open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
APACHE-2.0 License
Bot releases are hidden (Show)
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Upgrade Emissary to v3.2.0 CHANGELOG
Bugfix: The default Role configuration of the Ambassador Agent Deployment will allow it to correctly watch Secret resources for Ambassador Cloud tokens.
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Feature: Previously the Host
resource could only use secrets that are in the namespace as the
Host. The tlsSecret
field in the Host has a new subfield namespace
that will allow the use of
secrets from different namespaces.
Change: Set AMBASSADOR_EDS_BYPASS
to true
to bypass EDS handling of endpoints and have
endpoints be inserted to clusters manually. This can help resolve with 503 UH
caused by
certification rotation relating to a delay between EDS + CDS. The default is false
.
Bugfix: Previously, setting the stats_name
for the TracingService
, RateLimitService
or the
AuthService
would have no affect because it was not being properly passed to the Envoy cluster
config. This has been fixed and the alt_stats_name
field in the cluster config is now set
correctly. (Thanks to Paul!)
Feature: The AMBASSADOR_RECONFIG_MAX_DELAY
env var can be optionally set to batch changes for
the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default
is "1" if not set.
Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping
that uses SNI, instead of
using the hostname glob in the TCPMapping
, uses the hostname glob in the Host
that the TLS
termination configuration comes from.
Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping
that terminates TLS must have
a corresponding Host
that it can take the TLS configuration from. This was semi-intentional, but
didn't make much sense. You can now use a TLSContext
without a Host
as in Emissary-ingress 1.y
releases, or a Host
with or without a TLSContext
as in prior 2.y releases.
Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping
cannot
be used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
Emissary-ingress now allows TCPMappings
to be used on the same Listener
port as HTTP Hosts
,
as long as that Listener
terminates TLS.
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.1.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to
OpenAPI 3, making them available for use in the dev portal.
Feature: Adds a new command to the agent directive service to manage secrets. This allows a third
party product to manage CRDs that depend upon a secret.
Feature: Add additional pprof endpoints to allow for profiling Emissary-ingress:
Change: In the standard published .yaml
files, the Module
resource enables serving remote
client requests to the :8877/ambassador/v0/diag/
endpoint. The associated Helm chart release
also now enables it by default.
Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to
ensure that all the nodes composing the emissary ingress cluster are reporting properly.
Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.
Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
CVE-2022-27781, CVE-2022-27780.
Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.2/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to
ensure that all the nodes composing the emissary ingress cluster are reporting properly.
Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.
Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
CVE-2022-27781, CVE-2022-27780.
Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
Published by d6e-automaton about 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.0.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Change: The envoy version included in Emissary-ingress has been upgraded from 1.17 to the latest
patch release of 1.22. This provides Emissary-ingress with the latest security patches,
performances enhancments, and features offered by the envoy proxy. One notable change that will
effect users is the removal of support for V2 tranport protocol. See below for more information.
Change: Emissary-ingress can no longer be made to configure Envoy using the v2 xDS configuration
API; it now always uses the v3 xDS API to configure Envoy. This change should be mostly invisible
to users, with one notable exception: It removes support for regex_type: unsafe
.
The
regex_type
field will is removed from the ambassador
Module
, meaning that it is not be
possible to instruct Envoy to use the ECMAScript Regex engine rather than
the default RE2 engine.
Users who rely on the specific
ECMAScript Regex syntax will need to rewrite their regular expressions with RE2 syntax before
upgrading to Emissary-ingress 3.0.0.
As the xDS version is no longer configurable and the range of
supported Zipkin protocols is reduced (see below), the AMBASSADOR_ENVOY_API_VERSION environment
variable has been removed.
Change: With the ugprade to Envoy 1.22, Emissary-ingress no longer supports the V2 transport
protocol. The AuthService
, LogService
and the RateLimitService
will only support the v3
protocol_version. If protocol_version is not specified, the default value of v2
will cause an
error to be posted. Therefore, you will need to set it to protocol_version: "v3"
. If upgrading
from a previous version you will want to set it to "v3" and ensure it is working before upgrading
to Emissary-ingress 3.Y.
Change: With the upgrade to Envoy 1.22, the zipkin
driver for the TraceService
no longer
supports setting the collector_endpoint_version: HTTP_JSON_V1
. This was removed in Envoy 1.20 -
.
The new default will be collector_endpoint_version: HTTP_JSON
, regardless of the
AMBASSADOR_ENVOY_API_VERSION
environment variable.
Change: In the standard published .yaml
files, now included is a Module
resource that disables
the /ambassador/v0/
→ 127.0.0.1:8878
synthetic mapping. We have long recommended to turn
this off for production use; it is now off in the standard YAML. The associated Helm chart
release also now disables it by default. A later apiVersion (getambassador.io/v3alpha2
or
later) will likely change the Module
CRD so that it is disabled if unspecified; but in the
mean-time, the default install procedure will now specify it to be disabled.
Change: This release does not include the publishing of emissary-emissaryns-agent.yaml
,
emissary-defaultns-agent.yaml
, emissary-emissaryns-migration.yaml
, or
emissary-defaultns-migration.yaml
files. All four of these files existed solely as part of the
migration process from 1;y, but since 2.2.0 the *-migration.yaml
files have not been part of the
migration instructions, and while the *-agent.yaml
files remained part of the instructions they
were actually unnescessary.
Change: The previous version of Emissary-ingress was based on Envoy 1.17 and when using grpc_stats
with all_methods
or services
set, it would output metrics in the following format
envoy_cluster_grpc_{ServiceName}_{statname}
. When neither of these fields are set it would be
aggregated to envoy_cluster_grpc_{statname}
.
The new behavior since Envoy 1.18 will produce
metrics in the following format envoy_cluster_grpc_{MethodName}_statsname
and
envoy_cluster_grpc_statsname
.
After further investigation we found that Envoy doesn't properly
parse service names such as cncf.telepresence.Manager/Status
. In the future, we will work
upstream Envoy to get this parsing logic fixed to ensure consistent metric naming.
Bugfix: Previously setting grpc_stats
in the ambassador
Module
without setting either
grpc_stats.services
or grpc_stats.all_methods
would result in crashing. Now it behaves as if
grpc_stats.all_methods=false
.
Feature: With the ugprade to Envoy 1.22, Emissary-ingress can now be configured to listen for
HTTP/3 connections using QUIC and the UDP network protocol. It currently only supports for
connections between downstream clients and Emissary-ingress.
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Change: The default for the module
value has changed to disable
the /ambassador/v0/
→ 127.0.0.1:8877
synthetic Mapping by
default. We have long recommended to turn this off for production
use; it is now off by default.
Bugfix: The default values no trigger the creation of an
"emissary-test-ready" Pod. This Pod was meant to only be created
when running the chart's test suite; it was not meant to be created
in users' clusters.
Published by LukeShu over 2 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by d6e-automaton over 2 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Bugfix: A regression was introduced in 2.3.0 that leaked zipkin default config fields into the
configuration for the other drivers (lightstep, etc...). This caused Emissary-ingress to crash on
startup. This issue has been resolved to ensure that the defaults are only applied when driver is
zipkin
(#4267)
Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's
1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected
by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal
redirects, and does not use Envoy's built-in OAuth2 filter.
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Security: Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.
Feature: It is now possible to set propagation_modes
in the TracingService
config when using
lightstep as the driver. (Thanks to Paul!) (#4179)
Feature: It is now possible to set crl_secret
in Host
and TLSContext
resources to check peer
certificates against a certificate revocation list. (#1743)
Feature: Previously, a LogService
would always have Emissary-ingress communicate with the
external log service using the envoy.service.accesslog.v2.AccessLogService
API. It is now
possible for the LogService
to specify protocol_version: v3
to use the newer
envoy.service.accesslog.v3.AccessLogService
API instead. This functionality is not available if
you set the AMBASSADOR_ENVOY_API_VERSION=V2
environment variable.
Bugfix: When CORS is specified (either in a Mapping
or in the Ambassador
Module
), CORS
processing will happen before authentication. This corrects a problem where XHR to authenticated
endpoints would fail.
Bugfix: In 2.x releases of Emissary-ingress when there are multiple Mapping
s that have the same
metadata.name
across multiple namespaces, their old config would not properly be removed from
the cache when their config was updated. This resulted in an inability to update configuration for
groups of Mapping
s that share the same name until the Emissary-ingress pods restarted.
Bugfix: It is now possible for a TracingService
to specify collector_endpoint_version: HTTP_JSON_V1
when using xDS v3 to configure Envoy (which has been the default since
Emissary-ingress 1.14.0). The HTTP_JSON_V1
value configures Envoy to speak to Zipkin using
Zipkin's old API-v1, while the HTTP_JSON
value configures Envoy to speak to Zipkin using
Zipkin's new API-v2. In previous versions of Emissary-ingress it was only possible to use
HTTP_JSON_V1
when explicitly setting the AMBASSADOR_ENVOY_API_VERSION=V2
environment variable
to force use of xDS v2 to configure Envoy.
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
ambassador_id
to listener manifests rendered when using createDefaultListeners: true
with AMBASSADOR_ID
set in environment variables. Thanks to Jennifer Reed for the contribution!Published by LukeShu over 2 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by d6e-automaton over 2 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.2.2/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Change: You may now choose to enable TLS Secret validation by setting the
AMBASSADOR_FORCE_SECRET_VALIDATION=true
environment variable. The default configuration does not
enforce secret validation.
Bugfix: Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now
properly validated. (4134)
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Published by d6e-automaton over 2 years ago
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.2.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Change: Support for the Envoy V2 API is deprecated as of Emissary-ingress v2.1, and will be
removed in Emissary-ingress v3.0. The AMBASSADOR_ENVOY_API_VERSION
environment variable will be
removed at the same time. Only the Envoy V3 API will be supported (this has been the default since
Emissary-ingress v1.14.0).
Bugfix: The Ambassador Agent now correctly supports requests to cancel a rollout.