gloo

Helm Changes

• Introduce gateway.validation.webhook.enablePolicyApi which controls whether or not RouteOptions and VirtualHostOptions CRs are subject to validation. By default, this value is true. The validation of these Policy APIs only runs if the Kubernetes Gateway integration is enabled (kubeGateway.enabled). (https://github.com/solo-io/solo-projects/issues/6352)

New Features

• Adds the host_rewrite_header to the route options to allow envoy to swapped the host header with the content of given downstream or custom header. Pay attention to the potential security implications of using this option. Provided header must come from trusted source. (https://github.com/solo-io/gloo/issues/9579)
• Adds pre-admission validation rules to the AuthConfig CRD. (https://github.com/solo-io/gloo-mesh-enterprise/issues/16010)
• Adds the ability to recover if the Kubernetes API server is unreachable once the gloo pod comes up. The MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable defines the maximum duration the gloo pod can run and attempt to reconnect to the kube apiserver if it is unreachable. Exceeding this duration will lead to the pod quitting. To enable this feature, set the MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable to the desired duration in the gloo container. This can be done either by modifying the gloo deployment or by specifying the gloo.deployment.customEnv[0].Name=MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER and gloo.deployment.customEnv[0].Value=60s helm values. (https://github.com/solo-io/gloo/issues/8107)
• gateway2: merge multiple targetRef based Route & VirtualHost options

Implements merging of targetRef based RouteOptions and
VirtualHostOptions in a specific order of precedence from
oldest to newest created resource.

The merging uses shallow merging such that for an option
A that is higher priority than option B, merge(A,B) merges
the top-level options of B that have not already been set on A.
This allows options later in the precedence chain to augment
the existing options during a merge but not overwrite them. (https://github.com/solo-io/solo-projects/issues/6313)

Fixes

• Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy. (https://github.com/solo-io/gloo/issues/9622)
• Fix statuses being synced properly for k8s gateway resources (https://github.com/solo-io/solo-projects/issues/6304)
• Follow up to fix discoveryAddress, istioMetaMeshId and istioMetaClusterId in k8s gateway deployment for Istio integration. (https://github.com/solo-io/solo-projects/issues/6107)
• Fix issue where Kube Gateway proxies would have errors regarding status logged constantly (https://github.com/solo-io/solo-projects/issues/6252)

New Features

• Adds the ability to recover if the Kubernetes API server is unreachable once the gloo pod comes up. The MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable defines the maximum duration the gloo pod can run and attempt to reconnect to the kube apiserver if it is unreachable. Exceeding this duration will lead to the pod quitting. To enable this feature, set the MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable to the desired duration in the gloo container. This can be done either by modifying the gloo deployment or by specifying the gloo.deployment.customEnv[0].Name=MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER and gloo.deployment.customEnv[0].Value=60s helm values. (https://github.com/solo-io/gloo/issues/8107)

Fixes

• Adds the host_rewrite_header to the route options to allow envoy to swapped the host header with the content of given downstream or custom header. Pay attention to the potential security implications of using this option. Provided header must come from trusted source. (https://github.com/solo-io/gloo/issues/9579)
• Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy. (https://github.com/solo-io/gloo/issues/9622)
• Fix issue where Kube Gateway proxies would have errors regarding status logged constantly (https://github.com/solo-io/solo-projects/issues/6252)

Fixes

• Adds the host_rewrite_header to the route options to allow envoy to swapped the host header with the content of given downstream or custom header. Pay attention to the potential security implications of using this option. Provided header must come from trusted source. (https://github.com/solo-io/gloo/issues/9579)
• Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy. (https://github.com/solo-io/gloo/issues/9622)

New Features

• Enables routing to AWS Lambda and Azure Function upstreams via the GGv2 API. (https://github.com/solo-io/solo-projects/issues/6160)
• Add HttpListenerOption policy for use with Kube Gateway API resources (https://github.com/solo-io/solo-projects/issues/6319)

Fixes

• Resync the Gloo Gateway Controller when a Service is updated. (https://github.com/solo-io/solo-projects/issues/6332)
• Fix glooctl check to not rely on existence of proxy deployments when checking proxies. (https://github.com/solo-io/solo-projects/issues/5741)

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to v1.30.2-patch2.

Helm Changes

• Fix istioIntegration.enabled helm value to configure bootstrap configmap. Remove deprecated istioSDS.enabled as a requirement for Istio automtls integration. (https://github.com/solo-io/solo-projects/issues/5743)

New Features

• Add support for the envoy.http.stateful_session.header filter This support has been added via a new HTTPListener option, stateful_session which can be used to configure the filter. Envoy notes about this filter: - Stateful sessions can result in imbalanced load across upstreams and allow external actors to direct requests to specific upstream hosts. Operators should carefully consider the security and reliability implications of stateful sessions before enabling this feature. - This extension is functional but has not had substantial production burn time, use only with this caveat. - This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted. (https://github.com/solo-io/gloo/issues/9104)

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to v1.27.6-patch1.

Helm Changes

• Rename the kube gateway envoy container image helm value from kubeGateway.gatewayParameters.glooGateway.image to kubeGateway.gatewayParameters.glooGateway.envoyContainer.image. (https://github.com/solo-io/solo-projects/issues/6107)

New Features

• 1. Add API for running postRouting transformations. This means that the transformation filter
     will be run as a part of the router filter, rather than during the standard HTTP filter chain.
     This allows access to endpoint specific information which is not available during the standard
     fiter chain.

2. Add API for adding metadata to endpoints in static/failover upstreams. This metadata can
   then be accessed in the transformation filter mentioned above.
3. Add new plugin type to allow adding filter in the upstream filter chain. (https://github.com/solo-io/solo-projects/issues/5890)

Fixes

• Properly pass through the json_to_proto value from the gloo API to the envoy API for dynamic metadata transformations. (https://github.com/solo-io/solo-projects/issues/5890)

Helm Changes

• Add k8s Gateway Istio integration values to the Gloo Gateway Helm chart under kubeGateway.gatewayParameters.glooGateway. (https://github.com/solo-io/solo-projects/issues/5743)

Fixes

• Adds error types for plugins errors to differentiate between validation errors and validation warnings in order to support preventing the validation webhook rejecting config due to eventual consistency issues with the RateLimitConfig resource. (https://github.com/solo-io/solo-projects/issues/6251)
• Changing error type to warning will deflake the validation webhook rejecting config due to eventual consistency issues with the RateLimitConfig resource. (https://github.com/solo-io/solo-projects/issues/5307)
• Adds initial error types for plugins errors to differentiate between validation errors and validation warnings. (https://github.com/solo-io/gloo/issues/7357)

New Features

• New CRDs added for ListenerOption and HttpListenerOption resources (https://github.com/solo-io/solo-projects/issues/5941)
• Add ListenerOption as a policy resource for use with Kube Gateway API objects.
  Note that this resource can not currently be used as a standalone resource (i.e. delegated option) for the Gloo Edge API. (https://github.com/solo-io/solo-projects/issues/5941)

Helm Changes

• Mark Istio integration helm values that rely on double proxy setup as deprecated. This includes: - global.istioIntegration.labelInstallNamespace - global.istioIntegration.whitelistDiscovery - global.istioIntegration.enableIstioSidecarOnGateway - global.istioIntegration.istioSidecarRevTag - global.istioIntegration.appendXForwardedHost (https://github.com/solo-io/solo-projects/issues/5743)

New Features

• gateway2: enable self-managed Gateways

Adds capability to integrate self-managed gateways
that are not meant to be auto-provisioned by the
controller. This is required to support use cases
where gateways are statically provisioned, such
as when running the gateways external to k8s on
VMs.

It adds a selfManaged field to the GatewayParameters
CRD which is used to skip the deployment of Gateway
related objects (deployment, service, etc.). When
a gateway is self-managed, it is expected to be
correctly bootstrapped with an envoy config that
matches the Gateway resource's name and namespace,
specifically the node field must be configured
correctly to link a self-managed gateway to the
Gateway resource. (https://github.com/solo-io/solo-projects/issues/6196)

Fixes

• Resolves issue where default GatewayParameters could be passed invalid fields and fail to render (https://github.com/solo-io/solo-projects/issues/6257)
• Fix bug in glooctl get proxy that returned duplicate proxies. (https://github.com/solo-io/solo-projects/issues/6088)

Dependency Bumps

• k8s.io/api has been upgraded to v0.29.2.
• k8s.io/apiextensions-apiserver has been upgraded to v0.29.2.
• k8s.io/apimachinery has been upgraded to v0.29.2.
• k8s.io/apiserver has been upgraded to v0.29.2.
• k8s.io/cli-runtime has been upgraded to v0.29.2.
• k8s.io/client-go has been upgraded to v0.29.2.
• sigs.k8s.io/code-generator has been upgraded to v0.29.2.
• sigs.k8s.io/component-base has been upgraded to v0.29.2.
• sigs.k8s.io/component-helpers has been upgraded to v0.29.2.
• sigs.k8s.io/kubectl has been upgraded to v0.29.2.
• sigs.k8s.io/metrics has been upgraded to v0.29.2.
• sigs.k8s.io/controller-runtime has been upgraded to v0.17.4.
• onsi/ginkgo/v2 has been upgraded to v2.14.0.
• onsi/gomega has been upgraded to v1.30.0.
• go.uber.org/zap has been upgraded to v1.26.0.
• solo-io/k8s-utils has been upgraded to v0.7.2.
• solo-io/skv2 has been upgraded to v0.39.1.
• solo-io/solo-apis has been upgraded to sa-k8s-1.29-bump.
• solo-io/solo-kit has been upgraded to v0.35.0.

Breaking Changes

• Deprecate Gloo Edge as an Ingress Controller (https://github.com/solo-io/gloo/issues/8978)
• The ErrNoSupportedSidecar has been removed from the projects/gloo/cli/pkg/cmd/istio/sidecars package as we no longer support any versions that would trigger this error. (https://github.com/solo-io/gloo/issues/8990)

Helm Changes

• Startup probe has been enabled by default in Istio helm charts. See Istio 1.20.0 release notes for more information and halm values to revert the startup probe enablement. (https://github.com/solo-io/gloo/issues/8990)

Fixes

• Fix issue where upstream creation/deletion were not being reconciled by the K8s Gateway controller. (https://github.com/solo-io/solo-projects/issues/6222)

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to v1.30.1-patch1.

Helm Changes

• Introduced new fields to kubeGateway top-level field which configure the deployed Gateway proxies generated from a Gateway. Also introduced a new default GatewayParameters to be rendered when kubeGateway.enabled=true. This contains defaults for Istio/SDS, as well as things like envoy image, deployment replicas, and extra labels in the pod template. (https://github.com/solo-io/solo-projects/issues/6107)

New Features

• Introduced a new default GatewayParameters which is associated with a GatewayClass and represents the default values applied to Gateways created from that GatewayClass that don't otherwise have a specific GatewayParameters attached. (https://github.com/solo-io/solo-projects/issues/6107)
• gateway2/delegation: enable optional parent matcher inheritance

In the current design, a child route must have route matchers
that match the parent's to be considered in the delegation chain.

There's a request to enable matcher inheritance from the parent
such that instead of child routes needing to specify paths
that include the parent's path as prefix, they instead inherit
the parent prefix, headers, query params, etc. The result
is that the paths specified by child routes are relative
to the parent paths. Headers and query params are merged
from the parent into the child while giving preference to
parent matchers in case of conflicts. (https://github.com/solo-io/solo-projects/issues/6228)

Fixes

• Added default service type of LoadBalancer to default GatewayParameters. This value will be inherited by each deployed gateway proxy unless it is overridden in a GatewayParameters attached to the Gateway resource which generated it. (https://github.com/solo-io/solo-projects/issues/6113)
• Fixes bug that prevented deleted HTTPRoutes from being fully reconciled to proxies (https://github.com/solo-io/gloo/issues/9508)
• Make GatewayParameters fields nullable so they are more easily overridable. (https://github.com/solo-io/solo-projects/issues/6107)

Fixes

• Set the previously-missing HTTPS listener data when the listeners are translated. (https://github.com/solo-io/solo-projects/issues/6201)

Dependency Bumps

• solo-io/k8s-utils has been upgraded to v0.6.3.

Helm Changes

• • Add helm values for all containers to allow defining containers' securityContexts * Add global.podSecurityStandards.enableRestrictedContainerDefaults to default to using a restricted set of container defaults * Add new helper template to render the container securityContexts and apply the defaults if neccessary (https://github.com/solo-io/gloo/issues/8864)

Fixes

• Add helm values for all containers to allow for conforming to Pod Security Standards (https://github.com/solo-io/gloo/issues/8864)

This release contained no user-facing changes.

Dependency Bumps

• solo-io/k8s-utils has been upgraded to v0.6.3.

Helm Changes

• • Add helm values for all containers to allow defining containers' securityContexts * Add global.podSecurityStandards.enableRestrictedContainerDefaults to default to using a restricted set of container defaults * Add new helper template to render the container securityContexts and apply the defaults if neccessary (https://github.com/solo-io/gloo/issues/8864)

New Features

• Add helm values for all containers to allow for conforming to Pod Security Standards (https://github.com/solo-io/gloo/issues/8864)

Fixes

• gateway2: simplify how plugins handle delegated routes

This change simplifies how plugins may perform merging
of policies in a delegation chain, particularly in the
case of RouteOptions. It performs an in-place merge
such that the policy on a child route may be overridden
by by a subsequent call to the plugin with a different
route context.

Further, it accurately tracks the source RouteOptions
involved in the merge so that the statuses on them
can be correctly reported. (https://github.com/solo-io/solo-projects/issues/6204)

• Removed the --proxy-ns flag from glooctl get proxy, as proxies are now all written to the discoveryNamespace specified in settings. (https://github.com/solo-io/solo-projects/issues/6088)

Helm Changes

• Adds a new helm value global.additionalLabels that specifies additional labels to add to gloo resources. (https://github.com/solo-io/gloo/issues/9035)

New Features

• Adds webhook validation for Gloo Gateway Policies (e.g. RouteOption and VirtualHostOption) when used with Kubernetes Gateway API (https://github.com/solo-io/solo-projects/issues/6063)

New Features

• This change implements policy inheritance, specifically
  in the context of RouteOptions, such that a child route
  in a delegation chain may inherit RouteOptions from its
  ancestors. Parents higher in the hierarchy are given
  preference when merging the RouteOptions down the delegation
  chain, i.e. for a tree A->B->C the RouteOptions of A are
  prioritized first, then the RouteOptions of B augment that
  of A without overriding the options in A, then the options
  of C augment the merge of A and B without overriding fields.

Additionally, it does the following:

• Refactors the RouteOption query API to perform merging
  and prioritization within the query.
• Translator tests for the many scenarios of policy inheritance.
• Converts delegation translator test to a table-driven test.
• E2e tests to verify the inheritance and merge functionality. (https://github.com/solo-io/solo-projects/issues/6161)

Fixes

• This change updates the route sorting such that regex based matchers
  are prioritized over prefix based matchers to be consistent with
  Gloo gateway v1. The Gateway API states that the precedence of
  regex matches is implementation specific, so this change conforms
  to the API requirements.

Further, it avoids prioritizing regex based matchers based on their
lengths as this is rather abitrary. E.g., /a/b./. is longer than
/a/b./c but less specific, so it's relative order should be lower
in the sorted order but if prioritized based on length it would
appear before a more specific match. If there is a tie among
regex routes, the other precedence rules govern the relative
ordering among them. (https://github.com/solo-io/solo-projects/issues/6175)

• Refactor our TestInstallation to make it more re-usable with Portal E2E tests. (https://github.com/solo-io/solo-projects/issues/6029)

Dependency Bumps

• bitnami/kubectl has been upgraded to 1.28.9.
• solo-io/envoy-gloo has been upgraded to v1.29.3-patch2.

Fixes

• Fix a bug where Lambdas returning multiValueHeaders with non-string type with unwrapAsApiGateway enabled would result in a 500 response to the caller (https://github.com/solo-io/gloo/issues/8867)

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to v1.27.5-patch2.

Fixes

• Fix a bug where Lambdas returning multiValueHeaders with non-string type with unwrapAsApiGateway enabled would result in a 500 response to the caller (https://github.com/solo-io/gloo/issues/8867)