Merge pull request #25 from datawire/flynn/dev/edge-stack-tweaks

Edge Stack Tweaks

Author: kflynn

CHANGELOG.md

@@ -73,12 +73,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
 ## [2.0.4] 2021-10-19
 [2.0.4]: https://github.com/datawire/edge-stack/releases/v2.0.4
 
-We're pleased to introduce Ambassador Edge Stack 2.0.4 for general availability for new
-installations! The 2.X family introduces a number of changes to allow Ambassador Edge Stack to
-more gracefully handle larger installations, reduce global configuration to better handle
-multitenant or multiorganizational installations, reduce memory footprint, and improve
-performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us
-know what you think.
+We're pleased to introduce Ambassador Edge Stack 2.0.4 for general availability! The 2.X family
+introduces a number of changes to allow Ambassador Edge Stack to more gracefully handle larger
+installations, reduce global configuration to better handle multitenant or multiorganizational
+installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on
+<a href="https://a8r.io/slack">Slack</a> and let us know what you think.
 
 ## Ambassador Edge Stack
 
@@ -88,7 +87,8 @@ know what you think.
   for 2.0.4_ &mdash; full support for `getambassador.io/v2` will arrive soon in a later 2.X version.
 
 - Feature: The `getambassador.io/v3alpha1` API version and the published chart and manifests have been
-  updated to support Kubernetes 1.22.
+  updated to support Kubernetes 1.22. Thanks to <a href="https://github.com/imoisharma">Mohit
+  Sharma</a> for contributions to this feature!
 
 - Feature: You can now set `dns_type` between `strict_dns` and `logical_dns` in a `Mapping` to configure the
   Service Discovery Type.
@@ -147,7 +147,7 @@ installations, reduce memory footprint, and improve performance. We welcome feed
 - Bugfix: Upgraded envoy to 1.17.4 to address security vulnerabilities CVE-2021-32777, CVE-2021-32778,
   CVE-2021-32779, and CVE-2021-32781.
 
-- Feature: You can now set `allow_chunked_length` in the Ambassador Module to configure the same value in
+- Feature: You can now set `allow_chunked_length` in the `ambassador` `Module` to configure the same value in
   Envoy.
 
 - Change: Envoy-configuration snapshots get saved (as `ambex-#.json`) in `/ambassador/snapshots`. The number
@@ -221,7 +221,7 @@ installations, reduce memory footprint, and improve performance. We welcome feed
   regex, the new `hostname` element is always a DNS glob. Use `hostname` instead of `host` for best
   results.
 
-- Feature: The behavior of the Ambassador module `prune_unreachable_routes` field is now automatic, which
+- Feature: The behavior of the `ambassador` `Module` `prune_unreachable_routes` field is now automatic, which
   should reduce Envoy memory requirements for installations with many `AmbassadorHost`s
 
 - Bugfix: Each `AmbassadorHost` can specify its `requestPolicy.insecure.action` independently of any other
@@ -258,8 +258,8 @@ installations, reduce memory footprint, and improve performance. We welcome feed
   or, e.g., Zipkin's V1 collector protocol. Further details are available in the <a
   href="about/changes-2.0.0">2.0.0 Changes</a> document.
 
-- Change: The `tls` module and the `tls` field in the Ambassador module are no longer supported. Please use
-  `TLSContext` resources instead.
+- Change: The `tls` module and the `tls` field in the `ambassador` `Module` are no longer supported. Please
+  use `TLSContext` resources instead.
 
 - Change: The environment variable `AMBASSADOR_FAST_RECONFIGURE` is now set by default, enabling the
   higher-performance implementation of the code that Ambassador Edge Stack uses to generate and
@@ -305,7 +305,7 @@ installations, reduce memory footprint, and improve performance. We welcome feed
 
 - Change: Update from Envoy 1.15 to 1.17.3
 
-- Feature: You can now set `allow_chunked_length` in the Ambassador Module to configure the same value in
+- Feature: You can now set `allow_chunked_length` in the `ambassador` `Module` to configure the same value in
   Envoy.
 
 - Change: `AMBASSADOR_ENVOY_API_VERSION` now defaults to `V3`
@@ -394,9 +394,8 @@ installations, reduce memory footprint, and improve performance. We welcome feed
 
 ## Ambassador Edge Stack
 
-- Security: Ambassador Edge Stack has been updated to Envoy 1.15.5, which addresses a high severity security
-  vulnerability (CVE-2021-29492). Ambassador Edge Stack can now be configured to reject client
-  requests that contain escaped slashes.
+- Security: Incorporate the Envoy 1.15.5 security update by adding the `reject_requests_with_escaped_slashes`
+  option to the `ambassador` `Module`.
 
 
 ## [1.13.3] May 03, 2021

charts/edge-stack/CHANGELOG.md

@@ -7,6 +7,10 @@ numbering uses [semantic versioning](http://semver.org).
 
 (no changes yet)
 
+## v7.1.10
+
+- Switch Edge Stack CRDs to API version `v3alpha1`.
+
 ## v7.1.9
 
 - Update Edge Stack chart image to version v2.0.4: [CHANGELOG](https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md)

charts/edge-stack/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.0.4
 description: A Helm chart for Ambassador Edge Stack
 name: edge-stack
-version: 7.1.9
+version: 7.1.10
 # TODO: change these to whatever the appropriate things are
 icon: https://www.getambassador.io/images/logo.png
 home: https://www.getambassador.io/

charts/edge-stack/crds/filter.yaml

@@ -1,5 +1,5 @@
 ---
-# Source: edge-stack/charts/emissary-ingress/crds/filter.yaml
+# Source: edge-stack/charts/edge-stack/crds/filter.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -22,14 +22,22 @@ spec:
   scope: Namespaced
   versions:
   - name: v1beta2
-    served: true
+    served: false
     storage: false
     schema:
       openAPIV3Schema:
         description: Filter specifies an Ambassador Edge Stack filter
         type: object
         x-kubernetes-preserve-unknown-fields: true
   - name: v2
+    served: false
+    storage: false
+    schema:
+      openAPIV3Schema:
+        description: Filter specifies an Ambassador Edge Stack filter
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+  - name: v3alpha1
     served: true
     storage: true
     schema:

charts/edge-stack/crds/filterpolicy.yaml

@@ -1,5 +1,5 @@
 ---
-# Source: edge-stack/charts/emissary-ingress/crds/filterpolicy.yaml
+# Source: edge-stack/charts/edge-stack/crds/filterpolicy.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -22,14 +22,22 @@ spec:
   scope: Namespaced
   versions:
   - name: v1beta2
-    served: true
+    served: false
     storage: false
     schema:
       openAPIV3Schema:
         description: Filter specifies an Ambassador Edge Stack filter
         type: object
         x-kubernetes-preserve-unknown-fields: true
   - name: v2
+    served: false
+    storage: false
+    schema:
+      openAPIV3Schema:
+        description: Filter specifies an Ambassador Edge Stack filter
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+  - name: v3alpha1
     served: true
     storage: true
     schema:

charts/edge-stack/crds/ratelimit.yaml

@@ -1,5 +1,5 @@
 ---
-# Source: edge-stack/charts/emissary-ingress/crds/ratelimit.yaml
+# Source: edge-stack/charts/edge-stack/crds/ratelimit.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -22,14 +22,22 @@ spec:
   scope: Namespaced
   versions:
   - name: v1beta1
-    served: true
+    served: false
     storage: false
     schema:
       openAPIV3Schema:
         description: Filter specifies an Ambassador Edge Stack filter
         type: object
         x-kubernetes-preserve-unknown-fields: true
   - name: v2
+    served: false
+    storage: false
+    schema:
+      openAPIV3Schema:
+        description: Filter specifies an Ambassador Edge Stack filter
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+  - name: v3alpha1
     served: true
     storage: true
     schema:

docs/releaseNotes.yml

@@ -34,17 +34,18 @@ items:
   - version: 2.0.4
     date: '2021-10-19'
     notes:
-      - title: General availability for new installations!
+      - title: General availability!
         type: feature
         body: >-
-          We're pleased to introduce $productName$ 2.0.4 for general availability for new
-          installations! The 2.X family introduces a number of changes to allow $productName$
-          to more gracefully handle larger installations, reduce global configuration to better
+          We're pleased to introduce $productName$ 2.0.4 for general availability! The
+          2.X family introduces a number of changes to allow $productName$ to more
+          gracefully handle larger installations, reduce global configuration to better
           handle multitenant or multiorganizational installations, reduce memory footprint, and
           improve performance. We welcome feedback!! Join us on
           <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
         isHeadline: true
         docs: about/changes-2.0.0
+        image: ./edge-stack-ga.png
 
       - title: API version getambassador.io/v3alpha1
         type: change
@@ -56,13 +57,17 @@ items:
           is the only supported API version for 2.0.4</b> &mdash; full support for
           <code>getambassador.io/v2</code> will arrive soon in a later 2.X version.
         docs: about/changes-2.0.0
+        image: ./v2.0.4-v3alpha1.png
 
       - title: Support for Kubernetes 1.22
         type: feature
         body: >-
           The <code>getambassador.io/v3alpha1</code> API version and the published chart
-          and manifests have been updated to support Kubernetes 1.22.
+          and manifests have been updated to support Kubernetes 1.22. Thanks to
+          <a href="https://github.com/imoisharma">Mohit Sharma</a> for contributions to
+          this feature!
         docs: about/changes-2.0.0
+        image: ./v2.0.4-k8s-1.22.png
 
       - title: Mappings support configuring strict or logical DNS
         type: feature
@@ -71,6 +76,7 @@ items:
           <code>logical_dns</code> in a <code>Mapping</code> to configure the Service
           Discovery Type.
         docs: topics/using/mappings/#dns-configuration-for-mappings
+        image: ./v2.0.4-mapping-dns-type.png
 
       - title: Mappings support controlling DNS refresh with DNS TTL
         type: feature
@@ -97,6 +103,7 @@ items:
         - title: "#3854"
           link: https://github.com/emissary-ingress/emissary/issues/3854
         docs: https://github.com/emissary-ingress/emissary/issues/3854
+        image: ./v2.0.4-version.png
 
       - title: Large configurations work correctly with Ambassador Cloud
         type: bugfix
@@ -114,6 +121,7 @@ items:
           The <code>l7Depth</code> element of the <code>Listener</code> CRD is 
           properly supported.
         docs: topics/running/listener#l7depth
+        image: ./v2.0.4-l7depth.png
 
   - version: 2.0.3-ea
     date: '2021-09-16'
@@ -163,7 +171,7 @@ items:
 
       - title: Expose Envoy's allow_chunked_length HTTPProtocolOption
         type: feature
-        body: "You can now set <code>allow_chunked_length</code> in the Ambassador Module to configure the same value in Envoy."
+        body: "You can now set <code>allow_chunked_length</code> in the <code>ambassador</code> <code>Module</code> to configure the same value in Envoy."
         docs: topics/running/ambassador/#content-length-headers
 
       - title: Envoy-configuration snapshots saved
@@ -260,7 +268,7 @@ items:
         type: feature
 
       - title: Memory usage improvements for installations with many AmbassadorHosts
-        body: The behavior of the Ambassador module <code>prune_unreachable_routes</code> field is now automatic, which should reduce Envoy memory requirements for installations with many <code>AmbassadorHost</code>s
+        body: The behavior of the <code>ambassador</code> <code>Module</code> <code>prune_unreachable_routes</code> field is now automatic, which should reduce Envoy memory requirements for installations with many <code>AmbassadorHost</code>s
         docs: topics/running/ambassador/#prune-unreachable-routes
         image: ./edge-stack-2.0.0-prune_routes.png
         type: feature
@@ -311,7 +319,7 @@ items:
         docs: about/changes-2.0.0/#envoy-v3-api-by-default
 
       - title: Module-based TLS no longer supported
-        body: The <code>tls</code> module and the <code>tls</code> field in the Ambassador module are no longer supported. Please use <code>TLSContext</code> resources instead.
+        body: The <code>tls</code> module and the <code>tls</code> field in the <code>ambassador</code> <code>Module</code> are no longer supported. Please use <code>TLSContext</code> resources instead.
         docs: about/changes-2.0.0/#tls-the-ambassador-module-and-the-tls-module
         image: ./edge-stack-2.0.0-tlscontext.png
         type: change
@@ -386,7 +394,7 @@ items:
       - title: Expose Envoy's allow_chunked_length HTTPProtocolOption
         type: feature
         body: >-
-          You can now set <code>allow_chunked_length</code> in the Ambassador Module to configure
+          You can now set <code>allow_chunked_length</code> in the <code>ambassador</code> <code>Module</code> to configure
           the same value in Envoy.
         docs: topics/running/ambassador/#content-length-headers
 
@@ -529,7 +537,9 @@ items:
     date: '2021-05-11'
     notes:
       - title: Envoy 1.15.5
-        body: $productName$ has been updated to Envoy 1.15.5, which addresses a high severity security vulnerability (CVE-2021-29492). $productName$ can now be configured to reject client requests that contain escaped slashes.
+        body: >-
+          Incorporate the Envoy 1.15.5 security update by adding the
+          <code>reject_requests_with_escaped_slashes</code> option to the <code>ambassador</code> <code>Module</code>.
         image: ../images/edge-stack-1.13.4.png
         docs: topics/running/ambassador/#rejecting-client-requests-with-escaped-slashes
         type: security