ingress 1.y
150 releases, or a `Host` with or without a `TLSContext` as in prior 2.y releases.
151
152- Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a `TCPMapping` cannot
153 be used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
154 Emissary-ingress now allows `TCPMappings` to be used on the same `Listener` port as HTTP `Hosts`,
155 as long as that `Listener` terminates TLS.
156
157## [1.14.5] TBD
158[1.14.5]: https://github.com/emissary-ingress/emissary/compare/v2.3.2...v1.14.5
159
160### Emissary-ingress and Ambassador Edge Stack
161
162- Bugfix: When using gzip compression, upstream services will no longer receive compressed data.
163 This bug was introduced in 1.14.0. The fix restores the default behavior of not sending compressed
164 data to upstream services. ([3818])
165
166[3818]: https://github.com/emissary-ingress/emissary/issues/3818
167
168## [2.3.2] August 01, 2022
169[2.3.2]: https://github.com/emissary-ingress/emissary/compare/v2.3.1...v2.3.2
170
171### Emissary-ingress and Ambassador Edge Stack
172
173- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
174 from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to
175 ensure that all the nodes composing the emissary ingress cluster are reporting properly.
176
177- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
178 CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.
179
180- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
181 CVE-2022-27781, CVE-2022-27780.
182
183- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
184
185- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
186
187## [1.14.4] June 13, 2022
188[1.14.4]: https://github.com/emissary-ingress/emissary/compare/v2.3.1...v1.14.4
189
190### Emissary-ingress and Ambassador Edge Stack
191
192- Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's
193 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected
194 by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it <a
195 href="https://github.com/emissary-ingress/emissary/issues/2846">does not support internal
196 redirects</a>, and does not use Envoy's built-in OAuth2 filter.
197
198## [2.3.1] June 09, 2022
199[2.3.1]: https://github.com/emissary-ingress/emissary/compare/v2.3.0...v2.3.1
200
201### Emissary-ingress and Ambassador Edge Stack
202
203- Bugfix: A regression was introduced in 2.3.0 that leaked zipkin default config fields into the
204 configuration for the other drivers (lightstep, etc...). This caused Emissary-ingress to crash on
205 startup. This issue has been resolved to ensure that the defaults are only applied when driver is
206 `zipkin` ([#4267])
207
208- Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's
209 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected
210 by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it <a
211 href="https://github.com/emissary-ingress/emissary/issues/2846">does not support internal
212 redirects</a>, and does not use Envoy's built-in OAuth2 filter.
213
214[#4267]: https://github.com/emissary-ingress/emissary/issues/4267
215
216## [2.3.0] June 06, 2022
217[2.3.0]: https://github.com/emissary-ingress/emissary/compare/v2.2.2...v2.3.0
218
219### Emissary-ingress and Ambassador Edge Stack
220
221- Security: Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.
222
223- Feature: It is now possible to set `propagation_modes` in the `TracingService` config when using
224 lightstep as the driver. (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!) ([#4179])
225
226- Feature: It is now possible to set `crl_secret` in `Host` and `TLSContext` resources to check peer
227 certificates against a certificate revocation list. ([#1743])
228
229- Feature: Previously, a `LogService` would always have Emissary-ingress communicate with the
230 external log service using the `envoy.service.accesslog.v2.AccessLogService` API. It is now
231 possible for the `LogService` to specify `protocol_version: v3` to use the newer
232 `envoy.service.accesslog.v3.AccessLogService` API instead. This functionality is not available if
233 you set the `AMBASSADOR_ENVOY_API_VERSION=V2` environment variable.
234
235- Bugfix: When CORS is specified (either in a `Mapping` or in the `Ambassador` `Module`), CORS
236 processing will happen before authentication. This corrects a problem where XHR to authenticated
237 endpoints would fail.
238
239- Bugfix: In 2.x releases of Emissary-ingress when there are multiple `Mapping`s that have the same
240 `metadata.name` across multiple namespaces, their old config would not properly be removed from
241 the cache when their config was updated. This resulted in an inability to update configuration for
242 groups of `Mapping`s that share the same name until the Emissary-ingress pods restarted.
243
244- Bugfix: It is now possible for a `TracingService` to specify `collector_endpoint_version:
245 HTTP_JSON_V1` when using xDS v3 to configure Envoy (which has been the default since
246 Emissary-ingress 1.14.0). The `HTTP_JSON_V1` value configures Envoy to speak to Zipkin using
247 Zipkin's old API-v1, while the `HTTP_JSON` value configures Envoy to speak to Zipkin using
248 Zipkin's new API-v2. In previous versions of Emissary-ingress it was only possible to use
249 `HTTP_JSON_V1` when explicitly setting the `AMBASSADOR_ENVOY_API_VERSION=V2` environment variable
250 to force use of xDS v2 to configure Envoy.
251
252[#4179]: https://github.com/emissary-ingress/emissary/pull/4179
253[#1743]: https://github.com/emissary-ingress/emissary/issues/1743
254
255## [2.2.2] February 25, 2022
256[2.2.2]: https://github.com/emissary-ingress/emissary/compare/v2.2.1...v2.2.2
257
258### Emissary-ingress and Ambassador Edge Stack
259
260- Change: You may now choose to enable TLS Secret validation by setting the
261 `AMBASSADOR_FORCE_SECRET_VALIDATION=true` environment variable. The default configuration does not
262 enforce secret validation.
263
264- Bugfix: Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now
265 properly validated. ([4134])
266
267- Change: The new delay between two metrics syncs is now 30s. ([#4122])
268
269[4134]: https://github.com/emissary-ingress/emissary/issues/4134
270[#4122]: https://github.com/emissary-ingress/emissary/pull/4122
271
272## [1.14.3] February 25, 2022
273[1.14.3]: https://github.com/emissary-ingress/emissary/compare/v2.2.1...v1.14.3
274
275### Emissary-ingress and Ambassador Edge Stack
276
277- Security: Upgraded Envoy to address security vulnerabilities CVE-2021-43824, CVE-2021-43825,
278 CVE-2021-43826, CVE-2022-21654, and CVE-2022-21655.
279
280## [2.2.1] February 22, 2022
281[2.2.1]: https://github.com/emissary-ingress/emissary/compare/v2.2.0...v2.2.1
282
283### Emissary-ingress and Ambassador Edge Stack
284
285- Change: Support for the Envoy V2 API is deprecated as of Emissary-ingress v2.1, and will be
286 removed in Emissary-ingress v3.0. The `AMBASSADOR_ENVOY_API_VERSION` environment variable will be
287 removed at the same time. Only the Envoy V3 API will be supported (this has been the default since
288 Emissary-ingress v1.14.0).
289
290- Bugfix: The Ambassador Agent now correctly supports requests to cancel a rollout.
291
292## [2.2.0] February 10, 2022
293[2.2.0]: https://github.com/emissary-ingress/emissary/compare/v2.1.2...v2.2.0
294
295### Emissary-ingress and Ambassador Edge Stack
296
297- Change: Support for the Envoy V2 API is deprecated as of Emissary-ingress v2.1, and will be
298 removed in Emissary-ingress v3.0. The `AMBASSADOR_ENVOY_API_VERSION` environment variable will be
299 removed at the same time. Only the Envoy V3 API will be supported (this has been the default since
300 Emissary-ingress v1.14.0).
301
302- Change: Emissary-ingress will now watch for ConfigMap or Secret resources specified by the
303 `AGENT_CONFIG_RESOURCE_NAME` environment variable in order to allow all components (and not only
304 the Ambassador Agent) to authenticate requests to Ambassador Cloud.
305
306- Security: Emissary-ingress has updated Alpine to 3.15, and Python and Go dependencies to their
307 latest compatible versions, to incorporate numerous security patches.
308
309- Feature: Emissary-ingress now supports the metric `ambassador_log_level{label="debug"}` which will
310 be set to 1 if debug logging is enabled for the running Emissary instance, or to 0 if not. This
311 can help to be sure that a running production instance was not actually left doing debugging
312 logging, for example. (Thanks to <a href="https://github.com/jfrabaute">Fabrice</a>!) ([#3906])
313
314- Feature: Emissary-ingress is now leveraging a new Envoy Proxy patch that allows Envoy to accept
315 escaped '%' characters in its configuration. This means that error_response_overrides and other
316 custom user content can now contain '%' symbols escaped as '%%'. ([DW Envoy: 74]) ([Upstream Envoy: 19383])
317
318- Feature: Support for streaming Envoy metrics about the clusters to Ambassador Cloud. ([#4053])
319
320- Feature: The Ambassador agent now receives commands to manipulate Rollouts (pause, continue, and
321 abort are currently supported) via directives and executes them in the cluster. A report is sent
322 to Ambassador Cloud including the command ID, whether it ran successfully, and an error message in
323 case there was any. ([#4040])
324
325- Bugfix: Kubernetes Secrets that should contain TLS certificates are now validated before being
326 accepted for configuration. A Secret that contains an invalid TLS certificate will be logged as an
327 invalid resource. ([#3821])
328
329[#3906]: https://github.com/emissary-ingress/emissary/issues/3906
330[DW Envoy: 74]: https://github.com/datawire/envoy/pull/74
331[Upstream Envoy: 19383]: https://github.com/envoyproxy/envoy/pull/19383
332[#4053]: https://github.com/emissary-ingress/emissary/pull/4053
333[#4040]: https://github.com/emissary-ingress/emissary/pull/4040
334[#3821]: https://github.com/emissary-ingress/emissary/issues/3821
335
336### Ambassador Edge Stack only
337
338- Feature: You can now set `preserve_servers` in Ambassador Edge Stack's `DevPortal` resource to
339 configure the DevPortal to use server definitions from the OpenAPI document when displaying
340 connection information for services in the DevPortal.
341
342## [2.1.2] January 25, 2022
343[2.1.2]: https://github.com/emissary-ingress/emissary/compare/v2.1.0...v2.1.2
344
345### Emissary-ingress and Ambassador Edge Stack
346
347- Change: Support for the Envoy V2 API is deprecated as of Emissary-ingress v2.1, and will be
348 removed in Emissary-ingress v3.0. The `AMBASSADOR_ENVOY_API_VERSION` environment variable will be
349 removed at the same time. Only the Envoy V3 API will be supported (this has been the default since
350 Emissary-ingress v1.14.0).
351
352- Change: Docker BuildKit is enabled for all Emissary builds. Additionally, the Go build cache is
353 fully enabled when building images, speeding up repeated builds.
354
355- Bugfix: Emissary-ingress 2.1.0 generated invalid Envoy configuration for `getambassador.io/v2`
356 `Mappings` that set `spec.cors.origins` to a string rather than a list of strings; this has been
357 fixed, and these `Mappings` should once again function correctly.
358
359- Bugfix: Changes to the `weight` of `Mapping` in a canary group will now always be correctly
360 managed during reconfiguration; such changes could have been missed in earlier releases.
361
362- Bugfix: A `Mapping` that is not part of a canary group, but that has a `weight` less than 100,
363 will be correctly configured to receive all traffic as if the `weight` were 100.
364
365- Bugfix: Using `rewrite: ""` in a `Mapping` is correctly handled to mean "do not rewrite the path
366 at all".
367
368- Bugfix: Any `Mapping` that uses the `host_redirect` field is now properly discovered and used.
369 Thanks to <a href="https://github.com/gferon">Gabriel Féron</a> for contributing this bugfix! ([#3709])
370
371- Bugfix: `Mapping`s with DNS wildcard `hostname` will now be correctly matched with `Host`s.
372 Previously, the case where both the `Host` and the `Mapping` use DNS wildcards for their hostnames
373 could sometimes not correctly match when they should have.
374
375- Bugfix: If the `ambassador` `Module` sets a global default for `add_request_headers`,
376 `add_response_headers`, `remove_request_headers`, or `remove_response_headers`, it is often
377 desirable to be able to turn off that setting locally for a specific `Mapping`. For several
378 releases this has not been possible for `Mappings` that are native Kubernetes resources (as
379 opposed to annotations), as an empty value ("mask the global default") was erroneously considered
380 to be equivalent to unset ("inherit the global default"). This is now fixed.
381
382- Bugfix: It is now possible to set a `Mapping` `spec.error_response_overrides` `body.text_format`
383 to an empty string or `body.json_format` to an empty dict. Previously, this was possible for
384 annotations but not for native Kubernetes resources.
385
386- Bugfix: Resources that exist as `getambassador.io/config` annotations rather than as native
387 Kubernetes resources are now validated and internally converted to v3alpha1 and, the same as
388 native Kubernetes resources.
389
390- Bugfix: Resource validation errors are now reported more consistently; it was the case that in
391 some situations a validation error would not be reported.
392
393[#3709]: https://github.com/emissary-ingress/emissary/issues/3709
394
395## 2.1.1 not issued
396
397*Emissary-ingress 2.1.1 was not issued; Ambassador Edge Stack 2.1.1 uses Emissary-ingress 2.1.0.*
398
399## [2.1.0] December 16, 2021
400[2.1.0]: https://github.com/emissary-ingress/emissary/compare/v2.0.5...v2.1.0
401
402*Emissary-ingress 2.1.0 is not recommended; upgrade to 2.1.2 instead.*
403
404### Emissary-ingress and Ambassador Edge Stack
405
406- Change: Support for the Envoy V2 API is deprecated as of Emissary-ingress v2.1, and will be
407 removed in Emissary-ingress v3.0. The `AMBASSADOR_ENVOY_API_VERSION` environment variable will be
408 removed at the same time. Only the Envoy V3 API will be supported (this has been the default since
409 Emissary-ingress v1.14.0).
410
411- Feature: Emissary-ingress supports `getambassador.io/v2` CRDs, to simplify migration from
412 Emissary-ingress 1.X. **Note:** it is important to read the <a
413 href="https://www.getambassador.io/docs/emissary/latest/topics/install/migration-matrix">migration
414 documentation</a> before starting migration.
415
416- Bugfix: The incremental reconfiguration cache could miss some updates when multiple `Mapping`s had
417 the same `prefix` ("canary"ing multiple `Mapping`s together). This has been corrected, so that all
418 such updates correctly take effect. ([#3945])
419
420- Bugfix: When using Kubernetes Secrets to store ACME private keys (as the Edge Stack ACME client
421 does), an error would always be logged about the Secret not being present, even though it was
422 present, and everything was working correctly. This error is no longer logged.
423
424- Bugfix: When using gzip compression, upstream services will no longer receive compressed data.
425 This bug was introduced in 1.14.0. The fix restores the default behavior of not sending compressed
426 data to upstream services. ([#3818])
427
428- Security: Update to busybox 1.34.1 to resolve CVE-2021-28831, CVE-2021-42378, CVE-2021-42379,
429 CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385,
430 and CVE-2021-42386.
431
432- Security: Update Python dependencies to resolve CVE-2020-28493 (jinja2), CVE-2021-28363 (urllib3),
433 and CVE-2021-33503 (urllib3).
434
435- Security: Previous built images included some Python packages used only for test. These have now
436 been removed, resolving CVE-2020-29651.
437
438[#3945]: https://github.com/emissary-ingress/emissary/issues/3945
439[#3818]: https://github.com/emissary-ingress/emissary/issues/3818
440
441## [2.0.5] November 08, 2021
442[2.0.5]: https://github.com/emissary-ingress/emissary/compare/v2.0.4...v2.0.5
443
444### Emissary-ingress and Ambassador Edge Stack
445
446- Feature: It is now possible to set the `circuit_breakers` for `AuthServices`, exactly the same as
447 for `Mappings` and `TCPMappings`. This makes it possible to configure your `AuthService` to be
448 able to handle more than 1024 concurrent requests.
449
450- Bugfix: Any token delimited by '%' is now validated agains a whitelist of valid Envoy command
451 operators. Any mapping containing an `error_response_overrides` section with invalid command
452 operators will be discarded.
453
454- Bugfix: The `Host` CRD now correctly supports the `mappingSelector` element, as documented. As a
455 transition aid, `selector` is a synonym for `mappingSelector`; a future version of
456 Emissary-ingress will remove the `selector` element. ([#3902])
457
458[#3902]: https://github.com/emissary-ingress/emissary/issues/3902
459
460## [2.0.4] October 19, 2021
461[2.0.4]: https://github.com/emissary-ingress/emissary/compare/v2.0.3-ea...v2.0.4
462
463We're pleased to introduce Emissary-ingress 2.0.4 for general availability! The 2.X family
464introduces a number of changes to allow Emissary-ingress to more gracefully handle larger
465installations, reduce global configuration to better handle multitenant or multiorganizational
466installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a
467href="https://a8r.io/slack">Slack</a> and let us know what you think.
468
469### Emissary-ingress and Ambassador Edge Stack
470
471- Change: The `x.getambassador.io/v3alpha1` API version has become the `getambassador.io/v3alpha1`
472 API version. The `Ambassador-` prefixes from `x.getambassador.io/v3alpha1` resource kind names
473 (e.g. `AmbassadorHost`) have been removed for ease of migration from Emissary-ingress 1.x. As
474 with previous 2.0.x releases, you **must** supply a `Host` (`AmbassadorHost` in previous 2.0.x
475 releases) resource to terminate TLS: unlike in 1.x it is no longer sufficient to define a
476 `TLSContext` (although `TLSContext`s are still the best way to define TLS configuration
477 information to be shared across multiple `Host`s). **Note that `getambassador.io/v3alpha1` is the
478 only supported API version for 2.0.4** — full support for `getambassador.io/v2` will arrive
479 soon in a later 2.X version.
480
481- Feature: The `getambassador.io/v3alpha1` API version and the published chart and manifests have
482 been updated to support Kubernetes 1.22. Thanks to <a href="https://github.com/imoisharma">Mohit
483 Sharma</a> for contributions to this feature!
484
485- Feature: You can now set `dns_type` between `strict_dns` and `logical_dns` in a `Mapping` to
486 configure the Service Discovery Type.
487
488- Feature: You can now set `respect_dns_ttl` to `true` to force the DNS refresh rate for a `Mapping`
489 to be set to the record's TTL obtained from DNS resolution.
490
491- Feature: You can now set `buffer_limit_bytes` in the `ambassador` `Module` to to change the size
492 of the upstream read and write buffers. The default is 1MiB.
493
494- Bugfix: The release now shows its actual released version number, rather than the internal
495 development version number. ([#3854])
496
497- Bugfix: Large configurations no longer cause Emissary-ingress to be unable to communicate with
498 Ambassador Cloud. ([#3593])
499
500- Bugfix: The `l7Depth` element of the `Listener` CRD is properly supported.
501
502[#3854]: https://github.com/emissary-ingress/emissary/issues/3854
503[#3593]: https://github.com/emissary-ingress/emissary/issues/3593
504
505## [2.0.3-ea] September 16, 2021
506[2.0.3-ea]: https://github.com/emissary-ingress/emissary/compare/v2.0.2-ea...v2.0.3-ea
507
508We're pleased to introduce Emissary-ingress 2.0.3 as a **developer preview**. The 2.X family
509introduces a number of changes to allow Emissary-ingress to more gracefully handle larger
510installations, reduce global configuration to better handle multitenant or multiorganizational
511installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a
512href="https://a8r.io/slack">Slack</a> and let us know what you think.
513
514### Emissary-ingress and Ambassador Edge Stack
515
516- Feature: The environment variable `AES_LOG_LEVEL` now also sets the log level for the `diagd`
517 logger. ([#3686]) ([#3666])
518
519- Feature: You can now set `dns_type` in the `AmbassadorMapping` to configure how Envoy will use the
520 DNS for the service.
521
522- Bugfix: It is no longer necessary to set `DOCKER_BUILDKIT=0` when building Emissary. A future
523 change will fully support BuildKit. ([#3707])
524
525[#3686]: https://github.com/emissary-ingress/emissary/issues/3686
526[#3666]: https://github.com/emissary-ingress/emissary/issues/3666
527[#3707]: https://github.com/emissary-ingress/emissary/issues/3707
528
529## [2.0.2-ea] August 24, 2021
530[2.0.2-ea]: https://github.com/emissary-ingress/emissary/compare/v2.0.1-ea...v2.0.2-ea
531
532We're pleased to introduce Emissary-ingress 2.0.2 as a **developer preview**. The 2.X family
533introduces a number of changes to allow Emissary-ingress to more gracefully handle larger
534installations, reduce global configuration to better handle multitenant or multiorganizational
535installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a
536href="https://a8r.io/slack">Slack</a> and let us know what you think.
537
538### Emissary-ingress and Ambassador Edge Stack
539
540- Bugfix: Upgraded envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777,
541 CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781.
542
543- Feature: You can now set `allow_chunked_length` in the Ambassador Module to configure the same
544 value in Envoy.
545
546- Change: Envoy-configuration snapshots get saved (as `ambex-#.json`) in `/ambassador/snapshots`.
547 The number of snapshots is controlled by the `AMBASSADOR_AMBEX_SNAPSHOT_COUNT` environment
548 variable; set it to 0 to disable. The default is 30.
549
550## [2.0.1-ea] August 12, 2021
551[2.0.1-ea]: https://github.com/emissary-ingress/emissary/compare/v2.0.0-ea...v2.0.1-ea
552
553We're pleased to introduce Emissary-ingress 2.0.1 as a **developer preview**. The 2.X family
554introduces a number of changes to allow Emissary-ingress to more gracefully handle larger
555installations, reduce global configuration to better handle multitenant or multiorganizational
556installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a
557href="https://a8r.io/slack">Slack</a> and let us know what you think.
558
559### Emissary-ingress and Ambassador Edge Stack
560
561- Feature: Ambassador Agent reports sidecar process information and `AmbassadorMapping` OpenAPI
562 documentation to Ambassador Cloud to provide more visibility into services and clusters.
563
564- Feature: The optional `stats_prefix` element of the `AmbassadorListener` CRD now determines the
565 prefix of HTTP statistics emitted for a specific `AmbassadorListener`.
566
567- Feature: The optional `stats_name` element of `AmbassadorMapping`, `AmbassadorTCPMapping`,
568 `AuthService`, `LogService`, `RateLimitService`, and `TracingService` now sets the name under
569 which cluster statistics will be logged. The default is the `service`, with non-alphanumeric
570 characters replaced by underscores.
571
572- Bugfix: We have updated to `k8s.io/klog/v2` to track upstream and to quiet unnecessary log output.
573
574- Change: Logs now include subsecond time resolutions, rather than just seconds.
575
576- Change: Set `AMBASSADOR_AMBEX_NO_RATELIMIT` to `true` to completely disable ratelimiting Envoy
577 reconfiguration under memory pressure. This can help performance with the endpoint or Consul
578 resolvers, but could make OOMkills more likely with large configurations. The default is `false`,
579 meaning that the rate limiter is active.
580
581## [2.0.0-ea] June 24, 2021
582[2.0.0-ea]: https://github.com/emissary-ingress/emissary/compare/v1.14.2...v2.0.0-ea
583
584We're pleased to introduce Emissary-ingress 2.0.0 as a **developer preview**. The 2.X family
585introduces a number of changes to allow Emissary-ingress to more gracefully handle larger
586installations, reduce global configuration to better handle multitenant or multiorganizational
587installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a
588href="https://a8r.io/slack">Slack</a> and let us know what you think.
589
590### Emissary-ingress and Ambassador Edge Stack
591
592- Feature: Emissary-ingress 2.0.0 introduces API version `x.getambassador.io/v3alpha1` for
593 configuration changes that are not backwards compatible with the 1.X family. API versions
594 `getambassador.io/v0`, `getambassador.io/v1`, and `getambassador.io/v2` are deprecated. Further
595 details are available in the <a
596 href="https://www.getambassador.io/docs/emissary/latest/about/changes-2.x/#1-configuration-api-version-getambassadoriov3alpha1">Major
597 Changes in 2.X</a> document.
598
599- Feature: The new `AmbassadorListener` CRD defines where and how to listen for requests from the
600 network, and which `AmbassadorHost` definitions should be used to process those requests. Note
601 that the `AmbassadorListener` CRD is **mandatory** and consolidates *all* port configuration; see
602 the <a
603 href="https://www.getambassador.io/docs/emissary/latest/topics/running/listener">`AmbassadorListener`
604 documentation</a> for more details.
605
606- Feature: Where `AmbassadorMapping`'s `host` field is either an exact match or (with `host_regex`
607 set) a regex, the new `hostname` element is always a DNS glob. Use `hostname` instead of `host`
608 for best results.
609
610- Feature: The behavior of the Ambassador module `prune_unreachable_routes` field is now automatic,
611 which should reduce Envoy memory requirements for installations with many `AmbassadorHost`s
612
613- Bugfix: Each `AmbassadorHost` can specify its `requestPolicy.insecure.action` independently of any
614 other `AmbassadorHost`, allowing for HTTP routing as flexible as HTTPS routing. ([#2888])
615
616- Bugfix: Emissary-ingress 2.0.0 fixes a regression in detecting the Ambassador Kubernetes service
617 that could cause the wrong IP or hostname to be used in Ingress statuses -- thanks, <a
618 href="https://github.com/impl">Noah Fontes</a>!
619
620- Bugfix: Emissary-ingress 2.0.0 fixes a bug where mTLS could use the wrong configuration when SNI
621 and the `:authority` header didn't match
622
623- Change: The `TLSContext` `redirect_cleartext_from` and `AmbassadorHost`
624 `requestPolicy.insecure.additionalPort` elements are no longer supported. Use a
625 `AmbassadorListener` for this functionality instead.
626
627- Change: The `use_proxy_protocol` element of the Ambassador `Module` is no longer supported, as it
628 is now part of the `AmbassadorListener` resource (and can be set per-`AmbassadorListener` rather
629 than globally).
630
631- Change: An `AmbassadorMapping` will only be matched with an `AmbassadorHost` if the
632 `AmbassadorMapping`'s `host` or the `AmbassadorHost`'s `selector` (or both) are explicitly set,
633 and match. This change can significantly improve Emissary-ingress's memory footprint when many
634 `AmbassadorHost`s are involved. Further details are available in the <a
635 href="https://www.getambassador.io/docs/emissary/latest/about/changes-2.x/#host-and-mapping-association">Major
636 Changes in 2.X</a> document.
637
638- Change: An `AmbassadorHost` or `Ingress` resource is now required when terminating TLS -- simply
639 creating a `TLSContext` is not sufficient. Further details are available in the <a
640 href="https://www.getambassador.io/docs/emissary/latest/about/changes-2.x/#host-tlscontext-and-tls-termination">`AmbassadorHost`
641 CRD documentation.</a>
642
643- Change: By default, Emissary-ingress will configure Envoy using the V3 Envoy API. This change is
644 mostly transparent to users, but note that Envoy V3 does not support unsafe regular expressions
645 or, e.g., Zipkin's V1 collector protocol. Further details are available in the <a
646 href="https://www.getambassador.io/docs/emissary/latest/about/changes-2.x">Major Changes in
647 2.X</a> document.
648
649- Change: The `tls` module and the `tls` field in the Ambassador module are no longer supported.
650 Please use `TLSContext` resources instead.
651
652- Change: The environment variable `AMBASSADOR_FAST_RECONFIGURE` is now set by default, enabling the
653 higher-performance implementation of the code that Emissary-ingress uses to generate and validate
654 Envoy configurations.
655
656- Change: Service Preview and the `AGENT_SERVICE` environment variable are no longer supported. The
657 Telepresence product replaces this functionality.
658
659- Change: The `edgectl` CLI tool has been deprecated; please use the `emissary-ingress` helm chart
660 instead.
661
662[#2888]: https://github.com/datawire/ambassador/issues/2888
663
664## [1.14.2] September 29, 2021
665[1.14.2]: https://github.com/emissary-ingress/emissary/compare/v1.14.1...v1.14.2
666
667### Emissary-ingress and Ambassador Edge Stack
668
669- Feature: You can now set `respect_dns_ttl` in Ambassador Mappings. When true it configures that
670 upstream's refresh rate to be set to resource record’s TTL
671
672- Feature: You can now set `dns_type` in Ambassador Mappings to use Envoy's `logical_dns` resolution
673 instead of the default `strict_dns`.
674
675- Feature: You can now set `buffer_limit_bytes` in the `ambassador` `Module` to to change the size
676 of the upstream read and write buffers. The default is 1MiB.
677
678## [1.14.1] August 24, 2021
679[1.14.1]: https://github.com/emissary-ingress/emissary/compare/v1.14.0...v1.14.1
680
681### Emissary-ingress and Ambassador Edge Stack
682
683- Change: Upgraded Envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777,
684 CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781.
685
686## [1.14.0] August 19, 2021
687[1.14.0]: https://github.com/emissary-ingress/emissary/compare/v1.13.10...v1.14.0
688
689### Emissary-ingress and Ambassador Edge Stack
690
691- Change: Update from Envoy 1.15 to 1.17.3
692
693- Feature: You can now set `allow_chunked_length` in the Ambassador Module to configure the same
694 value in Envoy.
695
696- Change: `AMBASSADOR_ENVOY_API_VERSION` now defaults to `V3`
697
698- Change: Logs now include subsecond time resolutions, rather than just seconds.
699
700## [1.13.10] July 28, 2021
701[1.13.10]: https://github.com/emissary-ingress/emissary/compare/v1.13.9...v1.13.10
702
703### Emissary-ingress and Ambassador Edge Stack
704
705- Bugfix: Fixed a regression when specifying a comma separated string for `cors.origins` on the
706 `Mapping` resource. ([#3609](https://github.com/emissary-ingress/emissary/issues/3609))
707
708- Change: Envoy-configuration snapshots get saved (as `ambex-#.json`) in `/ambassador/snapshots`.
709 The number of snapshots is controlled by the `AMBASSADOR_AMBEX_SNAPSHOT_COUNT` environment
710 variable; set it to 0 to disable. The default is 30.
711
712- Change: Set `AMBASSADOR_AMBEX_NO_RATELIMIT` to `true` to completely disable ratelimiting Envoy
713 reconfiguration under memory pressure. This can help performance with the endpoint or Consul
714 resolvers, but could make OOMkills more likely with large configurations. The default is `false`,
715 meaning that the rate limiter is active.
716
717### Ambassador Edge Stack only
718
719- Bugfix: The `Mapping` resource can now specify `docs.timeout_ms` to set the timeout when the Dev
720 Portal is fetching API specifications.
721
722- Bugfix: The Dev Portal will now strip HTML tags when displaying search results, showing just the
723 actual content of the search result.
724
725- Change: Consul certificate-rotation logging now includes the fingerprints and validity timestamps
726 of certificates being rotated.
727
728## [1.13.9] June 30, 2021
729[1.13.9]: https://github.com/emissary-ingress/emissary/compare/v1.13.8...v1.13.9
730
731### Emissary-ingress and Ambassador Edge Stack
732
733- Bugfix: Configuring multiple TCPMappings with the same ports (but different hosts) no longer
734 generates invalid Envoy configuration.
735
736## [1.13.8] June 08, 2021
737[1.13.8]: https://github.com/emissary-ingress/emissary/compare/v1.13.7...v1.13.8
738
739### Emissary-ingress and Ambassador Edge Stack
740
741- Bugfix: Ambassador Agent now accurately reports up-to-date Endpoint information to Ambassador
742 Cloud
743
744- Feature: Ambassador Agent reports ConfigMaps and Deployments to Ambassador Cloud to provide a
745 better Argo Rollouts experience. See [Argo+Ambassador
746 documentation](https://www.getambassador.io/docs/argo) for more info.
747
748## [1.13.7] June 03, 2021
749[1.13.7]: https://github.com/datawire/ambassador/compare/v1.13.6...v1.13.7
750
751### Emissary-ingress and Ambassador Edge Stack
752
753- Feature: Add AMBASSADOR_JSON_LOGGING to enable JSON for most of the Ambassador control plane. Some
754 (but few) logs from gunicorn and the Kubernetes client-go package still log text.
755
756- Bugfix: Fixed a bug where the Consul resolver would not actually use Consul endpoints with
757 TCPMappings.
758
759- Change: Ambassador now calculates its own memory usage in a way that is more similar to how the
760 kernel OOMKiller tracks memory.
761
762## [1.13.6] May 24, 2021
763[1.13.6]: https://github.com/datawire/ambassador/compare/v1.13.5...v1.13.6
764
765### Emissary-ingress and Ambassador Edge Stack
766
767- Bugfix: Fixed a regression where Ambassador snapshot data was logged at the INFO label when using
768 `AMBASSADOR_LEGACY_MODE=true`.
769
770## [1.13.5] May 13, 2021
771[1.13.5]: https://github.com/datawire/ambassador/compare/v1.13.4...v1.13.5
772
773### Emissary-ingress and Ambassador Edge Stack
774
775- Bugfix: Fix a regression from 1.8.0 that prevented `ambassador` `Module` config keys `proper_case`
776 and `preserve_external_request_id` from working correctly.
777
778- Bugfix: Fixed a regression in detecting the Ambassador Kubernetes service that could cause the
779 wrong IP or hostname to be used in Ingress statuses (thanks, [Noah
780 Fontes](https://github.com/impl)!
781
782## [1.13.4] May 11, 2021
783[1.13.4]: https://github.com/datawire/ambassador/compare/v1.13.3...v1.13.4
784
785### Emissary-ingress and Ambassador Edge Stack
786
787- Security: Incorporate the Envoy 1.15.5 security update by adding the
788 `reject_requests_with_escaped_slashes` option to the Ambassador module.
789
790## [1.13.3] May 03, 2021
791[1.13.3]: https://github.com/datawire/ambassador/compare/v1.13.2...v1.13.3
792
793### Emissary Ingress and Ambassador Edge Stack
794
795- Bugfix: Fixed a regression that caused Ambassador to crash when loading the Edge Policy Console when any RateLimit resources exist ([#3348])
796
797## [1.13.2] April 29, 2021
798[1.13.2]: https://github.com/datawire/ambassador/compare/v1.13.1...v1.13.2
799
800### Emissary Ingress and Ambassador Edge Stack
801
802- Bugfix: Fixed a regression that caused endpoint routing to not work when defining mappings in service annotations ([#3369])
803
804[#3369]: https://github.com/datawire/ambassador/issues/3369
805
806## [1.13.1] April 22, 2021
807[1.13.1]: https://github.com/datawire/ambassador/compare/v1.13.0...v1.13.1
808
809### Emissary Ingress and Ambassador Edge Stack
810
811- Bugfix: Potentially increased CPU Usage for deployments with large numbers of Hosts ([#3358])
812
813[#3358]: https://github.com/datawire/ambassador/issues/3358
814
815## [1.13.0] April 20, 2021
816[1.13.0]: https://github.com/datawire/ambassador/compare/v1.12.4...v1.13.0
817
818### Emissary Ingress and Ambassador Edge Stack
819
820**Note**: Support for the deprecated `v2alpha` `protocol_version` has been removed from the `AuthService` and `RateLimitService`.
821
822- Feature: Added support for the [Mapping AuthService setting] `auth_context_extensions`, allowing supplying custom per-mapping information to external auth services (thanks, [Giridhar Pathak](https://github.com/gpathak)!).
823- Feature: Added support in ambassador-agent for reporting [Argo Rollouts] and [Argo Applications] to Ambassador Cloud
824- Feature: The [Ambassador Module configuration] now supports the `diagnostics.allow_non_local` flag to expose admin UI internally only ([#3074] -- thanks, [Fabrice](https://github.com/jfrabaute)!)
825- Feature: Ambassador will now use the Envoy v3 API internally when the AMBASSADOR_ENVOY_API_VERSION environment variable is set to "V3". By default, Ambassador will continue to use the v2 API.
826- Feature: The [Ambassador Agent] is now available (and deployed by default) for the API Gateway (https://app.getambassador.io).
827- Feature: The [Ambassador Module configuration] now supports `merge_slashes` which tells Ambassador to merge adjacent slashes when performing route matching. For example, when true, a request with URL '//foo/' would match a Mapping with prefix '/foo/'.
828- Feature: Basic support for a subset of the [Kubernetes Gateway API] has been added.
829- Feature: Ambassador now supports the `DD_ENTITY_ID` environment variable to set the `dd.internal.entity_id` statistics tag on metrics generated when using DogStatsD.
830- Bugfix: Make Knative paths match on prefix instead of the entire path to better align to the Knative specification ([#3224]).
831- Bugfix: The endpoint routing resolver will now properly watch services that include a scheme.
832- Bugfix: Environment variable interpolation works again for `ConsulResolver.Spec.Address` without setting `AMBASSADOR_LEGACY_MODE` ([#3182], [#3317])
833- Bugfix: Endpoint routing will now detect endpoint changes when your service field includes `.svc.cluster.local`. ([#3324])
834- Bugfix: Upgrade PyYAML to 5.4.1 ([#3349])
835- Change: The Helm chart has been moved into this repo, in the `charts/ambassador` directory.
836- Change: The `Mapping` CRD has been modified so that `kubectl get mappings` now has a column for not just the source path-prefix (`.spec.prefix`), but the source host (`.spec.host`) too.
837- Change: The yaml in yaml/docs is now generated from the contents of the helm chart in the `charts/ambassador` directory.
838- Change: Support for the deprecated `v2alpha` `protocol_version` has been removed from the `AuthService` and `RateLimitService`.
839
840[Ambassador Agent]: https://www.getambassador.io/docs/cloud/latest/service-catalog/quick-start/
841[Ambassador Module configuration]: https://getambassador.io/docs/edge-stack/latest/topics/running/ambassador/
842[Argo Applications]: https://www.getambassador.io/docs/argo/latest/quick-start/
843[Argo Rollouts]: https://www.getambassador.io/docs/argo/latest/quick-start/
844[Kubernetes Gateway API]: https://getambassador.io/docs/edge-stack/latest/topics/using/gateway-api/
845[Mapping AuthService setting]: https://getambassador.io/docs/edge-stack/latest/topics/using/authservice
846
847[#3074]: https://github.com/datawire/ambassador/issues/3074
848[#3182]: https://github.com/datawire/ambassador/issues/3182
849[#3224]: https://github.com/datawire/ambassador/issues/3224
850[#3317]: https://github.com/datawire/ambassador/issues/3317
851[#3324]: https://github.com/datawire/ambassador/issues/3324
852[#3349]: https://github.com/datawire/ambassador/issues/3349
853
854### Ambassador Edge Stack only
855
856- Feature: DevPortal: Added doc.display_name attribute to the Mapping CRD. This value allows for a custom name and documentation URL path of the service in the DevPortal.
857- Feature: DevPortal: Added `naming_scheme` enum to the DevPortal CRD. This enum controls the way services are displayed in the DevPortal. Supported values are `namespace.name` (current behavior) and `name.prefix`, which will use the Mapping name and Mapping prefix to display the services.
858- Feature: DevPortal: `DEVPORTAL_DOCS_BASE_PATH` environment variable makes the base path of service API documentation configurable.
859- Feature: DevPortal: DevPortal will now reload content on changes to Mapping and DevPortal resources.
860- Feature: DevPortal: DevPortal now supports a search endpoint at `/docs/api/search`
861- Feature: DevPortal search can be configured to only search over titles (with search.type=`title-only`in the DevPortal CRD) or to search over all content (search.type=`all-content`)
862- Feature: DevPortal search supports deep linking to openapi spec entries (must set `search.type=all-content` and `search.enabled=true` on the DevPortal CRD)
863- Feature: DevPortal: Trigger content refresh by hitting `/docs/api/refreshContent`
864- Feature: The AES ratelimit preview service now supports [burst ratelimiting] (aka token bucket ratelimiting).
865- Bugfix: The AES ratelimit preview no longer ignores LOCAL_CACHE_SIZE_IN_BYTES.
866- Bugfix: The AES ratelimit preview no longer ignores NEAR_LIMIT_RATIO.
867- Bugfix: The AES ratelimit preview no longer ignores EXPIRATION_JITTER_MAX_SECONDS.
868- Change: Silence DevPortal warnings when DevPortal cannot parse a hostname from a Mapping. (#3341)
869
870[burst ratelimiting]: https://getambassador.io/docs/edge-stack/latest/topics/using/rate-limits/rate-limits/
871
872[#3341]: https://github.com/datawire/ambassador/issues/3341
873
874## [1.12.4] April 19, 2021
875[1.12.4]: https://github.com/datawire/ambassador/compare/v1.12.3...v1.12.4
876
877Bugfix: Fix the Envoy base image build step and, as a result, correctly ship the Envoy 1.15.4 security updates.
878
879## [1.12.3] April 15, 2021
880[1.12.3]: https://github.com/datawire/ambassador/compare/v1.12.2...v1.12.3
881
882Bugfix: Incorporate the Envoy 1.15.4 security update.
883
884## [1.12.2] March 29, 2021
885[1.12.2]: https://github.com/datawire/ambassador/compare/v1.12.1...v1.12.2
886
887- Bugfix: Update OpenSSL to 1.1.1k to address CVE-2021-23840), CVE-2021-3450), CVE-2021-23841), CVE-2021-3449), CVE-2021-23839), CVE-2021-23840), CVE-2021-3450), CVE-2021-23841), CVE-2021-3449), and CVE-2021-23839)
888
889## [1.12.1] March 12, 2021
890[1.12.1]: https://github.com/datawire/ambassador/compare/v1.12.0...v1.12.1
891
892- Bugfix: The endpoint routing resolver will now properly watch services with mappings that define the service field with an explicit port.
893- Bugfix: Correctly manage cluster load assignments with very long cluster names and `AMBASSADOR_FAST_RECONFIGURE`
894
895## [1.12.0] March 08, 2021
896[1.12.0]: https://github.com/datawire/ambassador/compare/v1.11.2...v1.12.0
897
898### Ambasssador API Gateway + Ambassador Edge Stack
899
900- Feature: Endpoint routing is now much more performant, especially in situations where reconfigurations are frequent.
901- Feature: A scrubbed ambassador snapshot is now accessible outside the pod at `:8005/snapshot-external`. This port is exposed on the ambassador-admin Kubernetes service.
902- Feature: Ambassador now supports configuring the maximum lifetime of an upstream connection using `cluster_max_connection_lifetime_ms`. After the configured time, upstream connections are drained and closed, allowing an operator to set an upper bound on how long any upstream connection will remain open. This is useful when using Kubernetes Service resolvers (the default) and modifying label selectors for traffic shifting.
903- Feature: The Ambassador Module configuration now supports `cluster_request_timeout_ms` to set a default request `timeout_ms` for Mappings. This allows an operator to update the default request timeout (currently 3000ms) without needing to update every Mapping.
904- Feature: The Ambassador Module configuration now supports `suppress_envoy_headers` to prevent Ambassador from setting additional headers on requests and responses. These headers are typically used for diagnostic purposes and are safe to omit when they are not desired.
905- Feature: All Kubernetes services managed by Ambassador are automatically instrumented with service catalog discovery annotations.
906- Feature: [`headers_with_underscores_action`](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/protocol.proto#enum-core-httpprotocoloptions-headerswithunderscoresaction) is now configurable in the Ambassador `Module`.
907- Feature: The Ambassador Module configuration now supports `strip_matching_host_port` to control whether the port should be removed from the host/Authority header before any processing by request filters / routing. This behavior only applies if the port matches the associated Envoy listener port.
908- Bugfix: Ambassador now does a better job of cleaning up gRPC connections when shutting down.
909- Bugfix: Prevent potential reconcile loop when updating the status of an Ingress.
910- Bugfix: Update Python requirements, including addressing CVE-2020-36242 ([#3233])
911- Bugfix: Remove unnecessary logs about Kubernetes Secrets ([#3229])
912
913[#3229]: https://github.com/datawire/ambassador/issues/3229
914[#3233]: https://github.com/datawire/ambassador/issues/3233
915
916### Ambassador Edge Stack only
917
918- Feature: Added support for ambassador-agent deployment, reporting to Ambassador Cloud Service Catalog (https://app.getambassador.io)
919- Feature: `edgectl login` will automatically open your browser, allowing you to login into Service Catalog (https://app.getambassador.io)
920- Feature: `edgectl install` command allows you to install a new Ambassador Edge Stack automatically connected to Ambassador Cloud by passing a `--cloud-connect-token` argument.
921- Feature: `AES_AUTH_TIMEOUT` now allows you to configure the timeout of the AES authentication service. Defaults to 4s.
922- Bugfix: Prevent Dev Portal from sporadically responding with upstream connect timeout when loading content
923
924## [1.11.2] March 01, 2021
925[1.11.2]: https://github.com/datawire/ambassador/compare/v1.11.1...v1.11.2
926
927### Ambasssador API Gateway + Ambassador Edge Stack
928
929- Bugfix: Changes to endpoints when endpoint routing is not active will no longer cause reconfiguration
930- Bugfix: Correctly differentiate int values of 0 and Boolean values of `false` from non-existent attributes in CRDs ([#3212])
931- Bugfix: Correctly support Consul datacenters other than "dc1" without legacy mode.
932
933[#3212]: https://github.com/datawire/ambassador/issues/3212
934
935## [1.11.1] February 04, 2021
936[1.11.1]: https://github.com/datawire/ambassador/compare/v1.11.0...v1.11.1
937
938- Bugfix: Fix an issue that caused Dev Portal to sporadically respond with upstream connect timeout when loading content
939
940## [1.11.0] January 26, 2021
941[1.11.0]: https://github.com/datawire/ambassador/compare/v1.10.0...v1.11.0
942
943### Ambasssador API Gateway + Ambassador Edge Stack
944
945- Feature: Ambassador now reads the ENVOY_CONCURRENCY environment variable to optionally set the [--concurrency](https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-concurrency) command line option when launching Envoy. This controls the number of worker threads used to serve requests and can be used to fine-tune system resource usage.
946- Feature: The %DOWNSTREAM_PEER_CERT_V_START% and %DOWNSTREAM_PEER_CERT_V_END% command operators now support custom date formatting, similar to %START_TIME%. This can be used for both header formatting and access log formatting.
947- Feature: Eliminate the need to drain and recreate listeners when routing configuration is changed. This reduces both memory usage and disruption of in-flight requests.
948- Bugfix: Make sure that `labels` specifying headers with extra attributes are correctly supported again ([#3137]).
949- Bugfix: Support Consul services when the `ConsulResolver` and the `Mapping` aren't in the same namespace, and legacy mode is not enabled.
950- Bugfix: Fix failure to start when one or more IngressClasses are present in a cluster ([#3142]).
951- Bugfix: Properly handle Kubernetes 1.18 and greater when RBAC prohibits access to IngressClass resources.
952- Bugfix: Support `TLSContext` CA secrets with fast validation ([#3005]).
953- Bugfix: Dev Portal correctly handles transient failures when fetching content
954- Bugfix: Dev Portal sidebar pages have a stable order
955- Bugfix: Dev Portal pages are now marked cacheable
956
957### Ambassador Edge Stack only
958
959- Feature: RateLimit CRDs now suport specifying an `action` for each limit. Possible values include "Enforce" and "LogOnly", case insensitive. LogOnly may be used to implement dry run rules that do not actually enforce.
960- Feature: RateLimit CRDs now support specifying a symbolic `name` for each limit. This name can later be used in the access log to know which RateLimit, if any, applied to a request.
961- Feature: RateLimit metadata is now available using the `DYNAMIC_METADATA(envoy.http.filters.ratelimit: ... )` command operator in the Envoy access logs. See [Envoy Documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage) for more on using dynamic metadata in the access log.
962- Feature: OAuth2 Filter: The SameSite cookie attribute is now configurable.
963
964[#3005]: https://github.com/datawire/ambassador/issues/3005
965[#3137]: https://github.com/datawire/ambassador/issues/3137
966[#3142]: https://github.com/datawire/ambassador/issues/3142
967
968## [1.10.0] January 04, 2021
969[1.10.0]: https://github.com/datawire/ambassador/compare/v1.9.1...v1.10.0
970
971### Ambasssador API Gateway + Ambassador Edge Stack
972
973- Feature: The redirect response code returned by Ambassador is now configurable using `redirect_reponse_code` on `Mappings` that use `host_redirect`.
974- Feature: The redirect location header returned by Ambassador now supports prefix rewrites using `prefix_redirect` on `Mappings` that use `host_redirect`.
975- Feature: The redirect location header returned by Ambassador now supports regex rewrites using `regex_redirect` on `Mappings` that use `host_redirect`.
976- Feature: Expose `max_request_headers_kb` in the Ambassador `Module`. This directly exposes the same value in Envoy; see [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/network/http_connection_manager/v2/http_connection_manager.proto) for more information.
977- Feature: Support Istio mTLS certification rotation for Istio 1.5 and higher. See the [howto](https://www.getambassador.io/docs/edge-stack/latest/howtos/istio/) for details.
978- Feature: The Ambassador Module's `error_response_overrides` now support configuring an empty response body using `text_format`. Previously, empty response bodies could only be configured by specifying an empty file using `text_format_source`.
979- Feature: OAuth2 Filter: Support injecting HTTP header fields in to the request before passing on to the upstream service. Enables passing along `id_token` information to the upstream if it was returned by the IDP.
980- Bugfix: Fix the grpc external filter to properly cache grpc clients thereby avoiding initiating a separate connection to the external filter for each filtered request.
981- Bugfix: Fix a bug in the Mapping CRD where the `text_format_source` field was incorrectly defined as type `string` instead of an object, as documented.
982- Bugfix: The RBAC requirements when `AMBASSADOR_FAST_RECONFIGURE` is enabled now more-closely match the requirements when it's disabled.
983- Bugfix: Fix error reporting and required-field checks when fast validation is enabled. Note that fast validation is now the default; see below.
984- Change: **Fast validation is now the default**, so the `AMBASSADOR_FAST_VALIDATION` variable has been removed. The Golang boot sequence is also now the default. Set `AMBASSADOR_LEGACY_MODE=true` to disable these two behaviors.
985- Change: ambassador-consul-connect resources now get deployed into the `ambassador` namespace instead of the active namespace specified in the user's kubernetes context (usually `default`). Old resource cleanup is documented in the Ambassador Consul integration documentation.
986
987### Ambassador Edge Stack only
988
989- Default-off early access: Ratelimiting now supports redis clustering, local caching of exceeded ratelimits, and an upgraded redis client with improved scalability. Must set AES_RATELIMIT_PREVIEW=true to access these improvements.
990- Bugfix: OAuth2 Filter: Fix `insufficient_scope` error when validating Azure access tokens.
991- Bugfix: Filters: Fix a capitalization-related bug where sometimes existing headers are appended to when they should be overwritten.
992
993## [1.9.1] November 19, 2020
994[1.9.1]: https://github.com/datawire/ambassador/compare/v1.9.0...v1.9.1
995
996### Ambassador Edge Stack only
997
998- Bugfix: DevPortal: fix a crash when the `host` cannot be parsed as a valid hostname.
999
1000## [1.9.0] November 12, 2020
1001[1.9.0]: https://github.com/datawire/ambassador/compare/v1.8.1...v1.9.0
1002
1003### Ambasssador API Gateway + Ambassador Edge Stack
1004
1005- Feature: Support configuring the gRPC Statistics Envoy filter to enable telemetry of gRPC calls (see the `grpc_stats` configuration flag -- thanks, [Felipe Roveran](https://github.com/feliperoveran)!)
1006- Feature: The `RateLimitService` and `AuthService` configs now support switching between gRPC protocol versions `v2` and `v2alpha` (see the `protocol_version` setting)
1007- Feature: The `TracingService` Zipkin config now supports setting `collector_hostname` to tell Envoy which host header to set when sending spans to the collector
1008- Feature: Ambassador now supports custom error response mapping
1009- Bugfix: Ambassador will no longer mistakenly post notices regarding `regex_rewrite` and `rewrite` directive conflicts in `Mapping`s due to the latter's implicit default value of `/` (thanks, [obataku](https://github.com/obataku)!)
1010- Bugfix: The `/metrics` endpoint will no longer break if invoked before configuration is complete (thanks, [Markus Jevring](https://github.com/markusjevringsesame)!)
1011- Bugfix: Update Python requirements to address CVE-2020-25659
1012- Bugfix: Prevent mixing `Mapping`s with `host_redirect` set with `Mapping`s that don't in the same group
1013- Bugfix: `ConsulResolver` will now fallback to the `Address` of a Consul service if `Service.Address` is not set.
1014- Docs: Added instructions for building ambassador from source, within a docker container (thanks, [Rahul Kumar Saini](https://github.com/rahul-kumar-saini)!)
1015- Update: Upgrade Alpine 3.10→3.12, GNU libc 2.30→2.32, and Python 3.7→3.8
1016- Update: Knative serving tests were bumped from version 0.11.0 to version 0.18.0 (thanks, [Noah Fontes](https://github.com/impl)!)
1017
1018### Ambassador Edge Stack only
1019
1020- Change: The DevPortal no longer looks for documentation at `/.ambassador-internal/openapi-docs`. A new field in `Mappings`, `docs`, must be used for specifying the source for documentation. This can result in an empty Dev Portal after upgrading if `Mappings` do not include a `docs` attribute.
1021- Feature: How the `OAuth2` Filter authenticates itself to the identity provider is now configurable with the `clientAuthentication` setting.
1022- Feature: The `OAuth2` Filter can now use RFC 7523 JWT assertions to authenticate itself to the identity provider; this is usable with all grant types.
1023- Feature: When validating a JWT's scope, the `JWT` and `OAuth2` Filters now support not just RFC 8693 behavior, but also the behavior of various drafts leading to it, making JWT scope validation usable with more identity providers.
1024- Feature: The `OAuth2` Filter now has `inheritScopeArgument` and `stripInheritedScope` settings that can further customize the behavior of `accessTokenJWTFilter`.
1025- Feature: DevPortal: default configuration using the `ambassador` `DevPortal` resource.
1026- Change: The `OAuth2` Filter argument `scopes` has been renamed to `scope`, for consistency. The name `scopes` is deprecated, but will continue to work for backward compatibility.
1027- Bugfix: `OAuth2` Filter: Don't have `accessTokenValidation: auto` fall back to "userinfo" validation for a client_credentials grant; it doesn't make sense there and only serves to obscure a more useful error message.
1028
1029## [1.8.1] October 16, 2020
1030[1.8.1]: https://github.com/datawire/ambassador/compare/v1.8.0...v1.8.1
1031
1032### Ambasssador API Gateway + Ambassador Edge Stack
1033
1034- Bugfix: Ambassador no longer fails to configure Envoy listeners when a TracingService or LogService has a service name whose underlying cluster name has over 40 charcters.
1035- Bugfix: The Ambassador diagnostics page no longer returns HTTP 500 when a TracingService or LogService has a service name whose underlying cluster name has over 40 characters.
1036
1037## [1.8.0] October 08, 2020
1038[1.8.0]: https://github.com/datawire/ambassador/compare/v1.7.4...v1.8.0
1039
1040### Ambasssador API Gateway + Ambassador Edge Stack
1041
1042- Feature: HTTP IP Allow/Deny ranges are supported.
1043- Bugfix: Ambassador's health checks don't claim that Envoy has failed when reconfiguration taking a long time (thanks, [Fabrice](https://github.com/jfrabaute), for contributions here!).
1044- Bugfix: The `edgectl connect` command now works properly when using zsh on a Linux platform.
1045- Bugfix: The container no longer exits "successfully" when the Deployment specifies an invalid `command`.
1046
1047### Ambassador Edge Stack only
1048
1049- Feature: `RateLimit` CRDs now support setting a response body, configurable with the `errorResponse` setting.
1050- Bugfix: `External` `Filter` can now properly proxy the body to the configured `auth_service`
1051- Bugfix: The RBAC for AES now grants permission to "patch" `Events.v1.core` (previously it granted "create" but not "patch")
1052
1053## [1.7.4] October 06, 2020
1054[1.7.4]: https://github.com/datawire/ambassador/compare/v1.7.3...v1.7.4
1055
1056### Ambasssador API Gateway + Ambassador Edge Stack
1057
1058- Bugfix: Several regressions in the 1.7.x series are resolved by removing the ability to set `insecure.action` on a per-`Host`-resource basis, which was an ability added in 1.7.0. This reverts to the pre-1.7.0 behavior of having one `Host`'s insecure action "win" and be used for all `Host`s.
1059- Bugfix: Ambassador will no longer generate invalid Envoy configuration with duplicate clusters in certain scenarios when `AMBASSADOR_FAST_RECONFIGURE=true`.
1060- Enhancement: When `AMBASSADOR_FAST_RECONFIGURE=true` is set, Ambassador now logs information about memory usage.
1061
1062## [1.7.3] September 29, 2020
1063[1.7.3]: https://github.com/datawire/ambassador/compare/v1.7.2...v1.7.3
1064
1065### Ambasssador API Gateway + Ambassador Edge Stack
1066
1067- Incorporate the Envoy 1.15.1 security update.
1068- Bugfix: A regression introduced in 1.7.2 when `AMBASSADOR_FAST_RECONFIGURE=true` has been fixed where Host resources `tls.ca_secret` didn't work correctly.
1069- Bugfix: `TLSContext` resources and `spec.tls` in `Host` resources now correctly handle namespaces with `.` in them.
1070- Bugfix: Fix `spec.requestPolicy.insecure.action` for `Host` resources with a `*` wildcard in the hostname.
1071- Bugfix: Reduce lock contention while generating diagnostics.
1072
1073## [1.7.2] September 16, 2020
1074[1.7.2]: https://github.com/datawire/ambassador/compare/v1.7.1...v1.7.2
1075
1076### Ambasssador API Gateway + Ambassador Edge Stack
1077
1078- Bugfix: A regression introduced in 1.7.0 with the various `Host` resource `spec.requestPolicy.insecure.action` behaviors, including handling of X-Forwarded-Proto, has been fixed.
1079- Bugfix: Host resources no longer perform secret namespacing when the `AMBASSADOR_FAST_RECONFIGURE` flag is enabled.
1080
1081## [1.7.1] September 08, 2020
1082[1.7.1]: https://github.com/datawire/ambassador/compare/v1.7.0...v1.7.1
1083
1084### Ambasssador API Gateway + Ambassador Edge Stack
1085
1086- Bugfix: Support `envoy_validation_timeout` in the Ambassador Module to set the timeout for validating new Envoy configurations
1087
1088### Ambassador Edge Stack only
1089
1090- Bugfix: `consul_connect_integration` is now built correctly.
1091- Bugfix: The developer portal again supports requests for API documentation
1092
1093## [1.7.0] August 27, 2020
1094[1.7.0]: https://github.com/datawire/ambassador/compare/v1.6.2...v1.7.0
1095
1096### Ambassador API Gateway + Ambassador Edge Stack
1097
1098- Feature: Upgrade from Envoy 1.14.4 to 1.15.0.
1099- Bugfix: Correctly handle a `Host` object with incompatible manually-specified `TLSContext`
1100- Feature: The Ambassador control-plane now publishes Prometheus metrics alongside the existing Envoy data-plane metrics under the `/metrics` endpoint on port 8877.
1101- Default-off early access: Experimental changes to allow Ambassador to more quickly process configuration changes (especially with larger configurations) have been added. The `AMBASSADOR_FAST_RECONFIGURE` env var must be set to enable this. `AMBASSADOR_FAST_VALIDATION` should also be set for maximum benefit.
1102- Bugfix: Fixed insecure route action behavior. Host security policies no longer affect other Hosts.
1103
1104### Ambassador API Gateway only
1105
1106- Bugfix: Fixes regression in 1.5.1 that caused it to not correctly know its own version number, leading to notifications about an available upgrade despite being on the most recent version.
1107
1108### Ambassador Edge Stack only
1109
1110- Feature: DevPortal can now discover openapi documentation from `Mapping`s that set `host` and `headers`
1111- Feature: `edgectl install` will automatically enable Service Preview with a Preview URL on the Host resource it creates.
1112- Feature: Service Preview will inject an `x-service-preview-path` header in filtered requests with the original request prefix to allow for context propagation.
1113- Feature: Service Preview can intercept gRPC requests using the `--grpc` flag on the `edgectl intercept add` command and the `getambassador.io/inject-traffic-agent-grpc: "true"` annotation when using automatic Traffic-Agent injection.
1114- Feature: The `TracingService` Zipkin config now supports setting `collector_endpoint_version` to tell Envoy to use Zipkin v2.
1115- Feature: You can now inject request and/or response headers from a `RateLimit`.
1116- Bugfix: Don't crash during startup if Redis is down.
1117- Bugfix: Service Preview correctly uses the Host default `Path` value for the `spec.previewUrl.type` field.
1118- Bugfix: The `JWT`, `OAuth2`, and other Filters are now better about reusing connections for outgoing HTTP requests.
1119- Bugfix: Fixed a potential deadlock in the HTTP cache used for fetching JWKS and such for `Filters`.
1120- Bugfix: Internal Ambassador data is no longer exposed to the `/.ambassador-internal/` endpoints used by the DevPortal.
1121- Bugfix: Problems with license key limits will no longer trigger spurious HTTP 429 errors. Using the `RateLimit` resource beyond 5rps without any form of license key will still trigger 429 responses, but now with a `X-Ambassador-Message` header indicating that's what happned.
1122- Bugfix: When multiple `RateLimit`s overlap, it is supposed to enforce the strictest limit; but the strictness comparison didn't correctly handle comparing limits with different units.
1123- Change: The Redis settings have been adjusted to default to the pre-1.6.0 behavior, and have been adjusted to be easier to understand.
1124- Feature: `consul_connect_integration` is now part of the AES image.
1125- Bugfix: `consul_connect_integration` now correctly handles certificates from Hashicorp Vault.
1126
1127## [1.6.2] July 30, 2020
1128[1.6.2]: https://github.com/datawire/ambassador/compare/v1.6.1...v1.6.2
1129
1130### Ambassador API Gateway + Ambassador Edge Stack
1131
1132- Bugfix: The (new in 1.6.0) `Host.spec.tls` and `Host.spec.tlsContext` fields now work when `AMBASSADOR_FAST_VALIDATION=fast` is not set.
1133- Bugfix: Setting `use_websocket: true` on a `Mapping` now only affects routes generated from that `Mapping`, instead of affecting all routes on that port.
1134- Feature: It is now possible to "upgrade" to non-HTTP protocols other than WebSocket; the new `allow_upgrade` is a generalization of `use_websocket`.
1135
1136### Ambassador Edge Stack only
1137
1138- Bugfix: The `Host.spec.requestPolicy.insecure.additionalPort` field works again.
1139- Bugfix: The `Host.spec.ambassadorId` is once again handled in addition to `.ambassador_id`; allowing hosts written by older versions AES prior to 1.6.0 to continue working.
1140- Bugfix: Fix a redirect loop that could occur when using using multiple `protectedOrigins` in a `Host`.
1141
1142## [1.6.1] July 23, 2020
1143[1.6.1]: https://github.com/datawire/ambassador/compare/v1.6.0...v1.6.1
1144
1145### Ambassador API Gateway + Ambassador Edge Stack
1146
1147- Bugfix: Mapping with `https` scheme for service are correctly parsed.
1148- Bugfix: Mapping with both a scheme and a hostname of `localhost` is now handled correctly.
1149- Bugfix: ConsulResolver now works again for Mappings outside of Ambassador's namespace.
1150
1151## [1.6.0] July 21, 2020
1152[1.6.0]: https://github.com/datawire/ambassador/compare/v1.5.5...v1.6.0
1153
1154### Ambassador API Gateway + Ambassador Edge Stack
1155
1156- Incorporate the Envoy 1.14.4 security update.
1157- API CHANGE: Turning off the Diagnostics UI via the Ambassador Module now disables access to the UI from both inside and outside the Ambassador Pod.
1158- API CHANGE: Default changes updating `Mapping` status from default-on to default-off; see below.
1159- Feature: Add support for circuit breakers in TCP mapping (thanks, [Pierre Fersing](https://github.com/PierreF)!)
1160- Feature: Ambassador CRDs now include schema. This enables validation by `kubectl apply`.
1161- Feature: Advanced TLS configuration can be specified in `Host` resource via `tlsContext` and `tls` fields.
1162- Feature: Implement sampling percentage in tracing service.
1163- Performance improvement: Diagnostics are generated on demand rather than on every reconfig.
1164- Performance improvement: Experimental fast validation of the contents of Ambassador resources has been added. The `AMBASSADOR_FAST_VALIDATION` env var must be set to enable this.
1165- Internal: Configuration endpoints used internally by Ambassador are no longer accessible from outside the Ambassador Pod.
1166- Bugfix: `envoy_log_format` can now be set with `envoy_log_type: json`.
1167- Docs: Fixed OAuth2 documentation spelling errors (thanks, [Travis Byrum](https://github.com/travisbyrum)!)
1168
1169As previously announced, the default value of `AMBASSADOR_UPDATE_MAPPING_STATUS`
1170has now changed from `true` to `false`; Ambassador will no longer attempt to
1171update the `Status` of a `Mapping` unless you explicitly set
1172`AMBASSADOR_UPDATE_MAPPING_STATUS=true` in the environment. If you do not have
1173tooling that relies on `Mapping` status updates, we do not recommend setting
1174`AMBASSADOR_UPDATE_MAPPING_STATUS`.
1175
1176**In Ambassador 1.7**, TLS secrets in `Ingress` resources will not be able to use
1177`.namespace` suffixes to cross namespaces.
1178
1179### Ambassador Edge Stack only
1180
1181- Feature: The Edge Policy Console's Debugging page now has a "Log Out" button to terminate all EPC sessions.
1182- Feature: `X-Content-Type-Options: nosniff` to response headers are now set for the Edge Policy Console, to prevent MIME confusion attacks.
1183- Feature: The `OAuth2` Filter now has a `allowMalformedAccessToken` setting to enable use with IDPs that generate access tokens that are not compliant with RFC 6750.
1184- Bugfix: All JWT Filter errors are now formatted per the specified `errorResponse`.
1185- Feature: Options for making Redis connection pooling configurable.
1186- Bugfix: User is now directed to the correct URL after clicking in Microsoft Office.
1187- Feature: The Console's Dashboard page has speedometer gauges to visualize Rate Limited and Authenticated traffic.
1188
1189## [1.5.5] June 30, 2020
1190[1.5.5]: https://github.com/datawire/ambassador/compare/v1.5.4...v1.5.5
1191
1192### Ambassador API Gateway + Ambassador Edge Stack
1193
1194- Incorporate the Envoy 1.14.3 security update.
1195
1196## [1.5.4] June 23, 2020
1197[1.5.4]: https://github.com/datawire/ambassador/compare/v1.5.3...v1.5.4
1198
1199### Ambassador API Gateway + Ambassador Edge Stack
1200
1201- Bugfix: Allow disabling `Mapping`-status updates (RECOMMENDED: see below)
1202- Bugfix: Logging has been made _much_ quieter; the default Envoy log level has been turned down from "warning" to "error"
1203- Ambassador now logs timing information about reconfigures
1204
1205We recommend that users set `AMBASSADOR_UPDATE_MAPPING_STATUS=false`
1206in the environment to tell Ambassador not to update `Mapping` statuses
1207unless you have some script that relies on `Mapping` status updates.
1208The default value of `AMBASSADOR_UPDATE_MAPPING_STATUS` will change to
1209`false` in Ambassador 1.6.
1210
1211## [1.5.3] June 16, 2020
1212[1.5.3]: https://github.com/datawire/ambassador/compare/v1.5.2...v1.5.3
1213
1214### Ambassador API Gateway + Ambassador Edge Stack
1215
1216- Bugfix: Restore Envoy listener drain time to its pre-Ambassador 1.3.0 default of 10 minutes.
1217- Bugfix: Read Knative ingress generation from the correct place in the Kubernetes object
1218
1219### Ambassador Edge Stack only
1220
1221- Bugfix: Allow deletion of ProjectControllers.
1222- Bugfix: Fix regression introduced in 1.4.2 where the `OAuth2` AuthorizationCode filter no longer works when behind another gateway that rewrites the request hostname. The behavior here is now controllable via the `internalOrigin` sub-field.
1223
1224## [1.5.2] June 10, 2020
1225[1.5.2]: https://github.com/datawire/ambassador/compare/v1.5.1...v1.5.2
1226
1227### Ambassador API Gateway + Ambassador Edge Stack
1228
1229- Incorporate the [Envoy 1.14.2](https://www.envoyproxy.io/docs/envoy/v1.14.2/intro/version_history#june-8-2020) security update.
1230- Upgrade the base Docker images used by several tests (thanks, [Daniel Sutton](https://github.com/ducksecops)!).
1231
1232### Ambassador Edge Stack only
1233
1234- Feature (BETA): Added an in-cluster micro CI/CD system to enable building, staging, and publishing of GitHub projects from source. This has been included in previous versions as an alpha, but disabled by default. It is now in BETA.
1235- Bugfix: The `DEVPORTAL_CONTENT_URL` environment variable now properly handles `file:///` URLs to refer to volume-mounted content.
1236- Bugfix: `acmeProvider.authority: none` is no longer case sensitive
1237- Bugfix: `edgectl connect` works again on Ubuntu and other Linux setups with old versions of nss-mdns (older than version 0.11)
1238- Bugfix: `edgectl` works again on Windows
1239- Bugfix: The Edge Policy Console now correctly creates FilterPolicy resources
1240
1241## [1.5.1] June 05, 2020
1242[1.5.1]: https://github.com/datawire/ambassador/compare/v1.5.0...v1.5.1
1243
1244### Ambassador API Gateway + Ambassador Edge Stack
1245
1246- Bugfix: Logging has been made _much_ quieter
1247- Bugfix: A service that somehow has no hostname should no longer cause an exception
1248
1249## [1.5.0] May 28, 2020
1250[1.5.0]: https://github.com/datawire/ambassador/compare/v1.4.3...v1.5.0
1251
1252### Ambassador API Gateway + Ambassador Edge Stack
1253
1254- Change: Switched from quay.io back to DockerHub as our primary publication point. **If you are using your own Kubernetes manifests, you will have to update them!** Datawire's Helm charts and published YAML have already been updated.
1255- Feature: switch to Envoy 1.14.1
1256- Feature: Allow defaults for `add_request_header`, `remove_request_header`, `add_response_header`, and `remove_response_header`
1257- Feature: Inform Knative of the route to the Ambassador service if available (thanks, [Noah Fontes](https://github.com/impl)!)
1258- Feature: Support the path and timeout options of the Knative ingress path rules (thanks, [Noah Fontes](https://github.com/impl)!)
1259- Feature: Allow preserving `X-Request-ID` on requests from external clients (thanks, [Prakhar Joshi](https://github.com/prakharjoshi)!)
1260- Feature: Mappings now support query parameters (thanks, [Phil Peble](https://github.com/ppeble)!)
1261- Feature: Allow setting the Envoy shared-memory base ID (thanks, [Phil Peble](https://github.com/ppeble)!)
1262- Feature: Additional security configurations not set on default YAMLs
1263- Feature: Let Ambassador configure `regex_rewrite` for advanced forwarding
1264- Bugfix: Only update Knative ingress CRDs when the generation changes (thanks, [Noah Fontes](https://github.com/impl)!)
1265- Bugfix: Now behaves properly when `AMBASSADOR_SINGLE_NAMESPACE` is set to an empty string; rather than getting in to a weird in-between state
1266- Bugfix: The websocket library used by the test suite has been upgraded to incorporate security fixes (thanks, [Andrew Allbright](https://github.com/aallbrig)!)
1267- Bugfix: Fixed evaluation of label selectors causing the wrong IP to be put in to Ingress resource statuses
1268- Bugfix: The `watt` (port 8002) and `ambex` (port 8003) components now bind to localhost instead of 0.0.0.0, so they are no longer erroneously available from outside the Pod
1269
1270### Ambassador Edge Stack only
1271
1272- Feature: `edgectl upgrade` allows upgrading API Gateway installations to AES
1273- Feature: `edgectl intercept` can generate preview-urls for Host resources that enabled the feature
1274- Feature: `edgectl install` will now automatically install the Service Preview components (ambassador-injector, telepresence-proxy) and scoped RBAC
1275- Feature: Rate-limited 429 responses now include the `Retry-After` header
1276- Feature: The `JWT` Filter now makes `hasKey` and `doNotSet` functions available to header field templates; in order to facilitate only conditionally setting a header field.
1277- Feature: The `OAuth2` Filter now has an `expirationSafetyMargin` setting that will cause an access token to be treated as expired sooner, in order to have a safety margin of time to send it to the upstream Resource Server that grants insufficient leeway.
1278- Feature: The `JWT` Filter now has `leewayFor{ExpiresAt,IssuedAt,NotBefore}` settings for configuring leeway when validating the timestamps of a token.
1279- Feature: The environment variables `REDIS{,_PERSECOND}_{USERNAME,PASSWORD,TLS_ENABLED,TLS_INSECURE}` may now be used to further configure how the Ambassador Edge Stack communicates with Redis.
1280- Bugfix: Don't start the dev portal running if `POLL_EVERY_SECS` is 0
1281- Bugfix: Now no longer needs cluster-wide RBAC when running with `AMBASSADOR_SINGLE_NAMESPACE`.
1282- Bugfix: The `OAuth2` Filter now validates the reported-to-Client scope of an Access Token even if a separate `accessTokenJWTFilter` is configured.
1283- Bugfix: The `OAuth2` Filter now sends the user back to the identity provider to upgrade the scope if they request an endpoint that requires broader scope than initially requested; instead of erroring.
1284- Bugfix: The `OAuth2` Filter will no longer send RFC 7235 challenges back to the user agent if it would not accept RFC 7235 credentials (previously it only avoided sending HTTP 401 challenges, but still sent 400 or 403 challenges).
1285- Bugfix: The `amb-sidecar` (port 8500) component now binds to localhost instead of 0.0.0.0, so it is no longer erroneously available from outside the Pod
1286
1287## [1.4.3] May 14, 2020
1288[1.4.3]: https://github.com/datawire/ambassador/compare/v1.4.2...v1.4.3
1289
1290### Ambassador Edge Stack only
1291
1292- Bugfix: Don't generate spurious 403s in the logs when using the Edge Policy Console.
1293
1294## [1.4.2] April 22, 2020
1295[1.4.2]: https://github.com/datawire/ambassador/compare/v1.4.1...v1.4.2
1296
1297### Ambassador Edge Stack only
1298
1299- Bugfix: The Traffic Agent binds to port 9900 by default. That port can be configured in the Agent's Pod spec.
1300 - For more about using the Traffic Agent, see the [Service Preview documentation](https://www.getambassador.io/docs/edge-stack/latest/topics/using/edgectl/#configuring-service-preview).
1301- Bugfix: The `OAuth2` Filter redirection-endpoint now handles various XSRF errors more consistently (the way we meant it to in 1.2.1)
1302- Bugfix: The `OAuth2` Filter now supports multiple authentication domains that share the same credentials.
1303 - For more about using multiple domains, see the [OAuth2 `Filter` documentation](https://www.getambassador.io/docs/edge-stack/1.4/topics/using/filters/oauth2/).
1304- Bugfix: The ACME client now obeys `AMBASSADOR_ID`
1305- Feature (ALPHA): Added an in-cluster micro CI/CD system to enable building, staging, and publishing of GitHub projects from source. This is disabled by default.
1306
1307## [1.4.1] April 15, 2020
1308[1.4.1]: https://github.com/datawire/ambassador/compare/v1.4.0...v1.4.1
1309
1310### Ambassador Edge Stack only
1311
1312- Internal: `edgectl install` uses Helm under the hood
1313
1314## [1.4.0] April 08, 2020
1315[1.4.0]: https://github.com/datawire/ambassador/compare/v1.3.2...v1.4.0
1316
1317### Ambassador API Gateway + Ambassador Edge Stack
1318
1319- Feature: Support Ingress Path types improvements from networking.k8s.io/v1beta1 on Kubernetes 1.18+
1320- Feature: Support Ingress hostname wildcards
1321- Feature: Support for the IngressClass Resource, added to networking.k8s.io/v1beta1 on Kubernetes 1.18+
1322 - For more about new Ingress support, see the [Ingress Controller documentation](https://getambassador.io/docs/edge-stack/1.4/topics/running/ingress-controller).
1323- Feature: `Mapping`s support the `cluster_tag` attribute to control the name of the generated Envoy cluster (thanks, [Stefan Sedich](https://github.com/stefansedich)!)
1324 - See the [Advanced Mapping Configuration documentation](https://getambassador.io/docs/edge-stack/1.4/topics/using/mappings) for more.
1325- Feature: Support Envoy's ability to force response headers to canonical HTTP case (thanks, [Puneet Loya](https://github.com/puneetloya)!)
1326 - See the [Ambassador Module documentation](https://getambassador.io/docs/edge-stack/1.4/topics/running/ambassador) for more.
1327- Bugfix: Correctly ignore Kubernetes services with no metadata (thanks, [Fabrice](https://github.com/jfrabaute)!)
1328
1329### Ambassador Edge Stack only
1330
1331- Feature: `edgectl install` output has clearer formatting
1332- Feature: `edgectl install` offers help when installation does not succeed
1333- Feature: `edgectl install` uploads installer and AES logs to a private area upon failure so Datawire support can help
1334- Bugfix: The "Filters" tab in the webui no longer renders the value of OAuth client secrets that are stored in Kubernetes secrets.
1335- Bugfix: The ACME client of of one Ambassador install will no longer interfere with the ACME client of another Ambassador install in the same namespace with a different AMBASSADOR_ID.
1336- Bugfix: `edgectl intercept` supports matching headers values against regular expressions once more
1337- Bugfix: `edgectl install` correctly handles more local and cluster environments
1338 - For more about `edgectl` improvements, see the [Service Preview and Edge Control documentation](https://getambassador.io/docs/edge-stack/1.4/topics/using/edgectl).
1339
1340## [1.3.2] April 01, 2020
1341[1.3.2]: https://github.com/datawire/ambassador/compare/v1.3.1...v1.3.2
1342
1343### Ambassador Edge Stack only
1344
1345- Bugfix: `edgectl install` correctly installs on Amazon EKS and other clusters that provide load balancers with fixed DNS names
1346- Bugfix: `edgectl install` when using Helm once again works as documented
1347- Bugfix: `edgectl install` console logs are improved and neatened
1348- Bugfix: `edgectl install --verbose` output is improved
1349- Bugfix: `edgectl install` automatically opens documentation pages for some errors
1350- Bugfix: `edgectl install` help text is improved
1351
1352## [1.3.1] March 24, 2020
1353[1.3.1]: https://github.com/datawire/ambassador/compare/v1.3.0...v1.3.1
1354
1355### Ambassador Edge Stack only
1356
1357- Bugfix: `edgectl install` will not install on top of a running Ambassador
1358- Bugfix: `edgectl install` can detect and report if `kubectl` is missing
1359- Bugfix: `edgectl install` can detect and report if it cannot talk to a Kubernetes cluster
1360- Bugfix: When using the `Authorization Code` grant type for `OAuth2`, expired tokens are correctly handled so that the user will be prompted to renew
1361- Bugfix: When using the `Password` grant type for `OAuth2`, authentication sessions are properly associated with each user
1362- Bugfix: When using the `Password` grant type for `OAuth2`, you can set up multiple `Filter`s to allow requesting different scopes for different endpoints
1363
1364## [1.3.0] March 17, 2020
1365[1.3.0]: https://github.com/datawire/ambassador/compare/v1.2.2...v1.3.0
1366
1367### Ambassador Edge Stack only
1368
1369- Feature: Support username and password as headers for OAuth2 authentication (`grantType: Password`)
1370- Feature: `edgectl install` provides better feedback for clusters that are unreachable from the public Internet
1371- Feature: `edgectl install` supports KIND clusters (thanks, [@factorypreset](https://github.com/factorypreset)!)
1372- Feature: `edgectl intercept` supports HTTPS
1373- Feature: Ambassador Edge Stack Docker image is ~150MB smaller
1374- Feature: The Edge Policy Console can be fully disabled with the `diagnostics.enabled` element in the `ambassador` Module
1375- Feature: `aes-plugin-runner` now allows passing in `docker run` flags after the main argument list.
1376- Bugfix: Ambassador Edge Stack doesn't crash if the Developer Portal content URL is not accessible
1377- Bugfix: `edgectl connect` does a better job handling clusters with many services
1378- Bugfix: The `Plugin` Filter now correctly sets `request.TLS` to nil/non-nil based on if the original request was encrypted or not.
1379- Change: There is no longer a separate traffic-proxy image; that functionality is now part of the main AES image. Set `command: ["traffic-manager"]` to use it.
1380
1381## [1.2.2] March 04, 2020
1382[1.2.2]: https://github.com/datawire/ambassador/compare/v1.2.1...v1.2.2
1383
1384### Ambassador Edge Stack only
1385
1386- Internal: Fix an error in Edge Stack update checks
1387
1388## [1.2.1] March 03, 2020
1389[1.2.1]: https://github.com/datawire/ambassador/compare/v1.2.0...v1.2.1
1390
1391Edge Stack users SHOULD NOT use this release, and should instead use 1.2.2.
1392
1393### Ambassador API Gateway + Ambassador Edge Stack
1394
1395- Bugfix: re-support PROXY protocol when terminating TLS ([#2348])
1396- Bugfix: Incorporate the Envoy 1.12.3 security update
1397
1398### Ambassador Edge Stack only
1399
1400- Bugfix: The `aes-plugin-runner` binary for GNU/Linux is now statically linked (instead of being linked against musl libc), so it should now work on either musl libc or GNU libc systems
1401- Feature (ALPHA): An `aes-plugin-runner` binary for Windows is now produced. (It is un-tested as of yet.)
1402- Bugfix: The `OAuth2` Filter redirection-endpoint now handles various XSRF errors more consistently
1403- Change: The `OAuth2` Filter redirection-endpoint now handles XSRF errors by redirecting back to the identity provider
1404
1405[#2348]: https://github.com/datawire/ambassador/issues/2348
1406
1407## [1.2.0] February 24, 2020
1408[1.2.0]: https://github.com/datawire/ambassador/compare/v1.1.1...v1.2.0
1409
1410### Ambassador API Gateway + Ambassador Edge Stack
1411
1412- Feature: add idle_timeout_ms support for common HTTP listener (thanks, Jordan Neufeld!) ([#2155])
1413- Feature: allow override of bind addresses, including for IPv6! (thanks to [Josue Diaz](https://github.com/josuesdiaz)!) ([#2293])
1414- Bugfix: Support Istio mTLS secrets natively (thanks, [Phil Peble](https://github.com/ppeble)!) ([#1475])
1415- Bugfix: TLS custom secret with period in name doesn't work (thanks, [Phil Peble](https://github.com/ppeble)!) ([#1255])
1416- Bugfix: Honor ingress.class when running with Knative
1417- Internal: Fix CRD-versioning issue in CI tests (thanks, [Ricky Taylor](https://github.com/ricky26)!)
1418- Bugfix: Stop using deprecated Envoy configuration elements
1419- Bugfix: Resume building a debuggable Envoy binary
1420
1421### Ambassador Edge Stack only
1422
1423- Change: The `ambassador` service now uses the default `externalTrafficPolicy` of `Cluster` rather than explicitly setting it to `Local`. This is a safer setting for GKE where the `Local` policy can cause outages when ambassador is updated. See https://stackoverflow.com/questions/60121956/are-hitless-rolling-updates-possible-on-gke-with-externaltrafficpolicy-local for details.
1424- Feature: `edgectl install` provides a much cleaner, quicker experience when installing Ambassador Edge Stack
1425- Feature: Ambassador Edge Stack supports the Ambassador operator for automated management and upgrade
1426- Feature: `ifRequestHeader` can now have `valueRegex` instead of `value`
1427- Feature: The `OAuth2` Filter now has `useSessionCookies` option to have cookies expire when the browser closes, rather than at a fixed duration
1428- Feature: `ifRequestHeader` now has `negate: bool` to invert the match
1429- Bugfix: The RBAC for `Ingress` now supports the `networking.k8s.io` `apiGroup`
1430- Bugfix: Quiet Dev Portal debug logs
1431- Bugfix: The Edge Policy Console is much less chatty when logged out
1432- Change: The intercept agent is now incorporated into the `aes` image
1433- Change: The `OAuth2` Filter no longer sets cookies when `insteadOfRedirect` triggers
1434- Change: The `OAuth2` Filter more frequently adjusts the cookies
1435
1436[#1475]: https://github.com/datawire/ambassador/issues/1475
1437[#1255]: https://github.com/datawire/ambassador/issues/1255
1438[#2155]: https://github.com/datawire/ambassador/issues/2155
1439[#2293]: https://github.com/datawire/ambassador/issues/2293
1440
1441## [1.1.1] February 12, 2020
1442[1.1.1]: https://github.com/datawire/ambassador/compare/v1.1.0...v1.1.1
1443
1444### Ambassador API Gateway + Ambassador Edge Stack
1445
1446- Bugfix: Load explicitly referenced secrets in another namespace, even when `AMBASSADOR_SINGLE_NAMESPACE` (thanks, [Thibault Cohen](https://github.com/titilambert)!) ([#2202])
1447- Bugfix: Fix Host support for choosing cleartext or TLS ([#2279])
1448- Bugfix: Fix intermittent error when rendering `/ambassador/v0/diag/`
1449- Internal: Various CLI tooling improvements
1450
1451[#2202]: https://github.com/datawire/ambassador/issues/2202
1452[#2279]: https://github.com/datawire/ambassador/pull/2279
1453
1454### Ambassador Edge Stack only
1455
1456- Feature: The Policy Console can now set the log level to "trace" (in addition to "info" or "debug")
1457- Bugfix: Don't have the Policy Console poll for snapshots when logged out
1458- Bugfix: Do a better job of noticing when the license key changes
1459- Bugfix: `aes-plugin-runner --version` now works properly
1460- Bugfix: Only serve the custom CONGRATULATIONS! 404 page on `/`
1461- Change: The `OAuth2` Filter `stateTTL` setting is now ignored; the lifetime of state-tokens is now managed automatically
1462
1463## [1.1.0] January 28, 2020
1464[1.1.0]: https://github.com/datawire/ambassador/compare/v1.0.0...v1.1.0
1465
1466(Note that Ambassador 1.1.0 is identical to Ambassador 1.1.0-rc.0, from January 24, 2020.
1467 Also, we're now using "-rc.N" rather than just "-rcN", for better compliance with
1468 [SemVer](https://www.semver.org/).
1469
1470### Ambassador API Gateway + Ambassador Edge Stack
1471
1472- Feature: support resources with the same name but in different namespaces ([#2226], [#2198])
1473- Feature: support DNS overrides in `edgectl`
1474- Bugfix: Reduce log noise about "kubestatus" updates
1475- Bugfix: manage the diagnostics snapshot cache more aggressively to reduce memory footprint
1476- Bugfix: re-enable Docker demo mode (and improve the test to make sure we don't break it again!) ([#2227])
1477- Bugfix: correct potential issue with building edgectl on Windows
1478- Internal: fix an error with an undefined Python type in the TLS test (thanks, [Christian Clauss](https://github.com/cclauss)!)
1479
1480### Ambassador Edge Stack only
1481
1482- Feature: make the `External` filter type fully compatible with the `AuthService` type
1483- Docs: add instructions for what to do after downloading `edgectl`
1484- Bugfix: make it much faster to apply the Edge Stack License
1485- Bugfix: make sure the ACME terms-of-service link is always shown
1486- Bugfix: make the Edge Policy Console more performant
1487
1488[#2198]: https://github.com/datawire/ambassador/issues/2198
1489[#2226]: https://github.com/datawire/ambassador/issues/2226
1490[#2227]: https://github.com/datawire/ambassador/issues/2227
1491
1492## [1.0.0] January 15, 2020
1493[1.0.0]: https://github.com/datawire/ambassador/compare/v0.86.1...v1.0.0
1494
1495### Caution!
1496
1497All of Ambassador's CRDs have been switched to `apiVersion: getambassador.io/v2`, and
1498**your resources will be upgraded when you apply the new CRDs**. We recommend that you
1499follow the [migration instructions](https://getambassador.io/early-access/user-guide/upgrade-to-edge-stack/) and check your installation's
1500behavior before upgrading your CRDs.
1501
1502## Ambassador API Gateway + Ambassador Edge Stack
1503
1504### Breaking changes
1505
1506- When a resource specifies a service or secret name without a corresponding namespace, Ambassador will now
1507 look for the service or secret in the namespace of the resource that mentioned it. In the past, Ambassador
1508 would look in the namespace in which Ambassador was running.
1509
1510### Features
1511
1512- The Host CR provides an easy way to tell Ambassador about domains it should expect to handle, and
1513 how it should handle secure and insecure requests for those domains
1514- Redirection from HTTP to HTTPS defaults to ON when termination contexts are present
1515- Mapping and Host CRs, as well as Ingress resources, get Status updates to provide better feedback
1516- Improve performance of processing events from Kubernetes
1517- Automatic HTTPS should work with any ACME clients doing the http-01 challenge
1518
1519### Bugfixes
1520
1521- CORS now happens before rate limiting
1522- The reconfiguration engine is better protected from exceptions
1523- Don’t try to check for upgrades on every UI snapshot update
1524- Reduced reconfiguration churn
1525- Don't force SNI routes to be lower-priority than non-SNI routes
1526- Knative mappings fallback to the Ambassador namespace if no namespace is specified
1527- Fix `ambassador_id` handling for Knative resources
1528- Treat `ambassadorId` as a synonym for `ambassador_id` (`ambassadorId` is the Protobuf 3 canonical form of `ambassador_id`)
1529
1530### Ambassador Edge Stack
1531
1532Ambassador Edge Stack incorporates the functionality of the old Ambassador Pro product.
1533
1534- Authentication and ratelimiting are now available under a free community license
1535- Given a Host CR, Ambassador can manage TLS certificates using ACME (or you can manage them by hand)
1536- There is now an `edgectl` program that you can use for interacting with Ambassador from the command line
1537- There is a web user-interface for Ambassador
1538- BREAKING CHANGE: `APP_LOG_LEVEL` is now `AES_LOG_LEVEL`
1539
1540See the [`CHANGELOG.old-pro.md`](./CHANGELOG.old-pro.md) file for the changelog of
1541the old Ambassador Pro product.
1542
1543## [1.0.0-rc6] January 15, 2020
1544[1.0.0-rc6]: https://github.com/datawire/ambassador/compare/v1.0.0-rc4...v1.0.0-rc6
1545
1546 - AES: Bugfix: Fix ACME client with multiple replicas
1547 - AES: Bugfix: Fix ACME client race conditions with the API server and WATT
1548 - AES: Bugfix: Don't crash in the ACME client if Redis is unavailable
1549
1550## [1.0.0-rc4] January 13, 2020
1551[1.0.0-rc4]: https://github.com/datawire/ambassador/compare/v1.0.0-rc1...v1.0.0-rc4
1552
1553- Change: Less verbose yet more useful Ambassador pod logs
1554- Bugfix: Various bugfixes for listeners and route rejection
1555- Bugfix: Don't append the service namespace for `localhost`
1556- AES: Bugfix: Fix rendering mapping labels YAML in the webui
1557- AES: Bugfix: Organize help output from `edgectl` so it is easier to read
1558- AES: Bugfix: Various bugfixes around ACME support with manually-configured TLSContexts
1559- AES: Change: Don't disable scout or enable extra-verbose logging when migrating from OSS
1560- AES: BREAKING CHANGE: `APP_LOG_LEVEL` is now `AES_LOG_LEVEL`
1561
1562## [1.0.0-rc1] January 11, 2020
1563[1.0.0-rc1]: https://github.com/datawire/ambassador/compare/v1.0.0-rc0...v1.0.0-rc1
1564
1565- Internal: Improvements to release machinery
1566- Internal: Fix the dev shell
1567- Internal: Adjust KAT tests to work with the Edge Stack
1568
1569## [1.0.0-rc0] January 10, 2020
1570[1.0.0-rc0]: https://github.com/datawire/ambassador/compare/v1.0.0-ea13...v1.0.0-rc0
1571
1572- BREAKING CHANGE: Rename Host CR status field `reason` to `errorReason`
1573- Feature: Host CRs now default `.spec.hostname` to `.metadata.name`
1574- Feature: Host CRs now have a `requestPolicy` field to control redirecting from cleartext to TLS
1575- Feature: Redirecting from cleartext to TLS no longer interferes with ACME http-01 challenges
1576- Feature: Improved `edgectl` help and informational messages
1577- Bugfix: Host CR status is now a sub-resource
1578- Bugfix: Have diagd snapshot JSON not include "serialization" keys (which could potentially leak secrets)
1579- Bugfix: Fix `ambassador_id` handling for Knative resources
1580- Bugfix: Use the correct namespace for resources found via annotations
1581- Bugfix: Treat `ambassadorId` as a synonym for `ambassador_id` (`ambassadorId` is the Protobuf 3 canonical form of `ambassador_id`)
1582- Internal: Allow passing a `DOCKER_NETWORK` variable to the build-system
1583
1584## [1.0.0-ea13] January 09, 2020
1585[1.0.0-ea13]: https://github.com/datawire/ambassador/compare/v1.0.0-ea12...v1.0.0-ea13
1586
1587- Bugfix: Knative mappings populate and fallback to the Ambassador namespace if unspecified
1588- Internal: Knative tests for versions 0.7.1 and 0.8.0 were removed
1589- Internal: Knative tests for version 0.11.0 were added
1590- Internal: Improved performance with Edge Stack using /ambassador/v0/diag/ with an optional `patch_client` query param to send a partial representation in JSON Patch format, reducing the memory and network traffic for large deployments
1591- Internal: Silencing warnings from `which` in docs preflight-check
1592
1593## [1.0.0-ea12] January 08, 2020
1594[1.0.0-ea12]: https://github.com/datawire/ambassador/compare/v1.0.0-ea9...v1.0.0-ea12
1595
1596- BREAKING CHANGE: When a resource specifies a service or secret name without a corresponding namespace, Ambassador uses the namespace of the resource. In the past, Ambassador would use its own namespace.
1597- Bugfix: Add the appropriate label so Ingress works with Edge Stack
1598- Bugfix: Remove superfluous imagePullSecret
1599- Bugfix: Fix various admin UI quirks, especially in Firefox
1600 - Bogus warnings about duplicate resources
1601 - Drag-and-drop reordering of rate limit configuration
1602 - Missing icons
1603- Internal: Drop duplicated resources earlier in the processing chain
1604- Internal: Streamline code generation from protobufs
1605- Internal: Automated broken-link checks in the documentation
1606
1607## [1.0.0-ea9] December 23, 2019
1608[1.0.0-ea9]: https://github.com/datawire/ambassador/compare/v1.0.0-ea7...v1.0.0-ea9
1609
1610- Bugfix: Use proper executable name for Windows edgectl
1611- Bugfix: Don't force SNI routes to be lower-priority than non-SNI routes
1612- Bugfix: Prevent the self-signed fallback context from conflicting with a manual context
1613
1614## [1.0.0-ea7] December 19, 2019
1615[1.0.0-ea7]: https://github.com/datawire/ambassador/compare/v1.0.0-ea6...v1.0.0-ea7
1616
1617- Bugfix: UI buttons can hide themselves
1618- Bugfix: Developer Portal API acquisition
1619- Bugfix: Developer Portal internal routing
1620- Internal: Better JS console usage
1621- Internal: Rationalize usage reporting for Edge Stack
1622
1623## [1.0.0-ea6] December 18, 2019
1624[1.0.0-ea6]: https://github.com/datawire/ambassador/compare/v1.0.0-ea5...v1.0.0-ea6
1625
1626- Feature: Improve performance of processing events from Kubernetes
1627- Feature: Automatic HTTPS should work with any ACME clients doing the http-01 challenge
1628- Internal: General improvements to test infrastructure
1629- Internal: Improved the release process
1630
1631`ambassador-internal-access-control` `Filter` and `FilterPolicy` are now
1632created internally. Remove them from your cluster if upgrading from a
1633previous version.
1634
1635## [1.0.0-ea5] December 17, 2019
1636[1.0.0-ea5]: https://github.com/datawire/ambassador/compare/v1.0.0-ea3...v1.0.0-ea5
1637
1638- Internal: Improved the reliability of CI
1639- Internal: Improved the release process
1640
1641## [1.0.0-ea3] December 16, 2019
1642[1.0.0-ea3]: https://github.com/datawire/ambassador/compare/v1.0.0-ea1...v1.0.0-ea3
1643
1644- Feature: initial edgectl support for Windows!
1645- UX: be explicit that seeing the license applied can take a few minutes
1646- Bugfix: don’t try to check for upgrades on every UI snapshot update
1647- Bugfix: don’t activate the fallback TLSContext if its secret is not available
1648- Bugfix: first cut at reducing reconfiguration churn
1649
1650## [1.0.0-ea1] December 10, 2019
1651[1.0.0-ea1]: https://github.com/datawire/ambassador/compare/v0.85.0...v1.0.0-ea1
1652
1653### Caution!
1654
1655All of Ambassador's CRDs have been switched to `apiVersion: getambassador.io/v2`, and
1656**your resources will be upgraded when you apply the new CRDs**. We recommend that you
1657follow the [migration instructions](https://getambassador.io/early-access/user-guide/upgrade-to-edge-stack/) and check your installation's
1658behavior before upgrading your CRDs.
1659
1660### Features
1661
1662- Authentication and ratelimiting are now available under a free community license
1663- The Host CRD provides an easy way to tell Ambassador about domains it should expect to handle
1664- Given a Host CRD, Ambassador can manage TLS certificates using ACME (or you can manage them by hand)
1665- Redirection from HTTP to HTTPS defaults to ON when termination contexts are present
1666- Mapping and Host CRDs, as well as Ingress resources, get Status updates to provide better feedback
1667
1668### Bugfixes
1669
1670- CVE-2019–18801, CVE-2019–18802, and CVE-2019–18836 are fixed by including Envoy 1.12.2
1671- CORS now happens before rate limiting
1672- The reconfiguration engine is better protected from exceptions
1673
1674## [0.86.1] December 10, 2019
1675[0.86.1]: https://github.com/datawire/ambassador/compare/v0.84.1...v0.86.1
1676
1677- Envoy updated to 1.12.2 for security fixes
1678- Envoy TCP keepalives are now supported (thanks, [Bartek Kowalczyk](https://github.com/KowalczykBartek)!)
1679- Envoy remote access logs are now supported
1680- Correctly handle upgrades when the `LogService` CRD is not present
1681
1682(Ambassador 0.86.0 was superseded by Ambassador 0.86.1.)
1683
1684## [0.85.0] October 22, 2019
1685[0.85.0]: https://github.com/datawire/ambassador/compare/v0.84.1...v0.85.0
1686
1687### Features
1688
1689- Support configuring the Envoy access log format (thanks to [John Esmet](https://github.com/esmet)!)
1690
1691## [0.84.1] October 20, 2019
1692[0.84.1]: https://github.com/datawire/ambassador/compare/v0.84.0...v0.84.1
1693
1694### Major changes:
1695- Bugfix: Fix /ambassador permissions to allow running as non-root - Thanks @dmayle (https://github.com/dmayle) for reporting the bug.
1696
1697## [0.84.0] October 18, 2019
1698[0.84.0]: https://github.com/datawire/ambassador/compare/v0.83.0...v0.84.0
1699
1700### Features:
1701
1702- Support setting window_bits for the GZip filter (thanks to [Florent Delannoy](https://github.com/Pluies)!)
1703- Correctly support tuning the regex_max_size, and bump its default to 200 (thanks to [Paul Salaberria](https://github.com/psalaberria002)!)
1704- Support setting redirect_cleartext_from in a TLSContext
1705
1706### Bugfixes:
1707
1708- Correctly update loadbalancer status of Ingress resources
1709- Don't enable diagd debugging in the test suite unless explicitly requested (thanks to [Jonathan Suever](https://github.com/suever)!)
1710- Switch to an Envoy release build
1711
1712### Developer Notes:
1713
1714- Many many things about the build system have changed under the hood!
1715 - Start with `make help`, and
1716 - Join our [Slack channel](https://d6e.co/slack) for more help!
1717
1718## [0.83.0] October 08, 2019
1719[0.83.0]: https://github.com/datawire/ambassador/compare/v0.82.0...v0.83.0
1720
1721### Major changes:
1722- Update Ambassador to address CVE-2019-15225 and CVE-2019-15226.
1723
1724NOTE: this switches the default regex engine! See the documentation for the `ambassador` `Module` for more.
1725
1726## [0.82.0] October 02, 2019
1727[0.82.0]: https://github.com/datawire/ambassador/compare/v0.81.0...v0.82.0
1728
1729### Major changes:
1730- Feature: Arrange for the Prometheus metrics endpoint to also return associated headers (thanks, [Jennifer Wu](https://github.com/jhsiaomei)!)
1731- Feature: Support setting a TLS origination context when doing TLS to a RateLimitService (thanks, [Phil Peble](https://github.com/ppeble)!)
1732- Feature: Allow configuring Envoy's access log path (thanks, [Jonathan Suever](https://github.com/suever)!)
1733- Update: Switch to Python 3.7 and Alpine 3.10
1734
1735### Developer notes:
1736- Switch back to the latest mypy (currently 0.730)
1737- Environment variable KAT_IMAGE_PULL_POLICY can override the imagePullPolicy when running KAT tests
1738- Updated Generated Envoy Golang APIs
1739
1740## [0.81.0] September 26, 2019
1741[0.81.0]: https://github.com/datawire/ambassador/compare/v0.80.0...v0.81.0
1742
1743### Major changes:
1744- Feature: ${} environment variable interpolation is supported in all Ambassador configuration resources (thanks, [Stefan Sedich](https://github.com/stefansedich)!)
1745- Feature: DataDog APM tracing is now supported (thanks again, [Stefan Sedich](https://github.com/stefansedich)!)
1746- Bugfix: Fix an error in the TLSContext schema (thanks, [@georgekaz](https://github.com/georgekaz)!)
1747
1748### Developer notes:
1749- Test services can now be built, deployed, and tested more easily (see BUILDING.md)
1750- `mypy` is temporarily pinned to version 0.720.
1751
1752## [0.80.0] September 20, 2019
1753[0.80.0]: https://github.com/datawire/ambassador/compare/v0.78.0...v0.80.0
1754
1755### Major changes:
1756- Feature: Basic support for the Kubernetes Ingress resource
1757- Feature: Basic reporting for some common configuration errors (lack of Mappings, lack of TLS contexts)
1758- Bugfix: Update Envoy to prevent crashing when updating AuthService under load
1759
1760### Developer notes
1761- Golang components now use Go 1.13
1762- Ambassador build now _requires_ clean type hinting
1763- KAT client and server have been pulled back into the Ambassador repo
1764
1765## [0.78.0] September 11, 2019
1766[0.78.0]: https://github.com/datawire/ambassador/compare/v0.77.0...v0.78.0
1767
1768### Major changes:
1769- Feature: Support setting cipher_suites and ecdh_curves in TLSContext - #1782 (Thanks @teejaded)
1770- Feature: Make 128-bits traceids the default - #1794 (Thanks @Pluies)
1771- Feature: Set cap_net_bind_service to allow binding to low ports - #1720 (Thanks @swalberg)
1772
1773### Minor changes:
1774- Testing: Add test that ambassador cli does not crash when called with --help - #1806 (Thanks @rokostik)
1775
1776## [0.77.0] September 05, 2019
1777[0.77.0]: https://github.com/datawire/ambassador/compare/v0.76.0...v0.77.0
1778
1779- (Feature) Support the `least_request` load balancer policy (thanks, [Steve Flanders](https://github.com/flands)!)
1780- (Misc) Many test and release-engineering improvements under the hood
1781
1782## [0.76.0] August 26, 2019
1783[0.76.0]: https://github.com/datawire/ambassador/compare/v0.75.0...v0.76.0
1784
1785- circuit breakers now properly handle overriding a global circuit breaker within a Mapping ([#1767])
1786- support for Knative 0.8.0 ([#1732])
1787
1788[#1767]: https://github.com/datawire/ambassador/issues/1767
1789[#1732]: https://github.com/datawire/ambassador/issues/1732
1790
1791## [0.75.0] August 13, 2019
1792[0.75.0]: https://github.com/datawire/ambassador/compare/0.74.1...0.75.0
1793
1794- (Feature) Update to Envoy 1.11.1, including security fixes
1795- (Feature) You can use a `TLSContext` without a `secret` to set origination options ([#1708])
1796- (Feature) Canary deployments can now use multiple `host_rewrite` values ([#1159])
1797- (Bugfix) Make sure that Ambassador won't mistakenly complain about the number of RateLimit and Tracing services (thanks, [Christian Claus](https://github.com/cclauss)!)
1798
1799[#1159]: https://github.com/datawire/ambassador/issues/1159
1800[#1708]: https://github.com/datawire/ambassador/issues/1708
1801
1802## [0.74.1] August 06, 2019
1803[0.74.1]: https://github.com/datawire/ambassador/compare/0.74.0...0.74.1
1804
1805- (bugfix) Make sure that updates properly trigger reconfigures ([#1727])
1806- (misc) Arrange for startup logging to have timestamps
1807
1808[#1727]: https://github.com/datawire/ambassador/issues/1727
1809
1810## [0.74.0] July 30, 2019
1811[0.74.0]: https://github.com/datawire/ambassador/compare/0.73.0...0.74.0
1812
1813- Bugfix: Make sure that the pod dies if Envoy dies
1814- Bugfix: Correctly allow setting `timeout_ms` for `AuthService` (thanks, [John Esmet!](https://www.github.com/esmet)!)
1815- Feature: Permit configuring `cluster_idle_timeout_ms` for upstream services (thanks, [John Esmet!](https://www.github.com/esmet)!) ([#1542])
1816
1817[#1542]: https://github.com/datawire/ambassador/issues/1542
1818
1819## [0.73.0] July 11, 2019
1820[0.73.0]: https://github.com/datawire/ambassador/compare/0.72.0...0.73.0
1821
1822- Feature: Experimental native support for Knative! ([#1579])
1823- Feature: Better Linkerd interoperability! ([#1578], [#1594])
1824
1825- Feature: Add a legend for the colors of service names on the diagnostic overview (thanks, [Wyatt Pearsall](https://github.com/wpears)!)
1826- Feature: Allow switching Envoy to output JSON logs (thanks, [Pedro Tavares](https://github.com/ServerlessP)!)
1827- Feature: Allow setting `AMBASSADOR_LABEL_SELECTOR` and `AMBASSADOR_FIELD_SELECTOR` to let Ambassador use Kubernetes selectors to determine which things to read (thanks, [John Esmet](https://github.com/esmet)!) ([#1292])
1828- Feature: Allow configuring retries for `AuthService` (thanks, [Kevin Dagostino](https://github.com/TonkWorks)!) ([#1622], [#1461])
1829
1830- Bugfix: Allow Ambassador to ride through Envoy-validation timeouts (thanks, [John Morrisey](https://github.com/jwm)!)
1831- Bugfix: Allow Ambassador to ride through parse errors on input resources (thanks, [Andrei Predoiu](https://github.com/Andrei-Predoiu)!) ([#1625])
1832- Bugfix: Allow '.' in a `secret` name to just be a '.' ([#1255])
1833
1834- Bugfix: Allow manually defining an Ambassador `Service` resource, same as any other resource
1835- Bugfix: Prevent spurious duplicate-resource errors when loading config from the filesystem
1836
1837[#1255]: https://github.com/datawire/ambassador/issues/1255
1838[#1292]: https://github.com/datawire/ambassador/issues/1292
1839[#1461]: https://github.com/datawire/ambassador/issues/1461
1840[#1578]: https://github.com/datawire/ambassador/issues/1578
1841[#1579]: https://github.com/datawire/ambassador/issues/1579
1842[#1594]: https://github.com/datawire/ambassador/issues/1594
1843[#1622]: https://github.com/datawire/ambassador/issues/1622
1844[#1625]: https://github.com/datawire/ambassador/issues/1625
1845
1846## [0.72.0] June 13, 2019
1847[0.72.0]: https://github.com/datawire/ambassador/compare/0.71.0...0.72.0
1848
1849- Envoy: Update Envoy to commit 8f57f7d765
1850- Bugfix: Auth spans are now properly connected to requests ([#1414])
1851- Bugfix: `include_body` now works correctly ([#1531], [#1595])
1852- Bugfix: `x_forwarded_proto_redirect` works again (thanks to [Kyle Martin](https://github.com/KyleMartin901)!) ([#1571])
1853- Bugfix: Ambassador works correctly with read-only filesystems (thanks, [Niko Kurtti](https://github.com/n1koo)!) ([#1614], [#1619])
1854- Bugfix: Correctly render groups associated with a given resolver in diagnostics JSON output
1855- Feature: Give the Ambassador CLI a way to specify the directory into which to write secrets.
1856
1857[#1414]: https://github.com/datawire/ambassador/issues/1414
1858[#1531]: https://github.com/datawire/ambassador/issues/1531
1859[#1571]: https://github.com/datawire/ambassador/issues/1571
1860[#1595]: https://github.com/datawire/ambassador/issues/1595
1861[#1614]: https://github.com/datawire/ambassador/issues/1614
1862[#1619]: https://github.com/datawire/ambassador/issues/1619
1863
1864## [0.71.0] June 06, 2019
1865[0.71.0]: https://github.com/datawire/ambassador/compare/0.70.1...0.71.0
1866
1867- Feature: GZIP support [#744]
1868- Feature: diag UI shows active Resolvers [#1453]
1869- Feature: CRDs exist for Resolvers [#1563]
1870- Feature: Resolvers with custom names work, even as CRDs [#1497]
1871- Feature: The `/metrics` endpoint provides direct access to Prometheus-format stats (thanks to [Rotem Tamir](https://github.com/rotemtam)!)
1872- Bugfix: `statsd-exporter` now correctly defaults to port 8125 (thanks to [Jonathan Suever](https://github.com/suever)!)
1873- Bugfix: redirect_cleartext_from no longer strips the URL path [#1463]
1874- Bugfix: canary weights of 0 and 100 work correctly [#1379]
1875- Bugfix: `docker run` works again for the Ambassador demo, and is part of our tests now [#1569]
1876- Bugfix: Scout `DEBUG` messages don’t get leaked into the diag UI [#1573]
1877- Maintenance: warn of upcoming protocol version changes
1878- Maintenance: check in with Scout every 24 hours, but no more than twice per day
1879
1880[#744]: https://github.com/datawire/ambassador/issues/744
1881[#1379]: https://github.com/datawire/ambassador/issues/1379
1882[#1453]: https://github.com/datawire/ambassador/issues/1453
1883[#1463]: https://github.com/datawire/ambassador/issues/1463
1884[#1497]: https://github.com/datawire/ambassador/issues/1497
1885[#1563]: https://github.com/datawire/ambassador/issues/1563
1886[#1569]: https://github.com/datawire/ambassador/issues/1569
1887[#1573]: https://github.com/datawire/ambassador/issues/1573
1888
1889## [0.70.1] May 24, 2019
1890[0.70.1]: https://github.com/datawire/ambassador/compare/0.70.0...0.70.1
1891
1892### Minor changes:
1893- Bugfix: Disable CRD support if Ambassador cannot access them
1894- Upgrade: Upgrade to watt 0.5.1
1895
1896## [0.70.0] May 20, 2019
1897[0.70.0]: https://github.com/datawire/ambassador/compare/0.61.0...0.70.0
1898
1899### Major changes:
1900- Feature: Support CRDs in the `getambassador.io` API group for configuration ([#482])
1901- Feature: Update to Envoy 1.10
1902
1903### Minor changes:
1904- Feature: Support removing request headers (thanks @ysaakpr!)
1905- Bugfix: `watt` should better coalesce calls to the watch hook on startup
1906- Bugfix: Ambassador no longer uses ports 7000 or 18000 ([#1526], [#1527])
1907
1908[#482]: https://github.com/datawire/ambassador/issues/482
1909[#1526]: https://github.com/datawire/ambassador/issues/1526
1910[#1527]: https://github.com/datawire/ambassador/issues/1527
1911
1912## [0.61.1] May 16, 2019
1913[0.61.1]: https://github.com/datawire/ambassador/compare/0.61.0...0.61.1
1914
1915- Bugfix: Make sure that Consul discovery properly handles the datacenter name ([#1533])
1916- Bugfix: Make sure that the feature-walk code is protected against clusters with no endpoints at all ([#1532])
1917
1918[#1532]: https://github.com/datawire/ambassador/issues/1532
1919[#1533]: https://github.com/datawire/ambassador/issues/1533
1920
1921## [0.61.0] May 08, 2019
1922[0.61.0]: https://github.com/datawire/ambassador/compare/0.60.3...0.61.0
1923
1924Ambassador 0.61.0 metadata
1925
1926### Changes:
1927- Feature: Support for minimum and maximum TLS versions (#689)
1928- Feature: Allow choosing whether to append or overwrite when adding request or response headers (#1481) - thanks to @ysaakpr
1929- Feature: Support for circuit breakers (#360)
1930- Feature: Support for automatic retries (#1127) - thanks to @l1v3
1931- Feature: Support for shadow traffic weighting - thanks to @nemo83
1932- Feature: Support for HTTP/1.0 (#988) - thanks to @cyrus-mc
1933- Bugfix: Problem with local Consul agent resolver and non-standard HTTP port (#1508)
1934- Bugfix: Round each mapping's weight to an integer to prevent invalid Envoy configurations when using weights (#1289) - thanks to @esmet
1935- Bugfix: Fix deadlock on invalid Envoy configuration (#1491) - thanks to @esmet
1936- Bugfix: Fixed LightStep gRPC TracingService (#1189) - thanks to @sbaum1994
1937## [0.60.3] May 01, 2019
1938[0.60.3]: https://github.com/datawire/ambassador/compare/0.60.2...0.60.3
1939
1940### Changes since 0.60.2
1941
1942- When scanning its configuration for secrets and endpoints that must be watched, 0.60.2 could fail with certain configurations if TLS termination but not origination was active. Those failures are fixed now.
1943
1944## [0.60.2] April 29, 2019
1945[0.60.2]: https://github.com/datawire/ambassador/compare/0.60.1...0.60.2
1946
1947### Changes since 0.60.1
1948
1949- Ambassador is now much more careful about which endpoints and secrets it pays attention to. ([#1465] again -- thanks to [@flands](https://github.com/flands) and @seandon for the help here!)
1950
1951[#1465]: https://github.com/datawire/ambassador/issues/1465
1952
1953## [0.60.1] April 25, 2019
1954[0.60.1]: https://github.com/datawire/ambassador/compare/0.60.0...0.60.1
1955
1956### Changes since 0.60.0
1957
1958- Speed up initial parsing of WATT snapshots considerably ([#1465])
1959- Don't look at secrets in the kube-system namespace, or for service-account tokens.
1960- Make sure that secrets we do look at are correctly associated with their namespaces ([#1467] -- thanks to @flands and @derrickburns for their contributions here!)
1961- Allow tuning the number of input snapshots retained for debugging
1962- Include the grab-snapshots.py script to help with debuggability
1963
1964[#1465]: https://github.com/datawire/ambassador/issues/1465
1965[#1467]: https://github.com/datawire/ambassador/issues/1467
1966
1967## [0.60.0] April 23, 2019
1968[0.60.0]: https://github.com/datawire/ambassador/compare/0.53.1...0.60.0
1969
1970### Changes since 0.53.1
1971
1972- BREAKING CHANGE: Ambassador listens on 8080 and 8443 by default so it does not need to run as root
1973- Ambassador natively supports using Consul for service discovery
1974- `AMBASSADOR_ENABLE_ENDPOINTS` is no longer needed; configure using the `Resolver` resource instead
1975- Support for the Maglev load balancing algorithm
1976- Support `connect_timeout_ms`. Thanks to Pétur Erlingsson.
1977- Support for `idle_timeout_ms` Thanks to Aaron Triplett.
1978- Ambassador will properly reload renewed Let's Encrypt certificates (#1416). Thanks to Matthew Ceroni.
1979- Ambassador will now properly redirect from HTTP to HTTPS based on `x-forwarded-proto` (#1233).
1980- The `case_sensitive` field now works when `host_redirect` is set to true (#699). Thanks to Peter Choi and Christopher Coté.
1981
1982## [0.53.1] April 05, 2019
1983[0.53.1]: https://github.com/datawire/ambassador/compare/0.52.1...0.53.1
1984
1985(0.53.0 was immediately supplanted by 0.53.1.)
1986
1987## SECURITY FIXES
1988
1989Ambassador 0.53.1 addresses two security issues in Envoy Proxy, CVE-2019-9900 and CVE-2019-9901:
1990
1991- CVE-2019-9900 (Score 8.3/High). When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0).
1992
1993- CVE-2019-9901 (Score 8.3/High). Envoy does not normalize HTTP URL paths in Envoy 1.9 and before.
1994
1995Since these issues can potentially allow a remote attacker to use maliciously-crafted URLs to bypass
1996authentication, anyone running an Ambassador prior to 0.53.1 should upgrade.
1997
1998### UPCOMING CHANGES
1999
2000Ambassador 0.60 will listen on ports 8080/8443 by default. The diagnostics service in Ambassador 0.52.0
2001will try to warn you if your configuration will be affected by this change.
2002
2003## Other changes since 0.52.1
2004
2005- `AuthService` version `ambassador/v1` can now explicitly configure how much body data is sent
2006 to the external authentication service.
2007
2008## [0.52.1] March 26, 2019
2009[0.52.1]: https://github.com/datawire/ambassador/compare/0.52.0...0.52.1
2010
2011### Changes since 0.52.0
2012
2013- You can specify the `AMBASSADOR_NO_SECRETS` environment variable to prevent Ambassador from
2014 watching Kubernetes secrets at all (thanks [@esmet](https://github.com/esmet)!) ([#1293])
2015- The services used when you do `docker run ambassador --demo` have been moved into the Docker image,
2016 to remove external dependencies from the Ambassador quickstart.
2017
2018[#1293]: https://github.com/datawire/ambassador/issues/1293
2019
2020## [0.52.0] March 21, 2019
2021[0.52.0]: https://github.com/datawire/ambassador/compare/0.51.2...0.52.0
2022
2023### Changes since 0.51.2
2024
2025- Initial support for endpoint routing, rather than relying on `kube-proxy` ([#1031])
2026 - set `AMBASSADOR_ENABLE_ENDPOINTS` in the environment to allow this
2027- Initial support for Envoy ring hashing and session affinity (requires endpoint routing!)
2028- Support Lua filters (thanks to [@lolletsoc](https://github.com/lolletsoc)!)
2029- Support gRPC-Web (thanks to [@gertvdijk](https://github.com/gertvdijk)!) ([#456])
2030- Support for gRPC HTTP 1.1 bridge (thanks to [@rotemtam](https://github.com/rotemtam)!)
2031- Allow configuring `num-trusted-hosts` for `X-Forwarded-For`
2032- External auth services using gRPC can now correctly add new headers ([#1313])
2033- External auth services correctly add trace spans
2034- Ambassador should respond to changes more quickly now ([#1294], [#1318])
2035- Ambassador startup should be faster now
2036
2037[#456]: https://github.com/datawire/ambassador/issues/456
2038[#1031]: https://github.com/datawire/ambassador/issues/1031
2039[#1294]: https://github.com/datawire/ambassador/issues/1294
2040[#1313]: https://github.com/datawire/ambassador/issues/1313
2041[#1318]: https://github.com/datawire/ambassador/issues/1318
2042
2043## [0.51.2] March 12, 2019
2044[0.51.2]: https://github.com/datawire/ambassador/compare/0.51.1...0.51.2
2045
2046### Changes since 0.51.1
2047
2048- Cookies are now correctly handled when using external auth services... really. ([#1211])
2049
2050[#1211]: https://github.com/datawire/ambassador/issues/1211
2051
2052## [0.51.1] March 11, 2019
2053[0.51.1]: https://github.com/datawire/ambassador/compare/0.51.0...0.51.1
2054
2055### Changes since 0.51.0
2056
2057- Ambassador correctly handles services in namespaces other than the one Ambassador is running in.
2058
2059## [0.51.0] March 08, 2019
2060[0.51.0]: https://github.com/datawire/ambassador/compare/0.50.3...0.51.0
2061
2062**0.51.0 is not recommended: upgrade to 0.51.1.**
2063
2064### Changes since 0.50.3
2065
2066- Ambassador can now route any TCP connection, using the new `TCPMapping` resource. ([#420])
2067- Cookies are now correctly handled when using external auth services ([#1211])
2068- Lots of work in docs and testing under the hood
2069
2070[#420]: https://github.com/datawire/ambassador/issues/420
2071[#1211]: https://github.com/datawire/ambassador/issues/1211
2072
2073### Limitations in 0.51.0
2074
2075At present, you cannot mix HTTP and HTTPS upstream `service`s in any Ambassador resource. This restriction will be lifted in a future Ambassador release.
2076
2077## [0.50.3] February 21, 2019
2078[0.50.3]: https://github.com/datawire/ambassador/compare/0.50.2...0.50.3
2079
2080### Fixes since 0.50.2
2081
2082- Ambassador saves configuration snapshots as it manages configuration changes. 0.50.3 keeps only 5 snapshots,
2083 to bound its disk usage. The most recent snapshot has no suffix; the `-1` suffix is the next most recent, and
2084 the `-4` suffix is the oldest.
2085- Ambassador will not check for available updates more often than once every four hours.
2086
2087### Limitations in 0.50.3
2088
2089At present, you cannot mix HTTP and HTTPS upstream `service`s in any Ambassador resource. This restriction will be lifted in a future Ambassador release.
2090
2091## [0.50.2] February 15, 2019
2092[0.50.2]: https://github.com/datawire/ambassador/compare/0.50.1...0.50.2
2093
2094### Important fixes since 0.50.1
2095
2096- Ambassador no longer requires annotations in order to start -- with no configuration, it will launch with only the diagnostics service available. ([#1203])
2097- If external auth changes headers, routing will happen based on the changed values. ([#1226])
2098
2099### Other changes since 0.50.1
2100
2101- Ambassador will no longer log errors about Envoy statistics being unavaible before startup is complete ([#1216])
2102- The `tls` attribute is again available to control the client certificate offered by an `AuthService` ([#1202])
2103
2104### Limitations in 0.50.2
2105
2106At present, you cannot mix HTTP and HTTPS upstream `service`s in any Ambassador resource. This restriction will be lifted in a future Ambassador release.
2107
2108[#1202]: https://github.com/datawire/ambassador/issues/1202
2109[#1203]: https://github.com/datawire/ambassador/issues/1203
2110[#1216]: https://github.com/datawire/ambassador/issues/1216
2111[#1226]: https://github.com/datawire/ambassador/issues/1226
2112
2113## [0.50.1] February 07, 2019
2114[0.50.1]: https://github.com/datawire/ambassador/compare/0.50.0...0.50.1
2115
2116**0.50.1 is not recommended: upgrade to 0.52.0.**
2117
2118### Changes since 0.50.0
2119
2120- Ambassador defaults to only doing IPv4 DNS lookups. IPv6 can be enabled in the Ambassador module or in a Mapping. ([#944])
2121- An invalid Envoy configuration should not cause Ambassador to hang.
2122- Testing using `docker run` and `docker compose` is supported again. ([#1160])
2123- Configuration from the filesystem is supported again, but see the "Running Ambassador" documentation for more.
2124- Datawire's default Ambassador YAML no longer asks for any permissions for `ConfigMap`s.
2125
2126[#944]: https://github.com/datawire/ambassador/issues/944
2127[#1160]: https://github.com/datawire/ambassador/issues/1160
2128
2129## [0.50.0] January 29, 2019
2130[0.50.0]: https://github.com/datawire/ambassador/compare/0.50.0-rc6...0.50.0
2131
2132**Ambassador 0.50.0 is a major rearchitecture of Ambassador onto Envoy V2 using the ADS. See the "BREAKING NEWS"
2133section above for more information.**
2134
2135(Note that Ambassador 0.50.0-rc7 and -rc8 were internal releases.)
2136
2137### Changes since 0.50.0-rc6
2138
2139- `AMBASSADOR_SINGLE_NAMESPACE` is finally correctly supported and properly tested ([#1098])
2140- Ambassador won't throw an exception for name collisions between resources ([#1155])
2141- A TLS `Module` can now coexist with SNI (the TLS `Module` effectively defines a fallback cert) ([#1156])
2142- `ambassador dump --diag` no longer requires you to explicitly state `--v1` or `--v2`
2143
2144### Limitations in 0.50.0 GA
2145
2146- Configuration from the filesystem is not supported in 0.50.0. It will be resupported in 0.50.1.
2147- A `TLSContext` referencing a `secret` in another namespace will not function when `AMBASSADOR_SINGLE_NAMESPACE` is set.
2148
2149[#1098]: https://github.com/datawire/ambassador/issues/1098
2150[#1155]: https://github.com/datawire/ambassador/issues/1155
2151[#1156]: https://github.com/datawire/ambassador/issues/1156
2152
2153## [0.50.0-rc6] January 28, 2019
2154[0.50.0-rc6]: https://github.com/datawire/ambassador/compare/0.50.0-rc5...0.50.0-rc6
2155
2156**Ambassador 0.50.0-rc6 is a release candidate**.
2157
2158### Changes since 0.50.0-rc5
2159
2160- Ambassador watches certificates and automatically updates TLS on certificate changes ([#474])
2161- Ambassador no longer saves secrets it hasn't been told to use to disk ([#1093])
2162- Ambassador correctly honors `AMBASSADOR_SINGLE_NAMESPACE` rather than trying to access all namespaces ([#1098])
2163- Ambassador correctly honors the `AMBASSADOR_CONFIG_BASE_DIR` setting again ([#1118])
2164- Configuration changes take effect much more quickly than in RC5 ([#1148])
2165- `redirect_cleartext_from` works with no configured secret, to support TLS termination at a downstream load balancer ([#1104])
2166- `redirect_cleartext_from` works with the `PROXY` protocol ([#1115])
2167- Multiple `AuthService` resources (for canary deployments) work again ([#1106])
2168- `AuthService` with `allow_request_body` works correctly with an empty body and no `Content-Length` header ([#1140])
2169- `Mapping` supports the `bypass_auth` attribute to bypass authentication (thanks, @patricksanders! [#174])
2170- The diagnostic service no longer needs to re-parse the configuration on every page load ([#483])
2171- Startup is now faster and more stable
2172- The Makefile should do the right thing if your PATH has spaces in it (thanks, @er1c!)
2173- Lots of Helm chart, statsd, and doc improvements (thanks, @Flydiverny, @alexgervais, @bartlett, @victortv7, and @zencircle!)
2174
2175[#174]: https://github.com/datawire/ambassador/issues/174
2176[#474]: https://github.com/datawire/ambassador/issues/474
2177[#483]: https://github.com/datawire/ambassador/issues/483
2178[#1093]: https://github.com/datawire/ambassador/issues/1093
2179[#1098]: https://github.com/datawire/ambassador/issues/1098
2180[#1104]: https://github.com/datawire/ambassador/issues/1104
2181[#1106]: https://github.com/datawire/ambassador/issues/1106
2182[#1115]: https://github.com/datawire/ambassador/issues/1115
2183[#1118]: https://github.com/datawire/ambassador/issues/1118
2184[#1140]: https://github.com/datawire/ambassador/issues/1140
2185[#1148]: https://github.com/datawire/ambassador/issues/1148
2186
2187## [0.50.0-rc5] January 14, 2019
2188[0.50.0-rc5]: https://github.com/datawire/ambassador/compare/0.50.0-rc4...0.50.0-rc5
2189
2190**Ambassador 0.50.0-rc5 is a release candidate**.
2191
2192### Changes since 0.50.0-rc4
2193
2194- Websocket connections will now be authenticated if an AuthService is configured [#1026]
2195- Client certificate authentication should function whether configured from a TLSContext resource or from the the old-style TLS module (this is the full fix for [#993])
2196- Ambassador can now switch listening ports without a restart (e.g. switching from cleartext to TLS) [#1100]
2197- TLS origination certificates (including Istio mTLS) should now function [#1071]
2198- The diagnostics service should function in all cases. [#1096]
2199- The Ambassador image is significantly (~500MB) smaller than RC4.
2200
2201[#933]: https://github.com/datawire/ambassador/issues/993
2202[#1026]: https://github.com/datawire/ambassador/issues/1026
2203[#1071]: https://github.com/datawire/ambassador/issues/1071
2204[#1096]: https://github.com/datawire/ambassador/issues/1096
2205[#1100]: https://github.com/datawire/ambassador/issues/1100
2206
2207## [0.50.0-rc4] January 09, 2019
2208[0.50.0-rc4]: https://github.com/datawire/ambassador/compare/0.50.0-rc3...0.50.0-rc4
2209
2210**Ambassador 0.50.0-rc4 is a release candidate**, and fully supports running under Microsoft Azure.
2211
2212### Changes since 0.50.0-rc3
2213
2214- Ambassador fully supports running under Azure [#1039]
2215- The `proto` attribute of a v1 `AuthService` is now optional, and defaults to `http`
2216- Ambassador will warn about the use of v0 configuration resources.
2217
2218[#1039]: https://github.com/datawire/ambassador/issues/1039
2219
2220## [0.50.0-rc3] January 03, 2019
2221[0.50.0-rc3]: https://github.com/datawire/ambassador/compare/0.50.0-rc2...0.50.0-rc3
2222
2223**Ambassador 0.50.0-rc3 is a release candidate**, but see below for an important warning about Azure.
2224
2225### Microsoft Azure
2226
2227There is a known issue with recently-created Microsoft Azure clusters where Ambassador will stop receiving service
2228updates after running for a short time. This will be fixed in 0.50.0-GA.
2229
2230### Changes since 0.50.0-rc2
2231
2232- The `Location` and `Set-Cookie` headers should always be allowed from the auth service when using an `ambassador/v0` config [#1054]
2233- `add_response_headers` (parallel to `add_request_headers`) is now supported (thanks, @n1koo!)
2234- `host_redirect` and `shadow` both now work correctly [#1057], [#1069]
2235- Kat is able to give better information when it cannot parse a YAML specification.
2236
2237[#1054]: https://github.com/datawire/ambassador/issues/1054
2238[#1057]: https://github.com/datawire/ambassador/issues/1057
2239[#1069]: https://github.com/datawire/ambassador/issues/1069
2240
2241## [0.50.0-rc2] December 24, 2018
2242[0.50.0-rc2]: https://github.com/datawire/ambassador/compare/0.50.0-rc1...0.50.0-rc2
2243
2244**Ambassador 0.50.0-rc2 fixes some significant TLS bugs found in RC1.**
2245
2246### Changes since 0.50.0-rc1:
2247
2248- TLS client certificate verification should function correctly (including requiring client certs).
2249- TLS context handling (especially with multiple contexts and origination contexts) has been made more consistent and correct.
2250 - Ambassador is now much more careful about reporting errors in TLS configuration (especially around missing keys).
2251 - You can reference a secret in another namespace with `secret: $secret_name.$namespace`.
2252 - Ambassador will now save certificates loaded from Kubernetes to `$AMBASSADOR_CONFIG_BASE_DIR/$namespace/secrets/$secret_name`.
2253- `use_proxy_proto` should be correctly supported [#1050].
2254- `AuthService` v1 will default its `proto` to `http` (thanks @flands!)
2255- The JSON diagnostics service supports filtering: requesting `/ambassador/v0/diag/?json=true&filter=errors`, for example, will return only the errors element from the diagnostic output.
2256
2257[#1050]: https://github.com/datawire/ambassador/issues/1050
2258
2259## [0.50.0-rc1] December 19, 2018
2260[0.50.0-rc1]: https://github.com/datawire/ambassador/compare/0.50.0-ea7...0.50.0-rc1
2261
2262**Ambassador 0.50.0-rc1 is a release candidate.**
2263
2264### Changes since 0.50.0-ea7:
2265
2266- Websockets should work happily with external authentication [#1026]
2267- A `TracingService` using a long cluster name works now [#1025]
2268- TLS origination certificates are no longer offered to clients when Ambassador does TLS termination [#983]
2269- Ambassador will listen on port 443 only if TLS termination contexts are present; a TLS origination context will not cause the switch
2270- The diagnostics service is working, and correctly reporting errors, again. [#1019]
2271- `timeout_ms` in a `Mapping` works correctly again [#990]
2272- Ambassador sends additional anonymized usage data to help Datawire prioritize bug fixes, etc.
2273 See `docs/ambassador/running.md` for more information, including how to disable this function.
2274
2275[#983]: https://github.com/datawire/ambassador/issues/983
2276[#990]: https://github.com/datawire/ambassador/issues/990
2277[#1019]: https://github.com/datawire/ambassador/issues/1019
2278[#1025]: https://github.com/datawire/ambassador/issues/1025
2279[#1026]: https://github.com/datawire/ambassador/issues/1026
2280
2281## [0.50.0-ea7] November 19, 2018
2282[0.50.0-ea7]: https://github.com/datawire/ambassador/compare/0.50.0-ea6...0.50.0-ea7
2283
2284**Ambassador 0.50.0-ea7 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2285
2286### Upcoming major changes:
2287
2288- **API version `ambassador/v0` will be officially deprecated in Ambassador 0.50.0.**
2289 API version `ambassador/v1` will the minimum recommended version for resources in Ambassador 0.50.0.
2290
2291- Some resources will change between `ambassador/v0` and `ambassador/v1`.
2292 - For example, the `Mapping` resource will no longer support `rate_limits` as that functionality will
2293 be subsumed by `labels`.
2294
2295### Changes since 0.50.0-ea6:
2296
2297- Ambassador now supports `labels` for all `Mapping`s.
2298- Configuration of rate limits for a `Mapping` is now handled by providing `labels` in the domain configured
2299 for the `RateLimitService` (by default, this is "ambassador").
2300- Ambassador, once again, supports `statsd` for statistics gathering.
2301- The Envoy `buffer` filter is supported.
2302- Ambassador can now use GRPC to call the external authentication service, and also include the message body
2303 in the auth call.
2304- It's now possible to use environment variables to modify the configuration directory (thanks @n1koo!).
2305- Setting environment variable `AMBASSADOR_KUBEWATCH_NO_RETRY` will cause the Ambassador pod to exit, and be
2306 rescheduled, if it loses its connection to the Kubernetes API server.
2307- Many dependencies have been updated, most notably including switching to kube-client 8.0.0.
2308
2309## [0.50.0-ea6] November 19, 2018
2310[0.50.0-ea6]: https://github.com/datawire/ambassador/compare/0.50.0-ea5...0.50.0-ea6
2311
2312**Ambassador 0.50.0-ea6 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2313
2314### Changes since 0.50.0-ea5:
2315
2316- `alpn_protocols` is now supported in the `TLS` module and `TLSContext`s
2317- Using `TLSContext`s to provide TLS termination contexts will correctly switch Ambassador to listening on port 443.
2318- `redirect_cleartext_from` is now supported with SNI
2319- Zipkin `TracingService` configuration now supports 128-bit trace IDs and shared span contexts (thanks, @alexgervais!)
2320- Zipkin should correctly trace calls to external auth services (thanks, @alexgervais!)
2321- `AuthService` configurations now allow separately configuring headers allowed from the client to the auth service, and from the auth service upstream
2322- Ambassador won't endlessly append `:annotation` to K8s resources
2323- The Ambassador CLI no longer requires certificate files to be present when dumping configurations
2324- `make mypy` will run full type checks on Ambassador to help developers
2325
2326## [0.50.0-ea5] November 06, 2018
2327[0.50.0-ea5]: https://github.com/datawire/ambassador/compare/0.50.0-ea4...0.50.0-ea5
2328
2329**Ambassador 0.50.0-ea5 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2330
2331### Changes since 0.50.0-ea4:
2332
2333- **`use_remote_address` is now set to `true` by default.** If you need the old behavior, you will need to manually set `use_remote_address` to `false` in the `ambassador` `Module`.
2334- Ambassador 0.50.0-ea5 **supports SNI!** See the docs for more here.
2335- Header matching is now supported again, including `host` and `method` headers.
2336
2337## [0.50.0-ea4] October 31, 2018
2338[0.50.0-ea4]: https://github.com/datawire/ambassador/compare/0.50.0-ea3...0.50.0-ea4
2339
2340**Ambassador 0.50.0-ea4 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2341
2342### Changes since 0.50.0-ea3:
2343
2344- Ambassador 0.50.0-ea4 uses Envoy 1.8.0.
2345- `RateLimitService` is now supported. **You will need to restart Ambassador if you change the `RateLimitService` configuration.** We expect to lift this restriction in a later release; for now, the diag service will warn you when a restart is required.
2346 - The `RateLimitService` also has a new `timeout_ms` attribute, which allows overriding the default request timeout of 20ms.
2347- GRPC is provisionally supported, but still needs improvements in test coverage.
2348- Ambassador will correctly include its EA number when checking for updates.
2349
2350## [0.50.0-ea3] October 21, 2018
2351[0.50.0-ea3]: https://github.com/datawire/ambassador/compare/0.50.0-ea2...0.50.0-ea3
2352
2353**Ambassador 0.50.0-ea3 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2354
2355### Changes since 0.50.0-ea2:
2356
2357- `TracingService` is now supported. **You will need to restart Ambassador if you change the `TracingService` configuration.** We expect to lift this restriction in a later release; for now, the diag service will warn you when a restart is required.
2358- Websockets are now supported, **including** mapping the same websocket prefix to multiple upstream services for canary releases or load balancing.
2359- KAT supports full debug logs by individual `Test` or `Query`.
2360
2361**Ambassador 0.50.0 is not yet feature-complete. Read the Limitations and Breaking Changes sections in the 0.50.0-ea1 section below for more information.**
2362
2363## [0.50.0-ea2] October 16, 2018
2364[0.50.0-ea2]: https://github.com/datawire/ambassador/compare/0.50.0-ea1...0.50.0-ea2
2365
2366**Ambassador 0.50.0-ea2 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2367
2368### Changes since 0.50.0-ea1:
2369
2370- Attempting to enable TLS termination without supplying a valid cert secret will result in HTTP on port 80, rather than HTTP on port 443. **No error will be displayed in the diagnostic service yet.** This is a bug and will be fixed in `-ea3`.
2371- CORS is now supported.
2372- Logs are no longer full of accesses from the diagnostic service.
2373- KAT supports isolating OptionTests.
2374- The diagnostics service now shows the V2 config actually in use, not V1.
2375- `make` will no longer rebuild the Python venv so aggressively.
2376
2377**Ambassador 0.50.0 is not yet feature-complete. Read the Limitations and Breaking Changes sections in the 0.50.0-ea1 section below for more information.**
2378
2379## [0.50.0-ea1] October 11, 2018
2380[0.50.0-ea1]: https://github.com/datawire/ambassador/compare/0.40.0...0.50.0-ea1
2381
2382**Ambassador 0.50.0-ea1 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.**
2383
2384### Ambassador 0.50.0 is not yet feature-complete. Limitations:
2385
2386- `RateLimitService` and `TracingService` resources are not currently supported.
2387- WebSockets are not currently supported.
2388- CORS is not currently supported.
2389- GRPC is not currently supported.
2390- TLS termination is not
2391- `statsd` integration has not been tested.
2392- The logs are very cluttered.
2393- Configuration directly from the filesystem isn’t supported.
2394- The diagnostics service cannot correctly drill down by source file, though it can drill down by route or other resources.
2395- Helm installation has not been tested.
2396- `AuthService` does not currently have full support for configuring headers to be sent to the extauth service. At present it sends all the headers listed in `allowed_headers` plus:
2397 - `Authorization`
2398 - `Cookie`
2399 - `Forwarded`
2400 - `From`
2401 - `Host`
2402 - `Proxy-Authenticate`
2403 - `Proxy-Authorization`
2404 - `Set-Cookie`
2405 - `User-Agent`
2406 - `X-Forwarded-For`
2407 - `X-Forwarded-Host`
2408 - `X-Forwarded`
2409 - `X-Gateway-Proto`
2410 - `WWW-Authenticate`
2411
2412### **BREAKING CHANGES** from 0.40.0
2413
2414- Configuration from a `ConfigMap` is no longer supported.
2415- The authentication `Module` is no longer supported; use `AuthService` instead (which you probably already were).
2416- External authentication now uses the core Envoy `envoy.ext_authz` filter, rather than the custom Datawire auth filter.
2417 - `ext_authz` speaks the same protocol, and your existing external auth services should work, however:
2418 - `ext_authz` does _not_ send all the request headers to the external auth service (see above in `Limitations`).
2419- Circuit breakers and outlier detection are not supported. They will be reintroduced in a later Ambassador release.
2420- Ambassador now _requires_ a TLS `Module` to enable TLS termination, where previous versions would automatically enable termation if the `ambassador-certs` secret was present. A minimal `Module` for the same behavior is:
2421
2422 ---
2423 kind: Module
2424 name: tls
2425 config:
2426 server:
2427 secret: ambassador-certs
2428
2429## [0.40.2] November 26, 2018
2430[0.40.2]: https://github.com/datawire/ambassador/compare/0.40.1...0.40.2
2431
2432### Minor changes:
2433- Feature: Support using environment variables to modify the configuration directory (thanks @n1koo!)
2434- Feature: In Helmfile, support `volumeMounts` (thanks @kyschouv!)
2435- Bugfix: In Helmfile, correctly quote `.Values.namespace.single` (thanks @bobby!)
2436- Bugfix: In Helmfile, correctly support `Nodeport` in HTTP and HTTPS (thanks @n1koo!)
2437
2438## [0.40.1] October 29, 2018
2439[0.40.1]: https://github.com/datawire/ambassador/compare/0.40.0...0.40.1
2440
2441### Minor changes:
2442- Feature: Support running Ambassador as a `Daemonset` via Helm (thanks @DipeshMitthalal!)
2443- Feature: Switch to Envoy commit 5f795fe2 to fix a crash if attempting to add headers after using an AuthService (#647, #680)
2444
2445## [0.40.0] September 25, 2018
2446[0.40.0]: https://github.com/datawire/ambassador/compare/0.39.0...0.40.0
2447
2448### Minor changes:
2449
2450- Feature: Allow users to override the `STATSD_HOST` value (#810). Thanks to @rsyvarth.
2451- Feature: Support LightStep distributed tracing (#796). Thanks to @alexgervais.
2452- Feature: Add service label in Helm chart (#778). Thanks to @sarce.
2453- Feature: Add support for load balancer IP in Helm chart (#765). Thanks to @larsha.
2454- Feature: Support prometheus mapping configurations (#746). Thanks to @bcatcho.
2455- Feature: Add support for `loadBalancerSourceRanges` to Helm chart (#764). Thanks to @mtbdeano.
2456- Feature: Support for namespaces and Ambassador ID in Helm chart (#588, #643). Thanks to @MichielDeMey and @jstol.
2457- Bugfix: Add AMBASSADOR_VERIFY_SSL_FALSE flag (#782, #807). Thanks to @sonrier.
2458- Bugfix: Fix Ambassador single namespace in Helm chart (#827). Thanks to @sarce.
2459- Bugfix: Fix Helm templates and default values (#826).
2460- Bugfix: Add `stats-sink` back to Helm chart (#763).
2461- Bugfix: Allow setting `timeout_ms` to 0 for gRPC streaming services (#545). Thanks to @lovers36.
2462- Bugfix: Update Flask to 0.12.3.
2463
2464## [0.39.0] August 30, 2018
2465[0.39.0]: https://github.com/datawire/ambassador/compare/0.38.0...0.39.0
2466
2467### Major Changes:
2468
2469- Bugfix: The statsd container has been removed by default in order to avoid DoSing Kubernetes DNS. The functionality can be re-enabled by setting the `STATSD_ENABLED` environment variable to `true` in the Ambassador deployment YAML (#568).
2470- Docs: Added detailed Ambassador + Istio Integration Documentation on monitoring and distributed tracing. - @feitnomore
2471
2472### Minor Changes:
2473
2474- Docs: Added instructions for running Ambassador with Docker Compose. - @bcatcho
2475- Bugfix: Fix Ambassador to more aggressively reconnect to Kubernetes (#554). - @nmatsui
2476- Feature: Diagnostic view displays AuthService, RateLimitService, and TracingService (#730). - @alexgervais
2477- Feature: Enable Ambassador to tag tracing spans with request headers via `tag_headers`. - @alexgervais
2478
2479## [0.38.0] August 08, 2018
2480[0.38.0]: https://github.com/datawire/ambassador/compare/0.37.0...0.38.0
2481
2482### Major changes:
2483- Feature: Default CORS configuration can now be set - @KowalczykBartek
2484- Bugfix: Ambassador does not crash with empty YAML config anymore - @rohan47
2485
2486### Minor changes:
2487- DevEx: `master` is now latest, `stable` tracks the latest released version
2488- DevEx: release-prep target added to Makefile to facilitate releasing process
2489- DevEx: all tests now run in parallel, consuming lesser time
2490- Bugfix: Ambassador SIGCHLD messages are less scary looking now
2491
2492## [0.37.0] July 31, 2018:
2493[0.37.0]: https://github.com/datawire/ambassador/compare/0.36.0...0.37.0
2494
2495### Major changes:
2496- Feature: Added support for request tracing (by Alex Gervais)
2497
2498## [0.36.0] July 26, 2018:
2499[0.36.0]: https://github.com/datawire/ambassador/compare/0.35.3...0.36.0
2500
2501### Major changes:
2502- Fix: HEAD requests no longer cause segfaults
2503- Feature: TLS can now be configured with arbitrary secret names, instead of predefined secrets
2504- Change: The Envoy dynamic header value `%CLIENT_IP%` is no longer supported. Use `%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%` instead. (This is due to a change in Envoy 1.7.0.)
2505
2506## [0.35.3] July 18, 2018: **READ THE WARNING ABOVE**
2507[0.35.3]: https://github.com/datawire/ambassador/compare/0.35.2...0.35.3
2508
2509### Changed
2510
2511Major changes:
2512- Ambassador is now based on Envoy v1.7.0
2513- Support for X-FORWARDED-PROTO based redirection, generally used with Layer 7 load balancers
2514- Support for port based redirection using `redirect_cleartext_from`, generally used with Layer 4 load balancers
2515- Specifying HTTP and HTTPS target ports in Helm chart
2516
2517Other changes:
2518- End-to-end tests can now be run with `make e2e` command
2519- Helm release automation has been fixed
2520- Mutliple end-to-end tests are now executed in parallel, taking lesser time
2521- Huge revamp to documentation around unit tests
2522- Documentation changes
2523
2524## [0.35.2] July 05, 2018: **READ THE WARNING ABOVE**
2525[0.35.2]: https://github.com/datawire/ambassador/compare/0.35.1...0.35.2
2526
2527### Changed
2528
2529- 0.35.2 is almost entirely about updates to Datawire testing infrastructure.
2530- The only user-visible change is that Ambassador will do a better job of showing which Kubernetes objects define Ambassador configuration objects when using `AMBASSADOR_ID` to run multiple Ambassadors in the same cluster.
2531
2532## [0.35.1] June 25, 2018: **READ THE WARNING ABOVE**
2533[0.35.1]: https://github.com/datawire/ambassador/compare/0.35.0...0.35.1
2534
2535### Changed
2536
2537- Properly support supplying additional TLS configuration (such as `redirect_cleartext_from`) when using certificates from a Kubernetes `Secret`
2538- Update Helm chart to allow customizing annotations on the deployed `ambassador` Kubernetes `Service` (thanks @psychopenguin!)
2539
2540## [0.35.0] June 25, 2018: **READ THE WARNING ABOVE**
2541[0.35.0]: https://github.com/datawire/ambassador/compare/0.34.3...0.35.0
2542
2543### Changed
2544
2545- 0.35.0 re-supports websockets, but see the **BREAKING NEWS** for an important caveat.
2546- 0.35.0 supports running as non-root. See the **BREAKING NEWS** above for more information.
2547- Make sure regex matches properly handle backslashes, and properly display in the diagnostics service (thanks @alexgervais!).
2548- Prevent kubewatch from falling into an endless spinloop (thanks @mechpen!).
2549- Support YAML array syntax for CORS array elements.
2550
2551## [0.34.3] June 13, 2018: **READ THE WARNING ABOVE**
2552[0.34.3]: https://github.com/datawire/ambassador/compare/0.34.2...0.34.3
2553
2554### Changed
2555
2556- **0.34.3 cannot support websockets**: see the **WARNING** above.
2557- Fix a possible crash if no annotations are found at all (#519).
2558- Improve logging around service watching and such.
2559
2560## [0.34.2] June 11, 2018: **READ THE WARNING ABOVE**
2561[0.34.2]: https://github.com/datawire/ambassador/compare/0.34.1...0.34.2
2562
2563### Changed
2564
2565- **0.34.2 cannot support websockets**: see the **WARNING** above.
2566- Ambassador is now based on Envoy 1.6.0!
2567- Ambassador external auth services can now modify existing headers in place, as well as adding new headers.
2568- Re-support the `ambassador-cacert` secret for configuring TLS client-certificate authentication. **Note well** that a couple of things have changed in setting this up: you'll use the key `tls.crt`, not `fullchain.pem`. See https://www.getambassador.io/reference/auth-tls-certs for more.
2569
2570## [0.34.1] June 04, 2018
2571[0.34.1]: https://github.com/datawire/ambassador/compare/0.34.0...0.34.1
2572
2573### Bugfixes
2574
2575- Unbuffer log output for better diagnostics.
2576- Switch to gunicorn instead of Werkzeug for the diag service.
2577- Use the YAML we release as the basis for end-to-end testing.
2578
2579## [0.34.0] May 16, 2018
2580[0.34.0]: https://github.com/datawire/ambassador/compare/0.33.1...0.34.0
2581
2582### Changed
2583
2584- When originating TLS, use the `host_rewrite` value to set outgoing SNI. If no `host_rewrite` is set, do not use SNI.
2585- Allow disabling external access to the diagnostics service (with thanks to @alexgervais and @dougwilson).
2586
2587## [0.33.1] May 16, 2018
2588[0.33.1]: https://github.com/datawire/ambassador/compare/0.33.0...0.33.1
2589
2590### Changed
2591
2592- Fix YAML error on statsd pod.
2593
2594## [0.33.0] May 14, 2018
2595[0.33.0]: https://github.com/datawire/ambassador/compare/v0.32.2...0.33.0
2596
2597### Changed
2598
2599- Fix support for `host_redirect` in a `Mapping`. **See the `Mapping` documentation** for more details: the definition of the `host_redirect` attribute has changed.
2600
2601## [0.32.2] May 02, 2018
2602[0.32.2]: https://github.com/datawire/ambassador/compare/v0.32.0...v0.32.2
2603
2604(Note that 0.32.1 was an internal release.)
2605
2606### Changed
2607
2608- Fix a bad bootstrap CSS inclusion that would cause the diagnostic service to render incorrectly.
2609
2610## [0.32.0] April 27, 2018
2611[0.32.0]: https://github.com/datawire/ambassador/compare/v0.31.0...v0.32.0
2612
2613### Changed
2614
2615- Traffic shadowing is supported using the `shadow` attribute in a `Mapping`
2616- Multiple Ambassadors can now run more happily in a single cluster
2617- The diagnostic service will now show you what `AuthService` configuration is active
2618- The `tls` keyword now works for `AuthService` just like it does for `Mapping` (thanks @dvavili!)
2619
2620## [0.31.0] April 12, 2018
2621[0.31.0]: https://github.com/datawire/ambassador/compare/v0.30.2...v0.31.0
2622
2623### Changed
2624
2625- Rate limiting is now supported (thanks, @alexgervais!) See the docs for more detail here.
2626- The `statsd` container has been quieted down yet more (thanks again, @alexgervais!).
2627
2628## [0.30.2] March 26, 2018
2629[0.30.2]: https://github.com/datawire/ambassador/compare/v0.30.1...v0.30.2
2630
2631### Changed
2632
2633- drop the JavaScript `statsd` for a simple `socat`-based forwarder
2634- ship an Ambassador Helm chart (thanks @stefanprodan!)
2635 - Interested in testing Helm? See below!
2636- disable Istio automatic sidecar injection (thanks @majelbstoat!)
2637- clean up some doc issues (thanks @lavoiedn and @endrec!)
2638
2639To test Helm, make sure you have `helm` installed and that you have `tiller` properly set up for your RBAC configuration. Then:
2640
2641```
2642helm repo add datawire https://www.getambassador.io
2643
2644helm upgrade --install --wait my-release datawire/ambassador
2645```
2646
2647You can also use `adminService.type=LoadBalancer`.
2648
2649## [0.30.1] March 26, 2018
2650[0.30.1]: https://github.com/datawire/ambassador/compare/v0.30.0...v0.30.1
2651
2652### Fixed
2653
2654- The `tls` module is now able to override TLS settings probed from the `ambassador-certs` secret
2655
2656## [0.30.0] March 23, 2018
2657[0.30.0]: https://github.com/datawire/ambassador/compare/v0.29.0...v0.30.0
2658
2659### Changed
2660
2661- Support regex matching for `prefix` (thanks @radu-c!)
2662- Fix docs around `AuthService` usage
2663
2664## [0.29.0] March 15, 2018
2665[0.29.0]: https://github.com/datawire/ambassador/compare/v0.28.2...v0.29.0
2666
2667### Changed
2668
2669- Default restart timings have been increased. **This will cause Ambassador to respond to service changes less quickly**; by default, you'll see changes appear within 15 seconds.
2670- Liveness and readiness checks are now enabled after 30 seconds, rather than 3 seconds, if you use our published YAML.
2671- The `statsd` container is now based on `mhart/alpine-node:9` rather than `:7`.
2672- `envoy_override` has been reenabled in `Mapping`s.
2673
2674## [0.28.1] March 05, 2018 (and [0.28.0] on March 02, 2018)
2675[0.28.1]: https://github.com/datawire/ambassador/compare/v0.26.0...v0.28.1
2676[0.28.0]: https://github.com/datawire/ambassador/compare/v0.26.0...v0.28.1
2677
2678(Note that 0.28.1 is identical to 0.28.0, and 0.27.0 was an internal release. These are related to the way CI generates tags, which we'll be revamping soon.)
2679
2680### Changed
2681
2682- Support tuning Envoy restart parameters
2683- Support `host_regex`, `method_regex`, and `regex_headers` to allow regular expression matches in `Mappings`
2684- Support `use_proxy_proto` and `use_remote_address` in the `ambassador` module
2685- Fine-tune the way we sort a `Mapping` based on its constraints
2686- Support manually setting the `precedence` of a `Mapping`, so that there's an escape hatch when the automagic sorting gets it wrong
2687- Expose `alpn_protocols` in the `tls` module (thanks @technicianted!)
2688- Make logs a lot quieter
2689- Reorganize and update documentation
2690- Make sure that `ambassador dump --k8s` will work correctly
2691- Remove a dependency on a `ConfigMap` for upgrade checks
2692
2693## [0.26.0] February 13, 2018
2694[0.26.0]: https://github.com/datawire/ambassador/compare/v0.25.0...v0.26.0
2695
2696### Changed
2697
2698- The `authentication` module is deprecated in favor of the `AuthService` resource type.
2699- Support redirecting cleartext connections on port 80 to HTTPS on port 443
2700- Streamline end-to-end tests and, hopefully, allow them to work well without Kubernaut
2701- Clean up some documentation (thanks @lavoiedn!)
2702
2703## [0.25.0] February 06, 2018
2704[0.25.0]: https://github.com/datawire/ambassador/compare/v0.23.0...v0.25.0
2705
2706(Note that 0.24.0 was an internal release.)
2707
2708### Changed
2709
2710- CORS support (thanks @alexgervais!)
2711- Updated docs for
2712 - GKE
2713 - Ambassador + Istio
2714 - Ordering of `Mappings`
2715 - Prometheus with Ambassador
2716- Support multiple external authentication service instances, so that canarying `extauth` services is possible
2717- Correctly support `timeout_ms` in a `Mapping`
2718- Various build tweaks and end-to-end test speedups
2719
2720## [0.23.0] January 17, 2018
2721[0.23.0]: https://github.com/datawire/ambassador/compare/v0.22.0...v0.23.0
2722
2723### Changed
2724
2725- Clean up build docs (thanks @alexgervais!)
2726- Support `add_request_headers` for, uh, adding requests headers (thanks @alexgervais!)
2727- Make end-to-end tests and Travis build process a bit more robust
2728- Pin to Kubernaut 0.1.39
2729- Document the use of the `develop` branch
2730- Don't default to `imagePullAlways`
2731- Switch to Alpine base with a stripped Envoy image
2732
2733## [0.22.0] January 17, 2018
2734[0.22.0]: https://github.com/datawire/ambassador/compare/v0.21.1...v0.22.0
2735
2736### Changed
2737
2738- Switched to using `quay.io` rather than DockerHub. **If you are not using Datawire's published Kubernetes manifests, you will have to update your manifests!**
2739- Switched to building over Alpine rather than Ubuntu. (We're still using an unstripped Envoy; that'll change soon.)
2740- Switched to a proper production configuration for the `statsd` pod, so that it hopefully chews up less memory.
2741- Make sure that Ambassador won't generate cluster names that are too long for Envoy.
2742- Fix a bug where Ambassador could crash if there were too many egregious errors in its configuration.
2743
2744## [0.21.1] January 11, 2018
2745[0.21.1]: https://github.com/datawire/ambassador/compare/v0.21.0...v0.21.1
2746
2747### Changed
2748
2749- Ambassador will no longer generate cluster names that exceed Envoy's 60-character limit.
2750
2751## [0.21.0] January 03, 2018
2752[0.21.0]: https://github.com/datawire/ambassador/compare/v0.20.1...v0.21.0
2753
2754### Changed
2755
2756- If `AMBASSADOR_SINGLE_NAMESPACE` is present in the environment, Ambassador will only look for services in its own namespace.
2757- Ambassador `Mapping` objects now correctly support `host_redirect`, `path_redirect`, `host_rewrite`, `auto_host_rewrite`, `case_sensitive`, `use_websocket`, `timeout_ms`, and `priority`.
2758
2759## [0.20.1] December 22, 2017
2760[0.20.1]: https://github.com/datawire/ambassador/compare/v0.20.0...v0.20.1
2761
2762### Changed
2763
2764- If Ambassador finds an empty YAML document, it will now ignore it rather than raising an exception.
2765- Includes the namespace of a service from an annotation in the name of its generated YAML file.
2766- Always process inputs in the same order from run to run.
2767
2768## [0.20.0] December 18, 2017
2769[0.20.0]: https://github.com/datawire/ambassador/compare/v0.19.2...v0.20.0
2770
2771### Changed
2772
2773- Switch to Envoy 1.5 under the hood.
2774- Refocus the diagnostic service to better reflect what's actually visible when you're working at Ambassador's level.
2775- Allow the diagnostic service to display, and change, the Envoy log level.
2776
2777## [0.19.2] December 12, 2017
2778[0.19.2]: https://github.com/datawire/ambassador/compare/v0.19.1...v0.19.2
2779
2780### Changed
2781
2782- Arrange for logs from the subsystem that watches for Kubernetes service changes (kubewatch) to have timestamps and such.
2783- Only do new-version checks every four hours.
2784
2785## [0.19.1] December 04, 2017
2786[0.19.1]: https://github.com/datawire/ambassador/compare/v0.19.0...v0.19.1
2787
2788### Changed
2789
2790- Allow the diag service to look good (well, OK, not too horrible anyway) when Ambassador is running with TLS termination.
2791- Show clusters on the overview page again.
2792- The diag service now shows you the "health" of a cluster by computing it from the number of requests to a given service that didn't involve a 5xx status code, rather than just forwarding Envoy's stat, since we don't configure Envoy's stat in a meaningful way yet.
2793- Make sure that the tests correctly reported failures (sigh).
2794- Allow updating out-of-date diagnostic reports without requiring multiple test runs.
2795
2796## [0.19.0] November 30, 2017
2797[0.19.0]: https://github.com/datawire/ambassador/compare/v0.18.2...v0.19.0
2798
2799### Changed
2800
2801- Ambassador can now use HTTPS upstream services: just use a `service` that starts with `https://` to enable it.
2802 - By default, Ambassador will not offer a certificate when using HTTPS to connect to a service, but it is possible to configure certificates. Please [contact us on Slack](https://d6e.co/slack) if you need to do this.
2803- HTTP access logs appear in the normal Kubernetes logs for Ambassador.
2804- It’s now possible to tell `ambassador config` to read Kubernetes manifests from the filesystem and build a configuration from the annotations in them (use the `--k8s` switch).
2805- Documentation on using Ambassador with Istio now reflects Ambassador 0.19.0 and Istio 0.2.12.
2806
2807## [0.18.2] November 28, 2017
2808[0.18.2]: https://github.com/datawire/ambassador/compare/v0.18.0...v0.18.2
2809
2810### Changed
2811
2812- The diagnostics service will now tell you when updates are available.
2813
2814## [0.18.0] November 20, 2017
2815[0.18.0]: https://github.com/datawire/ambassador/compare/v0.17.0...v0.18.0
2816
2817### Changed
2818
2819- The Host header is no longer overwritten when Ambassador talks to an external auth service. It will now retain whatever value the client passes there.
2820
2821### Fixed
2822
2823- Checks for updates weren’t working, and they have been restored. At present you’ll only see them in the Kubernetes logs if you’re using annotations to configure Ambassador — they’ll start showing up in the diagnostics service in the next release or so.
2824
2825## [0.17.0] November 14, 2017
2826[0.17.0]: https://github.com/datawire/ambassador/compare/v0.16.0...v0.17.0
2827
2828### Changed
2829
2830- Allow Mappings to require matches on HTTP headers and `Host`
2831- Update tests, docs, and diagnostic service for header matching
2832
2833### Fixed
2834
2835- Published YAML resource files will no longer overwrite annotations on the Ambassador `service` when creating the Ambassador `deployment`
2836
2837## [0.16.0] November 10, 2017
2838[0.16.0]: https://github.com/datawire/ambassador/compare/v0.15.0...v0.16.0
2839
2840### Changed
2841
2842- Support configuring Ambassador via `annotations` on Kubernetes `service`s
2843- No need for volume mounts! Ambassador can read configuration and TLS-certificate information directly from Kubernetes to simplify your Kubernetes YAML
2844- Expose more configuration elements for Envoy `route`s: `host_redirect`, `path_redirect`, `host_rewrite`, `auto_host_rewrite`, `case_sensitive`, `use_websocket`, `timeout_ms`, and `priority` get transparently copied
2845
2846### Fixed
2847
2848- Reenable support for gRPC
2849
2850## [0.15.0] October 16, 2017
2851[0.15.0]: https://github.com/datawire/ambassador/compare/v0.14.2...v0.15.0
2852
2853### Changed
2854
2855- Allow `docker run` to start Ambassador with a simple default configuration for testing
2856- Support `host_rewrite` in mappings to force the HTTP `Host` header value for services that need it
2857- Support `envoy_override` in mappings for odd situations
2858- Allow asking the diagnostic service for JSON output rather than HTML
2859
2860## [0.14.2] October 12, 2017
2861[0.14.2]: https://github.com/datawire/ambassador/compare/v0.14.0...v0.14.2
2862
2863### Changed
2864
2865- Allow the diagnostic service to show configuration errors.
2866
2867## [0.14.0] October 05, 2017
2868[0.14.0]: https://github.com/datawire/ambassador/compare/v0.13.0...v0.14.0
2869
2870### Changed
2871
2872- Have a diagnostic service!
2873- Support `cert_required` in TLS config
2874
2875## [0.13.0] September 25, 2017
2876[0.13.0]: https://github.com/datawire/ambassador/compare/v0.12.1...v0.13.0
2877
2878### Changed
2879
2880- Support using IP addresses for services.
2881- Check for collisions, so that trying to e.g. map the same prefix twice will report an error.
2882- Enable liveness and readiness probes, and have Kubernetes perform them by default.
2883- Document the presence of the template-override escape hatch.
2884
2885## [0.12.1] September 22, 2017
2886[0.12.1]: https://github.com/datawire/ambassador/compare/v0.12.0...v0.12.1
2887
2888### Changed
2889
2890- Notify (in the logs) if a new version of Ambassador is available.
2891
2892## [0.12.0] September 21, 2017
2893[0.12.0]: https://github.com/datawire/ambassador/compare/v0.11.2...v0.12.0
2894
2895### Changed
2896
2897- Support for non-default Kubernetes namespaces.
2898- Infrastructure for checking if a new version of Ambassador is available.
2899
2900## [0.11.2] September 20, 2017
2901[0.11.2]: https://github.com/datawire/ambassador/compare/v0.11.1...v0.11.2
2902
2903### Changed
2904
2905- Better schema verification.
2906
2907## [0.11.1] September 18, 2017
2908[0.11.1]: https://github.com/datawire/ambassador/compare/v0.11.0...v0.11.1
2909
2910### Changed
2911
2912- Do schema verification of input YAML files.
2913
2914## [0.11.0] September 18, 2017
2915[0.11.0]: https://github.com/datawire/ambassador/compare/v0.10.14...v0.11.0
2916
2917### Changed
2918
2919- Declarative Ambassador! Configuration is now via YAML files rather than REST calls
2920- The `ambassador-store` service is no longer needed.
2921
2922## [0.10.14] September 15, 2017
2923[0.10.14]: https://github.com/datawire/ambassador/compare/v0.10.13...v0.10.14
2924
2925### Fixed
2926
2927- Update `demo-qotm.yaml` with the correct image tag.
2928
2929## [0.10.13] September 05, 2017
2930[0.10.13]: https://github.com/datawire/ambassador/compare/v0.10.12...v0.10.13
2931
2932### Changed
2933
2934- Properly support proxying all methods to an external authentication service, with headers intact, rather than moving request headers into the body of an HTTP POST.
2935
2936## [0.10.12] August 02, 2017
2937[0.10.12]: https://github.com/datawire/ambassador/compare/v0.10.10...v0.10.12
2938
2939### Changed
2940
2941- Make TLS work with standard K8s TLS secrets, and completely ditch push-cert and push-cacert.
2942
2943### Fixed
2944
2945- Move Ambassador out from behind Envoy, so that you can use Ambassador to fix things if you completely botch your Envoy config.
2946- Let Ambassador keep running if Envoy totally chokes and dies, but make sure the pod dies if Ambassador loses access to its storage.
2947
2948## [0.10.10] August 01, 2017
2949[0.10.10]: https://github.com/datawire/ambassador/compare/v0.10.7...v0.10.10
2950
2951### Fixed
2952
2953- Fix broken doc paths and simplify building as a developer. 0.10.8, 0.10.9, and 0.10.10 were all stops along the way to getting this done; hopefully we'll be able to reduce version churn from here on out.
2954
2955## [0.10.7] July 25, 2017
2956[0.10.7]: https://github.com/datawire/ambassador/compare/v0.10.6...v0.10.7
2957
2958### Changed
2959- More CI-build tweaks.
2960
2961## [0.10.6] July 25, 2017
2962[0.10.6]: https://github.com/datawire/ambassador/compare/v0.10.5...v0.10.6
2963
2964### Changed
2965- Fix automagic master build tagging
2966
2967## [0.10.5] July 25, 2017
2968[0.10.5]: https://github.com/datawire/ambassador/compare/v0.10.1...v0.10.5
2969
2970### Changed
2971- Many changes to the build process and versioning. In particular, CI no longer has to commit files.
2972
2973## [0.10.1] July 03, 2017
2974[0.10.1]: https://github.com/datawire/ambassador/compare/v0.10.0...v0.10.1
2975
2976### Added
2977- Changelog
2978
2979
2980## [0.10.0] June 30, 2017
2981[0.10.0]: https://github.com/datawire/ambassador/compare/v0.9.1...v0.10.0
2982[grpc-0.10.0]: https://github.com/datawire/ambassador/blob/v0.10.0/docs/user-guide/grpc.md
2983
2984### Added
2985- Ambassador supports [GRPC services][grpc-0.10.0] (and other HTTP/2-only services) using the GRPC module
2986
2987### Fixed
2988- Minor typo in Ambassador's `Dockerfile` that break some versions of Docker
2989
2990
2991## [0.9.1] June 28, 2017
2992[0.9.1]: https://github.com/datawire/ambassador/compare/v0.9.0...v0.9.1
2993[building-0.9.1]: https://github.com/datawire/ambassador/blob/v0.9.1/BUILDING.md
2994
2995### Changed
2996- Made development a little easier by automating dev version numbers so that modified Docker images update in Kubernetes
2997- Updated [`BUILDING.md`][building-0.9.1]
2998
2999
3000## [0.9.0] June 23, 2017
3001[0.9.0]: https://github.com/datawire/ambassador/compare/v0.8.12...v0.9.0
3002[start-0.9.0]: https://github.com/datawire/ambassador/blob/v0.9.0/docs/user-guide/getting-started.md
3003[concepts-0.9.0]: https://github.com/datawire/ambassador/blob/v0.9.0/docs/user-guide/mappings.md
3004
3005### Added
3006- Ambassador supports HTTP Basic Auth
3007- Ambassador now has the concept of _modules_ to enable and configure optional features such as auth
3008- Ambassador now has the concept of _consumers_ to represent end-users of mapped services
3009- Ambassador supports auth via an external auth server
3010
3011Basic auth is covered in [Getting Started][start-0.9.0]. Learn about modules and consumers and see an example of external auth in [About Mappings, Modules, and Consumers][concepts-0.9.0].
3012
3013### Changed
3014- State management (via Ambassador store) has been refactored
3015- Switched to [Ambassador-Envoy] for the base Docker image
3016
3017
3018## [0.8.12] June 07, 2017
3019[0.8.12]: https://github.com/datawire/ambassador/compare/v0.8.11...v0.8.12
3020
3021### Added
3022- Mappings can now be updated
3023
3024
3025## [0.8.11] May 24, 2017
3026[0.8.11]: https://github.com/datawire/ambassador/compare/v0.8.10...v0.8.11
3027[istio-0.8.11]: https://github.com/datawire/ambassador/blob/v0.8.11/docs/user-guide/with-istio.md
3028[stats-0.8.11]: https://github.com/datawire/ambassador/blob/v0.8.11/docs/user-guide/statistics.md
3029
3030### Added
3031- Ambassador interoperates with [Istio] -- see [Ambassador and Istio][istio-0.8.11]
3032- There is additional documentation for [statistics and monitoring][stats-0.8.11]
3033
3034### Fixed
3035- Bug in mapping change detection
3036- Release machinery issues
3037
3038
3039## [0.8.6] May 05, 2017
3040[0.8.6]: https://github.com/datawire/ambassador/compare/v0.8.5...v0.8.6
3041
3042### Added
3043- Ambassador releases are now performed by Travis CI
3044
3045
3046## [0.8.2] May 04, 2017
3047[0.8.2]: https://github.com/datawire/ambassador/compare/v0.8.1...v0.8.2
3048
3049### Changed
3050- Documentation updates
3051
3052
3053## [0.8.0] May 02, 2017
3054[0.8.0]: https://github.com/datawire/ambassador/compare/v0.7.0...v0.8.0
3055[client-tls-0.8.0]: https://github.com/datawire/ambassador/blob/v0.8.0/README.md#using-tls-for-client-auth
3056
3057### Added
3058- [Ambassador has a website!][Ambassador]
3059- Ambassador supports auth via [TLS client certificates][client-tls-0.8.0]
3060- There are some additional helper scripts in the `scripts` directory
3061
3062### Changed
3063- Ambassador's admin interface is now on local port 8888 while mappings are available on port 80/443 depending on whether TLS is enabled
3064- Multiple instances of Ambassador talking to the same Ambassador Store pod will pick up each other's changes automatically
3065
3066
3067## [0.7.0] May 01, 2017
3068[0.7.0]: https://github.com/datawire/ambassador/compare/v0.6.0...v0.7.0
3069[start-0.7.0]: https://github.com/datawire/ambassador/blob/v0.7.0/README.md#mappings
3070
3071### Added
3072- Ambassador can rewrite the request URL path prefix before forwarding the request to your service (covered in [Getting Started][start-0.7.0])
3073- Ambassador supports additional stats aggregators: Datadog, Grafana
3074
3075### Changed
3076- _Services_ are now known as _mappings_
3077- Minikube is supported again
3078
3079
3080## [0.6.0] April 28, 2017
3081[0.6.0]: https://github.com/datawire/ambassador/compare/v0.5.2...v0.6.0
3082
3083### Removed
3084- The Ambassador SDS has been removed; Ambassador routes to service names
3085
3086
3087## [0.5.2] April 26, 2017
3088[0.5.2]: https://github.com/datawire/ambassador/compare/v0.5.0...v0.5.2
3089
3090### Added
3091- Ambassador includes a local `statsd` so that full stats from Envoy can be collected and pushed to a stats aggregator (Prometheus is supported)
3092
3093### Changed
3094- It's easier to develop Ambassador thanks to improved build documentation and `Makefile` fixes
3095
3096
3097## [0.5.0] April 13, 2017
3098[0.5.0]: https://github.com/datawire/ambassador/compare/v0.4.0...v0.5.0
3099
3100### Added
3101- Ambassador supports inbound TLS
3102- YAML for a demo user service is now included
3103
3104### Changed
3105- The `geturl` script supports Minikube and handles AWS better
3106- Documentation and code cleanup
3107
3108
3109## [0.4.0] April 07, 2017
3110[0.4.0]: https://github.com/datawire/ambassador/compare/v0.3.3...v0.4.0
3111
3112### Changed
3113- Ambassador now reconfigures Envoy automatically once changes have settled for five seconds
3114- Envoy stats and Ambassador stats are separate
3115- Mappings no longer require specifying the port as it is not needed
3116
3117### Fixed
3118- SDS does the right thing with unnamed ports
3119
3120
3121## [0.3.1] April 06, 2017
3122[0.3.1]: https://github.com/datawire/ambassador/compare/v0.3.0...v0.3.1
3123
3124### Added
3125- Envoy stats accessible through Ambassador
3126- Basic interpretation of cluster stats
3127
3128### Changed
3129- Split up `ambassador.py` into multiple files
3130- Switch to a debug build of Envoy
3131
3132
3133## [0.1.9] April 03, 2017
3134[0.1.9]: https://github.com/datawire/ambassador/compare/v0.1.8...v0.1.9
3135
3136### Changed
3137- Ambassador configuration on `/ambassador-config/` prefix rather than exposed on port 8001
3138- Updated to current Envoy and pinned the Envoy version
3139- Use Bumpversion for version management
3140- Conditionalized Docker push
3141
3142### Fixed
3143- Ambassador keeps running with an empty services list (part 2)
3144
3145
3146## [0.1.5] March 31, 2017
3147[0.1.5]: https://github.com/datawire/ambassador/compare/v0.1.4...v0.1.5
3148
3149### Fixed
3150- Ambassador SDS correctly handles ports
3151
3152
3153## [0.1.4] March 31, 2017
3154[0.1.4]: https://github.com/datawire/ambassador/compare/v0.1.3...v0.1.4
3155
3156### Changed
3157- Ambassador keeps running with an empty services list
3158- Easier to run with [Telepresence]
3159
3160
3161## [0.1.3] March 31, 2017
3162[0.1.3]: https://github.com/datawire/ambassador/compare/82ed5e4...v0.1.3
3163
3164### Added
3165- Initial Ambassador
3166- Ambassador service discovery service
3167- Documentation
3168
3169
3170Based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). Ambassador follows [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
3171
3172[Ambassador]: https://www.getambassador.io/
3173[Ambassador-Envoy]: https://github.com/datawire/ambassador-envoy
3174[Telepresence]: http://telepresence.io
3175[Istio]: https://istio.io/
View as plain text