Text file src/github.com/emissary-ingress/emissary/v3/CHANGELOG.old-pro.md

# Ambassador Pro CHANGELOG

DO NOT EDIT THIS FILE FOR ANY NEW DEVELOPMENT.

This is the CHANGELOG for the old "Ambassador Pro" product that was an
add-on to the Ambassador API Gateway.  In 1.0.0, Ambassador Pro and
the Ambassador API Gateway were merged into a combined "Ambassador
Edge Stack" product.

## 1.0.0 (2020-01-15)

Behavior:

 * Developer portal no longer requires the /openapi Mapping
 * Renamed environment variable APRO_DEVPORTAL_CONTENT_URL to DEVPORTAL_CONTENT_URL
 * Feature: Developer portal can check out a non-default branch. Control with DEVPORTAL_CONTENT_BRANCH env var
 * Feature: Developer portal can use a subdir of a checkout. Control with DEVPORTAL_CONTENT_DIR env var
 * `apictl traffic initialize` no longer waits for the traffic-proxy to become ready before exiting.
 * Feature: Developer portal will show swagger documentation for up to five services (or more with appropriate license)
 * Feature: local-devportal is now a standalone go binary with no external dependencies
 * `v1` license keys were not being used so augment them to include emails
 * The OAuth2 redirection endpoint has moved from `/callback` to `/.ambassador/oauth2/redirection-endpoint`.  Migrating Pro users will need to notify their IDP of the change.

Other:

 * `amb-core` and `amb-sidecar` have been merged into a combined `aes` which is based on Ambassador OSS [version TBD].
 * `login-gate-js` content has been updated for a clearer first-time experience.

## 0.11.0 (2019-12-10)

Configuration:

 * `JWT` Filter now has a `realm` setting to configure the realm mentioned in `WWW-Authenticate` of error responses.
 * Feature: `JWT` Filter now has a FilterPolicy argument `scope` to perform `draft-ietf-oauth-token-exchange`-compatible Scope validation.
 * Feature: `OAuth2` Filter now has a `.insteadOfRedirect.filters` FilterPolicy argument that lets you provide a list of filters to run, as if you were listing them directly in a FilterPolicy.
 * Feature: `OAuth2` Filter now has an `extraAuthorizationParameters` setting to manually pass extra parameters to the IDP's authorization endpoint.
 * Feature: `OAuth2` Filter now has an `accessTokenJWTFilter` setting to use a `JWT` filter for access token validation when `accessTokenValidation: jwt` or `accessTokenValidation: auto`.

Behavior:

 * Feature: `JWT` Filter now generates RFC 6750-compliant responses with the `WWW-Authenticate` header set.

Other:

 * Update Ambassador Core from Ambassador 0.85.0 (Envoy 1.11+half-way-to-1.12) to 0.86.0 (Envoy 1.12.2)

## 0.10.0 (2019-11-11)

Configuration:

 * Feature: `FilterPolicy` may now set `ifRequestHeader` to only apply a `Filter` to requests with appropriate headers.
 * Feature: `FilterPolicy` may now set `onDeny` and `onAllow` to modify how `Filter`s chain together.
 * Feature: `JWT` Filter `injectRequestHeaders` templates can now read the incoming HTTP request headers.
 * Feature: `JWT` Filter `errorResponse` can now set HTTP headers of the error response.
 * Beta feature: `OAuth2` Filter can now be configured to receive OAuth client credentials in the HTTP request header, and use them to obtain a client credentials grant.  This is only currently tested with Okta.

Behavior:

 * The `OAuth2` filter's XSRF protection now works differently.  You should use the `ambassador_xsrf.{name}.{namespace}` cookie instead of the `ambassador_session.{name}.{namespace}` cookie for XSRF-protection purposes.

## 0.9.1 (2019-10-22)

Configuration:

 * The `JWT` and `OAuth2` Filter types support `renegotiateTLS`
 * The `JWT` Filter now has an `errorResponse` argument that allows templating the filter's error response.

Other:

 * Update Ambassador Core from Ambassador 0.83.0 to 0.85.0

## 0.9.0 (2019-10-08)

Configuration:

 * The `OAuth2` filter now has a FilterPolicy argument `insteadOfRedirect` that can specify a different action to perform than redirecting to the IDP.

Behavior:

 * Feature: Developer portal URL can be changed by the user. Adjust the `ambassador-pro-devportal` `Mapping` CRD (or annotation) by changing the `prefix` to desired prefix and changing the `rewrite` to `/docs/`. The `ambassador-pro-devportal-api` cannot be adjusted yet.
 * Feature: The `OAuth2` filter can now perform OIDC-session RP-initiated logout when used with an identity provider that supports it.
 * Bugfix: Properly return a 404 for unknown paths in the amb-sidecar, instead of serving the index page; this could happen if the devportal Mapping is misconfigured.
 * Bugfix: Fix the "loaded filter" log info message.
 * Bugfix: Don't publish the "dev-portal-server" Docker image; it was obviated by "amb-sidecar" in 0.8.0.
 * Bugfix: The `JWT` Filter is no longer case-sensitive with the auth-scheme (`Bearer` vs `bearer`)
 * Bugfix: The `JWT` Filter no longer accepts authorizations that are missing an auth-scheme

Other:

 * Update Ambassador Core from Ambassador 0.75.0 to 0.83.0
 * Incorporate the Envoy 1.11.2 security patches in Ambassador Core
 * Fast iteration on Developer Portal styling and content using a docker image inside a local checkout of Developer Portal content repo (see reference doc for usage guide)

## 0.8.0 (2019-09-16)

Configuration:

 * `amb-sidecar` now takes additional configuration related to the developer portal.

Behavior:

 * Feature: The developer portal is now in "beta", and incorporated into amb-sidecar.
 * Bugfix: The `External` Filter no longer erroneously follows redirects.
 * Bugfix: Fixed a case-folding bug causing the `JWT` Filter to be inoperable.
 * Enhancement: Errors in `Filter` resource definitions are now recorded and included in error messages.

## 0.7.0 (2019-08-29)

Configuration:

 * `amb-sidecar`: The default value of `USE_STATSD` has changed from `true` to `false`.
 * Bump license key schema v0 → v1.  The developer portal requires a v1 license with the "devportal" feature enabled.  Some future version of the other functionality will drop support for v0 license keys.
 * The `JWT` Filter can now inject HTTP request headers; configured with the `injectRequestHeaders` field.

Behavior:

 * Fixed a resource leak in dev-portal-server

Other:

 * There is now a build of Ambassador with Certified Envoy named "amb-core".

## 0.6.0 (2019-08-05)

Configuration:

 * The CRD field `ambassador_id` may now be a single string instead of a list of strings (this should have always been the case, but there was a bug in the parser).
 * Everything is now on one port: `APRO_HTTP_PORT`, which defaults to `8500`.
 * `LOG_LEVEL` no longer exists; everything obeys `APP_LOG_LEVEL`.
 * The meaning of `REDIS_POOL_SIZE` has changed slightly; there are no longer separate connection pools for ratelimit and filtering; the maximum number of connections is now `REDIS_POOL_SIZE` instead of 2×`REDIS_POOL_SIZE`.
 * The `amb-sidecar` RateLimitService can now report to statsd, and attempts to do so by default (`USE_STATSD`, `STATSD_HOST`, `STATSD_PORT`, `GOSTATS_FLUSH_INTERVAL_SECONDS`).

Behavior:

 * Now also handles gRPC requests for `envoy.service.auth.v2`, in addition to `envoy.service.auth.v2alpha`.
 * Log a stacktrace at log-level "debug" whenever the HTTP client encounters an error.
 * Fix bug where the wrong key was selected from a JWKS.
 * Everything in amb-sidecar now runs as a single process.

## 0.5.0 (2019-06-21)

Configuration:

 * Redis is now always required to be configured.
 * The `amb-sidecar` environment variables `$APRO_PRIVATE_KEY_PATH` and `$APRO_PUBLIC_KEY_PATH` are replaced by a Kubernetes secret and the `$APRO_KEYPAIR_SECRET_NAME` and `$APRO_KEYPAIR_SECRET_NAMESPACE` environment variables.
 * If the `$APRO_KEYPAIR_SECRET_NAME` Kubernetes secret (above) does not exist, `amb-sidecar` now needs the "create" permission for secrets in its ClusterRole.
 * The `OAuth2` Filter now ignores the `audience` field setting.  I expect it to make a come-back in 0.5.1 though.
 * The `OAuth2` Filter now acts as if the `openid` scope value is always included in the FilterPolicy's `scopes` argument.
 * The `OAuth2` Filter can verify Access Tokens with several different methods; configured with the `accessTokenValidation` field.

Behavior:

 * The `OAuth2` Filter is now strictly compliant with OAuth 2.0.  It is verified to work properly with:
   - Auth0
   - Azure AD
   - Google
   - Keycloak
   - Okta
   - UAA
 * The `OAuth2` Filter browser cookie has changed:
   - It is now named `ambassador_session.{{filter_name}}.{{filter_namespace}}` instead of `access_token`.
   - It is now an opaque string instead of a JWT Access Token.  The Access Token is still available in the injected `Authorization` header.
 * The `OAuth2` Filter will no longer consider a user-agent-provided `Authorization` header; it will only consider the cookie.
 * The `OAuth2` Filter now supports Refresh Tokens; they must be requested by listing `offline_access` in the `scopes` argument in the FilterPolicy.
 * The `OAuth2` Filter's `/callback` endpoint is no longer vulnerable to XSRF attacks.
 * The Developer Portal file descriptor leak is fixed.

Other:

 * Open Source dependency license compliance is now automated as part of the release machinery.  Source releases for the Docker images are now present in the images themselves at `/*.opensource.tar.gz`.

## 0.4.3 (2019-05-15)

 * Add the Developer Portal (experimental; no documentation available yet)
 * `apictl traffic initialize`: Correctly handle non-`default` namespaces
 * `app-sidecar`: Respect the `APP_LOG_LEVEL` environment variable, same as `amb-sidecar`

## 0.4.2 (2019-05-03)

 * Turn down liveness and readiness probe logging from "info" to "debug"

## 0.4.1 (2019-04-23)

 * Add liveness and readiness probes

## 0.4.0 (2019-04-18)

 * Moved all of the default sidecar ports around; YAML will need to be adjusted (hence 0.4.0 instead of 0.3.2).  Additionally, all of the ports are now configurable via environment variables

   | Purpose          | Variable       | Old  | New  |
   | -------          | --------       | ---  | ---  |
   | Auth gRPC        | APRO_AUTH_PORT | 8082 | 8500 |
   | RLS gRPC         | GRPC_PORT      | 8081 | 8501 |
   | RLS debug (HTTP) | DEBUG_PORT     | 6070 | 8502 |
   | RLS HTTP ???     | PORT           | 7000 | 8503 |

 * `apictl` no longer sets an imagePullSecret when deploying Pro things to the cluster (since the repo is now public)

## 0.3.1 (2019-04-05)

 * Support running the Ambassador sidecar as a non-root user

## 0.3.0 (2019-04-03)

 * New Filter type `External`
 * Request IDs in the Pro logs are the same as the Request IDs in the Ambassador logs
 * `OAuth2` Filter type supports `secretName` and `secretNamespace`
 * Switch to using Ambassador OSS gRPC API
 * No longer necessary to set `allowed_request_headers` or `allowed_authorization_headers` for `Plugin` Filters
 * RLS logs requests as `info` instead of `warn`
 * Officially support Okta as an IDP

## 0.2.5 (2019-04-02)

(0.3.0 was initially tagged as 0.2.5)

## 0.2.4 (2019-03-19)

 * `JWT` and `OAuth2` Filter types support `insecureTLS`
 * `OAuth2` now handles JWTs with a `scope` claim that is a JSON list of scope values, instead of a JSON string containing a whitespace-separated list of scope values (such as those generated by UAA)

## 0.2.3 (2019-03-13)

 * Consul Connect integration no longer requires a license key

## 0.2.2 (2019-03-11)

 * Fix Consul certificate rotation

## 0.2.1 (2019-03-08)

 * Move the AuthService from port 8080 to 8082, and make it configurable with `APRO_AUTH_PORT`

## 0.2.0 (2019-03-04)

 * Have everything require license keys
 * Differentiate between components when phoning-home to Scout
 * Phone-home to kubernaut.io/scout, not metriton.datawire.io/scout
 * Fix bug where `apictl traffic inject` wiped existing `imagePullSecrets`
 * Support `AMBASSADOR_ID`, `AMBASSADOR_SINGLE_NAMESPACE`, and `AMBASSADOR_NAMESPACE`
 * Log format changed
 * OIDC support
 * Replace `Tenant` and `Policy` CRDs with `Filter` and `FilterPolicy` CRDs
 * Add JWT validation filter
 * Add `apro-plugin-runner` (previously was in a separate OSS git repo)

## 0.1.2 (2019-01-24)

 * More readable logs in the event of a crash
 * `apictl traffic` sets `imagePullSecret`
 * Have `apictl` also look for the license key in `~/.config/` as a fallback on macOS.  The paths it now looks in, from highest to lowest precedence, are:
    - `$HOME/Library/Application Support/ambassador/license-key` (macOS only)
    - `${XDG_CONFIG_HOME:-$HOME/.config}/ambassador/license-key`
    - `$HOME/.ambassador.key`

## 0.1.1 (2019-01-23)

 - First release with combined rate-limiting and authentication.