# -*- fill-column: 100 -*-

# This file should be placed in the folder for the version of the
# product that's meant to be documented. A `/release-notes` page will
# be automatically generated and populated at build time.
#
# Note that an entry needs to be added to the `doc-links.yml` file in
# order to surface the release notes in the table of contents.
#
# The YAML in this file should contain:
#
# changelog: An (optional) URL to the CHANGELOG for the product.
# items: An array of releases with the following attributes:
#     - version: The (optional) version number of the release, if applicable.
#     - date: The date of the release in the format YYYY-MM-DD.
#     - notes: An array of noteworthy changes included in the release, each having the following attributes:
#         - type: The type of change, one of `bugfix`, `feature`, `security` or `change`.
#         - title: A short title of the noteworthy change.
#         - body: >-
#             Two or three sentences describing the change and why it
#             is noteworthy. This is HTML, not plain text or
#             markdown. It is handy to use YAML's ">-" feature to
#             allow line-wrapping.
#         - image: >-
#             The URL of an image that visually represents the
#             noteworthy change. This path is relative to the
#             `release-notes` directory; if this file is
#             `FOO/releaseNotes.yml`, then the image paths are
#             relative to `FOO/release-notes/`.
#         - docs: The path to the documentation page where additional information can be found.
#         - href: A path from the root to a resource on the getambassador website, takes precedence over a docs link.

changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md
items:
  - version: 3.6.0
    prevVersion: 3.5.0
    date: '2023-04-17'
    notes:
      - title: Upgrade to Envoy 1.25.4
        type: feature
        body: >-
          This upgrades $productName$ to be built on Envoy v1.25.4. This provides $productName$ with the latest
          security patches, performance enhancements, and features offered by the envoy proxy.

  - version: 3.5.0
    prevVersion: 3.4.0
    date: '2023-02-15'
    notes:
      - title: Update to golang 1.20.1
        type: security
        body: >-
          Upgrading to the latest release of Golang as part of our general dependency upgrade process. This includes
          security fixes for CVE-2022-41725, CVE-2022-41723.

      - title: TracingService support for native OpenTelemetry driver
        type: feature
        body: >-
          In Envoy 1.24, experimental support for a native OpenTelemetry tracing driver
          was introduced that allows exporting spans in the otlp format. Many
          Observability platforms accept that format, and it is the recommended
          replacement for the LightStep driver. $productName$ now supports setting the
          <code>TracingService.spec.driver=opentelemetry</code> to export spans in
          otlp format.<br/><br/>

          Thanks to <a href="https://github.com/psalaberria002">Paul</a> for helping us
          get this tested and implemented!

      - title: Fix envoy config generation when including port in Host.hostname
        type: bugfix
        body: >-
          When wanting to expose traffic to clients on ports other than 80/443, users will set
          a port in the Host.hostname (e.g. <code>Host.hostname=example.com:8500</code>). The config
          generated allowed matching on the :authority header. This worked in the v1.Y series due to the
          way emissary was generating Envoy configuration under a single wild-card virtual_host and matching
          on :authority.


          In v2.Y/v3.Y+, the way emissary generates Envoy configuration changed to address memory pressure and improve
          route lookup speed in Envoy. However, when including a port in the hostname, an incorrect configuration was
          generated with an sni match including the port. This has been fixed and the correct envoy configuration is
          being generated.
        github:
          - title: "fix: hostname port issue"
            link: https://github.com/emissary-ingress/emissary/pull/4816

      - title: Add support for resolving port names in Ingress resource
        type: change
        body: >-
          Previously, specifying backend ports by name in Ingress was not supported and would result in defaulting
          to port 80. This allows emissary-ingress to now resolve port names for backend services. If the port number
          cannot be resolved by the name (e.g. the named port in the Service doesn't exist) then it defaults back
          to the original behavior.
          (Thanks to <a href="https://github.com/antonu17">Anton Ustyuzhanin</a>!).
        github:
          - title: "#4809"
            link: https://github.com/emissary-ingress/emissary/pull/4809

      - title: Add startupProbe to emissary-apiext server
        type: change
        body: >-
          The <code>emissary-apiext</code> server is a Kubernetes Conversion Webhook that converts between the
          Emissary-ingress CRD versions. On startup, it ensures that a self-signed cert is available
          so that K8s API Server can talk to the conversion webhook (*TLS is required by K8s*). We
          have introduced a startupProbe to ensure that emissary-apiext server has enough time to
          configure the webhooks before running liveness and readiness probes. This is to ensure
          slow startup doesn't cause K8s to needlessly restart the pod.


  - version: 3.4.0
    prevVersion: 3.3.0
    date: '2023-01-03'
    notes:
      - title: Re-add support for getambassador.io/v1
        type: feature
        body: >-
          Support for the <code>getambassador.io/v1</code> apiVersion has been re-introduced, in
          order to facilitate smoother migrations from $productName$ 1.y. Previously, in order to
          make migrations possible, an "unserved" <code>v1</code> version was declared to
          Kubernetes, but was unsupported by $productName$. That unserved <code>v1</code> could
          cause an excess of errors to be logged by the Kubernetes Nodes (regardless of whether the
          installation was migrated from 1.y or was a fresh 2.y install); fully supporting
          <code>v1</code> again should resolve these errors.

      - title: Add support for active health checking configuration.
        type: feature
        body: >-
          It is now possible to configure active health checking for upstreams within a <code>Mapping</code>.
          If the upstream fails its configured health check then Envoy will mark the upstream as unhealthy and no longer send
          traffic to that upstream. Single pods within a group can be marked as unhealthy. The healthy pods will continue to receive
          traffic normally while the unhealthy pods will not receive any traffic until they recover by passing the health check.

      - title: Add environment variables to the healthcheck server.
        type: feature
        body: >-
          The healthcheck server's bind address, bind port and IP family can now be configured using environment variables:

          - `AMBASSADOR_HEALTHCHECK_BIND_ADDRESS`: The address to bind the healthcheck server to.

          - `AMBASSADOR_HEALTHCHECK_BIND_PORT`: The port to bind the healthcheck server to.

          - `AMBASSADOR_HEALTHCHECK_IP_FAMILY`: The IP family to use for the healthcheck server.

          This allows the healthcheck server to be configured to use IPv6-only k8s environments.
          (Thanks to <a href="https://github.com/TimonOmsk">Dmitry Golushko</a>!).

      - title: Upgrade to Envoy 1.24.1
        type: feature
        body: >-
          This upgrades $productName$ to be built on Envoy v1.24.1. One notable change is that
          the team at LightStep and Envoy Maintainers have decided to no longer support the
          native *LightStep* tracing driver in favor of using the Open Telemetry driver. The code
          for LightStep driver has been completely removed from Envoy code base so $productName$
          will no longer support it either.

          The recommended upgrade path is to leverage a supported Tracing driver such as `Zipkin`
          and use the [Open Telemetry Collector](https://opentelemetry.io/docs/collector/) to
          collect and forward Observability data to LightStep.

      - title: Add option to enable envoy readiness endpoint from worker
        type: feature
        body: >-
          The /ready endpoint used by emissary uses the admin port (8001 by default).
          This causes a problem during config reloads with large configs, as the
          admin thread is blocking, so the /ready endpoint can be very slow to
          answer (on the order of several seconds, or even more).
          The new feature makes it possible to enable a specific envoy listener that can answer /ready calls
          from the workers, so the endpoint is always fast and does not suffer from the slowness of the
          single-threaded admin thread on config reloads and other slow endpoints handled by the admin thread.
          Configure the listener port using AMBASSADOR_READY_PORT and enable access log using
          AMBASSADOR_READY_LOG environment variables.
        docs: https://www.getambassador.io/docs/emissary/latest/topics/running/environment/

  - version: 3.3.0
    prevVersion: 3.2.0
    date: '2022-11-02'
    notes:
      - title: Update Golang to 1.19.2
        type: security
        body: >-
          Updated Golang to 1.19.2 to address the CVEs: CVE-2022-2879, CVE-2022-2880, CVE-2022-41715.

      - title: Fix regression in http to https redirects with AuthService
        type: bugfix
        body: >-
          By default $productName$ adds routes for http to https redirection. When
          an AuthService is applied in v2.Y of $productName$, Envoy would skip the
          ext_authz call for non-tls http requests and would perform the https
          redirect. In Envoy 1.20+ the behavior has changed where Envoy will
          always call the ext_authz filter, so it must be disabled on a per-route
          basis.

          This new behavior change introduced a regression in v3.0 of
          $productName$ when it was upgraded to Envoy 1.22. The http to https
          redirection no longer works when an AuthService was applied. This fix
          restores the previous behavior by disabling the ext_authz call on the
          https redirect routes.
        github:
          - title: "#4620"
            link: https://github.com/emissary-ingress/emissary/issues/4620

      - title: Fix regression in host_redirects with AuthService
        type: bugfix
        body: >-
          When an AuthService is applied in v2.Y of $productName$,
          Envoy would skip the ext_authz call for all redirect routes and
          would perform the redirect. In Envoy 1.20+ the behavior has changed
          where Envoy will always call the ext_authz filter, so it must be
          disabled on a per-route basis.

          This new behavior change introduced a regression in v3.0 of
          $productName$ when it was upgraded to Envoy 1.22. The host_redirect
          would call an AuthService prior to redirect if applied. This fix
          restores the previous behavior by disabling the ext_authz call on the
          host_redirect routes.
        github:
          - title: "#4640"
            link: https://github.com/emissary-ingress/emissary/issues/4640

      - title: Fixed finding ingress resource tls secrets
        type: bugfix
        body: >-
          Previous versions of $productName$ required a workaround using <code>TLSContexts</code> to find tls secrets referenced from
          <code>Ingress</code> resources. Now tls secrets referenced are properly detected without requiring an additional <code>TLSContext</code> to
          reference them.
          (Thanks to <a href="https://github.com/olemarkus">Ole Markus</a>!).

  - version: 3.2.0
    prevVersion: 3.1.0
    date: '2022-09-26'
    notes:
      - title: Envoy upgraded to 1.23
        type: change
        body: >-
          The envoy version included in $productName$ has been upgraded from 1.22 to the latest patch
          release of 1.23. This provides $productName$ with the latest security patches, performance enhancements,
          and features offered by the envoy proxy.
        docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.23/v1.23.0
      - title: Fixed <code>mappingSelector</code> associating <code>Hosts</code> with <code>Mappings</code>
        type: change
        body: >-
          Changes to label matching will change how <code>Hosts</code> are associated with <code>Mappings</code>. There was a bug with label
          selectors that was causing <code>Hosts</code> to be incorrectly associated with more <code>Mappings</code> than intended.
          If any single label from the selector was matched then the <code>Host</code> would be associated with the <code>Mapping</code>.
          Now it has been updated to correctly only associate a <code>Host</code> with a <code>Mapping</code> if <b>all</b> labels required by
          the selector are present. This brings the <code>mappingSelector</code> field in-line with how label selectors are used
          in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their
          <code>mappingSelector</code> to <code>Mappings</code> you want to associate with the <code>Host</code>. You can opt-out of the new behaviour
          by setting the environment variable <code>DISABLE_STRICT_LABEL_SELECTORS</code> to <code>"true"</code> (default: <code>"false"</code>).
          (Thanks to <a href="https://github.com/f-herceg">Filip Herceg</a> and <a href="https://github.com/dynajoe">Joe Andaverde</a>!).
      - title: Add support for Host resources using secrets from different namespaces
        type: feature
        body: >-
          Previously the <code>Host</code> resource could only use secrets that are in the same namespace as the
          Host. The <code>tlsSecret</code> field in the Host has a new subfield <code>namespace</code> that will allow
          the use of secrets from different namespaces.
      - title: Allow bypassing of EDS for manual endpoint insertion
        type: change
        body: >-
          Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
          inserted to clusters manually. This can help resolve `503 UH` errors caused by certificate rotation relating to
          a delay between EDS + CDS. The default is `false`.
      - title: Correctly manage cluster names when service names are very long
        type: bugfix
        body: >-
          Distinct services with names that are the same in the first forty characters
          will no longer be incorrectly mapped to the same cluster.
        github:
          - title: "#4354"
            link: https://github.com/emissary-ingress/emissary/issues/4354
      - title: Add failure_mode_deny option to the RateLimitService
        type: feature
        body: >-
          By default, when Envoy is unable to communicate with the configured
          RateLimitService then it will allow traffic through. The
          <code>RateLimitService</code> resource now exposes the
          <a href="https://www.envoyproxy.io/docs/envoy/v1.23.0/configuration/http/http_filters/rate_limit_filter">failure_mode_deny</a>
          option. When <code>failure_mode_deny: true</code> is set, Envoy will
          deny traffic, returning a 500, when it is unable to communicate with
          the RateLimitService.
        docs: https://www.getambassador.io/docs/emissary/latest/topics/running/services/rate-limit-service/
      - title: Properly populate alt_stats_name for Tracing, Auth and RateLimit Services
        type: bugfix
        body: >-
          Previously, setting the <code>stats_name</code> for the <code>TracingService</code>, <code>RateLimitService</code>
          or the <code>AuthService</code> would have no effect because it was not being properly passed to the Envoy cluster
          config. This has been fixed and the <code>alt_stats_name</code> field in the cluster config is now set correctly.
          (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)
      - title: Add support for config change batch window before reconfiguring Envoy
        type: feature
        body: >-
          The <code>AMBASSADOR_RECONFIG_MAX_DELAY</code> env var can be optionally set to batch changes for the specified
          non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.
      - title: Diagnostics stats properly handles parsing envoy metrics with colons
        type: bugfix
        body: >-
          If a <code>Host</code> or <code>TLSContext</code> contained a hostname with a <code>:</code> when using the
          diagnostics endpoints <code>ambassador/v0/diagd</code> then an error would be thrown due to the parsing logic not
          being able to handle the extra colon. This has been fixed and $productName$ will not throw an error when parsing
          envoy metrics for the diagnostics user interface.
      - title: Allow setting custom_tags for traces
        type: feature
        body: >-
          It is now possible to set <code>custom_tags</code> in the
          <code>TracingService</code>. Trace tags can be set based on
          literal values, environment variables, or request headers.
          (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)
        github:
          - title: "#4181"
            link: https://github.com/emissary-ingress/emissary/pull/4181
      - title: TCPMappings use correct SNI configuration
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a <code>TCPMapping</code> that uses SNI,
          instead of using the hostname glob in the <code>TCPMapping</code>, uses the hostname glob
          in the <code>Host</code> that the TLS termination configuration comes from.
      - title: TCPMappings configure TLS termination without a Host resource
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a <code>TCPMapping</code> that terminates TLS
          must have a corresponding <code>Host</code> that it can take the TLS configuration from.
          This was semi-intentional, but didn't make much sense. You can now use a
          <code>TLSContext</code> without a <code>Host</code> as in $productName$ 1.y releases, or a
          <code>Host</code> with or without a <code>TLSContext</code> as in prior 2.y releases.
      - title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS
        type: bugfix
        body: >-
          Prior releases of $productName$ had the arbitrary limitation that a
          <code>TCPMapping</code> cannot be used on the same port that HTTP is served on, even if
          TLS+SNI would make this possible. $productName$ now allows <code>TCPMappings</code> to be
          used on the same <code>Listener</code> port as HTTP <code>Hosts</code>, as long as that
          <code>Listener</code> terminates TLS.
      - title: Update Golang to 1.19.1
        type: security
        body: >-
          Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.

  - version: 3.1.0
    date: '2022-08-01'
    notes:
      - title: Add support for OpenAPI 2 contracts
        type: feature
        body: >-
          The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, making them
          available for use in the dev portal.
      - title: Add new secrets sync directive to the Agent
        type: feature
        body: >-
          Adds a new command to the agent directive service to manage secrets. This allows
          a third party product to manage CRDs that depend upon a secret.
      - title: Add additional pprof endpoints
        type: feature
        body: >-
          Add additional pprof endpoints to allow for profiling $productName$:
          - CPU profiles (/debug/pprof/profile)
          - tracing (/debug/pprof/trace)
          - command line running (/debug/pprof/cmdline)
          - program counters (/debug/pprof/symbol)
      - title: Default YAML enables the diagnostics interface from non-local clients on the admin service port
        type: change
        body: >-
          In the standard published <code>.yaml</code> files, the <code>Module</code> resource enables serving
          remote client requests to the <code>:8877/ambassador/v0/diag/</code> endpoint.
          The associated Helm chart release also now enables it by default.
      - title: Fix regression in the agent for the metrics transfer.
        type: bugfix
        body: >-
          A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
          emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
          that all the nodes composing the emissary ingress cluster are reporting properly.
      - title: Update Golang to 1.17.12
        type: security
        body: >-
          Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
          CVE-2022-24921, CVE-2022-23772.
      - title: Update Curl to 7.80.0-r2
        type: security
        body: >-
          Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
          CVE-2022-27780.
      - title: Update openSSL-dev to 1.1.1q-r0
        type: security
        body: >-
          Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
      - title: Update ncurses to 1.1.1q-r0
        type: security
        body: >-
          Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458.

  - version: 3.0.0
    prevVersion: 2.3.1
    date: '2022-06-27'
    notes:
      - title: Envoy upgraded to 1.22
        type: change
        body: >-
          The envoy version included in $productName$ has been upgraded from 1.17 to the latest patch
          release of 1.22. This provides $productName$ with the latest security patches, performance enhancements,
          and features offered by the envoy proxy. One notable change that will affect users is the removal
          of support for V2 transport protocol. See below for more information.
        docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.22/v1.22.0
      - title: Envoy xDS v2 API removal, removal of ECMAScript regexes
        type: change
        body: >-
          $productName$ can no longer be made to configure Envoy using the v2 xDS configuration API;
          it now always uses the v3 xDS API to configure Envoy. This change should be mostly
          invisible to users, with one notable exception: It removes support for <code>regex_type:
          unsafe</code>.

          The <code>regex_type</code> field is removed from the <code>ambassador</code>
          <code>Module</code>, meaning that it is not possible to instruct Envoy to use the <a
          href="https://en.cppreference.com/w/cpp/regex/ecmascript">ECMAScript Regex</a> engine
          rather than the default <a href="https://github.com/google/re2">RE2</a> engine.

          Users who rely on the specific ECMAScript Regex syntax will need to rewrite their regular
          expressions with RE2 syntax before upgrading to $productName$ 3.0.0.

          As the xDS version is no longer configurable and the range of supported Zipkin protocols
          is reduced (see below), the AMBASSADOR_ENVOY_API_VERSION environment variable has been removed.
      - title: Support for protocol_version v2 is removed
        type: change
        body: >-
          With the upgrade to Envoy 1.22, $productName$ no longer supports the V2 transport protocol.
          The <code>AuthService</code>, <code>LogService</code> and the <code>RateLimitService</code>
          will only support the v3 protocol_version. If protocol_version is not specified, the default
          value of <code>v2</code> will cause an error to be posted. Therefore, you will need to set it
          to <code>protocol_version: "v3"</code>. If upgrading from a previous version you will want
          to set it to "v3" and ensure it is working before upgrading to $productName$ 3.Y.
      - title: Support for Zipkin HTTP_JSON_V1 protocol is removed
        type: change
        body: >-
          With the upgrade to Envoy 1.22, the <code>zipkin</code> driver for the <code>TracingService</code>
          no longer supports setting the <code>collector_endpoint_version: HTTP_JSON_V1</code>. This was removed
          in Envoy 1.20 (see <a href="https://github.com/envoyproxy/envoy/commit/db74e313b3651588e59c671af45077714ac32cef">this Envoy commit</a>).
          The new default will be <code>collector_endpoint_version: HTTP_JSON</code>, regardless of the
          <code>AMBASSADOR_ENVOY_API_VERSION</code> environment variable.
      - title: Default YAML disables the diagnostics interface
        type: change
        body: >-
          In the standard published <code>.yaml</code> files, now included is a <code>Module</code>
          resource that disables the <code>/ambassador/v0/</code> → <code>127.0.0.1:8878</code>
          synthetic mapping. We have long recommended to turn this off for production use; it is
          now off in the standard YAML. The associated Helm chart release also now disables it by
          default. A later apiVersion (<code>getambassador.io/v3alpha2</code> or later) will likely
          change the <code>Module</code> CRD so that it is disabled if unspecified; but in the
          mean-time, the default install procedure will now specify it to be disabled.
      - title: No longer publish obsolete YAML manifest files
        type: change
        body: >-
          This release does not include the publishing of
          <code>emissary-emissaryns-agent.yaml</code>, <code>emissary-defaultns-agent.yaml</code>,
          <code>emissary-emissaryns-migration.yaml</code>, or
          <code>emissary-defaultns-migration.yaml</code> files. All four of these files existed
          solely as part of the migration process from 1.y, but since 2.2.0 the
          <code>*-migration.yaml</code> files have not been part of the migration instructions, and
          while the <code>*-agent.yaml</code> files remained part of the instructions they were
          actually unnecessary.
      - title: Metric naming change for grpc_stats
        type: change
        body: >-
          The previous version of $productName$ was based on Envoy 1.17 and when using grpc_stats
          with <code>all_methods</code> or <code>services</code> set, it would output metrics in
          the following format <code>envoy_cluster_grpc_{ServiceName}_{statname}</code>. When
          neither of these fields are set it would be aggregated to <code>envoy_cluster_grpc_{statname}</code>.

          The new behavior since Envoy 1.18 will produce metrics in the following format
          <code>envoy_cluster_grpc_{MethodName}_statsname</code> and <code>envoy_cluster_grpc_statsname</code>.

          After further investigation we found that Envoy doesn't properly parse service
          names such as <code>cncf.telepresence.Manager/Status</code>. In the future, we will work
          with upstream Envoy to get this parsing logic fixed to ensure consistent metric naming.
      - title: Default behavior for empty grpc_stats changed
        type: bugfix
        body: >-
          Previously setting <code>grpc_stats</code> in the <code>ambassador</code> <code>Module</code>
          without setting either <code>grpc_stats.services</code> or <code>grpc_stats.all_methods</code>
          would result in crashing. Now it behaves as if <code>grpc_stats.all_methods=false</code>.
      - title: Downstream HTTP/3 support
        type: feature
        body: >-
          With the upgrade to Envoy 1.22, $productName$ can now be configured to listen for HTTP/3
          connections using QUIC and the UDP network protocol. It currently only supports connections
          between downstream clients and $productName$.

  - version: 2.5.0
    date: 'TBD'
    prevVersion: 2.4.0
    notes:
      - title: Fixed <code>mappingSelector</code> associating <code>Hosts</code> with <code>Mappings</code>
        type: change
        body: >-
          Changes to label matching will change how <code>Hosts</code> are associated with <code>Mappings</code>. There was a bug with label
          selectors that was causing <code>Hosts</code> to be incorrectly associated with more <code>Mappings</code> than intended.
          If any single label from the selector was matched then the <code>Host</code> would be associated with the <code>Mapping</code>.
          Now it has been updated to correctly only associate a <code>Host</code> with a <code>Mapping</code> if <b>all</b> labels required by
          the selector are present. This brings the <code>mappingSelector</code> field in-line with how label selectors are used
          in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their
          <code>mappingSelector</code> to <code>Mappings</code> you want to associate with the <code>Host</code>. You can opt-out of the new behaviour
          by setting the environment variable <code>DISABLE_STRICT_LABEL_SELECTORS</code> to <code>"true"</code> (default: <code>"false"</code>).
          (Thanks to <a href="https://github.com/f-herceg">Filip Herceg</a> and <a href="https://github.com/dynajoe">Joe Andaverde</a>!).

  - version: 2.4.0
    date: '2022-09-19'
    prevVersion: 2.3.2
    notes:
      - title: Add support for Host resources using secrets from different namespaces
        type: feature
        body: >-
          Previously the <code>Host</code> resource could only use secrets that are in the same namespace as the
          Host. The <code>tlsSecret</code> field in the Host has a new subfield <code>namespace</code> that will allow
          the use of secrets from different namespaces.

      - title: Allow bypassing of EDS for manual endpoint insertion
        type: change
        body: >-
          Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
          inserted to clusters manually. This can help resolve `503 UH` errors caused by certificate rotation relating to
          a delay between EDS + CDS. The default is `false`.

      - title: Properly populate alt_stats_name for Tracing, Auth and RateLimit Services
        type: bugfix
        body: >-
          Previously, setting the <code>stats_name</code> for the <code>TracingService</code>, <code>RateLimitService</code>
          or the <code>AuthService</code> would have no effect because it was not being properly passed to the Envoy cluster
          config. This has been fixed and the <code>alt_stats_name</code> field in the cluster config is now set correctly.
          (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)

      - title: Add support for config change batch window before reconfiguring Envoy
        type: feature
        body: >-
          The <code>AMBASSADOR_RECONFIG_MAX_DELAY</code> env var can be optionally set to batch changes for the specified
          non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.

      - title: TCPMappings use correct SNI configuration
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a <code>TCPMapping</code> that uses SNI,
          instead of using the hostname glob in the <code>TCPMapping</code>, uses the hostname glob
          in the <code>Host</code> that the TLS termination configuration comes from.

      - title: TCPMappings configure TLS termination without a Host resource
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a <code>TCPMapping</code> that terminates TLS
          must have a corresponding <code>Host</code> that it can take the TLS configuration from.
          This was semi-intentional, but didn't make much sense. You can now use a
          <code>TLSContext</code> without a <code>Host</code> as in $productName$ 1.y releases, or a
          <code>Host</code> with or without a <code>TLSContext</code> as in prior 2.y releases.

      - title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS
        type: bugfix
        body: >-
          Prior releases of $productName$ had the arbitrary limitation that a
          <code>TCPMapping</code> cannot be used on the same port that HTTP is served on, even if
          TLS+SNI would make this possible. $productName$ now allows <code>TCPMappings</code> to be
          used on the same <code>Listener</code> port as HTTP <code>Hosts</code>, as long as that
          <code>Listener</code> terminates TLS.

  - version: 1.14.5
    date: 'TBD'
    notes:
      - title: When using gzip, upstreams will no longer receive encoded data
        type: bugfix
        body: >-
          When using gzip compression, upstream services will no longer receive compressed
          data. This bug was introduced in 1.14.0. The fix restores the default behavior of
          not sending compressed data to upstream services.
        github:
          - title: 3818
            link: https://github.com/emissary-ingress/emissary/issues/3818
        docs: https://github.com/emissary-ingress/emissary/issues/3818

572 - version: 2.3.2
573 date: '2022-08-01'
574 prevVersion: 2.3.1
575 notes:
576 - title: Fix regression in the agent for the metrics transfer.
577 type: bugfix
578 body: >-
579 A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
580 emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
581 that all the nodes composing the emissary ingress cluster are reporting properly.
582 - title: Update Golang to 1.17.12
583 type: security
584 body: >-
585 Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
586 CVE-2022-24921, CVE-2022-23772.
587 - title: Update Curl to 7.80.0-r2
588 type: security
589 body: >-
590 Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
591 CVE-2022-27780.
592 - title: Update openSSL-dev to 1.1.1q-r0
593 type: security
594 body: >-
595 Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
596 - title: Update ncurses to 1.1.1q-r0
597 type: security
598 body: >-
599 Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458.
600
601 - version: 1.14.4
602 date: '2022-06-13'
603 notes:
604 - title: Envoy security updates
605 type: security
606 body: >-
607 We have backported patches from the Envoy 1.19.5 security update to $productName$'s
608 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not
609 affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228, as it <a
610 href="https://github.com/emissary-ingress/emissary/issues/2846">does not support internal
611 redirects</a>, and does not use Envoy's built-in OAuth2 filter.
612 docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
613
614 - version: 2.3.1
615 date: '2022-06-09'
616 notes:
617 - title: fix regression in tracing service config
618 type: bugfix
619 body: >-
620 A regression was introduced in 2.3.0 that leaked zipkin default config fields into the configuration
621 for the other drivers (lightstep, etc.). This caused $productName$ to crash on startup. This issue has been resolved
622 to ensure that the defaults are only applied when the driver is <code>zipkin</code>.
623 github:
624 - title: "#4267"
625 link: https://github.com/emissary-ingress/emissary/issues/4267
626 - title: Envoy security updates
627 type: security
628 body: >-
629 We have backported patches from the Envoy 1.19.5 security update to $productName$'s
630 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not
631 affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228, as it <a
632 href="https://github.com/emissary-ingress/emissary/issues/2846">does not support internal
633 redirects</a>, and does not use Envoy's built-in OAuth2 filter.
634 docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
635 - version: 2.3.0
636 date: '2022-06-06'
637 notes:
638 - title: Remove unused packages
639 type: security
640 body: >-
641 Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.
642 - title: Allow setting propagation modes for Lightstep tracing
643 type: feature
644 body: >-
645 It is now possible to set <code>propagation_modes</code> in the
646 <code>TracingService</code> config when using lightstep as the driver.
647 (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)
648 github:
649 - title: "#4179"
650 link: https://github.com/emissary-ingress/emissary/pull/4179
651 - title: Added support for TLS certificate revocation list
652 type: feature
653 body: >-
654 It is now possible to set <code>crl_secret</code> in <code>Host</code> and <code>TLSContext</code> resources
655 to check peer certificates against a certificate revocation list.
656 github:
657 - title: "#1743"
658 link: https://github.com/emissary-ingress/emissary/issues/1743
659 - title: Added support for the LogService v3 transport protocol
660 type: feature
661 body: >-
662 Previously, a <code>LogService</code> would always have $productName$ communicate with the
663 external log service using the <code>envoy.service.accesslog.v2.AccessLogService</code>
664 API. It is now possible for the <code>LogService</code> to specify
665 <code>protocol_version: v3</code> to use the newer
666 <code>envoy.service.accesslog.v3.AccessLogService</code> API instead. This functionality
667 is not available if you set the <code>AMBASSADOR_ENVOY_API_VERSION=V2</code> environment
668 variable.
669 - title: CORS now happens before auth
670 type: bugfix
671 body: >-
672 When CORS is specified (either in a <code>Mapping</code> or in the <code>Ambassador</code>
673 <code>Module</code>), CORS processing will happen before authentication. This corrects a
674 problem where XHR to authenticated endpoints would fail.
675 - title: Correctly handle caching of Mappings with the same name in different namespaces
676 type: bugfix
677 body: >-
678 In 2.x releases of $productName$ when there are multiple <code>Mapping</code>s that have the same
679 <code>metadata.name</code> across multiple namespaces, their old config would not properly be removed
680 from the cache when their config was updated. This resulted in an inability to update configuration
681 for groups of <code>Mapping</code>s that share the same name until the $productName$ pods restarted.
682 - title: Fix support for Zipkin API-v1 with Envoy xDS-v3
683 type: bugfix
684 body: >-
685 It is now possible for a <code>TracingService</code> to specify
686 <code>collector_endpoint_version: HTTP_JSON_V1</code> when using xDS v3 to configure Envoy
687 (which has been the default since $productName$ 1.14.0). The <code>HTTP_JSON_V1</code>
688 value configures Envoy to speak to Zipkin using Zipkin's old API-v1, while the
689 <code>HTTP_JSON</code> value configures Envoy to speak to Zipkin using Zipkin's new
690 API-v2. In previous versions of $productName$ it was only possible to use
691 <code>HTTP_JSON_V1</code> when explicitly setting the
692 <code>AMBASSADOR_ENVOY_API_VERSION=V2</code> environment variable to force use of xDS v2
693 to configure Envoy.
694
695 - version: 2.2.2
696 date: '2022-02-25'
697 prevVersion: 2.2.1
698 notes:
699 - title: TLS Secret validation is now opt-in
700 type: change
701 body: >-
702 You may now choose to enable TLS Secret validation by setting the
703 <code>AMBASSADOR_FORCE_SECRET_VALIDATION=true</code> environment variable. The default configuration does not
704 enforce secret validation.
705
706 - title: Correctly validate EC (Elliptic Curve) Private Keys
707 type: bugfix
708 body: >-
709 Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now properly validated.
710 github:
711 - title: 4134
712 link: https://github.com/emissary-ingress/emissary/issues/4134
713 docs: https://github.com/emissary-ingress/emissary/issues/4134
714
715 - title: Decrease metric sync frequency
716 type: change
717 body: >-
718 The delay between two metrics syncs is now 30s.
719 github:
720 - title: "#4122"
721 link: https://github.com/emissary-ingress/emissary/pull/4122
722
723 - version: 1.14.3
724 date: '2022-02-25'
725 notes:
726 - title: Envoy security updates
727 type: security
728 body: >-
729 Upgraded Envoy to address security vulnerabilities CVE-2021-43824, CVE-2021-43825, CVE-2021-43826,
730 CVE-2022-21654, and CVE-2022-21655.
731 docs: https://groups.google.com/g/envoy-announce/c/bIUgEDKHl4g
732
733 - version: 2.2.1
734 date: '2022-02-22'
735 notes:
736 - title: Envoy V2 API deprecation
737 type: change
738 body: >-
739 Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
740 v3.0. The <code>AMBASSADOR_ENVOY_API_VERSION</code> environment variable will be removed at the same
741 time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
742
743 - title: Correctly support canceling rollouts
744 type: bugfix
745 body: >-
746 The Ambassador Agent now correctly supports requests to cancel a rollout.
747 docs: ../../../argo/latest/howtos/manage-rollouts-using-cloud
748
749 - version: 2.2.0
750 date: '2022-02-10'
751 notes:
752 - title: Envoy V2 API deprecation
753 type: change
754 body: >-
755 Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
756 v3.0. The <code>AMBASSADOR_ENVOY_API_VERSION</code> environment variable will be removed at the same
757 time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
758
759 - title: Emissary-ingress will watch for Cloud Connect Tokens
760 type: change
761 body: >-
762 $productName$ will now watch for ConfigMap or Secret resources specified by the
763 <code>AGENT_CONFIG_RESOURCE_NAME</code> environment variable in order to allow all
764 components (and not only the Ambassador Agent) to authenticate requests to
765 Ambassador Cloud.
766 image: ./v2.2.0-cloud.png
767
768 - title: Update Alpine and libraries
769 type: security
770 body: >-
771 $productName$ has updated Alpine to 3.15, and Python and Go dependencies
772 to their latest compatible versions, to incorporate numerous security patches.
773
774 - title: Support a log-level metric
775 type: feature
776 body: >-
777 $productName$ now supports the metric <code>ambassador_log_level{label="debug"}</code>
778 which will be set to 1 if debug logging is enabled for the running Emissary
779 instance, or to 0 if not. This can help to be sure that a running production
780 instance was not actually left doing debug logging, for example.
781 (Thanks to <a href="https://github.com/jfrabaute">Fabrice</a>!)
782 github:
783 - title: "#3906"
784 link: https://github.com/emissary-ingress/emissary/issues/3906
785 docs: topics/running/statistics/8877-metrics/
786
787 - title: Envoy configuration % escaping
788 type: feature
789 body: >-
790 $productName$ is now leveraging a new Envoy Proxy patch that allows Envoy to accept escaped
791 '%' characters in its configuration. This means that error_response_overrides and other
792 custom user content can now contain '%' symbols escaped as '%%'.
793 docs: topics/running/custom-error-responses
794 github:
795 - title: "DW Envoy: 74"
796 link: https://github.com/datawire/envoy/pull/74
797 - title: "Upstream Envoy: 19383"
798 link: https://github.com/envoyproxy/envoy/pull/19383
799 image: ./v2.2.0-percent-escape.png
800
801 - title: Stream metrics from Envoy to Ambassador Cloud
802 type: feature
803 body: >-
804 Support for streaming Envoy metrics about the clusters to Ambassador Cloud.
805 github:
806 - title: "#4053"
807 link: https://github.com/emissary-ingress/emissary/pull/4053
808 docs: https://github.com/emissary-ingress/emissary/pull/4053
809
810 - title: Support received commands to pause, continue and abort a Rollout via Agent directives
811 type: feature
812 body: >-
813 The Ambassador agent now receives commands to manipulate Rollouts (pause, continue, and
814 abort are currently supported) via directives and executes them in the cluster. A report
815 is sent to Ambassador Cloud including the command ID, whether it ran successfully, and
816 an error message in case there was any.
817 github:
818 - title: "#4040"
819 link: https://github.com/emissary-ingress/emissary/pull/4040
820 docs: https://github.com/emissary-ingress/emissary/pull/4040
821
822 - title: Validate certificates in TLS Secrets
823 type: bugfix
824 body: >-
825 Kubernetes Secrets that should contain TLS certificates are now validated before being
826 accepted for configuration. A Secret that contains an invalid TLS certificate will be logged
827 as an invalid resource.
828 github:
829 - title: "#3821"
830 link: https://github.com/emissary-ingress/emissary/issues/3821
831 docs: ../topics/running/tls
832 image: ./v2.2.0-tls-cert-validation.png
833
834 edgeStackNotes:
835 - title: Devportal support for using API server definitions from OpenAPI docs
836 type: feature
837 body: >-
838 You can now set <code>preserve_servers</code> in Ambassador Edge Stack's
839 <code>DevPortal</code> resource to configure the DevPortal to use server definitions from
840 the OpenAPI document when displaying connection information for services in the DevPortal.
841
842 - version: 2.1.2
843 prevVersion: 2.1.0
844 date: '2022-01-25'
845 notes:
846 - title: Envoy V2 API deprecation
847 type: change
848 body: >-
849 Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
850 v3.0. The <code>AMBASSADOR_ENVOY_API_VERSION</code> environment variable will be removed at the same
851 time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
852
853 - title: Docker BuildKit always used for builds
854 type: change
855 body: >-
856 Docker BuildKit is enabled for all Emissary builds. Additionally, the Go
857 build cache is fully enabled when building images, speeding up repeated builds.
858 docs: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md
859
860 - title: Fix support for v2 Mappings with CORS
861 type: bugfix
862 body: >-
863 Emissary-ingress 2.1.0 generated invalid Envoy configuration for
864 <code>getambassador.io/v2</code> <code>Mappings</code> that set
865 <code>spec.cors.origins</code> to a string rather than a list of strings; this has been
866 fixed, and these <code>Mappings</code> should once again function correctly.
867 docs: topics/using/cors/#the-cors-attribute
868 image: ./v2.1.2-mapping-cors.png
869
870 - title: Correctly handle canary Mapping weights when reconfiguring
871 type: bugfix
872 body: >-
873 Changes to the <code>weight</code> of <code>Mapping</code> in a canary group
874 will now always be correctly managed during reconfiguration; such changes could
875 have been missed in earlier releases.
876 docs: topics/using/canary/#the-weight-attribute
877
878 - title: Correctly handle solitary Mappings with explicit weights
879 type: bugfix
880 body: >-
881 A <code>Mapping</code> that is not part of a canary group, but that has a
882 <code>weight</code> less than 100, will be correctly configured to receive all
883 traffic as if the <code>weight</code> were 100.
884 docs: topics/using/canary/#the-weight-attribute
885 image: ./v2.1.2-mapping-less-weighted.png
886
887 - title: Correctly handle empty rewrite in a Mapping
888 type: bugfix
889 body: >-
890 Using <code>rewrite: ""</code> in a <code>Mapping</code> is correctly handled
891 to mean "do not rewrite the path at all".
892 docs: topics/using/rewrites
893 image: ./v2.1.2-mapping-no-rewrite.png
894
895 - title: Correctly use Mappings with host redirects
896 type: bugfix
897 body: >-
898 Any <code>Mapping</code> that uses the <code>host_redirect</code> field is now properly discovered and used. Thanks
899 to <a href="https://github.com/gferon">Gabriel Féron</a> for contributing this bugfix!
900 github:
901 - title: "#3709"
902 link: https://github.com/emissary-ingress/emissary/issues/3709
903 docs: https://github.com/emissary-ingress/emissary/issues/3709
904
905 - title: Correctly handle DNS wildcards when associating Hosts and Mappings
906 type: bugfix
907 body: >-
908 <code>Mapping</code>s with DNS wildcard <code>hostname</code> will now be correctly
909 matched with <code>Host</code>s. Previously, the case where both the <code>Host</code>
910 and the <code>Mapping</code> use DNS wildcards for their hostnames could sometimes
911 not correctly match when they should have.
912 docs: howtos/configure-communications/
913 image: ./v2.1.2-host-mapping-matching.png
914
915 - title: Fix overriding global settings for adding or removing headers
916 type: bugfix
917 body: >-
918 If the <code>ambassador</code> <code>Module</code> sets a global default for
919 <code>add_request_headers</code>, <code>add_response_headers</code>,
920 <code>remove_request_headers</code>, or <code>remove_response_headers</code>, it is often
921 desirable to be able to turn off that setting locally for a specific <code>Mapping</code>.
922 For several releases this has not been possible for <code>Mappings</code> that are native
923 Kubernetes resources (as opposed to annotations), as an empty value ("mask the global
924 default") was erroneously considered to be equivalent to unset ("inherit the global
925 default"). This is now fixed.
926 docs: topics/using/defaults/
927
928 - title: Fix empty error_response_override bodies
929 type: bugfix
930 body: >-
931 It is now possible to set a <code>Mapping</code>
932 <code>spec.error_response_overrides</code> <code>body.text_format</code> to an empty
933 string or <code>body.json_format</code> to an empty dict. Previously, this was possible
934 for annotations but not for native Kubernetes resources.
935 docs: topics/running/custom-error-responses/
936
937 - title: Annotation conversion and validation
938 type: bugfix
939 body: >-
940 Resources that exist as <code>getambassador.io/config</code> annotations rather than as
941 native Kubernetes resources are now validated and internally converted to v3alpha1,
942 the same as native Kubernetes resources.
943 image: ./v2.1.2-annotations.png
944
945 - title: Validation error reporting
946 type: bugfix
947 body: >-
948 Resource validation errors are now reported more consistently; it was the case that in
949 some situations a validation error would not be reported.
950
951 - version: 2.1.1
952 date: 'N/A'
953 notes:
954 - title: Never issued
955 type: change
956 isHeadline: true
957 body: >-
958 <i>Emissary-ingress 2.1.1 was not issued; Ambassador Edge Stack 2.1.1 uses
959 Emissary-ingress 2.1.0.</i>
960
961 - version: 2.1.0
962 date: '2021-12-16'
963 notes:
964 - title: Not recommended; upgrade to 2.1.2 instead
965 type: change
966 isHeadline: true
967 body: >-
968 <i>Emissary-ingress 2.1.0 is not recommended; upgrade to 2.1.2 instead.</i>
969
970 - title: Envoy V2 API deprecation
971 type: change
972 body: >-
973 Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$
974 v3.0. The <code>AMBASSADOR_ENVOY_API_VERSION</code> environment variable will be removed at the same
975 time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0).
976
977 - title: Smoother migrations with support for getambassador.io/v2 CRDs
978 type: feature
979 body: >-
980 $productName$ supports <code>getambassador.io/v2</code> CRDs, to simplify migration from $productName$
981 1.X. <b>Note:</b> it is important to read the <a href="../topics/install/migration-matrix">migration
982 documentation</a> before starting migration.
983 docs: topics/install/migration-matrix
984 image: ./v2.1.0-smoother-migration.png
985
986 - title: Correctly handle all changing canary configurations
987 type: bugfix
988 body: >-
989 The incremental reconfiguration cache could miss some updates when multiple
990 <code>Mapping</code>s had the same <code>prefix</code> ("canary"ing multiple
991 <code>Mapping</code>s together). This has been corrected, so that all such
992 updates correctly take effect.
993 github:
994 - title: "#3945"
995 link: https://github.com/emissary-ingress/emissary/issues/3945
996 docs: https://github.com/emissary-ingress/emissary/issues/3945
997 image: ./v2.1.0-canary.png
998
999 - title: Secrets used for ACME private keys will not log errors
1000 type: bugfix
1001 body: >-
1002 When using Kubernetes Secrets to store ACME private keys (as the Edge Stack
1003 ACME client does), an error would always be logged about the Secret not being
1004 present, even though it was present, and everything was working correctly.
1005 This error is no longer logged.
1006
1007 - title: When using gzip, upstreams will no longer receive encoded data
1008 type: bugfix
1009 body: >-
1010 When using gzip compression, upstream services will no longer receive compressed
1011 data. This bug was introduced in 1.14.0. The fix restores the default behavior of
1012 not sending compressed data to upstream services.
1013 github:
1014 - title: "#3818"
1015 link: https://github.com/emissary-ingress/emissary/issues/3818
1016 docs: https://github.com/emissary-ingress/emissary/issues/3818
1017 image: ./v2.1.0-gzip-enabled.png
1018
1019 - title: Update to busybox 1.34.1
1020 type: security
1021 body: >-
1022 Update to busybox 1.34.1 to resolve CVE-2021-28831, CVE-2021-42378,
1023 CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383,
1024 CVE-2021-42384, CVE-2021-42385, and CVE-2021-42386.
1025
1026 - title: Update Python dependencies
1027 type: security
1028 body: >-
1029 Update Python dependencies to resolve CVE-2020-28493 (jinja2), CVE-2021-28363
1030 (urllib3), and CVE-2021-33503 (urllib3).
1031
1032 - title: Remove test-only code from the built image
1033 type: security
1034 body: >-
1035 Previous built images included some Python packages used only for test. These
1036 have now been removed, resolving CVE-2020-29651.
1037
1038 - version: 2.0.5
1039 date: '2021-11-08'
1040 notes:
1041 - title: AuthService circuit breakers
1042 type: feature
1043 body: >-
1044 It is now possible to set the <code>circuit_breakers</code> for <code>AuthServices</code>,
1045 exactly the same as for <code>Mappings</code> and <code>TCPMappings</code>. This makes it
1046 possible to configure your <code>AuthService</code> to be able to handle more than 1024
1047 concurrent requests.
1048 docs: topics/running/services/auth-service/
1049 image: ./v2.0.5-auth-circuit-breaker.png
1050
1051 - title: Improved validity checking for error response overrides
1052 type: bugfix
1053 body: >-
1054 Any token delimited by '%' is now validated against a whitelist of valid
1055 Envoy command operators. Any mapping containing an <code>error_response_overrides</code>
1056 section with invalid command operators will be discarded.
1057 docs: topics/running/custom-error-responses
1058
1059 - title: mappingSelector is now correctly supported in the Host CRD
1060 type: bugfix
1061 body: >-
1062 The <code>Host</code> CRD now correctly supports the <code>mappingSelector</code>
1063 element, as documented. As a transition aid, <code>selector</code> is a synonym for
1064 <code>mappingSelector</code>; a future version of $productName$ will remove the
1065 <code>selector</code> element.
1066 github:
1067 - title: "#3902"
1068 link: https://github.com/emissary-ingress/emissary/issues/3902
1069 docs: https://github.com/emissary-ingress/emissary/issues/3902
1070 image: ./v2.0.5-mappingselector.png
1071
1072 - version: 2.0.4
1073 date: '2021-10-19'
1074 notes:
1075 - title: General availability!
1076 type: feature
1077 body: >-
1078 We're pleased to introduce $productName$ 2.0.4 for general availability! The
1079 2.X family introduces a number of changes to allow $productName$ to more
1080 gracefully handle larger installations, reduce global configuration to better
1081 handle multitenant or multiorganizational installations, reduce memory footprint, and
1082 improve performance. We welcome feedback!! Join us on
1083 <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
1084 isHeadline: true
1085 docs: about/changes-2.x
1086 image: ./emissary-ga.png
1087
1088 - title: API version getambassador.io/v3alpha1
1089 type: change
1090 body: >-
1091 The <code>x.getambassador.io/v3alpha1</code> API version has become the
1092 <code>getambassador.io/v3alpha1</code> API version. The <code>Ambassador-</code> prefixes
1093 from <code>x.getambassador.io/v3alpha1</code> resource kind names
1094 (e.g. <code>AmbassadorHost</code>) have been removed for ease of migration from
1095 $productName$ 1.x. As with previous 2.0.x releases, you <b>must</b> supply a
1096 <code>Host</code> (<code>AmbassadorHost</code> in previous 2.0.x releases) resource to
1097 terminate TLS: unlike in 1.x it is no longer sufficient to define a
1098 <code>TLSContext</code> (although <code>TLSContext</code>s are still the best way to
1099 define TLS configuration information to be shared across multiple <code>Host</code>s).
1100 <b>Note that <code>getambassador.io/v3alpha1</code> is the only supported API version for
1101 2.0.4</b> — full support for <code>getambassador.io/v2</code> will arrive soon in a
1102 later 2.X version.
1103 docs: about/changes-2.x
1104 image: ./v2.0.4-v3alpha1.png
1105
1106 - title: Support for Kubernetes 1.22
1107 type: feature
1108 body: >-
1109 The <code>getambassador.io/v3alpha1</code> API version and the published chart
1110 and manifests have been updated to support Kubernetes 1.22. Thanks to
1111 <a href="https://github.com/imoisharma">Mohit Sharma</a> for contributions to
1112 this feature!
1113 docs: about/changes-2.x
1114 image: ./v2.0.4-k8s-1.22.png
1115
1116 - title: Mappings support configuring strict or logical DNS
1117 type: feature
1118 body: >-
1119 You can now set <code>dns_type</code> to either <code>strict_dns</code> or
1120 <code>logical_dns</code> in a <code>Mapping</code> to configure the Service
1121 Discovery Type.
1122 docs: topics/using/mappings/#dns-configuration-for-mappings
1123 image: ./v2.0.4-mapping-dns-type.png
1124
1125 - title: Mappings support controlling DNS refresh with DNS TTL
1126 type: feature
1127 body: >-
1128 You can now set <code>respect_dns_ttl</code> to <code>true</code> to force the
1129 DNS refresh rate for a <code>Mapping</code> to be set to the record's TTL
1130 obtained from DNS resolution.
1131 docs: topics/using/mappings/#dns-configuration-for-mappings
1132
1133 - title: Support configuring upstream buffer sizes
1134 type: feature
1135 body: >-
1136 You can now set <code>buffer_limit_bytes</code> in the <code>ambassador</code>
1137 <code>Module</code> to change the size of the upstream read and write buffers.
1138 The default is 1MiB.
1139 docs: topics/running/ambassador/#modify-default-buffer-size
1140
1141 - title: Version number reported correctly
1142 type: bugfix
1143 body: >-
1144 The release now shows its actual released version number, rather than
1145 the internal development version number.
1146 github:
1147 - title: "#3854"
1148 link: https://github.com/emissary-ingress/emissary/issues/3854
1149 docs: https://github.com/emissary-ingress/emissary/issues/3854
1150 image: ./v2.0.4-version.png
1151
1152 - title: Large configurations work correctly with Ambassador Cloud
1153 type: bugfix
1154 body: >-
1155 Large configurations no longer cause $productName$ to be unable
1156 to communicate with Ambassador Cloud.
1157 github:
1158 - title: "#3593"
1159 link: https://github.com/emissary-ingress/emissary/issues/3593
1160 docs: https://github.com/emissary-ingress/emissary/issues/3593
1161
1162 - title: Listeners correctly support l7Depth
1163 type: bugfix
1164 body: >-
1165 The <code>l7Depth</code> element of the <code>Listener</code> CRD is
1166 properly supported.
1167 docs: topics/running/listener#l7depth
1168 image: ./v2.0.4-l7depth.png
1169
1170 - version: 2.0.3-ea
1171 date: '2021-09-16'
1172 notes:
1173 - title: Developer Preview!
1174 body: We're pleased to introduce $productName$ 2.0.3 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
1175 type: change
1176 isHeadline: true
1177 docs: about/changes-2.x
1178
1179 - title: AES_LOG_LEVEL more widely effective
1180 body: The environment variable <code>AES_LOG_LEVEL</code> now also sets the log level for the <code>diagd</code> logger.
1181 type: feature
1182 docs: topics/running/running/
1183 github:
1184 - title: "#3686"
1185 link: https://github.com/emissary-ingress/emissary/issues/3686
1186 - title: "#3666"
1187 link: https://github.com/emissary-ingress/emissary/issues/3666
1188
1189 - title: AmbassadorMapping supports setting the DNS type
1190 body: You can now set <code>dns_type</code> in the <code>AmbassadorMapping</code> to configure how Envoy will use the DNS for the service.
1191 type: feature
1192 docs: topics/using/mappings/#using-dns_type
1193
1194 - title: Building Emissary no longer requires setting DOCKER_BUILDKIT
1195 body: It is no longer necessary to set <code>DOCKER_BUILDKIT=0</code> when building Emissary. A future change will fully support BuildKit.
1196 type: bugfix
1197 docs: https://github.com/emissary-ingress/emissary/issues/3707
1198 github:
1199 - title: "#3707"
1200 link: https://github.com/emissary-ingress/emissary/issues/3707
1201
1202 - version: 2.0.2-ea
1203 date: '2021-08-24'
1204 notes:
1205 - title: Developer Preview!
1206 body: We're pleased to introduce $productName$ 2.0.2 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
1207 type: change
1208 isHeadline: true
1209 docs: about/changes-2.x
1210
1211 - title: Envoy security updates
1212 type: bugfix
1213 body: "Upgraded Envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781."
1214 docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE?pli=1
1215
1216 - title: Expose Envoy's allow_chunked_length HTTPProtocolOption
1217 type: feature
1218 body: "You can now set <code>allow_chunked_length</code> in the Ambassador Module to configure the same value in Envoy."
1219 docs: topics/running/ambassador/#content-length-headers
1220
1221 - title: Envoy-configuration snapshots saved
1222 type: change
1223 body: Envoy-configuration snapshots get saved (as <code>ambex-#.json</code>) in <code>/ambassador/snapshots</code>. The number of snapshots is controlled by the <code>AMBASSADOR_AMBEX_SNAPSHOT_COUNT</code> environment variable; set it to 0 to disable. The default is 30.
1224 docs: topics/running/running/
1225
1226 - version: 2.0.1-ea
1227 date: '2021-08-12'
1228 notes:
1229 - title: Developer Preview!
        body: We're pleased to introduce $productName$ 2.0.1 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
        type: change
        isHeadline: true
        docs: about/changes-2.x

      - title: Improved Ambassador Cloud visibility
        type: feature
        body: Ambassador Agent reports sidecar process information and <code>AmbassadorMapping</code> OpenAPI documentation to Ambassador Cloud to provide more visibility into services and clusters.
        docs: /docs/cloud/latest/service-catalog/quick-start/

      - title: Configurable per-AmbassadorListener statistics prefix
        body: The optional <code>stats_prefix</code> element of the <code>AmbassadorListener</code> CRD now determines the prefix of HTTP statistics emitted for a specific <code>AmbassadorListener</code>.
        type: feature
        docs: topics/running/listener

      - title: Configurable statistics names
        body: The optional <code>stats_name</code> element of <code>AmbassadorMapping</code>, <code>AmbassadorTCPMapping</code>, <code>AuthService</code>, <code>LogService</code>, <code>RateLimitService</code>, and <code>TracingService</code> now sets the name under which cluster statistics will be logged. The default is the <code>service</code>, with non-alphanumeric characters replaced by underscores.
        type: feature
        docs: topics/running/statistics

      - title: Updated klog to reduce log noise
        type: bugfix
        body: We have updated to <code>k8s.io/klog/v2</code> to track upstream and to quiet unnecessary log output.
        docs: https://github.com/emissary-ingress/emissary/issues/3603

      - title: Subsecond time resolution in logs
        type: change
        body: Logs now include subsecond time resolutions, rather than just seconds.
        docs: https://github.com/emissary-ingress/emissary/pull/3650

      - title: Configurable Envoy-configuration rate limiting
        type: change
        body: Set <code>AMBASSADOR_AMBEX_NO_RATELIMIT</code> to <code>true</code> to completely disable ratelimiting Envoy reconfiguration under memory pressure. This can help performance with the endpoint or Consul resolvers, but could make OOMkills more likely with large configurations. The default is <code>false</code>, meaning that the rate limiter is active.
        docs: topics/concepts/rate-limiting-at-the-edge/

  - version: 2.0.0-ea
    date: '2021-06-24'
    notes:
      - title: Developer Preview!
        body: We're pleased to introduce $productName$ 2.0.0 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
        type: change
        docs: about/changes-2.x
        isHeadline: true

      - title: Configuration API v3alpha1
        body: >-
          $productName$ 2.0.0 introduces API version <code>x.getambassador.io/v3alpha1</code> for
          configuration changes that are not backwards compatible with the 1.X family. API versions
          <code>getambassador.io/v0</code>, <code>getambassador.io/v1</code>, and
          <code>getambassador.io/v2</code> are deprecated. Further details are available in the <a
          href="../about/changes-2.x/#1-configuration-api-version-getambassadoriov3alpha1">Major Changes
          in 2.X</a> document.
        type: feature
        docs: about/changes-2.x/#1-configuration-api-version-getambassadoriov3alpha1
        image: ./edge-stack-2.0.0-v3alpha1.png

      - title: The AmbassadorListener Resource
        body: The new <code>AmbassadorListener</code> CRD defines where and how to listen for requests from the network, and which <code>AmbassadorHost</code> definitions should be used to process those requests. Note that the <code>AmbassadorListener</code> CRD is <b>mandatory</b> and consolidates <i>all</i> port configuration; see the <a href="../topics/running/listener"><code>AmbassadorListener</code> documentation</a> for more details.
        type: feature
        docs: topics/running/listener
        image: ./edge-stack-2.0.0-listener.png

      - title: AmbassadorMapping hostname DNS glob support
        body: >-
          Where <code>AmbassadorMapping</code>'s <code>host</code> field is either an exact match or (with <code>host_regex</code> set) a regex,
          the new <code>hostname</code> element is always a DNS glob. Use <code>hostname</code> instead of <code>host</code> for best results.
        docs: about/changes-2.x/#ambassadorhost-and-ambassadormapping-association
        type: feature

      - title: Memory usage improvements for installations with many AmbassadorHosts
        body: The behavior of the Ambassador module <code>prune_unreachable_routes</code> field is now automatic, which should reduce Envoy memory requirements for installations with many <code>AmbassadorHost</code>s.
        docs: topics/running/ambassador/#prune-unreachable-routes
        image: ./edge-stack-2.0.0-prune_routes.png
        type: feature

      - title: Independent Host actions supported
        body: Each <code>AmbassadorHost</code> can specify its <code>requestPolicy.insecure.action</code> independently of any other <code>AmbassadorHost</code>, allowing for HTTP routing as flexible as HTTPS routing.
        docs: topics/running/host-crd/#secure-and-insecure-requests
        github:
          - title: "#2888"
            link: https://github.com/datawire/ambassador/issues/2888
        image: ./edge-stack-2.0.0-insecure_action_hosts.png
        type: bugfix

      - title: Correctly set Ingress resource status in all cases
        body: $productName$ 2.0.0 fixes a regression in detecting the Ambassador Kubernetes service that could cause the wrong IP or hostname to be used in Ingress statuses -- thanks, <a href="https://github.com/impl">Noah Fontes</a>!
        docs: topics/running/ingress-controller
        type: bugfix
        image: ./edge-stack-2.0.0-ingressstatus.png

      - title: Stricter mTLS enforcement
        body: $productName$ 2.0.0 fixes a bug where mTLS could use the wrong configuration when SNI and the <code>:authority</code> header didn't match.
        type: bugfix

      - title: Port configuration outside AmbassadorListener has been moved to AmbassadorListener
        body: The <code>TLSContext</code> <code>redirect_cleartext_from</code> and <code>AmbassadorHost</code> <code>requestPolicy.insecure.additionalPort</code> elements are no longer supported. Use an <code>AmbassadorListener</code> for this functionality instead.
        type: change
        docs: about/changes-2.x/#tlscontext-redirect_cleartext_from-and-host-insecureadditionalport

      - title: PROXY protocol configuration has been moved to AmbassadorListener
        body: The <code>use_proxy_protocol</code> element of the Ambassador <code>Module</code> is no longer supported, as it is now part of the <code>AmbassadorListener</code> resource (and can be set per-<code>AmbassadorListener</code> rather than globally).
        type: change
        docs: about/changes-2.x/#proxy-protocol-configuration

      - title: Stricter rules for AmbassadorHost/AmbassadorMapping association
        body: An <code>AmbassadorMapping</code> will only be matched with an <code>AmbassadorHost</code> if the <code>AmbassadorMapping</code>'s <code>host</code> or the <code>AmbassadorHost</code>'s <code>selector</code> (or both) are explicitly set, and match. This change can significantly improve $productName$'s memory footprint when many <code>AmbassadorHost</code>s are involved. Further details are available in the <a href="../about/changes-2.x/#host-and-mapping-association">Major Changes in 2.X</a> document.
        docs: about/changes-2.x/#host-and-mapping-association
        type: change

      - title: AmbassadorHost or Ingress now required for TLS termination
        body: An <code>AmbassadorHost</code> or <code>Ingress</code> resource is now required when terminating TLS -- simply creating a <code>TLSContext</code> is not sufficient. Further details are available in the <a href="../about/changes-2.x/#host-tlscontext-and-tls-termination"><code>AmbassadorHost</code> CRD documentation</a>.
        docs: about/changes-2.x/#host-tlscontext-and-tls-termination
        type: change
        image: ./edge-stack-2.0.0-host_crd.png

      - title: Envoy V3 APIs
        body: By default, $productName$ will configure Envoy using the V3 Envoy API. This change is mostly transparent to users, but note that Envoy V3 does not support unsafe regular expressions or, e.g., Zipkin's V1 collector protocol. Further details are available in the <a href="../about/changes-2.x">Major Changes in 2.X</a> document.
        type: change
        docs: about/changes-2.x/#envoy-v3-api-by-default

      - title: Module-based TLS no longer supported
        body: The <code>tls</code> module and the <code>tls</code> field in the Ambassador module are no longer supported. Please use <code>TLSContext</code> resources instead.
        docs: about/changes-2.x/#tls-the-ambassador-module-and-the-tls-module
        image: ./edge-stack-2.0.0-tlscontext.png
        type: change

      - title: Higher performance while generating Envoy configuration now enabled by default
        body: The environment variable <code>AMBASSADOR_FAST_RECONFIGURE</code> is now set by default, enabling the higher-performance implementation of the code that $productName$ uses to generate and validate Envoy configurations.
        docs: topics/running/scaling/#ambassador_fast_reconfigure-and-ambassador_legacy_mode-flags
        type: change

      - title: Service Preview no longer supported
        body: >-
          Service Preview and the <code>AGENT_SERVICE</code> environment variable are no longer supported.
          The Telepresence product replaces this functionality.
        docs: https://www.getambassador.io/docs/telepresence/
        type: change

      - title: edgectl no longer supported
        body: The <code>edgectl</code> CLI tool has been deprecated; please use the <code>emissary-ingress</code> Helm chart instead.
        docs: topics/install/helm/
        type: change

  - version: 1.14.2
    date: '2021-09-29'
    notes:
      - title: Mappings support controlling DNS refresh with DNS TTL
        type: feature
        body: >-
          You can now set <code>respect_dns_ttl</code> in Ambassador Mappings. When true, it
          sets that upstream's refresh rate to the resource record's TTL.
        docs: topics/using/mappings/#dns-configuration-for-mappings

      - title: Mappings support configuring strict or logical DNS
        type: feature
        body: >-
          You can now set <code>dns_type</code> in Ambassador Mappings to use Envoy's
          <code>logical_dns</code> resolution instead of the default <code>strict_dns</code>.
        docs: topics/using/mappings/#dns-configuration-for-mappings

      - title: Support configuring upstream buffer size
        type: feature
        body: >-
          You can now set <code>buffer_limit_bytes</code> in the <code>ambassador</code>
          <code>Module</code> to change the size of the upstream read and write buffers.
          The default is 1MiB.
        docs: topics/running/ambassador/#modify-default-buffer-size

  - version: 1.14.1
    date: '2021-08-24'
    notes:
      - title: Envoy security updates
        type: change
        body: >-
          Upgraded Envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777,
          CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781.
        docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE

  - version: 1.14.0
    date: '2021-08-19'
    notes:
      - title: Envoy upgraded to 1.17.3!
        type: change
        body: >-
          Updated from Envoy 1.15 to 1.17.3.
        docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history

      - title: Expose Envoy's allow_chunked_length HTTPProtocolOption
        type: feature
        body: >-
          You can now set <code>allow_chunked_length</code> in the Ambassador Module to configure
          the same value in Envoy.
        docs: topics/running/ambassador/#content-length-headers

      - title: Default Envoy API version is now V3
        type: change
        body: >-
          <code>AMBASSADOR_ENVOY_API_VERSION</code> now defaults to <code>V3</code>.
        docs: topics/running/running/#ambassador_envoy_api_version

      - title: Subsecond time resolution in logs
        type: change
        body: Logs now include subsecond time resolutions, rather than just seconds.
        docs: https://github.com/emissary-ingress/emissary/pull/3650

  - version: 1.13.10
    date: '2021-07-28'
    notes:
      - title: Fix for CORS origins configuration on the Mapping resource
        type: bugfix
        body: >-
          Fixed a regression when specifying a comma-separated string for <code>cors.origins</code>
          on the <code>Mapping</code> resource.
          (<a href="https://github.com/emissary-ingress/emissary/issues/3609">#3609</a>)
        docs: topics/using/cors
        image: ../images/emissary-1.13.10-cors-origin.png

      - title: New Envoy-configuration snapshots for debugging
        body: "Envoy-configuration snapshots get saved (as <code>ambex-#.json</code>) in <code>/ambassador/snapshots</code>. The number of snapshots is controlled by the <code>AMBASSADOR_AMBEX_SNAPSHOT_COUNT</code> environment variable; set it to 0 to disable. The default is 30."
        type: change
        docs: topics/running/environment/

      - title: Optionally remove ratelimiting for Envoy reconfiguration
        body: >-
          Set <code>AMBASSADOR_AMBEX_NO_RATELIMIT</code> to <code>true</code> to completely disable
          ratelimiting Envoy reconfiguration under memory pressure. This can help performance with
          the endpoint or Consul resolvers, but could make OOMkills more likely with large
          configurations. The default is <code>false</code>, meaning that the rate limiter is
          active.
        type: change
        docs: topics/running/environment/

    edgeStackNotes:
      - title: Mappings support configuring the DevPortal fetch timeout
        type: bugfix
        body: >-
          The <code>Mapping</code> resource can now specify <code>docs.timeout_ms</code> to set the
          timeout when the Dev Portal is fetching API specifications.
        docs: topics/using/dev-portal
        image: ../images/edge-stack-1.13.10-docs-timeout.png

      - title: Dev Portal will strip HTML tags when displaying results
        type: bugfix
        body: >-
          The Dev Portal will now strip HTML tags when displaying search results, showing just the
          actual content of the search result.
        docs: topics/using/dev-portal

      - title: Consul certificate rotation logs more information
        type: change
        body: >-
          Consul certificate-rotation logging now includes the fingerprints and validity timestamps
          of certificates being rotated.
        docs: howtos/consul/
        image: ../images/edge-stack-1.13.10-consul-cert-log.png

  - version: 1.13.9
    date: '2021-06-30'
    notes:
      - title: Fix for TCPMappings
        body: >-
          Configuring multiple TCPMappings with the same ports (but different hosts) no longer
          generates invalid Envoy configuration.
        type: bugfix
        docs: topics/using/tcpmappings/

  - version: 1.13.8
    date: '2021-06-08'
    notes:
      - title: Fix Ambassador Cloud Service Details
        body: >-
          Ambassador Agent now accurately reports up-to-date Endpoint information to Ambassador
          Cloud.
        type: bugfix
        docs: tutorials/getting-started/#3-connect-your-cluster-to-ambassador-cloud
        image: ../images/edge-stack-1.13.8-cloud-bugfix.png

      - title: Improved Argo Rollouts Experience with Ambassador Cloud
        body: >-
          Ambassador Agent reports ConfigMaps and Deployments to Ambassador Cloud to provide a
          better Argo Rollouts experience. See the <a
          href="https://www.getambassador.io/docs/argo">Argo+Ambassador documentation</a> for more info.
        type: feature
        docs: https://www.getambassador.io/docs/argo

  - version: 1.13.7
    date: '2021-06-03'
    notes:
      - title: JSON logging support
        body: >-
          Added <code>AMBASSADOR_JSON_LOGGING</code> to enable JSON logging for most of the Ambassador
          control plane. Some (but few) logs from gunicorn and the Kubernetes client-go package are
          still emitted as text.
        image: ../images/edge-stack-1.13.7-json-logging.png
        docs: topics/running/running/#log-format
        type: feature

      - title: Consul resolver bugfix with TCPMappings
        body: >-
          Fixed a bug where the Consul resolver would not actually use Consul endpoints with
          TCPMappings.
        image: ../images/edge-stack-1.13.7-tcpmapping-consul.png
        docs: topics/running/resolvers/#the-consul-resolver
        type: bugfix

      - title: Memory usage calculation improvements
        body: >-
          Ambassador now calculates its own memory usage in a way that is more similar to how the
          kernel OOMKiller tracks memory.
        image: ../images/edge-stack-1.13.7-memory.png
        docs: topics/running/scaling/#inspecting-ambassador-performance
        type: change

  - version: 1.13.6
    date: '2021-05-24'
    notes:
      - title: Quieter logs in legacy mode
        type: bugfix
        body: >-
          Fixed a regression where Ambassador snapshot data was logged at the INFO level
          when using <code>AMBASSADOR_LEGACY_MODE=true</code>.

  - version: 1.13.5
    date: '2021-05-13'
    notes:
      - title: Correctly support proper_case and preserve_external_request_id
        type: bugfix
        body: >-
          Fixed a regression from 1.8.0 that prevented <code>ambassador</code> <code>Module</code>
          config keys <code>proper_case</code> and <code>preserve_external_request_id</code>
          from working correctly.
        docs: topics/running/ambassador/#header-case

      - title: Correctly support Ingress statuses in all cases
        type: bugfix
        body: >-
          Fixed a regression in detecting the Ambassador Kubernetes service that could cause the
          wrong IP or hostname to be used in Ingress statuses (thanks, <a
          href="https://github.com/impl">Noah Fontes</a>!).
        docs: topics/running/ingress-controller

  - version: 1.13.4
    date: '2021-05-11'
    notes:
      - title: Envoy 1.15.5
        body: >-
          Incorporate the Envoy 1.15.5 security update by adding the
          <code>reject_requests_with_escaped_slashes</code> option to the Ambassador module.
        image: ../images/edge-stack-1.13.4.png
        docs: topics/running/ambassador/#rejecting-client-requests-with-escaped-slashes
        type: security

# Don't go any further back than 1.13.4.