open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
APACHE-2.0 License
Bot releases are hidden (Show)
Published by kflynn over 3 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
false
from non-existent attributes in CRDs (#3212)Published by kflynn over 3 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by esmet over 3 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
labels
specifying headers with extra attributes are correctly supported again (#3137).ConsulResolver
and the Mapping
aren't in the same namespace, and legacy mode is not enabled.TLSContext
CA secrets with fast validation (#3005).action
for each limit. Possible values include "Enforce" and "LogOnly", case insensitive. LogOnly may be used to implement dry run rules that do not actually enforce.name
for each limit. This name can later be used in the access log to know which RateLimit, if any, applied to a request.DYNAMIC_METADATA(envoy.http.filters.ratelimit: ... )
command operator in the Envoy access logs. See Envoy Documentation for more on using dynamic metadata in the access log.Published by kflynn almost 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
redirect_reponse_code
on Mappings
that use host_redirect
.prefix_redirect
on Mappings
that use host_redirect
.regex_redirect
on Mappings
that use host_redirect
.max_request_headers_kb
in the Ambassador Module
. This directly exposes the same value in Envoy; see Envoy documentation for more information.error_response_overrides
now support configuring an empty response body using text_format
. Previously, empty response bodies could only be configured by specifying an empty file using text_format_source
.id_token
information to the upstream if it was returned by the IDP.text_format_source
field was incorrectly defined as type string
instead of an object, as documented.AMBASSADOR_FAST_RECONFIGURE
is enabled now more-closely match the requirements when it's disabled.AMBASSADOR_FAST_VALIDATION
variable has been removed. The Golang boot sequence is also now the default. Set AMBASSADOR_LEGACY_MODE=true
to disable these two behaviors.ambassador
namespace instead of the active namespace specified in the user's kubernetes context (usually default
). Old resource cleanup is documented in the Ambassador Consul integration documentation.insufficient_scope
error when validating Azure access tokens.Published by acookin almost 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
host
cannot be parsed as a valid hostname.Published by esmet almost 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
/.ambassador-internal/openapi-docs
. A new field in Mappings
, docs
, must be used for specifying the source for documentation. This can result in an empty Dev Portal after upgrading if Mappings
do not include a docs
attribute.grpc_stats
configuration flag -- thanks, Felipe Roveran!)RateLimitService
and AuthService
configs now support switching between gRPC protocol versions v2
and v2alpha
(see the protocol_version
setting)TracingService
Zipkin config now supports setting collector_hostname
to tell Envoy which host header to set when sending spans to the collectorambassador
DevPortal
resource.regex_rewrite
and rewrite
directive conflicts in Mapping
s due to the latter's implicit default value of /
(thanks, obataku!)/metrics
endpoint will no longer break if invoked before configuration is complete (thanks, Markus Jevring!)Mapping
s with host_redirect
set with Mapping
s that don't in the same groupConsulResolver
will now fallback to the Address
of a Consul service if Service.Address
is not set.OAuth2
Filter authenticates itself to the identity provider is now configurable with the clientAuthentication
setting.OAuth2
Filter can now use RFC 7523 JWT assertions to authenticate itself to the identity provider; this is usable with all grant types.JWT
and OAuth2
Filters now support not just RFC 8693 behavior, but also the behavior of various drafts leading to it, making JWT scope validation usable with more identity providers.OAuth2
Filter now has inheritScopeArgument
and stripInheritedScope
settings that can further customize the behavior of accessTokenJWTFilter
.OAuth2
Filter argument scopes
has been renamed to scope
, for consistency. The name scopes
is deprecated, but will continue to work for backward compatibility.OAuth2
Filter: Don't have accessTokenValidation: auto
fall back to "userinfo" validation for a client_credentials grant; it doesn't make sense there and only serves to obscure a more useful error message.Published by LukeShu about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by kflynn about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
edgectl connect
command now works properly when using zsh on a Linux platform.command
.RateLimit
CRDs now support setting a response body, configurable with the errorResponse
setting.External
Filter
can now properly proxy the body to the configured auth_service
Events.v1.core
(previously it granted "create" but not "patch")Published by LukeShu about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
insecure.action
on a per-Host
-resource basis, which was an ability added in 1.7.0. This reverts to the pre-1.7.0 behavior of having one Host
's insecure action "win" and be used for all Host
s.AMBASSADOR_FAST_RECONFIGURE=true
.AMBASSADOR_FAST_RECONFIGURE=true
is set, Ambassador now logs information about memory usage.Published by LukeShu about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
AMBASSADOR_FAST_RECONFIGURE=true
has been fixed where Host resources tls.ca_secret
didn't work correctly.TLSContext
resources and spec.tls
in Host
resources now correctly handle namespaces with .
in them.spec.requestPolicy.insecure.action
for Host
resources with a *
wildcard in the hostname.Published by kflynn about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by LukeShu about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
envoy_validation_timeout
in the Ambassador Module to set the timeout for validating new Envoy configurationsconsul_connect_integration
is now built correctly.Published by kflynn about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Host
object with incompatible manually-specified TLSContext
/metrics
endpoint on port 8877.AMBASSADOR_FAST_RECONFIGURE
env var must be set to enable this. AMBASSADOR_FAST_VALIDATION
should also be set for maximum benefit.Mapping
s that set host
and headers
edgectl install
will automatically enable Service Preview with a Preview URL on the Host resource it creates.x-service-preview-path
header in filtered requests with the original request prefix to allow for context propagation.--grpc
flag on the edgectl intercept add
command and the getambassador.io/inject-traffic-agent-grpc: "true"
annotation when using automatic Traffic-Agent injection.TracingService
Zipkin config now supports setting collector_endpoint_version
to tell Envoy to use Zipkin v2.RateLimit
.Path
value for the spec.previewUrl.type
field.JWT
, OAuth2
, and other Filters are now better about reusing connections for outgoing HTTP requests.Filters
./.ambassador-internal/
endpoints used by the DevPortal.RateLimit
resource beyond 5rps without any form of license key will still trigger 429 responses, but now with a X-Ambassador-Message
header indicating that's what happned.RateLimit
s overlap, it is supposed to enforce the strictest limit; but the strictness comparison didn't correctly handle comparing limits with different units.Published by LukeShu about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Host.spec.tls
and Host.spec.tlsContext
fields now work when AMBASSADOR_FAST_VALIDATION=fast
is not set.use_websocket: true
on a Mapping
now only affects routes generated from that Mapping
, instead of affecting all routes on that port.allow_upgrade
is a generalization of use_websocket
.Host.spec.requestPolicy.insecure.additionalPort
field works again.Host.spec.ambassadorId
is once again handled in addition to .ambassador_id
; allowing hosts written by older versions AES prior to 1.6.0 to continue working.protectedOrigins
in a Host
.Published by LukeShu about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
https
scheme for service are correctly parsed.localhost
is now handled correctly.Published by alexgervais about 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading/
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Mapping
status from default-on to default-off; see below.kubectl apply
.Host
resource via tlsContext
and tls
fields.AMBASSADOR_FAST_VALIDATION
env var must be set to enable this.envoy_log_format
can now be set with envoy_log_type: json
.As previously announced, the default value of AMBASSADOR_UPDATE_MAPPING_STATUS
has now changed from true
to false
; Ambassador will no longer attempt to
update the Status
of a Mapping
unless you explicitly set
AMBASSADOR_UPDATE_MAPPING_STATUS=true
in the environment. If you do not have
tooling that relies on Mapping
status updates, we do not recommend setting
AMBASSADOR_UPDATE_MAPPING_STATUS
.
In Ambassador 1.7, TLS secrets in Ingress
resources will not be able to use
.namespace
suffixes to cross namespaces.
X-Content-Type-Options: nosniff
to response headers are now set for the Edge Policy Console, to prevent MIME confusion attacks.OAuth2
Filter now has a allowMalformedAccessToken
setting to enable use with IDPs that generate access tokens that are not compliant with RFC 6750.errorResponse
.Published by LukeShu over 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Published by LukeShu over 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
Mapping
-status updates (RECOMMENDED: see below)We recommend that users set AMBASSADOR_UPDATE_MAPPING_STATUS=false
in the environment to tell Ambassador not to update Mapping
statuses unless you have some script that relies on Mapping
status updates. The default value of AMBASSADOR_UPDATE_MAPPING_STATUS
will change to false
in Ambassador 1.6.
Published by LukeShu over 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
OAuth2
AuthorizationCode filter no longer works when behind another gateway that rewrites the request hostname. The behavior here is now controllable via the internalOrigin
sub-field.Published by LukeShu over 4 years ago
Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started
DEVPORTAL_CONTENT_URL
environment variable now properly handles file:///
URLs to refer to volume-mounted content.acmeProvider.authority: none
is no longer case sensitiveedgectl connect
works again on Ubuntu and other Linux setups with old versions of nss-mdns (older than version 0.11)edgectl
works again on Windows