# -*- fill-column: 100 -*-
# This file should be placed in the folder for the version of the
# product that's meant to be documented. A `/release-notes` page will
# be automatically generated and populated at build time.
#
# Note that an entry needs to be added to the `doc-links.yml` file in
# order to surface the release notes in the table of contents.
#
# The YAML in this file should contain:
#
# changelog: An (optional) URL to the CHANGELOG for the product.
# items: An array of releases with the following attributes:
#     - version: The (optional) version number of the release, if applicable.
#     - date: The date of the release in the format YYYY-MM-DD.
#     - notes: An array of noteworthy changes included in the release, each having the following attributes:
#         - type: The type of change, one of `bugfix`, `feature`, `security` or `change`.
#         - title: A short title of the noteworthy change.
#         - body: >-
#             Two or three sentences describing the change and why it
#             is noteworthy. This is HTML, not plain text or
#             markdown. It is handy to use YAML's ">-" feature to
#             allow line-wrapping.
#         - image: >-
#             The URL of an image that visually represents the
#             noteworthy change. This path is relative to the
#             `release-notes` directory; if this file is
#             `FOO/releaseNotes.yml`, then the image paths are
#             relative to `FOO/release-notes/`.
#         - docs: The path to the documentation page where additional information can be found.
#         - href: A path from the root to a resource on the getambassador website, takes precedence over a docs link.
changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md
items:
  - version: 3.6.0
    prevVersion: 3.5.0
    date: '2023-04-17'
    notes:
      - title: Upgrade to Envoy 1.25.4
        type: feature
        body: >-
          This upgrades $productName$ to be built on Envoy v1.25.4. This provides $productName$ with
          the latest security patches, performance enhancements, and features offered by the envoy
          proxy.
  - version: 3.5.0
    prevVersion: 3.4.0
    date: '2023-02-15'
    notes:
      - title: Update to golang 1.20.1
        type: security
        body: >-
          Upgrading to the latest release of Golang as part of our general dependency upgrade
          process. This includes security fixes for CVE-2022-41725, CVE-2022-41723.
      - title: TracingService support for native OpenTelemetry driver
        type: feature
        body: >-
          In Envoy 1.24, experimental support for a native OpenTelemetry tracing driver was
          introduced that allows exporting spans in the otlp format. Many Observability platforms
          accept that format, and it is the recommended replacement for the LightStep driver.
          $productName$ now supports setting the TracingService.spec.driver=opentelemetry to export
          spans in otlp format.

          Thanks to Paul for helping us get this tested and implemented!
      - title: Fix envoy config generation when including port in Host.hostname
        type: bugfix
        body: >-
          When wanting to expose traffic to clients on ports other than 80/443, users will set a
          port in the Host.hostname (e.g. Host.hostname=example.com:8500). The config generated
          allowed matching on the :authority header. This worked in v1.Y series due to the way
          emissary was generating Envoy configuration under a single wild-card virtual_host and
          matching on :authority. In v2.Y/v3.Y+, the way emissary generates Envoy configuration
          changed to address memory pressure and improve route lookup speed in Envoy. However, when
          including a port in the hostname, an incorrect configuration was generated with an sni
          match including the port. This has been fixed and the correct envoy configuration is
          being generated.
        github:
          - title: "fix: hostname port issue"
            link: https://github.com/emissary-ingress/emissary/pull/4816
      - title: Add support for resolving port names in Ingress resource
        type: change
        body: >-
          Previously, specifying backend ports by name in Ingress was not supported and would
          result in defaulting to port 80. This allows emissary-ingress to now resolve port names
          for backend services. If the port number cannot be resolved by the name (e.g. the named
          port in the Service doesn't exist) then it defaults back to the original behavior.
          (Thanks to Anton Ustyuzhanin!).
        github:
          - title: "#4809"
            link: https://github.com/emissary-ingress/emissary/pull/4809
      - title: Add startupProbe to emissary-apiext server
        type: change
        body: >-
          The emissary-apiext server is a Kubernetes Conversion Webhook that converts between the
          Emissary-ingress CRD versions. On startup, it ensures that a self-signed cert is
          available so that K8s API Server can talk to the conversion webhook (*TLS is required by
          K8s*).
          We have introduced a startupProbe to ensure that emissary-apiext server has enough time
          to configure the webhooks before running liveness and readiness probes. This is to ensure
          slow startup doesn't cause K8s to needlessly restart the pod.
  - version: 3.4.0
    prevVersion: 3.3.0
    date: '2023-01-03'
    notes:
      - title: Re-add support for getambassador.io/v1
        type: feature
        body: >-
          Support for the getambassador.io/v1 apiVersion has been re-introduced, in order to
          facilitate smoother migrations from $productName$ 1.y. Previously, in order to make
          migrations possible, an "unserved" v1 version was declared to Kubernetes, but was
          unsupported by $productName$. That unserved v1 could cause an excess of errors to be
          logged by the Kubernetes Nodes (regardless of whether the installation was migrated from
          1.y or was a fresh 2.y install); fully supporting v1 again should resolve these errors.
      - title: Add support for active health checking configuration.
        type: feature
        body: >-
          It is now possible to configure active healthchecking for upstreams within a Mapping. If
          the upstream fails its configured health check then Envoy will mark the upstream as
          unhealthy and no longer send traffic to that upstream. Single pods within a group can be
          marked as unhealthy. The healthy pods will continue to receive traffic normally while the
          unhealthy pods will not receive any traffic until they recover by passing the health
          check.
      - title: Add environment variables to the healthcheck server.
        type: feature
        body: >-
          The healthcheck server's bind address, bind port and IP family can now be configured
          using environment variables:
          - `AMBASSADOR_HEALTHCHECK_BIND_ADDRESS`: The address to bind the healthcheck server to.
          - `AMBASSADOR_HEALTHCHECK_BIND_PORT`: The port to bind the healthcheck server to.
          - `AMBASSADOR_HEALTHCHECK_IP_FAMILY`: The IP family to use for the healthcheck server.
          This allows the healthcheck server to be configured to use IPv6-only k8s environments.
          (Thanks to Dmitry Golushko!).
      - title: Upgrade to Envoy 1.24.1
        type: feature
        body: >-
          This upgrades $productName$ to be built on Envoy v1.24.1. One notable change is that the
          team at LightStep and Envoy Maintainers have decided to no longer support the native
          *LightStep* tracing driver in favor of using the Open Telemetry driver. The code for
          LightStep driver has been completely removed from Envoy code base so $productName$ will
          no longer support it either. The recommended upgrade path is to leverage a supported
          Tracing driver such as `Zipkin` and use the
          [Open Telemetry Collector](https://opentelemetry.io/docs/collector/) to collect and
          forward Observability data to LightStep.
      - title: Add option to enable envoy readiness endpoint from worker
        type: feature
        body: >-
          The /ready endpoint used by emissary uses the admin port (8001 by default). This causes a
          problem during config reloads with large configs, as the admin thread is blocking, so the
          /ready endpoint can be very slow to answer (on the order of several seconds, or even
          more). The new feature allows enabling a specific envoy listener that can answer /ready
          calls from the workers, so the endpoint is always fast and does not suffer from
          single-threaded admin thread slowness on config reloads and other slow endpoints handled
          by the admin thread. Configure the listener port using AMBASSADOR_READY_PORT and enable
          access log using AMBASSADOR_READY_LOG environment variables.
        docs: https://www.getambassador.io/docs/emissary/latest/topics/running/environment/
  - version: 3.3.0
    prevVersion: 3.2.0
    date: '2022-11-02'
    notes:
      - title: Update Golang to 1.19.2
        type: security
        body: >-
          Updated Golang to 1.19.2 to address the CVEs: CVE-2022-2879, CVE-2022-2880,
          CVE-2022-41715.
      - title: Fix regression in http to https redirects with AuthService
        type: bugfix
        body: >-
          By default $productName$ adds routes for http to https redirection.
          When an AuthService is applied in v2.Y of $productName$, Envoy would skip the ext_authz
          call for non-tls http request and would perform the https redirect. In Envoy 1.20+ the
          behavior has changed where Envoy will always call the ext_authz filter and must be
          disabled on a per route basis. This new behavior change introduced a regression in v3.0
          of $productName$ when it was upgraded to Envoy 1.22. The http to https redirection no
          longer works when an AuthService was applied. This fix restores the previous behavior by
          disabling the ext_authz call on the https redirect routes.
        github:
          - title: "#4620"
            link: https://github.com/emissary-ingress/emissary/issues/4620
      - title: Fix regression in host_redirects with AuthService
        type: bugfix
        body: >-
          When an AuthService is applied in v2.Y of $productName$, Envoy would skip the ext_authz
          call for all redirect routes and would perform the redirect. In Envoy 1.20+ the behavior
          has changed where Envoy will always call the ext_authz filter so it must be disabled on a
          per route basis. This new behavior change introduced a regression in v3.0 of
          $productName$ when it was upgraded to Envoy 1.22. The host_redirect would call an
          AuthService prior to redirect if applied. This fix restores the previous behavior by
          disabling the ext_authz call on the host_redirect routes.
        github:
          - title: "#4640"
            link: https://github.com/emissary-ingress/emissary/issues/4640
      - title: Fixed finding ingress resource tls secrets
        type: bugfix
        body: >-
          Previous versions of $productName$ required a workaround using TLSContexts to find tls
          secrets referenced from Ingress resources. Now tls secrets referenced are properly
          detected without requiring an additional TLSContext to reference them. (Thanks to Ole
          Markus!).
  - version: 3.2.0
    prevVersion: 3.1.0
    date: '2022-09-26'
    notes:
      - title: Envoy upgraded to 1.23
        type: change
        body: >-
          The envoy version included in $productName$ has been upgraded from 1.22 to the latest
          patch release of 1.23.
          This provides $productName$ with the latest security patches, performance enhancements,
          and features offered by the envoy proxy.
        docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.23/v1.23.0
      - title: Fixed mappingSelector associating Hosts with Mappings
        type: change
        body: >-
          Changes to label matching will change how Hosts are associated with Mappings. There was a
          bug with label selectors that was causing Hosts to be incorrectly associated with more
          Mappings than intended. If any single label from the selector was matched then the Host
          would be associated with the Mapping. Now it has been updated to correctly only associate
          a Host with a Mapping if all labels required by the selector are present. This brings the
          mappingSelector field in-line with how label selectors are used in Kubernetes. To avoid
          unexpected behaviour after the upgrade, add all labels that Hosts have in their
          mappingSelector to Mappings you want to associate with the Host. You can opt out of the
          new behaviour by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to
          "true" (default: "false"). (Thanks to Filip Herceg and Joe Andaverde!).
      - title: Add support for Host resources using secrets from different namespaces
        type: feature
        body: >-
          Previously the Host resource could only use secrets that are in the same namespace as the
          Host. The tlsSecret field in the Host has a new subfield namespace that will allow the
          use of secrets from different namespaces.
      - title: Allow bypassing of EDS for manual endpoint insertion
        type: change
        body: >-
          Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have
          endpoints be inserted to clusters manually. This can help resolve `503 UH` errors caused
          by certificate rotation relating to a delay between EDS + CDS. The default is `false`.
      - title: Correctly manage cluster names when service names are very long
        type: bugfix
        body: >-
          Distinct services with names that are the same in the first forty characters will no
          longer be incorrectly mapped to the same cluster.
        github:
          - title: "#4354"
            link: https://github.com/emissary-ingress/emissary/issues/4354
      - title: Add failure_mode_deny option to the RateLimitService
        type: feature
        body: >-
          By default, when Envoy is unable to communicate with the configured RateLimitService then
          it will allow traffic through. The RateLimitService resource now exposes the
          failure_mode_deny option. When failure_mode_deny: true is set, Envoy will deny traffic,
          returning a 500, when it is unable to communicate with the RateLimitService.
        docs: https://www.getambassador.io/docs/emissary/latest/topics/running/services/rate-limit-service/
      - title: Properly populate alt_state_name for Tracing, Auth and RateLimit Services
        type: bugfix
        body: >-
          Previously, setting the stats_name for the TracingService, RateLimitService or the
          AuthService would have no effect because it was not being properly passed to the Envoy
          cluster config. This has been fixed and the alt_stats_name field in the cluster config is
          now set correctly. (Thanks to Paul!)
      - title: Add support for config change batch window before reconfiguring Envoy
        type: feature
        body: >-
          The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the
          specified non-negative window period in seconds before doing an Envoy reconfiguration.
          Default is "1" if not set.
      - title: Diagnostics stats properly handles parsing envoy metrics with colons
        type: bugfix
        body: >-
          If a Host or TLSContext contained a hostname with a : when using the diagnostics
          endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not
          being able to handle the extra colon. This has been fixed and $productName$ will not
          throw an error when parsing envoy metrics for the diagnostics user interface.
      - title: Allow setting custom_tags for traces
        type: feature
        body: >-
          It is now possible to set custom_tags in the TracingService. Trace tags can be set based
          on literal values, environment variables, or request headers. (Thanks to Paul!)
        github:
          - title: "#4181"
            link: https://github.com/emissary-ingress/emissary/pull/4181
      - title: TCPMappings use correct SNI configuration
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using
          the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS
          termination configuration comes from.
      - title: TCPMappings configure TLS termination without a Host resource
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a
          corresponding Host that it can take the TLS configuration from. This was
          semi-intentional, but didn't make much sense. You can now use a TLSContext without a Host
          as in $productName$ 1.y releases, or a Host with or without a TLSContext as in prior 2.y
          releases.
      - title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS
        type: bugfix
        body: >-
          Prior releases of $productName$ had the arbitrary limitation that a TCPMapping cannot be
          used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
          $productName$ now allows TCPMappings to be used on the same Listener port as HTTP Hosts,
          as long as that Listener terminates TLS.
      - title: Update Golang to 1.19.1
        type: security
        body: >-
          Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.
  - version: 3.1.0
    date: '2022-08-01'
    notes:
      - title: Add support for OpenAPI 2 contracts
        type: feature
        body: >-
          The agent is now able to parse api contracts using swagger 2, and to convert them to
          OpenAPI 3, making them available for use in the dev portal.
      - title: Add new secrets sync directive to the Agent
        type: feature
        body: >-
          Adds a new command to the agent directive service to manage secrets.
          This allows a third party product to manage CRDs that depend upon a secret.
      - title: Add additional pprof endpoints
        type: feature
        body: >-
          Add additional pprof endpoints to allow for profiling $productName$:
          - CPU profiles (/debug/pprof/profile)
          - tracing (/debug/pprof/trace)
          - command line running (/debug/pprof/cmdline)
          - program counters (/debug/pprof/symbol)
      - title: Default YAML enables the diagnostics interface from non-local clients on the admin service port
        type: change
        body: >-
          In the standard published .yaml files, the Module resource enables serving remote client
          requests to the :8877/ambassador/v0/diag/ endpoint. The associated Helm chart release
          also now enables it by default.
      - title: fix regression in the agent for the metrics transfer.
        type: bugfix
        body: >-
          A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
          from emissary ingress before sending them to Ambassador cloud. This issue has been
          resolved to ensure that all the nodes composing the emissary ingress cluster are
          reporting properly.
      - title: Update Golang to 1.17.12
        type: security
        body: >-
          Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
          CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.
      - title: Update Curl to 7.80.0-r2
        type: security
        body: >-
          Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
          CVE-2022-27781, CVE-2022-27780.
      - title: Update openSSL-dev to 1.1.1q-r0
        type: security
        body: >-
          Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
      - title: Update ncurses to 1.1.1q-r0
        type: security
        body: >-
          Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
  - version: 3.0.0
    prevVersion: 2.3.1
    date: '2022-06-27'
    notes:
      - title: Envoy upgraded to 1.22
        type: change
        body: >-
          The envoy version included in $productName$ has been upgraded from 1.17 to the latest
          patch release of 1.22.
          This provides $productName$ with the latest security patches, performance enhancements,
          and features offered by the envoy proxy. One notable change that will affect users is the
          removal of support for V2 transport protocol. See below for more information.
        docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.22/v1.22.0
      - title: Envoy xDS v2 API removal, removal of ECMAScript regexes
        type: change
        body: >-
          $productName$ can no longer be made to configure Envoy using the v2 xDS configuration
          API; it now always uses the v3 xDS API to configure Envoy. This change should be mostly
          invisible to users, with one notable exception: It removes support for regex_type:
          unsafe. The regex_type field is removed from the ambassador Module, meaning that it is
          not possible to instruct Envoy to use the ECMAScript Regex engine rather than the default
          RE2 engine. Users who rely on the specific ECMAScript Regex syntax will need to rewrite
          their regular expressions with RE2 syntax before upgrading to $productName$ 3.0.0. As the
          xDS version is no longer configurable and the range of supported Zipkin protocols is
          reduced (see below), the AMBASSADOR_ENVOY_API_VERSION environment variable has been
          removed.
      - title: Support for protocol_version v2 is removed
        type: change
        body: >-
          With the upgrade to Envoy 1.22, $productName$ no longer supports the V2 transport
          protocol. The AuthService, LogService and the RateLimitService will only support the v3
          protocol_version. If protocol_version is not specified, the default value of v2 will
          cause an error to be posted. Therefore, you will need to set it to protocol_version:
          "v3". If upgrading from a previous version you will want to set it to "v3" and ensure it
          is working before upgrading to $productName$ 3.Y.
      - title: Support for Zipkin HTTP_JSON_V1 protocol is removed
        type: change
        body: >-
          With the upgrade to Envoy 1.22, the zipkin driver for the TraceService no longer supports
          setting the collector_endpoint_version: HTTP_JSON_V1.
          This was removed in Envoy 1.20. The new default will be collector_endpoint_version:
          HTTP_JSON, regardless of the AMBASSADOR_ENVOY_API_VERSION environment variable.
      - title: Default YAML disables the diagnostics interface
        type: change
        body: >-
          In the standard published .yaml files, now included is a Module resource that disables
          the /ambassador/v0/ → 127.0.0.1:8878 synthetic mapping. We have long recommended to turn
          this off for production use; it is now off in the standard YAML. The associated Helm
          chart release also now disables it by default. A later apiVersion
          (getambassador.io/v3alpha2 or later) will likely change the Module CRD so that it is
          disabled if unspecified; but in the mean-time, the default install procedure will now
          specify it to be disabled.
      - title: No longer publish obsolete YAML manifest files
        type: change
        body: >-
          This release does not include the publishing of emissary-emissaryns-agent.yaml,
          emissary-defaultns-agent.yaml, emissary-emissaryns-migration.yaml, or
          emissary-defaultns-migration.yaml files. All four of these files existed solely as part
          of the migration process from 1.y, but since 2.2.0 the *-migration.yaml files have not
          been part of the migration instructions, and while the *-agent.yaml files remained part
          of the instructions they were actually unnecessary.
      - title: Metric naming change for grpc_stats
        type: change
        body: >-
          The previous version of $productName$ was based on Envoy 1.17 and when using grpc_stats
          with all_methods or services set, it would output metrics in the following format
          envoy_cluster_grpc_{ServiceName}_{statname}. When neither of these fields are set it
          would be aggregated to envoy_cluster_grpc_{statname}. The new behavior since Envoy 1.18
          will produce metrics in the following format envoy_cluster_grpc_{MethodName}_statsname
          and envoy_cluster_grpc_statsname. After further investigation we found that Envoy doesn't
          properly parse service names such as cncf.telepresence.Manager/Status.
          In the future, we will work with upstream Envoy to get this parsing logic fixed to ensure
          consistent metric naming.
      - title: Default behavior for empty grpc_stats changed
        type: bugfix
        body: >-
          Previously setting grpc_stats in the ambassador Module without setting either
          grpc_stats.services or grpc_stats.all_methods would result in crashing. Now it behaves as
          if grpc_stats.all_methods=false.
      - title: Downstream HTTP/3 support
        type: feature
        body: >-
          With the upgrade to Envoy 1.22, $productName$ can now be configured to listen for HTTP/3
          connections using QUIC and the UDP network protocol. It currently only supports
          connections between downstream clients and $productName$.
  - version: 2.5.0
    date: 'TBD'
    prevVersion: 2.4.0
    notes:
      - title: Fixed mappingSelector associating Hosts with Mappings
        type: change
        body: >-
          Changes to label matching will change how Hosts are associated with Mappings. There was a
          bug with label selectors that was causing Hosts to be incorrectly associated with more
          Mappings than intended. If any single label from the selector was matched then the Host
          would be associated with the Mapping. Now it has been updated to correctly only associate
          a Host with a Mapping if all labels required by the selector are present. This brings the
          mappingSelector field in-line with how label selectors are used in Kubernetes. To avoid
          unexpected behaviour after the upgrade, add all labels that Hosts have in their
          mappingSelector to Mappings you want to associate with the Host. You can opt out of the
          new behaviour by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to
          "true" (default: "false"). (Thanks to Filip Herceg and Joe Andaverde!).
  - version: 2.4.0
    date: '2022-09-19'
    prevVersion: 2.3.2
    notes:
      - title: Add support for Host resources using secrets from different namespaces
        type: feature
        body: >-
          Previously the Host resource could only use secrets that are in the same namespace as the
          Host.
          The tlsSecret field in the Host has a new subfield namespace that will allow the use of
          secrets from different namespaces.
      - title: Allow bypassing of EDS for manual endpoint insertion
        type: change
        body: >-
          Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have
          endpoints be inserted to clusters manually. This can help resolve `503 UH` errors caused
          by certificate rotation relating to a delay between EDS + CDS. The default is `false`.
      - title: Properly populate alt_state_name for Tracing, Auth and RateLimit Services
        type: bugfix
        body: >-
          Previously, setting the stats_name for the TracingService, RateLimitService or the
          AuthService would have no effect because it was not being properly passed to the Envoy
          cluster config. This has been fixed and the alt_stats_name field in the cluster config is
          now set correctly. (Thanks to Paul!)
      - title: Add support for config change batch window before reconfiguring Envoy
        type: feature
        body: >-
          The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the
          specified non-negative window period in seconds before doing an Envoy reconfiguration.
          Default is "1" if not set.
      - title: TCPMappings use correct SNI configuration
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using
          the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS
          termination configuration comes from.
      - title: TCPMappings configure TLS termination without a Host resource
        type: bugfix
        body: >-
          $productName$ 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a
          corresponding Host that it can take the TLS configuration from. This was
          semi-intentional, but didn't make much sense. You can now use a TLSContext without a Host
          as in $productName$ 1.y releases, or a Host with or without a TLSContext as in prior 2.y
          releases.
      - title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS
        type: bugfix
        body: >-
          Prior releases of $productName$ had the arbitrary limitation that a TCPMapping cannot be
          used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
          $productName$ now allows TCPMappings to be used on the same Listener port as HTTP Hosts,
          as long as that Listener terminates TLS.
  - version: 1.14.5
    date: 'TBD'
    notes:
      - title: When using gzip, upstreams will no longer receive encoded data
        type: bugfix
        body: >-
          When using gzip compression, upstream services will no longer receive compressed data.
          This bug was introduced in 1.14.0. The fix restores the default behavior of not sending
          compressed data to upstream services.
        github:
          - title: 3818
            link: https://github.com/emissary-ingress/emissary/issues/3818
        docs: https://github.com/emissary-ingress/emissary/issues/3818
  - version: 2.3.2
    date: '2022-08-01'
    prevVersion: 2.3.1
    notes:
      - title: Fix regression in the agent for the metrics transfer.
        type: bugfix
        body: >-
          A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
          from emissary ingress before sending them to Ambassador cloud. This issue has been
          resolved to ensure that all the nodes composing the emissary ingress cluster are
          reporting properly.
      - title: Update Golang to 1.17.12
        type: security
        body: >-
          Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
          CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.
      - title: Update Curl to 7.80.0-r2
        type: security
        body: >-
          Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
          CVE-2022-27781, CVE-2022-27780.
      - title: Update openSSL-dev to 1.1.1q-r0
        type: security
        body: >-
          Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
      - title: Update ncurses to 1.1.1q-r0
        type: security
        body: >-
          Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
  - version: 1.14.4
    date: '2022-06-13'
    notes:
      - title: Envoy security updates
        type: security
        body: >-
          We have backported patches from the Envoy 1.19.5 security update to $productName$'s
          1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not
          affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support
          internal redirects, and does not use Envoy's built-in OAuth2 filter.
        docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
  - version: 2.3.1
    date: '2022-06-09'
    notes:
      - title: fix regression in tracing service config
        type: bugfix
        body: >-
          A regression was introduced in 2.3.0 that leaked zipkin default config fields into the
          configuration for the other drivers (lightstep, etc...). This caused $productName$ to
          crash on startup. This issue has been resolved to ensure that the defaults are only
          applied when driver is zipkin
        github:
          - title: "#4267"
            link: https://github.com/emissary-ingress/emissary/issues/4267
      - title: Envoy security updates
        type: security
        body: >-
          We have backported patches from the Envoy 1.19.5 security update to $productName$'s
          1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not
          affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support
          internal redirects, and does not use Envoy's built-in OAuth2 filter.
        docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
  - version: 2.3.0
    date: '2022-06-06'
    notes:
      - title: Remove unused packages
        type: security
        body: >-
          Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.
      - title: Allow setting propagation modes for Lightstep tracing
        type: feature
        body: >-
          It is now possible to set propagation_modes in the TracingService config when using
          lightstep as the driver. (Thanks to Paul!)
        github:
          - title: "#4179"
            link: https://github.com/emissary-ingress/emissary/pull/4179
      - title: Added support for TLS certificate revocation list
        type: feature
        body: >-
          It is now possible to set `crl_secret` in `Host` and `TLSContext` resources to check peer
          certificates against a certificate revocation list.
        github:
          - title: "#1743"
            link: https://github.com/emissary-ingress/emissary/issues/1743
      - title: Added support for the LogService v3 transport protocol
        type: feature
        body: >-
          Previously, a LogService would always have $productName$ communicate with the external
          log service using the envoy.service.accesslog.v2.AccessLogService API. It is now possible
          for the LogService to specify protocol_version: v3 to use the newer
          envoy.service.accesslog.v3.AccessLogService API instead. This functionality is not
          available if you set the AMBASSADOR_ENVOY_API_VERSION=V2 environment variable.
      - title: CORS now happens before auth
        type: bugfix
        body: >-
          When CORS is specified (either in a Mapping or in the Ambassador Module), CORS processing
          will happen before authentication. This corrects a problem where XHR to authenticated
          endpoints would fail.
      - title: Correctly handle caching of Mappings with the same name in different namespaces
        type: bugfix
        body: >-
          In 2.x releases of $productName$ when there are multiple Mappings that have the same
          metadata.name across multiple namespaces, their old config would not properly be removed
          from the cache when their config was updated. This resulted in an inability to update
          configuration for groups of Mappings that share the same name until the $productName$
          pods restarted.
      - title: Fix support for Zipkin API-v1 with Envoy xDS-v3
        type: bugfix
        body: >-
          It is now possible for a TracingService to specify collector_endpoint_version:
          HTTP_JSON_V1 when using xDS v3 to configure Envoy (which has been the default since
          $productName$ 1.14.0).
          The HTTP_JSON_V1 value configures Envoy to speak to Zipkin using Zipkin's old API-v1,
          while the HTTP_JSON value configures Envoy to speak to Zipkin using Zipkin's new API-v2.
          In previous versions of $productName$ it was only possible to use HTTP_JSON_V1 when
          explicitly setting the AMBASSADOR_ENVOY_API_VERSION=V2 environment variable to force use
          of xDS v2 to configure Envoy.
  - version: 2.2.2
    date: '2022-02-25'
    prevVersion: 2.2.1
    notes:
      - title: TLS Secret validation is now opt-in
        type: change
        body: >-
          You may now choose to enable TLS Secret validation by setting the
          AMBASSADOR_FORCE_SECRET_VALIDATION=true environment variable. The default configuration
          does not enforce secret validation.
      - title: Correctly validate EC (Elliptic Curve) Private Keys
        type: bugfix
        body: >-
          Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now
          properly validated.
        github:
          - title: 4134
            link: https://github.com/emissary-ingress/emissary/issues/4134
        docs: https://github.com/emissary-ingress/emissary/issues/4134
      - title: Decrease metric sync frequency
        type: change
        body: >-
          The new delay between two metrics syncs is now 30s.
        github:
          - title: "#4122"
            link: https://github.com/emissary-ingress/emissary/pull/4122
  - version: 1.14.3
    date: '2022-02-25'
    notes:
      - title: Envoy security updates
        type: security
        body: >-
          Upgraded Envoy to address security vulnerabilities CVE-2021-43824, CVE-2021-43825,
          CVE-2021-43826, CVE-2022-21654, and CVE-2022-21655.
        docs: https://groups.google.com/g/envoy-announce/c/bIUgEDKHl4g
  - version: 2.2.1
    date: '2022-02-22'
    notes:
      - title: Envoy V2 API deprecation
        type: change
        body: >-
          Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed
          in $productName$ v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be
          removed at the same time. Only the Envoy V3 API will be supported (this has been the
          default since $productName$ v1.14.0).
- title: Correctly support canceling rollouts type: bugfix body: >- The Ambassador Agent now correctly supports requests to cancel a rollout. docs: ../../../argo/latest/howtos/manage-rollouts-using-cloud - version: 2.2.0 date: '2022-02-10' notes: - title: Envoy V2 API deprecation type: change body: >- Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$ v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0). - title: Emissary-ingress will watch for Cloud Connect Tokens type: change body: >- $productName$ will now watch for ConfigMap or Secret resources specified by the AGENT_CONFIG_RESOURCE_NAME environment variable in order to allow all components (and not only the Ambassador Agent) to authenticate requests to Ambassador Cloud. image: ./v2.2.0-cloud.png - title: Update Alpine and libraries type: security body: >- $productName$ has updated Alpine to 3.15, and Python and Go dependencies to their latest compatible versions, to incorporate numerous security patches. - title: Support a log-level metric type: feature body: >- $productName$ now supports the metric ambassador_log_level{label="debug"} which will be set to 1 if debug logging is enabled for the running Emissary instance, or to 0 if not. This can help to be sure that a running production instance was not actually left doing debugging logging, for example. (Thanks to Fabrice!) github: - title: "#3906" link: https://github.com/emissary-ingress/emissary/issues/3906 docs: topics/running/statistics/8877-metrics/ - title: Envoy configuration % escaping type: feature body: >- $productName$ is now leveraging a new Envoy Proxy patch that allows Envoy to accept escaped '%' characters in its configuration. This means that error_response_overrides and other custom user content can now contain '%' symbols escaped as '%%'. 
docs: topics/running/custom-error-responses github: - title: "DW Envoy: 74" link: https://github.com/datawire/envoy/pull/74 - title: "Upstream Envoy: 19383" link: https://github.com/envoyproxy/envoy/pull/19383 image: ./v2.2.0-percent-escape.png - title: Stream metrics from Envoy to Ambassador Cloud type: feature body: >- Support for streaming Envoy metrics about the clusters to Ambassador Cloud. github: - title: "#4053" link: https://github.com/emissary-ingress/emissary/pull/4053 docs: https://github.com/emissary-ingress/emissary/pull/4053 - title: Support received commands to pause, continue and abort a Rollout via Agent directives type: feature body: >- The Ambassador agent now receives commands to manipulate Rollouts (pause, continue, and abort are currently supported) via directives and executes them in the cluster. A report is sent to Ambassador Cloud including the command ID, whether it ran successfully, and an error message in case there was any. github: - title: "#4040" link: https://github.com/emissary-ingress/emissary/pull/4040 docs: https://github.com/emissary-ingress/emissary/pull/4040 - title: Validate certificates in TLS Secrets type: bugfix body: >- Kubernetes Secrets that should contain TLS certificates are now validated before being accepted for configuration. A Secret that contains an invalid TLS certificate will be logged as an invalid resource. github: - title: "#3821" link: https://github.com/emissary-ingress/emissary/issues/3821 docs: ../topics/running/tls image: ./v2.2.0-tls-cert-validation.png edgeStackNotes: - title: Devportal support for using API server definitions from OpenAPI docs type: feature body: >- You can now set preserve_servers in Ambassador Edge Stack's DevPortal resource to configure the DevPortal to use server definitions from the OpenAPI document when displaying connection information for services in the DevPortal. 
- version: 2.1.2 prevVersion: 2.1.0 date: '2022-01-25' notes: - title: Envoy V2 API deprecation type: change body: >- Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$ v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0). - title: Docker BuildKit always used for builds type: change body: >- Docker BuildKit is enabled for all Emissary builds. Additionally, the Go build cache is fully enabled when building images, speeding up repeated builds. docs: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md - title: Fix support for v2 Mappings with CORS type: bugfix body: >- Emissary-ingress 2.1.0 generated invalid Envoy configuration for getambassador.io/v2 Mappings that set spec.cors.origins to a string rather than a list of strings; this has been fixed, and these Mappings should once again function correctly. docs: topics/using/cors/#the-cors-attribute image: ./v2.1.2-mapping-cors.png - title: Correctly handle canary Mapping weights when reconfiguring type: bugfix body: >- Changes to the weight of a Mapping in a canary group will now always be correctly managed during reconfiguration; such changes could have been missed in earlier releases. docs: topics/using/canary/#the-weight-attribute - title: Correctly handle solitary Mappings with explicit weights type: bugfix body: >- A Mapping that is not part of a canary group, but that has a weight less than 100, will be correctly configured to receive all traffic as if the weight were 100. docs: topics/using/canary/#the-weight-attribute image: ./v2.1.2-mapping-less-weighted.png - title: Correctly handle empty rewrite in a Mapping type: bugfix body: >- Using rewrite: "" in a Mapping is correctly handled to mean "do not rewrite the path at all".
docs: topics/using/rewrites image: ./v2.1.2-mapping-no-rewrite.png - title: Correctly use Mappings with host redirects type: bugfix body: >- Any Mapping that uses the host_redirect field is now properly discovered and used. Thanks to Gabriel Féron for contributing this bugfix! github: - title: "#3709" link: https://github.com/emissary-ingress/emissary/issues/3709 docs: https://github.com/emissary-ingress/emissary/issues/3709 - title: Correctly handle DNS wildcards when associating Hosts and Mappings type: bugfix body: >- Mappings with DNS wildcard hostname will now be correctly matched with Hosts. Previously, the case where both the Host and the Mapping use DNS wildcards for their hostnames could sometimes not correctly match when they should have. docs: howtos/configure-communications/ image: ./v2.1.2-host-mapping-matching.png - title: Fix overriding global settings for adding or removing headers type: bugfix body: >- If the ambassador Module sets a global default for add_request_headers, add_response_headers, remove_request_headers, or remove_response_headers, it is often desirable to be able to turn off that setting locally for a specific Mapping. For several releases this has not been possible for Mappings that are native Kubernetes resources (as opposed to annotations), as an empty value ("mask the global default") was erroneously considered to be equivalent to unset ("inherit the global default"). This is now fixed. docs: topics/using/defaults/ - title: Fix empty error_response_override bodies type: bugfix body: >- It is now possible to set a Mapping spec.error_response_overrides body.text_format to an empty string or body.json_format to an empty dict. Previously, this was possible for annotations but not for native Kubernetes resources. 
docs: topics/running/custom-error-responses/ - title: Annotation conversion and validation type: bugfix body: >- Resources that exist as getambassador.io/config annotations rather than as native Kubernetes resources are now validated and internally converted to v3alpha1, the same as native Kubernetes resources. image: ./v2.1.2-annotations.png - title: Validation error reporting type: bugfix body: >- Resource validation errors are now reported more consistently; it was the case that in some situations a validation error would not be reported. - version: 2.1.1 date: 'N/A' notes: - title: Never issued type: change isHeadline: true body: >- Emissary-ingress 2.1.1 was not issued; Ambassador Edge Stack 2.1.1 uses Emissary-ingress 2.1.0. - version: 2.1.0 date: '2021-12-16' notes: - title: Not recommended; upgrade to 2.1.2 instead type: change isHeadline: true body: >- Emissary-ingress 2.1.0 is not recommended; upgrade to 2.1.2 instead. - title: Envoy V2 API deprecation type: change body: >- Support for the Envoy V2 API is deprecated as of $productName$ v2.1, and will be removed in $productName$ v3.0. The AMBASSADOR_ENVOY_API_VERSION environment variable will be removed at the same time. Only the Envoy V3 API will be supported (this has been the default since $productName$ v1.14.0). - title: Smoother migrations with support for getambassador.io/v2 CRDs type: feature body: >- $productName$ supports getambassador.io/v2 CRDs, to simplify migration from $productName$ 1.X. Note: it is important to read the migration documentation before starting migration. docs: topics/install/migration-matrix image: ./v2.1.0-smoother-migration.png - title: Correctly handle all changing canary configurations type: bugfix body: >- The incremental reconfiguration cache could miss some updates when multiple Mappings had the same prefix ("canary"ing multiple Mappings together). This has been corrected, so that all such updates correctly take effect.
github: - title: "#3945" link: https://github.com/emissary-ingress/emissary/issues/3945 docs: https://github.com/emissary-ingress/emissary/issues/3945 image: ./v2.1.0-canary.png - title: Secrets used for ACME private keys will not log errors type: bugfix body: >- When using Kubernetes Secrets to store ACME private keys (as the Edge Stack ACME client does), an error would always be logged about the Secret not being present, even though it was present, and everything was working correctly. This error is no longer logged. - title: When using gzip, upstreams will no longer receive encoded data type: bugfix body: >- When using gzip compression, upstream services will no longer receive compressed data. This bug was introduced in 1.14.0. The fix restores the default behavior of not sending compressed data to upstream services. github: - title: "#3818" link: https://github.com/emissary-ingress/emissary/issues/3818 docs: https://github.com/emissary-ingress/emissary/issues/3818 image: ./v2.1.0-gzip-enabled.png - title: Update to busybox 1.34.1 type: security body: >- Update to busybox 1.34.1 to resolve CVE-2021-28831, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, and CVE-2021-42386. - title: Update Python dependencies type: security body: >- Update Python dependencies to resolve CVE-2020-28493 (jinja2), CVE-2021-28363 (urllib3), and CVE-2021-33503 (urllib3). - title: Remove test-only code from the built image type: security body: >- Previously built images included some Python packages used only for testing. These have now been removed, resolving CVE-2020-29651. - version: 2.0.5 date: '2021-11-08' notes: - title: AuthService circuit breakers type: feature body: >- It is now possible to set the circuit_breakers for AuthServices, exactly the same as for Mappings and TCPMappings. This makes it possible to configure your AuthService to be able to handle more than 1024 concurrent requests.
docs: topics/running/services/auth-service/ image: ./v2.0.5-auth-circuit-breaker.png - title: Improved validity checking for error response overrides type: bugfix body: >- Any token delimited by '%' is now validated against a whitelist of valid Envoy command operators. Any mapping containing an error_response_overrides section with invalid command operators will be discarded. docs: topics/running/custom-error-responses - title: mappingSelector is now correctly supported in the Host CRD type: bugfix body: >- The Host CRD now correctly supports the mappingSelector element, as documented. As a transition aid, selector is a synonym for mappingSelector; a future version of $productName$ will remove the selector element. github: - title: "#3902" link: https://github.com/emissary-ingress/emissary/issues/3902 docs: https://github.com/emissary-ingress/emissary/issues/3902 image: ./v2.0.5-mappingselector.png - version: 2.0.4 date: '2021-10-19' notes: - title: General availability! type: feature body: >- We're pleased to introduce $productName$ 2.0.4 for general availability! The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think. isHeadline: true docs: about/changes-2.x image: ./emissary-ga.png - title: API version getambassador.io/v3alpha1 type: change body: >- The x.getambassador.io/v3alpha1 API version has become the getambassador.io/v3alpha1 API version. The Ambassador- prefixes from x.getambassador.io/v3alpha1 resource kind names (e.g. AmbassadorHost) have been removed for ease of migration from $productName$ 1.x.
As with previous 2.0.x releases, you must supply a Host (AmbassadorHost in previous 2.0.x releases) resource to terminate TLS: unlike in 1.x it is no longer sufficient to define a TLSContext (although TLSContexts are still the best way to define TLS configuration information to be shared across multiple Hosts). Note that getambassador.io/v3alpha1 is the only supported API version for 2.0.4 — full support for getambassador.io/v2 will arrive soon in a later 2.X version. docs: about/changes-2.x image: ./v2.0.4-v3alpha1.png - title: Support for Kubernetes 1.22 type: feature body: >- The getambassador.io/v3alpha1 API version and the published chart and manifests have been updated to support Kubernetes 1.22. Thanks to Mohit Sharma for contributions to this feature! docs: about/changes-2.x image: ./v2.0.4-k8s-1.22.png - title: Mappings support configuring strict or logical DNS type: feature body: >- You can now set dns_type between strict_dns and logical_dns in a Mapping to configure the Service Discovery Type. docs: topics/using/mappings/#dns-configuration-for-mappings image: ./v2.0.4-mapping-dns-type.png - title: Mappings support controlling DNS refresh with DNS TTL type: feature body: >- You can now set respect_dns_ttl to true to force the DNS refresh rate for a Mapping to be set to the record's TTL obtained from DNS resolution. docs: topics/using/mappings/#dns-configuration-for-mappings - title: Support configuring upstream buffer sizes type: feature body: >- You can now set buffer_limit_bytes in the ambassador Module to change the size of the upstream read and write buffers. The default is 1MiB. docs: topics/running/ambassador/#modify-default-buffer-size - title: Version number reported correctly type: bugfix body: >- The release now shows its actual released version number, rather than the internal development version number.
github: - title: "#3854" link: https://github.com/emissary-ingress/emissary/issues/3854 docs: https://github.com/emissary-ingress/emissary/issues/3854 image: ./v2.0.4-version.png - title: Large configurations work correctly with Ambassador Cloud type: bugfix body: >- Large configurations no longer cause $productName$ to be unable to communicate with Ambassador Cloud. github: - title: "#3593" link: https://github.com/emissary-ingress/emissary/issues/3593 docs: https://github.com/emissary-ingress/emissary/issues/3593 - title: Listeners correctly support l7Depth type: bugfix body: >- The l7Depth element of the Listener CRD is properly supported. docs: topics/running/listener#l7depth image: ./v2.0.4-l7depth.png - version: 2.0.3-ea date: '2021-09-16' notes: - title: Developer Preview! body: We're pleased to introduce $productName$ 2.0.3 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think. type: change isHeadline: true docs: about/changes-2.x - title: AES_LOG_LEVEL more widely effective body: The environment variable AES_LOG_LEVEL now also sets the log level for the diagd logger. type: feature docs: topics/running/running/ github: - title: "#3686" link: https://github.com/emissary-ingress/emissary/issues/3686 - title: "#3666" link: https://github.com/emissary-ingress/emissary/issues/3666 - title: AmbassadorMapping supports setting the DNS type body: You can now set dns_type in the AmbassadorMapping to configure how Envoy will use the DNS for the service. type: feature docs: topics/using/mappings/#using-dns_type - title: Building Emissary no longer requires setting DOCKER_BUILDKIT body: It is no longer necessary to set DOCKER_BUILDKIT=0 when building Emissary. 
A future change will fully support BuildKit. type: bugfix docs: https://github.com/emissary-ingress/emissary/issues/3707 github: - title: "#3707" link: https://github.com/emissary-ingress/emissary/issues/3707 - version: 2.0.2-ea date: '2021-08-24' notes: - title: Developer Preview! body: We're pleased to introduce $productName$ 2.0.2 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think. type: change isHeadline: true docs: about/changes-2.x - title: Envoy security updates type: bugfix body: "Upgraded envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781." docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE?pli=1 - title: Expose Envoy's allow_chunked_length HTTPProtocolOption type: feature body: "You can now set allow_chunked_length in the Ambassador Module to configure the same value in Envoy." docs: topics/running/ambassador/#content-length-headers - title: Envoy-configuration snapshots saved type: change body: Envoy-configuration snapshots get saved (as ambex-#.json) in /ambassador/snapshots. The number of snapshots is controlled by the AMBASSADOR_AMBEX_SNAPSHOT_COUNT environment variable; set it to 0 to disable. The default is 30. docs: topics/running/running/ - version: 2.0.1-ea date: '2021-08-12' notes: - title: Developer Preview! body: We're pleased to introduce $productName$ 2.0.1 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! 
Join us on Slack and let us know what you think. type: change isHeadline: true docs: about/changes-2.x - title: Improved Ambassador Cloud visibility type: feature body: Ambassador Agent reports sidecar process information and AmbassadorMapping OpenAPI documentation to Ambassador Cloud to provide more visibility into services and clusters. docs: /docs/cloud/latest/service-catalog/quick-start/ - title: Configurable per-AmbassadorListener statistics prefix body: The optional stats_prefix element of the AmbassadorListener CRD now determines the prefix of HTTP statistics emitted for a specific AmbassadorListener. type: feature docs: topics/running/listener - title: Configurable statistics names body: The optional stats_name element of AmbassadorMapping, AmbassadorTCPMapping, AuthService, LogService, RateLimitService, and TracingService now sets the name under which cluster statistics will be logged. The default is the service, with non-alphanumeric characters replaced by underscores. type: feature docs: topics/running/statistics - title: Updated klog to reduce log noise type: bugfix body: We have updated to k8s.io/klog/v2 to track upstream and to quiet unnecessary log output. docs: https://github.com/emissary-ingress/emissary/issues/3603 - title: Subsecond time resolution in logs type: change body: Logs now include subsecond time resolutions, rather than just seconds. docs: https://github.com/emissary-ingress/emissary/pull/3650 - title: Configurable Envoy-configuration rate limiting type: change body: Set AMBASSADOR_AMBEX_NO_RATELIMIT to true to completely disable ratelimiting Envoy reconfiguration under memory pressure. This can help performance with the endpoint or Consul resolvers, but could make OOMkills more likely with large configurations. The default is false, meaning that the rate limiter is active. docs: topics/concepts/rate-limiting-at-the-edge/ - version: 2.0.0-ea date: '2021-06-24' notes: - title: Developer Preview! 
body: We're pleased to introduce $productName$ 2.0.0 as a developer preview. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on Slack and let us know what you think. type: change docs: about/changes-2.x isHeadline: true - title: Configuration API v3alpha1 body: >- $productName$ 2.0.0 introduces API version x.getambassador.io/v3alpha1 for configuration changes that are not backwards compatible with the 1.X family. API versions getambassador.io/v0, getambassador.io/v1, and getambassador.io/v2 are deprecated. Further details are available in the Major Changes in 2.X document. type: feature docs: about/changes-2.x/#1-configuration-api-version-getambassadoriov3alpha1 image: ./edge-stack-2.0.0-v3alpha1.png - title: The AmbassadorListener Resource body: The new AmbassadorListener CRD defines where and how to listen for requests from the network, and which AmbassadorHost definitions should be used to process those requests. Note that the AmbassadorListener CRD is mandatory and consolidates all port configuration; see the AmbassadorListener documentation for more details. type: feature docs: topics/running/listener image: ./edge-stack-2.0.0-listener.png - title: AmbassadorMapping hostname DNS glob support body: >- Where AmbassadorMapping's host field is either an exact match or (with host_regex set) a regex, the new hostname element is always a DNS glob. Use hostname instead of host for best results. 
docs: about/changes-2.x/#ambassadorhost-and-ambassadormapping-association type: feature - title: Memory usage improvements for installations with many AmbassadorHosts body: The behavior of the Ambassador module prune_unreachable_routes field is now automatic, which should reduce Envoy memory requirements for installations with many AmbassadorHosts. docs: topics/running/ambassador/#prune-unreachable-routes image: ./edge-stack-2.0.0-prune_routes.png type: feature - title: Independent Host actions supported body: Each AmbassadorHost can specify its requestPolicy.insecure.action independently of any other AmbassadorHost, allowing for HTTP routing as flexible as HTTPS routing. docs: topics/running/host-crd/#secure-and-insecure-requests github: - title: "#2888" link: https://github.com/datawire/ambassador/issues/2888 image: ./edge-stack-2.0.0-insecure_action_hosts.png type: bugfix - title: Correctly set Ingress resource status in all cases body: $productName$ 2.0.0 fixes a regression in detecting the Ambassador Kubernetes service that could cause the wrong IP or hostname to be used in Ingress statuses -- thanks, Noah Fontes! docs: topics/running/ingress-controller type: bugfix image: ./edge-stack-2.0.0-ingressstatus.png - title: Stricter mTLS enforcement body: $productName$ 2.0.0 fixes a bug where mTLS could use the wrong configuration when SNI and the :authority header didn't match. type: bugfix - title: Port configuration outside AmbassadorListener has been moved to AmbassadorListener body: The TLSContext redirect_cleartext_from and AmbassadorHost requestPolicy.insecure.additionalPort elements are no longer supported. Use an AmbassadorListener for this functionality instead.
type: change docs: about/changes-2.x/#tlscontext-redirect_cleartext_from-and-host-insecureadditionalport - title: PROXY protocol configuration has been moved to AmbassadorListener body: The use_proxy_protocol element of the Ambassador Module is no longer supported, as it is now part of the AmbassadorListener resource (and can be set per-AmbassadorListener rather than globally). type: change docs: about/changes-2.x/#proxy-protocol-configuration - title: Stricter rules for AmbassadorHost/AmbassadorMapping association body: An AmbassadorMapping will only be matched with an AmbassadorHost if the AmbassadorMapping's host or the AmbassadorHost's selector (or both) are explicitly set, and match. This change can significantly improve $productName$'s memory footprint when many AmbassadorHosts are involved. Further details are available in the Major Changes in 2.X document. docs: about/changes-2.x/#host-and-mapping-association type: change - title: AmbassadorHost or Ingress now required for TLS termination body: An AmbassadorHost or Ingress resource is now required when terminating TLS -- simply creating a TLSContext is not sufficient. Further details are available in the AmbassadorHost CRD documentation. docs: about/changes-2.x/#host-tlscontext-and-tls-termination type: change image: ./edge-stack-2.0.0-host_crd.png - title: Envoy V3 APIs body: By default, $productName$ will configure Envoy using the V3 Envoy API. This change is mostly transparent to users, but note that Envoy V3 does not support unsafe regular expressions or, e.g., Zipkin's V1 collector protocol. Further details are available in the Major Changes in 2.X document. type: change docs: about/changes-2.x/#envoy-v3-api-by-default - title: Module-based TLS no longer supported body: The tls module and the tls field in the Ambassador module are no longer supported. Please use TLSContext resources instead. 
docs: about/changes-2.x/#tls-the-ambassador-module-and-the-tls-module image: ./edge-stack-2.0.0-tlscontext.png type: change - title: Higher performance while generating Envoy configuration now enabled by default body: The environment variable AMBASSADOR_FAST_RECONFIGURE is now set by default, enabling the higher-performance implementation of the code that $productName$ uses to generate and validate Envoy configurations. docs: topics/running/scaling/#ambassador_fast_reconfigure-and-ambassador_legacy_mode-flags type: change - title: Service Preview no longer supported body: >- Service Preview and the AGENT_SERVICE environment variable are no longer supported. The Telepresence product replaces this functionality. docs: https://www.getambassador.io/docs/telepresence/ type: change - title: edgectl no longer supported body: The edgectl CLI tool has been deprecated; please use the emissary-ingress helm chart instead. docs: topics/install/helm/ type: change - version: 1.14.2 date: '2021-09-29' notes: - title: Mappings support controlling DNS refresh with DNS TTL type: feature body: >- You can now set respect_dns_ttl in Ambassador Mappings. When true, it configures that upstream's refresh rate to be set to the resource record’s TTL. docs: topics/using/mappings/#dns-configuration-for-mappings - title: Mappings support configuring strict or logical DNS type: feature body: >- You can now set dns_type in Ambassador Mappings to use Envoy's logical_dns resolution instead of the default strict_dns. docs: topics/using/mappings/#dns-configuration-for-mappings - title: Support configuring upstream buffer size type: feature body: >- You can now set buffer_limit_bytes in the ambassador Module to change the size of the upstream read and write buffers. The default is 1MiB.
docs: topics/running/ambassador/#modify-default-buffer-size - version: 1.14.1 date: '2021-08-24' notes: - title: Envoy security updates type: change body: >- Upgraded Envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, and CVE-2021-32781. docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE - version: 1.14.0 date: '2021-08-19' notes: - title: Envoy upgraded to 1.17.3! type: change body: >- Update from Envoy 1.15 to 1.17.3 docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history - title: Expose Envoy's allow_chunked_length HTTPProtocolOption type: feature body: >- You can now set allow_chunked_length in the Ambassador Module to configure the same value in Envoy. docs: topics/running/ambassador/#content-length-headers - title: Default Envoy API version is now V3 type: change body: >- AMBASSADOR_ENVOY_API_VERSION now defaults to V3 docs: topics/running/running/#ambassador_envoy_api_version - title: Subsecond time resolution in logs type: change body: Logs now include subsecond time resolutions, rather than just seconds. docs: https://github.com/emissary-ingress/emissary/pull/3650 - version: 1.13.10 date: '2021-07-28' notes: - title: Fix for CORS origins configuration on the Mapping resource type: bugfix body: >- Fixed a regression when specifying a comma separated string for cors.origins on the Mapping resource. ([#3609](https://github.com/emissary-ingress/emissary/issues/3609)) docs: topics/using/cors image: ../images/emissary-1.13.10-cors-origin.png - title: New Envoy-configuration snapshots for debugging body: "Envoy-configuration snapshots get saved (as ambex-#.json) in /ambassador/snapshots. The number of snapshots is controlled by the AMBASSADOR_AMBEX_SNAPSHOT_COUNT environment variable; set it to 0 to disable. The default is 30." 
type: change docs: topics/running/environment/ - title: Optionally remove ratelimiting for Envoy reconfiguration body: >- Set AMBASSADOR_AMBEX_NO_RATELIMIT to true to completely disable ratelimiting Envoy reconfiguration under memory pressure. This can help performance with the endpoint or Consul resolvers, but could make OOMkills more likely with large configurations. The default is false, meaning that the rate limiter is active. type: change docs: topics/running/environment/ edgeStackNotes: - title: Mappings support configuring the DevPortal fetch timeout type: bugfix body: >- The Mapping resource can now specify docs.timeout_ms to set the timeout when the Dev Portal is fetching API specifications. docs: topics/using/dev-portal image: ../images/edge-stack-1.13.10-docs-timeout.png - title: Dev Portal will strip HTML tags when displaying results type: bugfix body: >- The Dev Portal will now strip HTML tags when displaying search results, showing just the actual content of the search result. docs: topics/using/dev-portal - title: Consul certificate rotation logs more information type: change body: >- Consul certificate-rotation logging now includes the fingerprints and validity timestamps of certificates being rotated. docs: howtos/consul/ image: ../images/edge-stack-1.13.10-consul-cert-log.png - version: 1.13.9 date: '2021-06-30' notes: - title: Fix for TCPMappings body: >- Configuring multiple TCPMappings with the same ports (but different hosts) no longer generates invalid Envoy configuration. 
type: bugfix docs: topics/using/tcpmappings/ - version: 1.13.8 date: '2021-06-08' notes: - title: Fix Ambassador Cloud Service Details body: >- Ambassador Agent now accurately reports up-to-date Endpoint information to Ambassador Cloud. type: bugfix docs: tutorials/getting-started/#3-connect-your-cluster-to-ambassador-cloud image: ../images/edge-stack-1.13.8-cloud-bugfix.png - title: Improved Argo Rollouts Experience with Ambassador Cloud body: >- Ambassador Agent reports ConfigMaps and Deployments to Ambassador Cloud to provide a better Argo Rollouts experience. See [Argo+Ambassador documentation](https://www.getambassador.io/docs/argo) for more info. type: feature docs: https://www.getambassador.io/docs/argo - version: 1.13.7 date: '2021-06-03' notes: - title: JSON logging support body: >- Add AMBASSADOR_JSON_LOGGING to enable JSON for most of the Ambassador control plane. Some (but few) logs from gunicorn and the Kubernetes client-go package still log text. image: ../images/edge-stack-1.13.7-json-logging.png docs: topics/running/running/#log-format type: feature - title: Consul resolver bugfix with TCPMappings body: >- Fixed a bug where the Consul resolver would not actually use Consul endpoints with TCPMappings. image: ../images/edge-stack-1.13.7-tcpmapping-consul.png docs: topics/running/resolvers/#the-consul-resolver type: bugfix - title: Memory usage calculation improvements body: >- Ambassador now calculates its own memory usage in a way that is more similar to how the kernel OOMKiller tracks memory. image: ../images/edge-stack-1.13.7-memory.png docs: topics/running/scaling/#inspecting-ambassador-performance type: change - version: 1.13.6 date: '2021-05-24' notes: - title: Quieter logs in legacy mode type: bugfix body: >- Fixed a regression where Ambassador snapshot data was logged at the INFO level when using AMBASSADOR_LEGACY_MODE=true.
- version: 1.13.5 date: '2021-05-13' notes: - title: Correctly support proper_case and preserve_external_request_id type: bugfix body: >- Fix a regression from 1.8.0 that prevented ambassador Module config keys proper_case and preserve_external_request_id from working correctly. docs: topics/running/ambassador/#header-case - title: Correctly support Ingress statuses in all cases type: bugfix body: >- Fixed a regression in detecting the Ambassador Kubernetes service that could cause the wrong IP or hostname to be used in Ingress statuses (thanks, [Noah Fontes](https://github.com/impl)!). docs: topics/running/ingress-controller - version: 1.13.4 date: '2021-05-11' notes: - title: Envoy 1.15.5 body: >- Incorporate the Envoy 1.15.5 security update by adding the reject_requests_with_escaped_slashes option to the Ambassador module. image: ../images/edge-stack-1.13.4.png docs: topics/running/ambassador/#rejecting-client-requests-with-escaped-slashes type: security # Don't go any further back than 1.13.4.