open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
APACHE-2.0 License
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.5.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
getambassador.io/v3alpha1. Thanks to pie-r
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.5.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Security: Upgrading to the latest release of Golang as part of our general dependency upgrade
process. This includes security fixes for CVE-2022-41725, CVE-2022-41723.
Feature: In Envoy 1.24, experimental support for a native OpenTelemetry tracing driver was
introduced that allows exporting spans in the otlp format. Many observability platforms accept
that format, and it is the recommended replacement for the LightStep driver. Emissary-ingress now
supports setting TracingService.spec.driver=opentelemetry to export spans in otlp format.
Thanks to Paul for helping us get this tested and implemented!
Bugfix: When wanting to expose traffic to clients on ports other than 80/443, users will set a
port in the Host.hostname (e.g. Host.hostname=example.com:8500). The config generated allowed
matching on the :authority header. This worked in the v1.Y series due to the way emissary was
generating Envoy configuration under a single wild-card virtual_host and matching on
:authority. In v2.Y/v3.Y+, the way emissary generates Envoy configuration changed to address
memory pressure and improve route lookup speed in Envoy. However, when including a port in the
hostname, an incorrect configuration was generated with an sni match including the port. This has
been fixed and the correct envoy configuration is being generated. (fix: hostname port issue)
Change: Previously, specifying backend ports by name in Ingress was not supported and would result
in defaulting to port 80. Emissary-ingress can now resolve port names for backend services. If
the port number cannot be resolved by the name (e.g. the named port in the Service doesn't
exist) then it defaults back to the original behavior. (Thanks to Anton Ustyuzhanin!). (#4809)
Change: The emissary-apiext server is a Kubernetes Conversion Webhook that converts between the
Emissary-ingress CRD versions. On startup, it ensures that a self-signed cert is available so that
K8s API Server can talk to the conversion webhook (TLS is required by K8s). We have introduced
a startupProbe to ensure that emissary-apiext server has enough time to configure the webhooks
before running liveness and readiness probes. This is to ensure slow startup doesn't cause K8s to
needlessly restart the pod.
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.4.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by d6e-automaton over 1 year ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.4.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Feature: Support for the getambassador.io/v1 apiVersion has been re-introduced, in order to
facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations
possible, an "unserved" v1 version was declared to Kubernetes, but was unsupported by
Emissary-ingress. That unserved v1 could cause an excess of errors to be logged by the
Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y
install); fully supporting v1 again should resolve these errors.
Feature: It is now possible to configure active healthchecking for upstreams within a Mapping. If
the upstream fails its configured health check then Envoy will mark the upstream as unhealthy and
no longer send traffic to that upstream. Single pods within a group can be marked as
unhealthy. The healthy pods will continue to receive traffic normally while the unhealthy pods
will not receive any traffic until they recover by passing the health check.
Feature: The healthcheck server's bind address, bind port and IP family can now be configured
using environment variables:
AMBASSADOR_HEALTHCHECK_BIND_ADDRESS: The address to bind the
AMBASSADOR_HEALTHCHECK_BIND_PORT: The port to bind the healthcheck
AMBASSADOR_HEALTHCHECK_IP_FAMILY: The IP family to use for the healthcheck
Feature: This upgrades Emissary-ingress to be built on Envoy v1.24.1. One notable change is that
the team at LightStep and Envoy Maintainers have decided to no longer support the native
LightStep tracing driver in favor of using the Open Telemetry driver. The code for the LightStep
driver has been completely removed from the Envoy code base so Emissary-ingress will no longer
support it either.
The recommended upgrade path is to leverage a supported Tracing driver such as Zipkin
and use the Open Telemetry Collector to collect and forward observability data to LightStep.
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Feature: Support for the getambassador.io/v1 apiVersion has been re-introduced, in order to
facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations
possible, an "unserved" v1 version was declared to Kubernetes, but was unsupported by
Emissary-ingress. That unserved v1 could cause an excess of errors to be logged by the
Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y
install); fully supporting v1 again should resolve these errors.
Security: Update Golang to release 1.19.4. Two CVEs were announced in this z patch release.
CVE-2022-41720 only affects Windows environments and Emissary-ingress runs on Linux. The second
one, CVE-2022-41717, only affects HTTP/2 server connections exposed to external clients.
Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of
Envoy is not affected by either of these.
Security: Updated Golang to the latest z patch. We are not vulnerable to the CVE-2022-3602 that
was released in 1.19.3 and you can read more about it here:
https://medium.com/ambassador-api-gateway/ambassador-labs-security-impact-assessment-of-nov-1-openssl-golang-vulnerabilities-f11b5ec37a7e.
We are updating to the latest z patch as part of our normal dependency update process, and this
will help reduce the noise of security scanners.
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Bugfix: If a Host or TLSContext contained a hostname with a : then, when using the
diagnostics endpoints ambassador/v0/diagd, an error would be thrown due to the parsing logic
not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw
an error when parsing envoy metrics for the diagnostics user interface.
Security: Bump Go from 1.17.12 to 1.19.2. This is to keep the Go version current.
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Security: Updated Golang to 1.19.2 to address the CVEs: CVE-2022-2879, CVE-2022-2880,
CVE-2022-41715.
Bugfix: By default Emissary-ingress adds routes for http to https redirection. When an AuthService
is applied in v2.Y of Emissary-ingress, Envoy would skip the ext_authz call for non-tls http
requests and would perform the https redirect. In Envoy 1.20+ the behavior has changed where Envoy
will always call the ext_authz filter, so it must be disabled on a per-route basis.
This new behavior change introduced a regression in v3.0 of Emissary-ingress when it was upgraded
to Envoy 1.22. The http to https redirection no longer worked when an AuthService was applied.
This fix restores the previous behavior by disabling the ext_authz call on the https redirect
routes. (#4620)
Bugfix: When an AuthService is applied in v2.Y of Emissary-ingress, Envoy would skip the ext_authz
call for all redirect routes and would perform the redirect. In Envoy 1.20+ the behavior has
changed where Envoy will always call the ext_authz filter, so it must be disabled on a per-route
basis.
This new behavior change introduced a regression in v3.0 of Emissary-ingress when it was
upgraded to Envoy 1.22. The host_redirect would call an AuthService prior to redirect if applied.
This fix restores the previous behavior by disabling the ext_authz call on the host_redirect
routes. (#4640)
Bugfix: Previous versions of Emissary-ingress required a workaround using TLSContexts to find
tls secrets referenced from Ingress resources. Now tls secrets referenced are properly detected
without requiring an additional TLSContext to reference them. (Thanks to Ole Markus!).
Published by d6e-automaton almost 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Upgrade Emissary to v3.3.0 CHANGELOG
Change: By default, the Ambassador agent will report diagnostics to the Ambassador Cloud
Change: updated auto-scaling resource cpu and memory variable ordering to help with git-ops syncing. Also, adjusted memory and cpu settings to be more friendly so that they do not cause the HPA auto-scaling to trigger during start-up. Thanks to Ian Martin for the contribution!
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Bugfix: If a Host or TLSContext contained a hostname with a : then, when using the
diagnostics endpoints ambassador/v0/diagd, an error would be thrown due to the parsing logic
not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw
an error when parsing envoy metrics for the diagnostics user interface.
Bugfix: The synthetic AuthService didn't correctly handle AmbassadorID, which was fixed in version
3.1 of Emissary-ingress. The fix has been backported to make sure the AuthService is handled
correctly during upgrades.
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.2.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Change: The envoy version included in Emissary-ingress has been upgraded from 1.22 to the latest
patch release of 1.23. This provides Emissary-ingress with the latest security patches,
performance enhancements, and features offered by the envoy proxy.
Change: Changes to label matching will change how Hosts are associated with Mappings. There
was a bug with label selectors that was causing Hosts to be incorrectly associated with
more Mappings than intended. If any single label from the selector was matched then the Host
would be associated with the Mapping. Now it has been updated to correctly only associate a
Host with a Mapping if all labels required by the selector are present. This brings the
mappingSelector field in line with how label selectors are used in Kubernetes. To avoid
unexpected behaviour after the upgrade, add all labels that Hosts have in their mappingSelector
to the Mappings you want to associate with the Host. You can opt out of the new behaviour by
setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to "true" (default:
"false"). (Thanks to Filip Herceg and Joe Andaverde!).
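The following is an added example, not code from Emissary-ingress: a simplified Python model of the any-label versus all-label matching described above, which lists the Host-to-Mapping associations that disappear after the upgrade. The Host names, Mapping names and labels are constructed sample data, and both the handling of an empty selector and the parsing of DISABLE_STRICT_LABEL_SELECTORS are assumptions.

```python
import os

def selector_matches(selector, labels, strict=True):
    """True if a Mapping's labels satisfy a Host's mappingSelector labels."""
    if not selector:
        return True  # assumption: a Host without selector labels is unrestricted
    hits = [labels.get(key) == value for key, value in selector.items()]
    # strict: every selector label must be present (new behaviour)
    # legacy: a single matching label was enough (the bug described above)
    return all(hits) if strict else any(hits)

def strict_from_env(environ=os.environ):
    # Assumption: only the string "true" disables strict matching;
    # the release note gives "false" as the default.
    return environ.get("DISABLE_STRICT_LABEL_SELECTORS", "false").lower() != "true"

def associations(hosts, mappings, strict):
    """Map each Host name to the sorted Mapping names its selector picks up."""
    return {
        host: sorted(name for name, labels in mappings.items()
                     if selector_matches(selector, labels, strict))
        for host, selector in hosts.items()
    }

def dropped_by_upgrade(hosts, mappings):
    """Associations made by any-label matching that all-label matching removes."""
    old = associations(hosts, mappings, strict=False)
    new = associations(hosts, mappings, strict=True)
    dropped = {host: sorted(set(old[host]) - set(new[host])) for host in hosts}
    return {host: names for host, names in dropped.items() if names}

# Constructed sample data: Host name -> mappingSelector labels.
HOSTS = {
    "public-host": {"exposure": "public", "team": "web"},
    "internal-host": {"exposure": "internal", "team": "web"},
}
# Constructed sample data: Mapping name -> metadata labels.
MAPPINGS = {
    "storefront": {"exposure": "public", "team": "web"},
    "admin-api": {"exposure": "internal", "team": "web"},
    "metrics": {"exposure": "internal", "team": "ops"},
}

if __name__ == "__main__":
    print("legacy :", associations(HOSTS, MAPPINGS, strict=False))
    print("strict :", associations(HOSTS, MAPPINGS, strict=True))
    print("dropped:", dropped_by_upgrade(HOSTS, MAPPINGS))
```

In the sample, the legacy rule attaches admin-api to public-host because the two share only the team label, which is the kind of unintended exposure to look for before relying on the opt-out.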
Feature: Previously the Host resource could only use secrets that are in the same namespace as the
Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of
secrets from different namespaces.
Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have
endpoints be inserted to clusters manually. This can help resolve 503 UH caused by
certificate rotation relating to a delay between EDS + CDS. The default is false.
Bugfix: Distinct services with names that are the same in the first forty characters will no
longer be incorrectly mapped to the same cluster. (#4354)
Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then
it will allow traffic through. The RateLimitService resource now exposes the failure_mode_deny
option. When failure_mode_deny: true is set, Envoy will deny traffic when it is unable to
communicate with the RateLimitService, returning a 500.
Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the
AuthService would have no effect because it was not being properly passed to the Envoy cluster
config. This has been fixed and the alt_stats_name field in the cluster config is now set
correctly. (Thanks to Paul!)
Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for
the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default
is "1" if not set.
Bugfix: If a Host or TLSContext contained a hostname with a : then, when using the diagnostics
endpoints ambassador/v0/diagd, an error would be thrown due to the parsing logic not being
able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error
when parsing envoy metrics for the diagnostics user interface.
Feature: It is now possible to set custom_tags in the TracingService. Trace tags can be set
based on literal values, environment variables, or request headers. (Thanks to Paul!) (#4181)
Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of
using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS
termination configuration comes from.
Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have
a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but
didn't make much sense. You can now use a TLSContext without a Host as in Emissary-ingress 1.y
releases, or a Host with or without a TLSContext as in prior 2.y releases.
Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot
be used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts,
as long as that Listener terminates TLS.
Security: Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.