# -*- fill-column: 100 -*-
# This file should be placed in the folder for the version of the
# product that's meant to be documented. A `/release-notes` page will
# be automatically generated and populated at build time.
#
# Note that an entry needs to be added to the `doc-links.yml` file in
# order to surface the release notes in the table of contents.
#
# The YAML in this file should contain:
#
# changelog: An (optional) URL to the CHANGELOG for the product.
# items: An array of releases with the following attributes:
# - version: The (optional) version number of the release, if applicable.
# - date: The date of the release in the format YYYY-MM-DD.
# - notes: An array of noteworthy changes included in the release, each having the following attributes:
# - type: The type of change, one of `bugfix`, `feature`, `security` or `change`.
# - title: A short title of the noteworthy change.
# - body: >-
# Two or three sentences describing the change and why it
# is noteworthy. This is HTML, not plain text or
# markdown. It is handy to use YAML's ">-" feature to
# allow line-wrapping.
# - image: >-
# The URL of an image that visually represents the
# noteworthy change. This path is relative to the
# `release-notes` directory; if this file is
# `FOO/releaseNotes.yml`, then the image paths are
# relative to `FOO/release-notes/`.
# - docs: The path to the documentation page where additional information can be found.
# - href: A path from the root to a resource on the getambassador website, takes precedence over a docs link.
changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md
items:
- version: 2.5.1
date: '2022-12-08'
notes:
- title: Re-add support for getambassador.io/v1
type: feature
body: >-
Support for the getambassador.io/v1 apiVersion has been re-introduced, in
order to facilitate smoother migrations from $productName$ 1.y. Previously, in order to
make migrations possible, an "unserved" v1 version was declared to
Kubernetes, but was unsupported by $productName$. That unserved v1 could
cause an excess of errors to be logged by the Kubernetes Nodes (regardless of whether the
installation was migrated from 1.y or was a fresh 2.y install); fully supporting
v1 again should resolve these errors.
- title: Update Golang to 1.19.4
type: security
body: >-
Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release.
CVE-2022-41720 only affects Windows environments and $productName$ runs in linux. The second one
CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients. $productName$ does
not expose any Golang http servers to outside clients. The data-plane of Envoy
is not affected by either of these.
- title: Update Golang to 1.19.3
type: security
body: >-
Updated Golang to the latest z patch. We are not vulnerable to the CVE-2022-3602 that was
released in 1.19.3 and you can read more about it here: .
Updating to the latest z patch as part of our normal dependency update process
and this will help reduce the noise of security scanners.
- version: 2.5.0
date: '2022-11-03'
notes:
- title: Diagnostics stats properly handles parsing envoy metrics with colons
type: bugfix
body: >-
If a Host or TLSContext contained a hostname with a : then when using the
diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not
being able to handle the extra colon. This has been fixed and $productName$ will not throw an error when parsing
envoy metrics for the diagnostics user interface.
- title: Bump Golang to 1.19.2
type: security
body: >-
Bump Go from 1.17.12 to 1.19.2. This is to keep the Go version current.
- version: 2.4.0
date: '2022-09-19'
prevVersion: 2.3.2
notes:
- title: Add support for Host resources using secrets from different namespaces
type: feature
body: >-
Previously the Host resource could only use secrets that are in the namespace as the
Host. The tlsSecret field in the Host has a new subfield namespace that will allow
the use of secrets from different namespaces.
- title: Allow bypassing of EDS for manual endpoint insertion
type: change
body: >-
Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to
a delay between EDS + CDS. The default is `false`.
- title: Properly populate alt_state_name for Tracing, Auth and RateLimit Services
type: bugfix
body: >-
Previously, setting the stats_name for the TracingService, RateLimitService
or the AuthService would have no affect because it was not being properly passed to the Envoy cluster
config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly.
(Thanks to Paul!)
- title: Add support for config change batch window before reconfiguring Envoy
type: feature
body: >-
The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified
non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.
- title: TCPMappings use correct SNI configuration
type: bugfix
body: >-
$productName$ 2.0.0 introduced a bug where a TCPMapping that uses SNI,
instead of using the hostname glob in the TCPMapping, uses the hostname glob
in the Host that the TLS termination configuration comes from.
- title: TCPMappings configure TLS termination without a Host resource
type: bugfix
body: >-
$productName$ 2.0.0 introduced a bug where a TCPMapping that terminates TLS
must have a corresponding Host that it can take the TLS configuration from.
This was semi-intentional, but didn't make much sense. You can now use a
TLSContext without a Hostas in $productName$ 1.y releases, or a
Host with or without a TLSContext as in prior 2.y releases.
- title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS
type: bugfix
body: >-
Prior releases of $productName$ had the arbitrary limitation that a
TCPMapping cannot be used on the same port that HTTP is served on, even if
TLS+SNI would make this possible. $productName$ now allows TCPMappings to be
used on the same Listener port as HTTP Hosts, as long as that
Listener terminates TLS.
- version: 1.14.5
date: 'TBD'
notes:
- title: When using gzip, upstreams will no longer receive encoded data
type: bugfix
body: >-
When using gzip compression, upstream services will no longer receive compressed
data. This bug was introduced in 1.14.0. The fix restores the default behavior of
not sending compressed data to upstream services.
github:
- title: 3818
link: https://github.com/emissary-ingress/emissary/issues/3818
docs: https://github.com/emissary-ingress/emissary/issues/3818
- version: 2.3.2
date: '2022-08-01'
prevVersion: 2.3.1
notes:
- title: Fix regression in the agent for the metrics transfer.
type: bugfix
body: >-
A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
that all the nodes composing the emissary ingress cluster are reporting properly.
- title: Update Golang to 1.17.12
type: security
body: >-
Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
CVE-2022-24921, CVE-2022-23772.
- title: Update Curl to 7.80.0-r2
type: security
body: >-
Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
CVE-2022-27780.
- title: Update openSSL-dev to 1.1.1q-r0
type: security
body: >-
Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
- title: Update ncurses to 1.1.1q-r0
type: security
body: >-
Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
- version: 1.14.4
date: '2022-06-13'
notes:
- title: Envoy security updates
type: security
body: >-
We have backported patches from the Envoy 1.19.5 security update to $productName$'s
1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not
affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal
redirects, and does not use Envoy's built-in OAuth2 filter.
docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
- version: 2.3.1
date: '2022-06-09'
notes:
- title: fix regression in tracing service config
type: bugfix
body: >-
A regression was introduced in 2.3.0 that leaked zipkin default config fields into the configuration
for the other drivers (lightstep, etc...). This caused $productName$ to crash on startup. This issue has been resolved
to ensure that the defaults are only applied when driver is zipkin
github:
- title: "#4267"
link: https://github.com/emissary-ingress/emissary/issues/4267
- title: Envoy security updates
type: security
body: >-
We have backported patches from the Envoy 1.19.5 security update to $productName$'s
1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not
affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal
redirects, and does not use Envoy's built-in OAuth2 filter.
docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
- version: 2.3.0
date: '2022-06-06'
notes:
- title: Remove unused packages
type: security
body: >-
Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.
- title: Allow setting propagation modes for Lightstep tracing
type: feature
body: >-
It is now possible to set propagation_modes in the
TracingService config when using lightstep as the driver.
(Thanks to Paul!)
github:
- title: "#4179"
link: https://github.com/emissary-ingress/emissary/pull/4179
- title: Added support for TLS certificate revocation list
type: feature
body: >-
It is now possible to set `crl_secret` in `Host` and `TLSContext` resources
to check peer certificates against a certificate revocation list.
github:
- title: "#1743"
link: https://github.com/emissary-ingress/emissary/issues/1743
- title: Added support for the LogService v3 transport protocol
type: feature
body: >-
Previously, a LogService would always have $productName$ communicate with the
external log service using the envoy.service.accesslog.v2.AccessLogService
API. It is now possible for the LogService to specify
protocol_version: v3 to use the newer
envoy.service.accesslog.v3.AccessLogService API instead. This functionality
is not available if you set the AMBASSADOR_ENVOY_API_VERSION=V2 environment
variable.
- title: CORS now happens before auth
type: bugfix
body: >-
When CORS is specified (either in a Mapping or in the Ambassador
Module), CORS processing will happen before authentication. This corrects a
problem where XHR to authenticated endpoints would fail.
- title: Correctly handle caching of Mappings with the same name in different namespaces
type: bugfix
body: >-
In 2.x releases of $productName$ when there are multiple Mappings that have the same
metadata.name across multiple namespaces, their old config would not properly be removed
from the cache when their config was updated. This resulted in an inability to update configuration
for groups of Mappings that share the same name until the $productName$ pods restarted.
- title: Fix support for Zipkin API-v1 with Envoy xDS-v3
type: bugfix
body: >-
It is now possible for a TracingService to specify
collector_endpoint_version: HTTP_JSON_V1 when using xDS v3 to configure Envoy
(which has been the default since $productName$ 1.14.0). The HTTP_JSON_V1
value configures Envoy to speak to Zipkin using Zipkin's old API-v1, while the
HTTP_JSON value configures Envoy to speak to Zipkin using Zipkin's new
API-v2. In previous versions of $productName$ it was only possible to use
HTTP_JSON_V1 when explicitly setting the
AMBASSADOR_ENVOY_API_VERSION=V2 environment variable to force use of xDS v2
to configure Envoy.
- version: 2.2.2
date: '2022-02-25'
prevVersion: 2.2.1
notes:
- title: TLS Secret validation is now opt-in
type: change
body: >-
You may now choose to enable TLS Secret validation by setting the
AMBASSADOR_FORCE_SECRET_VALIDATION=true environment variable. The default configuration does not
enforce secret validation.
- title: Correctly validate EC (Elliptic Curve) Private Keys
type: bugfix
body: >-
Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now properly validated.
github:
- title: 4134
link: https://github.com/emissary-ingress/emissary/issues/4134
docs: https://github.com/emissary-ingress/emissary/issues/4134
- title: Decrease metric sync frequency
type: change
body: >-
The new delay between two metrics syncs is now 30s.
github:
- title: "#4122"
link: https://github.com/emissary-ingress/emissary/pull/4122
- version: 1.14.3
date: '2022-02-25'
notes:
- title: Envoy security updates
type: security
body: >-
Upgraded Envoy to address security vulnerabilities CVE-2021-43824, CVE-2021-43825, CVE-2021-43826,
CVE-2022-21654, and CVE-2022-21655.
docs: https://groups.google.com/g/envoy-announce/c/bIUgEDKHl4g
- version: 2.2.1
date: '2022-02-22'
notes:
- title: Envoy V2 API deprecation
type: change
body: >-
Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same
time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
- title: Correctly support canceling rollouts
type: bugfix
body: >-
The Ambassador Agent now correctly supports requests to cancel a rollout.
docs: ../../../argo/latest/howtos/manage-rollouts-using-cloud
- version: 2.2.0
date: '2022-02-10'
notes:
- title: Envoy V2 API deprecation
type: change
body: >-
Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same
time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
- title: Emissary-ingress will watch for Cloud Connect Tokens
type: change
body: >-
$productName$ will now watch for ConfigMap or Secret resources specified by the
AGENT_CONFIG_RESOURCE_NAME environment variable in order to allow all
components (and not only the Ambassador Agent) to authenticate requests to
Ambassador Cloud.
image: ./v2.2.0-cloud.png
- title: Update Alpine and libraries
type: security
body: >-
$productName$ has updated Alpine to 3.15, and Python and Go dependencies
to their latest compatible versions, to incorporate numerous security patches.
- title: Support a log-level metric
type: feature
body: >-
$productName$ now supports the metric ambassador_log_level{label="debug"}
which will be set to 1 if debug logging is enabled for the running Emissary
instance, or to 0 if not. This can help to be sure that a running production
instance was not actually left doing debugging logging, for example.
(Thanks to Fabrice!)
github:
- title: "#3906"
link: https://github.com/emissary-ingress/emissary/issues/3906
docs: topics/running/statistics/8877-metrics/
- title: Envoy configuration % escaping
type: feature
body: >-
$productName$ is now leveraging a new Envoy Proxy patch that allows Envoy to accept escaped
'%' characters in its configuration. This means that error_response_overrides and other
custom user content can now contain '%' symbols escaped as '%%'.
docs: topics/running/custom-error-responses
github:
- title: "DW Envoy: 74"
link: https://github.com/datawire/envoy/pull/74
- title: "Upstream Envoy: 19383"
link: https://github.com/envoyproxy/envoy/pull/19383
image: ./v2.2.0-percent-escape.png
- title: Stream metrics from Envoy to Ambassador Cloud
type: feature
body: >-
Support for streaming Envoy metrics about the clusters to Ambassador Cloud.
github:
- title: "#4053"
link: https://github.com/emissary-ingress/emissary/pull/4053
docs: https://github.com/emissary-ingress/emissary/pull/4053
- title: Support received commands to pause, continue and abort a Rollout via Agent directives
type: feature
body: >-
The Ambassador agent now receives commands to manipulate Rollouts (pause, continue, and
abort are currently supported) via directives and executes them in the cluster. A report
is sent to Ambassador Cloud including the command ID, whether it ran successfully, and
an error message in case there was any.
github:
- title: "#4040"
link: https://github.com/emissary-ingress/emissary/pull/4040
docs: https://github.com/emissary-ingress/emissary/pull/4040
- title: Validate certificates in TLS Secrets
type: bugfix
body: >-
Kubernetes Secrets that should contain TLS certificates are now validated before being
accepted for configuration. A Secret that contains an invalid TLS certificate will be logged
as an invalid resource.
github:
- title: "#3821"
link: https://github.com/emissary-ingress/emissary/issues/3821
docs: ../topics/running/tls
image: ./v2.2.0-tls-cert-validation.png
edgeStackNotes:
- title: Devportal support for using API server definitions from OpenAPI docs
type: feature
body: >-
You can now set preserve_servers in Ambassador Edge Stack's
DevPortal resource to configure the DevPortal to use server definitions from
the OpenAPI document when displaying connection information for services in the DevPortal.
- version: 2.1.2
prevVersion: 2.1.0
date: '2022-01-25'
notes:
- title: Envoy V2 API deprecation
type: change
body: >-
Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same
time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
- title: Docker BuildKit always used for builds
type: change
body: >-
Docker BuildKit is enabled for all Emissary builds. Additionally, the Go
build cache is fully enabled when building images, speeding up repeated builds.
docs: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md
- title: Fix support for for v2 Mappings with CORS
type: bugfix
body: >-
Emissary-ingress 2.1.0 generated invalid Envoy configuration for
getambassador.io/v2 Mappings that set
spec.cors.origins to a string rather than a list of strings; this has been
fixed, and these Mappings should once again function correctly.
docs: topics/using/cors/#the-cors-attribute
image: ./v2.1.2-mapping-cors.png
- title: Correctly handle canary Mapping weights when reconfiguring
type: bugfix
body: >-
Changes to the weight of Mapping in a canary group
will now always be correctly managed during reconfiguration; such changes could
have been missed in earlier releases.
docs: topics/using/canary/#the-weight-attribute
- title: Correctly handle solitary Mappings with explicit weights
type: bugfix
body: >-
A Mapping that is not part of a canary group, but that has a
weight less than 100, will be correctly configured to receive all
traffic as if the weight were 100.
docs: topics/using/canary/#the-weight-attribute
image: ./v2.1.2-mapping-less-weighted.png
- title: Correctly handle empty rewrite in a Mapping
type: bugfix
body: >-
Using rewrite: "" in a Mapping is correctly handled
to mean "do not rewrite the path at all".
docs: topics/using/rewrites
image: ./v2.1.2-mapping-no-rewrite.png
- title: Correctly use Mappings with host redirects
type: bugfix
body: >-
Any Mapping that uses the host_redirect field is now properly discovered and used. Thanks
to Gabriel Féron for contributing this bugfix!
github:
- title: "#3709"
link: https://github.com/emissary-ingress/emissary/issues/3709
docs: https://github.com/emissary-ingress/emissary/issues/3709
- title: Correctly handle DNS wildcards when associating Hosts and Mappings
type: bugfix
body: >-
Mappings with DNS wildcard hostname will now be correctly
matched with Hosts. Previously, the case where both the Host
and the Mapping use DNS wildcards for their hostnames could sometimes
not correctly match when they should have.
docs: howtos/configure-communications/
image: ./v2.1.2-host-mapping-matching.png
- title: Fix overriding global settings for adding or removing headers
type: bugfix
body: >-
If the ambassador Module sets a global default for
add_request_headers, add_response_headers,
remove_request_headers, or remove_response_headers, it is often
desirable to be able to turn off that setting locally for a specific Mapping.
For several releases this has not been possible for Mappings that are native
Kubernetes resources (as opposed to annotations), as an empty value ("mask the global
default") was erroneously considered to be equivalent to unset ("inherit the global
default"). This is now fixed.
docs: topics/using/defaults/
- title: Fix empty error_response_override bodies
type: bugfix
body: >-
It is now possible to set a Mapping
spec.error_response_overrides body.text_format to an empty
string or body.json_format to an empty dict. Previously, this was possible
for annotations but not for native Kubernetes resources.
docs: topics/running/custom-error-responses/
- title: Annotation conversion and validation
type: bugfix
body: >-
Resources that exist as getambassador.io/config annotations rather than as
native Kubernetes resources are now validated and internally converted to v3alpha1 and,
the same as native Kubernetes resources.
image: ./v2.1.2-annotations.png
- title: Validation error reporting
type: bugfix
body: >-
Resource validation errors are now reported more consistently; it was the case that in
some situations a validation error would not be reported.
- version: 2.1.1
date: 'N/A'
notes:
- title: Never issued
type: change
isHeadline: true
body: >-
Emissary-ingress 2.1.1 was not issued; Ambassador Edge Stack 2.1.1 uses
Emissary-ingress 2.1.0.
- version: 2.1.0
date: '2021-12-16'
notes:
- title: Not recommended; upgrade to 2.1.2 instead
type: change
isHeadline: true
body: >-
Emissary-ingress 2.1.0 is not recommended; upgrade to 2.1.2 instead.
- title: Envoy V2 API deprecation
type: change
body: >-
Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same
time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
- title: Smoother migrations with support for getambassador.io/v2 CRDs
type: feature
body: >-
$productName$ supports getambassador.io/v2 CRDs, to simplify migration from $productName$
1.X. Note: it is important to read the migration
documentation before starting migration.
docs: topics/install/migration-matrix
image: ./v2.1.0-smoother-migration.png
- title: Correctly handle all changing canary configurations
type: bugfix
body: >-
The incremental reconfiguration cache could miss some updates when multiple
Mappings had the same prefix ("canary"ing multiple
Mappings together). This has been corrected, so that all such
updates correctly take effect.
github:
- title: "#3945"
link: https://github.com/emissary-ingress/emissary/issues/3945
docs: https://github.com/emissary-ingress/emissary/issues/3945
image: ./v2.1.0-canary.png
- title: Secrets used for ACME private keys will not log errors
type: bugfix
body: >-
When using Kubernetes Secrets to store ACME private keys (as the Edge Stack
ACME client does), an error would always be logged about the Secret not being
present, even though it was present, and everything was working correctly.
This error is no longer logged.
- title: When using gzip, upstreams will no longer receive encoded data
type: bugfix
body: >-
When using gzip compression, upstream services will no longer receive compressed
data. This bug was introduced in 1.14.0. The fix restores the default behavior of
not sending compressed data to upstream services.
github:
- title: "#3818"
link: https://github.com/emissary-ingress/emissary/issues/3818
docs: https://github.com/emissary-ingress/emissary/issues/3818
image: ./v2.1.0-gzip-enabled.png
- title: Update to busybox 1.34.1
type: security
body: >-
Update to busybox 1.34.1 to resolve CVE-2021-28831, CVE-2021-42378,
CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383,
CVE-2021-42384, CVE-2021-42385, and CVE-2021-42386.
- title: Update Python dependencies
type: security
body: >-
Update Python dependencies to resolve CVE-2020-28493 (jinja2), CVE-2021-28363
(urllib3), and CVE-2021-33503 (urllib3).
- title: Remove test-only code from the built image
type: security
body: >-
Previous built images included some Python packages used only for test. These
have now been removed, resolving CVE-2020-29651.
- version: 2.0.5
date: '2021-11-08'
notes:
- title: AuthService circuit breakers
type: feature
body: >-
It is now possible to set the circuit_breakers for AuthServices,
exactly the same as for Mappings and TCPMappings. This makes it
possible to configure your AuthService to be able to handle more than 1024
concurrent requests.
docs: topics/running/services/auth-service/
image: ./v2.0.5-auth-circuit-breaker.png
- title: Improved validity checking for error response overrides
type: bugfix
body: >-
Any token delimited by '%' is now validated agains a whitelist of valid
Envoy command operators. Any mapping containing an error_response_overrides
section with invalid command operators will be discarded.
docs: topics/running/custom-error-responses
- title: mappingSelector is now correctly supported in the Host CRD
type: bugfix
body: >-
The Host CRD now correctly supports the mappingSelector
element, as documented. As a transition aid, selector is a synonym for
mappingSelector; a future version of $productName$ will remove the
selector element.
github:
- title: "#3902"
link: https://github.com/emissary-ingress/emissary/issues/3902
docs: https://github.com/emissary-ingress/emissary/issues/3902
image: ./v2.0.5-mappingselector.png
- version: 2.0.4
date: '2021-10-19'
notes:
- title: General availability!
type: feature
body: >-
We're pleased to introduce $productName$ 2.0.4 for general availability! The
2.X family introduces a number of changes to allow $productName$ to more
gracefully handle larger installations, reduce global configuration to better
handle multitenant or multiorganizational installations, reduce memory footprint, and
improve performance. We welcome feedback!! Join us on
Slack and let us know what you think.
isHeadline: true
docs: about/changes-2.x
image: ./emissary-ga.png
- title: API version getambassador.io/v3alpha1
type: change
body: >-
The x.getambassador.io/v3alpha1 API version has become the
getambassador.io/v3alpha1 API version. The Ambassador- prefixes
from x.getambassador.io/v3alpha1 resource kind names
(e.g. AmbassadorHost) have been removed for ease of migration from
$productName$ 1.x. As with previous 2.0.x releases, you must supply a
Host (AmbassadorHost in previous 2.0.x releases) resource to
terminate TLS: unlike in 1.x it is no longer sufficient to define a
TLSContext (although TLSContexts are still the best way to
define TLS configuration information to be shared across multiple Hosts).
Note that getambassador.io/v3alpha1 is the only supported API version for
2.0.4 — full support for getambassador.io/v2 will arrive soon in a
later 2.X version.
docs: about/changes-2.x
image: ./v2.0.4-v3alpha1.png
- title: Support for Kubernetes 1.22
type: feature
body: >-
The getambassador.io/v3alpha1 API version and the published chart
and manifests have been updated to support Kubernetes 1.22. Thanks to
Mohit Sharma for contributions to
this feature!
docs: about/changes-2.x
image: ./v2.0.4-k8s-1.22.png
- title: Mappings support configuring strict or logical DNS
type: feature
body: >-
You can now set dns_type between strict_dns and
logical_dns in a Mapping to configure the Service
Discovery Type.
docs: topics/using/mappings/#dns-configuration-for-mappings
image: ./v2.0.4-mapping-dns-type.png
- title: Mappings support controlling DNS refresh with DNS TTL
type: feature
body: >-
You can now set respect_dns_ttl to true to force the
DNS refresh rate for a Mapping to be set to the record's TTL
obtained from DNS resolution.
docs: topics/using/mappings/#dns-configuration-for-mappings
- title: Support configuring upstream buffer sizes
type: feature
body: >-
You can now set buffer_limit_bytes in the ambassador
Module to to change the size of the upstream read and write buffers.
The default is 1MiB.
docs: topics/running/ambassador/#modify-default-buffer-size
- title: Version number reported correctly
type: bugfix
body: >-
The release now shows its actual released version number, rather than
the internal development version number.
github:
- title: "#3854"
link: https://github.com/emissary-ingress/emissary/issues/3854
docs: https://github.com/emissary-ingress/emissary/issues/3854
image: ./v2.0.4-version.png
- title: Large configurations work correctly with Ambassador Cloud
type: bugfix
body: >-
Large configurations no longer cause $productName$ to be unable
to communicate with Ambassador Cloud.
github:
- title: "#3593"
link: https://github.com/emissary-ingress/emissary/issues/3593
docs: https://github.com/emissary-ingress/emissary/issues/3593
- title: Listeners correctly support l7Depth
type: bugfix
body: >-
The l7Depth element of the Listener CRD is
properly supported.
docs: topics/running/listener#l7depth
image: ./v2.0.4-l7depth.png
- version: 2.0.3-ea
date: '2021-09-16'
notes:
- title: Developer Preview!
body: We're pleased to introduce $productName$ 2.0.3 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think.
type: change
isHeadline: true
docs: about/changes-2.x
- title: AES_LOG_LEVEL more widely effective
body: The environment variable AES_LOG_LEVEL now also sets the log level for the diagd logger.
type: feature
docs: topics/running/running/
github:
- title: "#3686"
link: https://github.com/emissary-ingress/emissary/issues/3686
- title: "#3666"
link: https://github.com/emissary-ingress/emissary/issues/3666
- title: AmbassadorMapping supports setting the DNS type
body: You can now set dns_type in the AmbassadorMapping to configure how Envoy will use the DNS for the service.
type: feature
docs: topics/using/mappings/#using-dns_type
- title: Building Emissary no longer requires setting DOCKER_BUILDKIT
body: It is no longer necessary to set DOCKER_BUILDKIT=0 when building Emissary. A future change will fully support BuildKit.
type: bugfix
docs: https://github.com/emissary-ingress/emissary/issues/3707
github:
- title: "#3707"
link: https://github.com/emissary-ingress/emissary/issues/3707
- version: 2.0.2-ea
date: '2021-08-24'
notes:
- title: Developer Preview!
body: We're pleased to introduce $productName$ 2.0.2 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think.
type: change
isHeadline: true
docs: about/changes-2.x
- title: Envoy security updates
type: bugfix
body: "Upgraded envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781."
docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE?pli=1
- title: Expose Envoy's allow_chunked_length HTTPProtocolOption
type: feature
body: "You can now set allow_chunked_length in the Ambassador Module to configure the same value in Envoy."
docs: topics/running/ambassador/#content-length-headers
- title: Envoy-configuration snapshots saved
type: change
body: Envoy-configuration snapshots get saved (as ambex-#.json) in /ambassador/snapshots. The number of snapshots is controlled by the AMBASSADOR_AMBEX_SNAPSHOT_COUNT environment variable; set it to 0 to disable. The default is 30.
docs: topics/running/running/
- version: 2.0.1-ea
date: "2021-08-12"
notes:
- title: Developer Preview!
body: We're pleased to introduce $productName$ 2.0.1 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think.
type: change
isHeadline: true
docs: about/changes-2.x
- title: Improved Ambassador Cloud visibility
type: feature
body: Ambassador Agent reports sidecar process information and AmbassadorMapping OpenAPI documentation to Ambassador Cloud to provide more visibility into services and clusters.
docs: /docs/cloud/latest/service-catalog/quick-start/
- title: Configurable per-AmbassadorListener statistics prefix
body: The optional stats_prefix element of the AmbassadorListener CRD now determines the prefix of HTTP statistics emitted for a specific AmbassadorListener.
type: feature
docs: topics/running/listener
- title: Configurable statistics names
body: The optional stats_name element of AmbassadorMapping, AmbassadorTCPMapping, AuthService, LogService, RateLimitService, and TracingService now sets the name under which cluster statistics will be logged. The default is the service, with non-alphanumeric characters replaced by underscores.
type: feature
docs: topics/running/statistics
- title: Updated klog to reduce log noise
type: bugfix
body: We have updated to k8s.io/klog/v2 to track upstream and to quiet unnecessary log output.
docs: https://github.com/emissary-ingress/emissary/issues/3603
- title: Subsecond time resolution in logs
type: change
body: Logs now include subsecond time resolutions, rather than just seconds.
docs: https://github.com/emissary-ingress/emissary/pull/3650
- title: Configurable Envoy-configuration rate limiting
type: change
body: Set AMBASSADOR_AMBEX_NO_RATELIMIT to true to completely disable ratelimiting Envoy reconfiguration under memory pressure. This can help performance with the endpoint or Consul resolvers, but could make OOMkills more likely with large configurations. The default is false, meaning that the rate limiter is active.
docs: topics/concepts/rate-limiting-at-the-edge/
- version: 2.0.0-ea
date: "2021-06-24"
notes:
- title: Developer Preview!
body: We're pleased to introduce $productName$ 2.0.0 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think.
type: change
docs: about/changes-2.x
isHeadline: true
- title: Configuration API v3alpha1
body: >-
$productName$ 2.0.0 introduces API version x.getambassador.io/v3alpha1 for
configuration changes that are not backwards compatible with the 1.X family. API versions
getambassador.io/v0, getambassador.io/v1, and
getambassador.io/v2 are deprecated. Further details are available in the Major Changes
in 2.X document.
type: feature
docs: about/changes-2.x/#1-configuration-api-version-getambassadoriov3alpha1
image: ./edge-stack-2.0.0-v3alpha1.png
- title: The AmbassadorListener Resource
body: The new AmbassadorListener CRD defines where and how to listen for requests from the network, and which AmbassadorHost definitions should be used to process those requests. Note that the AmbassadorListener CRD is mandatory and consolidates all port configuration; see the AmbassadorListener documentation for more details.
type: feature
docs: topics/running/listener
image: ./edge-stack-2.0.0-listener.png
- title: AmbassadorMapping hostname DNS glob support
body: >-
Where AmbassadorMapping's host field is either an exact match or (with host_regex set) a regex,
the new hostname element is always a DNS glob. Use hostname instead of host for best results.
docs: about/changes-2.x/#ambassadorhost-and-ambassadormapping-association
type: feature
- title: Memory usage improvements for installations with many AmbassadorHosts
body: The behavior of the Ambassador module prune_unreachable_routes field is now automatic, which should reduce Envoy memory requirements for installations with many AmbassadorHosts
docs: topics/running/ambassador/#prune-unreachable-routes
image: ./edge-stack-2.0.0-prune_routes.png
type: feature
- title: Independent Host actions supported
body: Each AmbassadorHost can specify its requestPolicy.insecure.action independently of any other AmbassadorHost, allowing for HTTP routing as flexible as HTTPS routing.
docs: topics/running/host-crd/#secure-and-insecure-requests
github:
- title: "#2888"
link: https://github.com/datawire/ambassador/issues/2888
image: ./edge-stack-2.0.0-insecure_action_hosts.png
type: bugfix
- title: Correctly set Ingress resource status in all cases
body: $productName$ 2.0.0 fixes a regression in detecting the Ambassador Kubernetes service that could cause the wrong IP or hostname to be used in Ingress statuses -- thanks, Noah Fontes!
docs: topics/running/ingress-controller
type: bugfix
image: ./edge-stack-2.0.0-ingressstatus.png
- title: Stricter mTLS enforcement
body: $productName$ 2.0.0 fixes a bug where mTLS could use the wrong configuration when SNI and the :authority header didn't match
type: bugfix
- title: Port configuration outside AmbassadorListener has been moved to AmbassadorListener
body: The TLSContext redirect_cleartext_from and AmbassadorHost requestPolicy.insecure.additionalPort elements are no longer supported. Use a AmbassadorListener for this functionality instead.
type: change
docs: about/changes-2.x/#tlscontext-redirect_cleartext_from-and-host-insecureadditionalport
- title: PROXY protocol configuration has been moved to AmbassadorListener
body: The use_proxy_protocol element of the Ambassador Module is no longer supported, as it is now part of the AmbassadorListener resource (and can be set per-AmbassadorListener rather than globally).
type: change
docs: about/changes-2.x/#proxy-protocol-configuration
- title: Stricter rules for AmbassadorHost/AmbassadorMapping association
body: An AmbassadorMapping will only be matched with an AmbassadorHost if the AmbassadorMapping's host or the AmbassadorHost's selector (or both) are explicitly set, and match. This change can significantly improve $productName$'s memory footprint when many AmbassadorHosts are involved. Further details are available in the Major Changes in 2.X document.
docs: about/changes-2.x/#host-and-mapping-association
type: change
- title: AmbassadorHost or Ingress now required for TLS termination
body: An AmbassadorHost or Ingress resource is now required when terminating TLS -- simply creating a TLSContext is not sufficient. Further details are available in the AmbassadorHost CRD documentation.
docs: about/changes-2.x/#host-tlscontext-and-tls-termination
type: change
image: ./edge-stack-2.0.0-host_crd.png
- title: Envoy V3 APIs
body: By default, $productName$ will configure Envoy using the V3 Envoy API. This change is mostly transparent to users, but note that Envoy V3 does not support unsafe regular expressions or, e.g., Zipkin's V1 collector protocol. Further details are available in the Major Changes in 2.X document.
type: change
docs: about/changes-2.x/#envoy-v3-api-by-default
- title: Module-based TLS no longer supported
body: The tls module and the tls field in the Ambassador module are no longer supported. Please use TLSContext resources instead.
docs: about/changes-2.x/#tls-the-ambassador-module-and-the-tls-module
image: ./edge-stack-2.0.0-tlscontext.png
type: change
- title: Higher performance while generating Envoy configuration now enabled by default
body: The environment variable AMBASSADOR_FAST_RECONFIGURE is now set by default, enabling the higher-performance implementation of the code that $productName$ uses to generate and validate Envoy configurations.
docs: topics/running/scaling/#ambassador_fast_reconfigure-and-ambassador_legacy_mode-flags
type: change
- title: Service Preview no longer supported
body: >-
Service Preview and the AGENT_SERVICE environment variable are no longer supported.
The Telepresence product replaces this functionality.
docs: https://www.getambassador.io/docs/telepresence/
type: change
- title: edgectl no longer supported
body: The edgectl CLI tool has been deprecated; please use the emissary-ingress helm chart instead.
docs: topics/install/helm/
type: change
- version: 1.14.2
date: '2021-09-29'
notes:
- title: Mappings support controlling DNS refresh with DNS TTL
type: feature
body: >-
You can now set respect_dns_ttl in Ambassador Mappings. When true it
configures that upstream's refresh rate to be set to resource record’s TTL
docs: topics/using/mappings/#dns-configuration-for-mappings
- title: Mappings support configuring strict or logical DNS
type: feature
body: >-
You can now set dns_type in Ambassador Mappings to use Envoy's
logical_dns resolution instead of the default strict_dns.
docs: topics/using/mappings/#dns-configuration-for-mappings
- title: Support configuring upstream buffer size
type: feature
body: >-
You can now set buffer_limit_bytes in the ambassador
Module to to change the size of the upstream read and write buffers.
The default is 1MiB.
docs: topics/running/ambassador/#modify-default-buffer-size
- version: 1.14.1
date: '2021-08-24'
notes:
- title: Envoy security updates
type: change
body: >-
Upgraded Envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777,
CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781.
docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE
- version: 1.14.0
date: "2021-08-19"
notes:
- title: Envoy upgraded to 1.17.3!
type: change
body: >-
Update from Envoy 1.15 to 1.17.3
docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history
- title: Expose Envoy's allow_chunked_length HTTPProtocolOption
type: feature
body: >-
You can now set allow_chunked_length in the Ambassador Module to configure
the same value in Envoy.
docs: topics/running/ambassador/#content-length-headers
- title: Default Envoy API version is now V3
type: change
body: >-
AMBASSADOR_ENVOY_API_VERSION now defaults to V3
docs: topics/running/running/#ambassador_envoy_api_version
- title: Subsecond time resolution in logs
type: change
body: Logs now include subsecond time resolutions, rather than just seconds.
docs: https://github.com/emissary-ingress/emissary/pull/3650
- version: 1.13.10
date: '2021-07-28'
notes:
- title: Fix for CORS origins configuration on the Mapping resource
type: bugfix
body: >-
Fixed a regression when specifying a comma separated string for cors.origins
on the Mapping resource.
([#3609](https://github.com/emissary-ingress/emissary/issues/3609))
docs: topics/using/cors
image: ../images/emissary-1.13.10-cors-origin.png
- title: New Envoy-configuration snapshots for debugging
body: "Envoy-configuration snapshots get saved (as ambex-#.json) in /ambassador/snapshots. The number of snapshots is controlled by the AMBASSADOR_AMBEX_SNAPSHOT_COUNT environment variable; set it to 0 to disable. The default is 30."
type: change
docs: topics/running/environment/
- title: Optionally remove ratelimiting for Envoy reconfiguration
body: >-
Set AMBASSADOR_AMBEX_NO_RATELIMIT to true to completely disable
ratelimiting Envoy reconfiguration under memory pressure. This can help performance with
the endpoint or Consul resolvers, but could make OOMkills more likely with large
configurations. The default is false, meaning that the rate limiter is
active.
type: change
docs: topics/running/environment/
edgeStackNotes:
- title: Mappings support configuring the DevPortal fetch timeout
type: bugfix
body: >-
The Mapping resource can now specify docs.timeout_ms to set the
timeout when the Dev Portal is fetching API specifications.
docs: topics/using/dev-portal
image: ../images/edge-stack-1.13.10-docs-timeout.png
- title: Dev Portal will strip HTML tags when displaying results
type: bugfix
body: >-
The Dev Portal will now strip HTML tags when displaying search results, showing just the
actual content of the search result.
docs: topics/using/dev-portal
- title: Consul certificate rotation logs more information
type: change
body: >-
Consul certificate-rotation logging now includes the fingerprints and validity timestamps
of certificates being rotated.
docs: howtos/consul/
image: ../images/edge-stack-1.13.10-consul-cert-log.png
- version: 1.13.9
date: '2021-06-30'
notes:
- title: Fix for TCPMappings
body: >-
Configuring multiple TCPMappings with the same ports (but different hosts) no longer
generates invalid Envoy configuration.
type: bugfix
docs: topics/using/tcpmappings/
- version: 1.13.8
date: '2021-06-08'
notes:
- title: Fix Ambassador Cloud Service Details
body: >-
Ambassador Agent now accurately reports up-to-date Endpoint information to Ambassador
Cloud
type: bugfix
docs: tutorials/getting-started/#3-connect-your-cluster-to-ambassador-cloud
image: ../images/edge-stack-1.13.8-cloud-bugfix.png
- title: Improved Argo Rollouts Experience with Ambassador Cloud
body: >-
Ambassador Agent reports ConfigMaps and Deployments to Ambassador Cloud to provide a
better Argo Rollouts experience. See [Argo+Ambassador
documentation](https://www.getambassador.io/docs/argo) for more info.
type: feature
docs: https://www.getambassador.io/docs/argo
- version: 1.13.7
date: '2021-06-03'
notes:
- title: JSON logging support
body: >-
Add AMBASSADOR_JSON_LOGGING to enable JSON for most of the Ambassador control plane. Some
(but few) logs from gunicorn and the Kubernetes client-go package still log text.
image: ../images/edge-stack-1.13.7-json-logging.png
docs: topics/running/running/#log-format
type: feature
- title: Consul resolver bugfix with TCPMappings
body: >-
Fixed a bug where the Consul resolver would not actually use Consul endpoints with
TCPMappings.
image: ../images/edge-stack-1.13.7-tcpmapping-consul.png
docs: topics/running/resolvers/#the-consul-resolver
type: bugfix
- title: Memory usage calculation improvements
body: >-
Ambassador now calculates its own memory usage in a way that is more similar to how the
kernel OOMKiller tracks memory.
image: ../images/edge-stack-1.13.7-memory.png
docs: topics/running/scaling/#inspecting-ambassador-performance
type: change
- version: 1.13.6
date: '2021-05-24'
notes:
- title: Quieter logs in legacy mode
type: bugfix
body: >-
Fixed a regression where Ambassador snapshot data was logged at the INFO label
when using AMBASSADOR_LEGACY_MODE=true.
- version: 1.13.5
date: '2021-05-13'
notes:
- title: Correctly support proper_case and preserve_external_request_id
type: bugfix
body: >-
Fix a regression from 1.8.0 that prevented ambassador Module
config keys proper_case and preserve_external_request_id
from working correctly.
docs: topics/running/ambassador/#header-case
- title: Correctly support Ingress statuses in all cases
type: bugfix
body: >-
Fixed a regression in detecting the Ambassador Kubernetes service that could cause the
wrong IP or hostname to be used in Ingress statuses (thanks, [Noah
Fontes](https://github.com/impl)!
docs: topics/running/ingress-controller
- version: 1.13.4
date: '2021-05-11'
notes:
- title: Envoy 1.15.5
body: >-
Incorporate the Envoy 1.15.5 security update by adding the
reject_requests_with_escaped_slashes option to the Ambassador module.
image: ../images/edge-stack-1.13.4.png
docs: topics/running/ambassador/#rejecting-client-requests-with-escaped-slashes
type: security
# Don't go any further back than 1.13.4.