gloo
The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
APACHE-2.0 License
Bot releases are visible (Hide)
Published by EItanya over 4 years ago
This release contained no user-facing changes.
Published by Sodman over 4 years ago
Helm Changes
- Add the following Helm values, available for Gloo Enterprise only:
-
gatewayProxies.NAME.failover.enabled: Configure this proxy for failover. Set to false by default. -
gatewayProxies.NAME.failover.port: Port to use for failover Gateway bind port, and service. Default is 15443. -
gatewayProxies.NAME.failover.nodePort: Optional NodePort for failover Service. -
gatewayProxies.NAME.failover.secretName: Secret containing downstream Ssl Secrets. Set tofailover-downstreamby default. (https://github.com/solo-io/gloo/issues/3338)
-
- Add the following Helm value:
-
gloo.deployment.restXdsPort: the port port where gloo serves REST xDS API to Envoy. Set to 9976 by default. (https://github.com/solo-io/gloo/issues/3338)
-
New Features
- Add the following commands:
-
glooctl cluster list- List clusters registered to the Gloo Federation control plane -
glooctl cluster register- Register a cluster to the Gloo Federation control plane -
glooctl cluster unregister- Unregister a cluster to the Gloo Federation control plane (https://github.com/solo-io/gloo/issues/3369)
-
- Add the following commands:
-
glooctl install federation- install Gloo Federation on Kubernetes -
glooctl uninstall federation- uninstall Gloo Federation (https://github.com/solo-io/gloo/issues/3369)
-
Fixes
- Allow specifying transformations at an earlier stage. Also allow response only transformations, that match on response headers. (https://github.com/solo-io/gloo/issues/3028)
- Stop copying Kubernetes labels when creating Upstreams. Treat labels instead as a discovery-related metadata that can be explicitly used downstream (e.g. by FDS). (https://github.com/solo-io/gloo/issues/2634)
- Update wasm protos to reflect latest method signatures. This fixes a bug in our previous wasm implementation, and uses the configuration object google.protobuf.Any instead of a string value for config. (https://github.com/solo-io/gloo/issues/3035)
Notes
Marked as a pre-release as there are errors in the proto imports
Published by marcogschmidt over 4 years ago
New Features
- Define the API to enforce rate limit policies using
RateLimitConfigresources. The API allows users to apply policies by referencing a set ofRateLimitConfigresources onVirtualHostsandRoutes. Each resource represents a rate limit policy that will be independently enforced on the routing resource that references it. Please see the docs for a detailed explanation of the new API. (https://github.com/solo-io/gloo/issues/3335) - Route-level rate limit descriptors are now supported via the new
RateLimitConfigresources. (https://github.com/solo-io/gloo/issues/2462) - Expose InitialStreamWindowSize and InitialConnectionWindowSize as http2 protocol options. They both default to 256Mib. (https://github.com/solo-io/gloo/issues/3305)
Fixes
- Use the proxy status rather than entire proxy when calculating if we need to update the status of a gateway resource. This change means we resync the status of gateway resources only when we need to. When failing to write status, it will be retried a second later. (https://github.com/solo-io/gloo/issues/3115)
Published by yuval-k over 4 years ago
Fixes
- Use the proxy status rather than entire proxy when calculating if we need to update the status of a gateway resource. This change means we resync the status of gateway resources only when we need to. When failing to write status, it will be retried a second later. (https://github.com/solo-io/gloo/issues/3115)
Published by kdorosh over 4 years ago
New Features
- Define the API to specify access token validation for external authentication in Gloo Enterprise. This API allows for a user to perform additional validation on the access token received during an OAuth2.0 flow and use it in authorization decisions. The userinfo metadata can also be queried and leveraged in an extauth plugin. Further, users can perform the first leg of an OAuth2.0 flow outside of Gloo and only use Gloo to validate access tokens that have been provided on the incoming request. (https://github.com/solo-io/gloo/issues/3055)
Fixes
- Fix a bug where a virtual service has an inconsistent state, by keeping only the last version of it and reducing the number of go-routines. (https://github.com/solo-io/gloo/issues/3115)
Published by yuval-k over 4 years ago
Fixes
- Fix a bug where a virtual service has an inconsistent state, by keeping only the last version of it and reducing the number of go-routines. (https://github.com/solo-io/gloo/issues/3115)
Published by kdorosh over 4 years ago
Fixes
- Fix issue where gateway-level extauth could not be overriden by lower-level virtualhost, route, and weighted destination extauth config. (https://github.com/solo-io/gloo/issues/3270)
Published by kdorosh over 4 years ago
Fixes
- Fix issue where gateway-level extauth could not be overriden by lower-level virtualhost, route, and weighted destination extauth config. (https://github.com/solo-io/gloo/issues/3270)
Published by EItanya over 4 years ago
New Features
- Prepend the TlsInspector filter when no SNI domains are available to match on, as without the ServerName match envoy does not automatically prepend it (https://github.com/solo-io/gloo/issues/3288)
- Expose IncludeRequestAttemptCount and IncludeAttemptCountInResponse as VirtualHost options. They both default to false. (https://github.com/solo-io/gloo/issues/3182)
Fixes
- Removed the 30 second timeout on the knative syncer propagating the proxy status. Now we have eventual consistency and the proxy will eventually report as ready even if eg a secret is added after a config which uses it. (https://github.com/solo-io/gloo/issues/3281)
- Properly validate
RouteTableroutes without matchers. Like with regularVirtualServiceroutes, these routes will be assigned the default/prefix matcher. Consequently, the route is valid only if the parent route also has a\prefix matcher (either explicitly defined, or by default). (https://github.com/solo-io/gloo/issues/3291) - Report delegation cycle errors on the offending
RouteTable, not only onVirtualServicesthat use the table. (https://github.com/solo-io/gloo/issues/3144)
Published by kdorosh over 4 years ago
Dependency Bumps
- envoy-gloo/solo-io has been upgraded to v1.13.3-patch1.
Fixes
- Fix issue where two ssl certs with the same name but different namespaces were merged. (https://github.com/solo-io/gloo/issues/2605)
Published by kdorosh over 4 years ago
CVEs
Updated envoy-gloo to one based on envoy 1.14.3, which includes security fixes in envoy. For more details on the CVEs, see the envoy release notes here.
Note that one of the CVEs requires setting the global_downstream_max_connections, which may affect traffic if you perform a rolling upgrade from a version vulnerable to the CVE. The max connections is configurable and defaults to 250,000.
Dependency Bumps
- envoy-gloo/solo-io has been upgraded to v1.14.3-patch1.
Fixes
- Ingress: fixed updating status.loadBalancer field (https://github.com/solo-io/gloo/issues/2473)
- Properly suffix all cluster-scoped RBAC resources, including those only relevant to ingress- and knative-mode installations. This ensures that multi-tenant Gloo installations will not experience conflicts on those RBAC resources. (https://github.com/solo-io/gloo/issues/3103)
- Default gateway proxy to running as non-root and disabling NET_BIND_SERVICE by default. (https://github.com/solo-io/gloo/issues/3084)
- Enable certgen to run in a fully restricted kubernetes environment. Certgen now runs without root privileges. (https://github.com/solo-io/gloo/issues/3084)
Published by kdorosh over 4 years ago
CVEs
Updated envoy-gloo to one based on envoy master (1.15.0), which includes security fixes in envoy. For more details on the CVEs, see the envoy release notes here.
Note that one of the CVEs requires setting the global_downstream_max_connections, which may affect traffic if you perform a rolling upgrade from a version vulnerable to the CVE. The max connections is configurable and defaults to 250,000.
Dependency Bumps
- envoy-gloo/solo-io has been upgraded to v1.15.0-rc1.
Fixes
- Add Envoy host with port rule for Ingress (https://github.com/solo-io/gloo/issues/3244)
- Fix TCP multi-cluster routing by enabling routing via SNI name. Gloo adds new APIs to expose the envoy tcp SNI filter. (https://github.com/solo-io/gloo/issues/3223)
Published by kdorosh over 4 years ago
CVEs
Updated envoy-gloo to one based on envoy master (1.15.0), which includes security fixes in envoy. For more details on the CVEs, see the envoy release notes here.
Note that one of the CVEs requires setting the global_downstream_max_connections, which may affect traffic if you perform a rolling upgrade from a version vulnerable to the CVE. The max connections is configurable and defaults to 250,000.
Dependency Bumps
- envoy-gloo/solo-io has been upgraded to v1.15.0-rc1.
Fixes
- Add Envoy host with port rule for Ingress (https://github.com/solo-io/gloo/issues/3244)
- Make glooctl debug command respect -f flag for unzipped log output (https://github.com/solo-io/gloo/issues/3124)
Published by kdorosh over 4 years ago
Dependency Bumps
- solo-io/go-utils has been upgraded to v0.16.3.
Published by GrahamGoudeau over 4 years ago
Dependency Bumps
- solo-io/go-utils has been upgraded to v0.16.3.
Published by kdorosh over 4 years ago
Dependency Bumps
- solo-io/go-utils has been upgraded to v0.16.1.
New Features
- Add the envoy Upstream Cluster from SNI filter to the TCP proxy. This filter allows for the sni name of a tls request to be used as the cluster name when routing requests through a TCP listener. (https://github.com/solo-io/gloo/issues/3223)
Fixes
- Fix bug in UDS where Health Checks and Outlier Detection config are being overwritten by updated upstreams. In addition add the
UseHttp2option to the list of checked fields. Part of this involved switching the UseHttp2 option on the Upstream to awrappers.BoolValue. This has no impact on the API itself, but only on the Go implementations. (https://github.com/solo-io/gloo/issues/3216)
Published by kdorosh over 4 years ago
Fixes
- Fix bug in UDS where Health Checks and Outlier Detection config are being overwritten by updated upstreams. In addition add the
UseHttp2option to the list of checked fields. Part of this involved switching the UseHttp2 option on the Upstream to awrappers.BoolValue. This has no impact on the API itself, but only on the Go implementations. (https://github.com/solo-io/gloo/issues/3216)
Published by kdorosh over 4 years ago
Helm Changes
- The loadBalancerIP for the ingress-proxy service can now be configured in helm. This is controlled through the new Helm string value
ingressProxy.service.loadBalancerIP. (https://github.com/solo-io/gloo/issues/3184)
New Features
- Default gateway proxy to mount volumes as non-root. (https://github.com/solo-io/gloo/issues/3084)
Fixes
- Ingress: fixed updating status.loadBalancer field (https://github.com/solo-io/gloo/issues/2473)
Published by kdorosh over 4 years ago
Marked as a pre-release as some of the XDS code still returns v3 resources as v2 resources, which may, in rare cases, cause bugs. The envoy v3 API changes will be reverted in the next release, and completed in a future release.
Helm Changes
- In "gateway" installations of Gloo, enable configuration of the loopback address used for binding the Envoy admin port. This is controlled through the new Helm string value
gatewayProxies.gatewayProxy.loopBackAddress. That same Helm value is also now used to configure the address used for Envoy's readiness probes in a Kubernetes environment. In "ingress" installations of Gloo, Envoy's admin port address is configured using the Helm string valueingressProxy.loopBackAddress. And in "knative" installations, it is configured using the Helm string valuesettings.integrations.knative.proxy.loopBackAddress. (https://github.com/solo-io/gloo/issues/3114)
Fixes
- Properly suffix all cluster-scoped RBAC resources, including those only relevant to ingress- and knative-mode installations. This ensures that multi-tenant Gloo installations will not experience conflicts on those RBAC resources. (https://github.com/solo-io/gloo/issues/3103)
- Re add SDS V2 API to SDS container along side new V3 API so that both may run simultaneously while we transition to V3 API in envoy across different components. This change only affects gloo running in MTLS mode. In addition, removing the top level locality field of the Failover API introduce in
v1.4.0-beta15as it does not have any meaningful effect on the underlying implementation. (https://github.com/solo-io/gloo/pull/3191)
Published by kdorosh over 4 years ago
Fixes
- Expose a validation setting (
allowWarnings, defaulttrue) in the API and in helm that was intended to be exposed. When set to false, the validation webhook will begin rejecting resources that cause warnings in addition to resources that would cause errors. For this to take effect, note that the validation settingalwaysAcceptmust be set to false. (defaulttrue) (https://github.com/solo-io/gloo/issues/3099) - Register listener plugin so that listener options are translated to Envoy configuration. (https://github.com/solo-io/gloo/issues/2904)
- Expose
perConnectionBufferLimitBytesas an optional configuration on an upstream connection. If unset, Envoy uses the default of 1MiB. (https://github.com/solo-io/gloo/issues/2861)