diff --git a/.circleci/config.yml b/.circleci/config.yml
index 6f23489..743c129 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -348,7 +348,7 @@ commands:
parameters:
"version":
type: string
- default: "1.15"
+ default: "1.19.1"
steps:
- run:
name: "Install Go << parameters.version >>"
diff --git a/.circleci/config.yml.d/generic_util.yml b/.circleci/config.yml.d/generic_util.yml
index 9c916f7..606235d 100644
--- a/.circleci/config.yml.d/generic_util.yml
+++ b/.circleci/config.yml.d/generic_util.yml
@@ -79,7 +79,7 @@ commands:
parameters:
"version":
type: string
- default: "1.15"
+ default: "1.19.1"
steps:
- run:
name: "Install Go << parameters.version >>"
diff --git a/.circleci/yq.d/go.mod b/.circleci/yq.d/go.mod
index dea3eb3..8b06cfd 100644
--- a/.circleci/yq.d/go.mod
+++ b/.circleci/yq.d/go.mod
@@ -1,6 +1,6 @@
module github.com/datawire/build-aux/bin-go/yq
-go 1.17
+go 1.19
require github.com/mikefarah/yq/v4 v4.25.1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f91c343..9aaa0fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -77,16 +77,186 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
## RELEASE NOTES
+## [3.2.0] 2022-09-27
+[3.2.0]: https://github.com/datawire/edge-stack/releases/v3.2.0
+
+## Ambassador Edge Stack
+
+- Change: The envoy version included in Ambassador Edge Stack has been upgraded from 1.22 to the latest
+ patch release of 1.23. This provides Ambassador Edge Stack with the latest security patches,
+ performances enhancments, and features offered by the envoy proxy.
+
+- Change: Changes to label matching will change how `Hosts` are associated with `Mappings`. There was a bug
+ with label selectors that was causing `Hosts` to be incorrectly being associated with more
+ `Mappings` than intended. If any single label from the selector was matched then the `Host` would
+ be associated with the `Mapping`. Now it has been updated to correctly only associate a `Host`
+ with a `Mapping` if _all_ labels required by the selector are present. This brings the
+ `mappingSelector` field in-line with how label selectors are used in Kubernetes. To avoid
+ unexpected behaviour after the upgrade, add all labels that Hosts have in their `mappingSelector`
+ to `Mappings` you want to associate with the `Host`. You can opt-out of the new behaviour by
+ setting the environment variable `DISABLE_STRICT_LABEL_SELECTORS` to `"true"` (default:
+ `"false"`). (Thanks to Filip Herceg and Joe Andaverde!).
+
+- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the Host. The
+ `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets
+ from different namespaces.
+
+- Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
+ inserted to clusters manually. This can help resolve with `503 UH` caused by certification
+ rotation relating to a delay between EDS + CDS. The default is `false`.
+
+- Bugfix: Distinct services with names that are the same in the first forty characters will no longer be
+ incorrectly mapped to the same cluster. ([#4354])
+
+- Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then it will
+ allow traffic through. The `RateLimitService` resource now exposes the failure_mode_deny
+ option. Set `failure_mode_deny: true`, then Envoy will deny traffic when it is unable to
+ communicate to the RateLimitService returning a 500.
+
+- Bugfix: Previously, setting the `stats_name` for the `TracingService`, `RateLimitService` or the
+ `AuthService` would have no affect because it was not being properly passed to the Envoy cluster
+ config. This has been fixed and the `alt_stats_name` field in the cluster config is now set
+ correctly. (Thanks to Paul!)
+
+- Feature: The `AMBASSADOR_RECONFIG_MAX_DELAY` env var can be optionally set to batch changes for the
+ specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is
+ "1" if not set.
+
+- Bugfix: If a `Host` or `TLSContext` contained a hostname with a `:` when using the diagnostics endpoints
+ `ambassador/v0/diagd` then an error would be thrown due to the parsing logic not being able to
+ handle the extra colon. This has been fixed and Ambassador Edge Stack will not throw an error when
+ parsing envoy metrics for the diagnostics user interface.
+
+- Feature: It is now possible to set `custom_tags` in the `TracingService`. Trace tags can be set based on
+ literal values, environment variables, or request headers. (Thanks to Paul!) ([#4181])
+
+- Bugfix: Ambassador Edge Stack 2.0.0 introduced a bug where a `TCPMapping` that uses SNI, instead of using
+ the hostname glob in the `TCPMapping`, uses the hostname glob in the `Host` that the TLS
+ termination configuration comes from.
+
+- Bugfix: Ambassador Edge Stack 2.0.0 introduced a bug where a `TCPMapping` that terminates TLS must have a
+ corresponding `Host` that it can take the TLS configuration from. This was semi-intentional, but
+ didn't make much sense. You can now use a `TLSContext` without a `Host`as in Ambassador Edge
+ Stack 1.y releases, or a `Host` with or without a `TLSContext` as in prior 2.y releases.
+
+- Bugfix: Prior releases of Ambassador Edge Stack had the arbitrary limitation that a `TCPMapping` cannot be
+ used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
+ Ambassador Edge Stack now allows `TCPMappings` to be used on the same `Listener` port as HTTP
+ `Hosts`, as long as that `Listener` terminates TLS.
+
+- Security: Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.
+
+- Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a
+ FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted
+ in k8s which would lead to validation issues when trying to kubectl apply the custom resource.
+ This fixes these issues to ensure the correct data is being persisted and roundtripped properly
+ between CRD versions.
+
+- Feature: You may now define (on supported IDPs) a `postLogoutRedirectURI` to your `Oauth2` filter. This
+ will allow you to redirect to a specific URI upon logging out. However, in order to achieve this
+ you must define your IDP logout URL to `https:{{host}}/.ambassador/oauth2/post-logout-redirect`.
+ Upon logout Ambassador Edge Stack will redirect to the custom URI which will then redirect to the
+ URI you have defined in `postLogoutRedirectURI`.
+
+[#4354]: https://github.com/emissary-ingress/emissary/issues/4354
+[#4181]: https://github.com/emissary-ingress/emissary/pull/4181
+
+## [3.1.0] 2022-08-01
+[3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0
+
+## Ambassador Edge Stack
+
+- Feature: A new `Fitler` has been added to support validating APIKey's on incoming requests. The new
+ `APIKeyFilter` when applied with a `FilterPolicy` will check to see if the incoming requests has
+ a valid API Key in the request header. Ambassador Edge Stack uses Kubernetes `Secret`'s to lookup
+ valid keys for authorizing requests.
+
+- Feature: Emissary-ingress has been taught to watch for APIKey secrets when Ambassador Edge Stack is running
+ and makes them available to be used with the new `APIKeyFilter`.
+
+- Feature: A new opt-in feature flag has been added that allows Ambassador Edge Stack to use a new Redis
+ driver when storing state between requests for the OAuth2 Filter. The new driver has better
+ connection pool handling, shares connections and supports the Redis RESP3 protocol. Set
+ `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` to enable the experimental feature. Most of the
+ standard Redis configuration fields (e.g.`REDIS_*`) can be used with the driver. Howeever, due to
+ the drivers better connection handling the new driver no longer supports setting
+ `REDIS_SURGE_LIMIT_INTERVAL`, `REDIS_SURGE_LIMIT_AFTER`, `REDIS_SURGE_POOL_SIZE`,
+ `REDIS_SURGE_POOL_DRAIN_INTERVAL` and these will be ignored.
+Note: Other Ambassador Edge Stack
+ features such as the `RateLimitService` will continue to use the current Redis driver and in
+ future releases we plan to roll out the new driver for those features as well.
+
+- Change: If Ambassador Edge Stack is running then Emissary-ingress ensures that only a single
+ RateLimitService is active. If a user doesn't provide one or provides an invalid one then a
+ synthetic RateLimitService will be injected. If the `protocol_version` field is not set or set to
+ an invalid value then it will automatically get upgraded `protocol_version: v3`.
+This matches the
+ existing behavior that was introduced in Ambassador Edge Stack v3.0.0 for the `AuthService`. For
+ new installs a valid `RateLimitService` will be added but this change ensures a smooth upgrade
+ from Ambassador Edge Stack to v2.3.Z to v3.Y for users who use the manifest in a GitOps scenario.
+
+- Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3,
+ making them available for use in the dev portal.
+
+- Change: In the standard published `.yaml` files, the `Module` resource enables serving remote client
+ requests to the `:8877/ambassador/v0/diag/` endpoint. The associated Helm chart release also now
+ enables it by default.
+
+- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure"
+ flag to true for `https://` origins and false for `http://` origins. However, for filters with
+ multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather
+ than the origin that the cookie is actually for.
+
+- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active
+ login (which only happens when using a refresh token), it would erroneously redirect the web
+ browser to the last origin listed, rather than returning to the original URL. This has been
+ fixed.
+
+- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and
+ `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would
+ cause the browser to reject the request. This has now been fixed and these endpoints will attach
+ the appropriate CORS headers to the response.
+
+- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
+ emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
+ that all the nodes composing the emissary ingress cluster are reporting properly.
+
+- Bugfix: Previously, we would inject an upstream route for acme-challenge that was targeting the localhost
+ auth service cluster. This route is injected to make Envoy configuration happy and the AuthService
+ that is shipped with Ambassador Edge Stack will handle it properly. However, if the cluster name
+ is longer than 60 characters due to a long namespace, etc... then Ambassador Edge Stack will
+ truncate it and make sure it is unique. When this happens the name of the cluster assigned to the
+ acme-challenge route would get out-of-sync and would introduce invalid Envoy configuration.
+To
+ avoid this Ambassador Edge Stack will now inject a route that returns a direct `404` response
+ rather than pointing at an arbitrary cluster. This matches existing behavior and is a transparent
+ change to the user.
+
+- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
+ CVE-2022-24921, CVE-2022-23772.
+
+- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
+ CVE-2022-27780.
+
+- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
+
+- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
+
+- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160.
+
## [3.0.0] 2022-06-29
[3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0
## Ambassador Edge Stack
- Change: Ambassador Edge Stack is now built on top of Emissary-ingress 3.0.0 which updates Envoy Proxy from
- v1.17 to v1.22. This provides Ambassador Edge Stack with the latest security patches,
- performances enhancments, and features offered by Envoy Proxy. One notable change that will
- effect users is the removal of support for the V2 xDS tranport protocol. See the Emissary-ingress
- changelog for more details.
+ v1.17 to v1.22. This provides Ambassador Edge Stack with the latest security patches, performances
+ enhancments, and features offered by Envoy Proxy. One notable change that will effect users is the
+ removal of support for the V2 xDS tranport protocol. See the Emissary-ingress changelog for more
+ details.
- Change: In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached to request.
First, the `:scheme` header is now attached to upstream requests over HTTP/1.1 to align with
@@ -100,9 +270,64 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
transport protocol.
- Change: Since Ambassador Edge Stack no longer supports the xDS V2 transport protocol, the default Helm
- Charts and Manifest explicilty set `protocol_version` to `v3` for the `RateLimitService` and
+ Charts and Manifest explicilty set `protocol_version` to `v3` for the `RateLimitService` and
`AuthService` provided by Ambassador Edge Stack.
+## [2.4.0] 2022-09-19
+[2.4.0]: https://github.com/datawire/edge-stack/releases/v2.4.0
+
+## Ambassador Edge Stack
+
+- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the Host. The
+ `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets
+ from different namespaces.
+
+- Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
+ inserted to clusters manually. This can help resolve with `503 UH` caused by certification
+ rotation relating to a delay between EDS + CDS. The default is `false`.
+
+- Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a
+ FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted
+ in k8s which would lead to validation issues when trying to kubectl apply the custom resource.
+ This fixes these issues to ensure the correct data is being persisted and roundtripped properly
+ between CRD versions.
+
+## [2.3.2] 2022-08-01
+[2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2
+
+## Ambassador Edge Stack
+
+- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure"
+ flag to true for `https://` origins and false for `http://` origins. However, for filters with
+ multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather
+ than the origin that the cookie is actually for.
+
+- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active
+ login (which only happens when using a refresh token), it would erroneously redirect the web
+ browser to the last origin listed, rather than returning to the original URL. This has been
+ fixed.
+
+- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and
+ `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would
+ cause the browser to reject the request. This has now been fixed and these endpoints will attach
+ the appropriate CORS headers to the response.
+
+- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
+ emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
+ that all the nodes composing the emissary ingress cluster are reporting properly.
+
+- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
+ CVE-2022-24921, CVE-2022-23772.
+
+- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
+ CVE-2022-27780.
+
+- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
+
+- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
+
+- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160.
+
## [2.3.1] 2022-06-09
[2.3.1]: https://github.com/datawire/edge-stack/releases/v2.3.1
diff --git a/Makefile b/Makefile
index b38a067..c47835c 100644
--- a/Makefile
+++ b/Makefile
@@ -71,7 +71,8 @@ generate:
generate-clean:
rm -rf $(generate/files)
-.PHONY: generate
+ rm -rf $(EDGE_STACK_HOME)/charts/edge-stack/charts/
+.PHONY: generate-clean
$(EDGE_STACK_HOME)/CHANGELOG.md: $(EDGE_STACK_HOME)/docs/CHANGELOG.tpl $(EDGE_STACK_HOME)/docs/releaseNotes.yml
docker run --rm \
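Review bot: The new `rm -rf $(EDGE_STACK_HOME)/charts/edge-stack/charts/` in `generate-clean` is unguarded: if `EDGE_STACK_HOME` expands to empty when this recipe runs, the command becomes `rm -rf /charts/edge-stack/charts/` against the filesystem root, and nothing stops it. I can't see where the variable is assigned from this hunk, so a cheap guard as the first line of the recipe would be `$(if $(EDGE_STACK_HOME),,$(error EDGE_STACK_HOME must be set))`. Separately, the hunk replaces `.PHONY: generate` with `.PHONY: generate-clean`; that reads like the intended fix for a typo, but unless `generate` is declared phony elsewhere in the file, a file or directory named `generate` in the working tree would now turn that target into a silent no-op.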
diff --git a/VERSION b/VERSION
index 4a36342..944880f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.0.0
+3.2.0
diff --git a/charts/edge-stack/CHANGELOG.md b/charts/edge-stack/CHANGELOG.md
index aaaa26b..bd49ac5 100644
--- a/charts/edge-stack/CHANGELOG.md
+++ b/charts/edge-stack/CHANGELOG.md
@@ -2,11 +2,24 @@
This file documents all notable changes to Edge Stack Helm Chart. The release
numbering uses [semantic versioning](http://semver.org).
+## v8.2.0
+
+- Update Edge Stack chart image to version v3.2.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md)
+
+## v8.1.0
+
+- Update Edge Stack chart image to version v3.1.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md)
## v8.0.0
- Update Edge Stack chart image to version v3.0.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md)
+## v7.5.0
+- Update Edge Stack chart image to version v2.4.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md)
+
+## v7.4.2
+- Update Edge Stack chart image to version v2.3.2: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md)
+
## v7.4.1
- Update Edge Stack chart image to version v2.3.1: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md)
diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock
index 8173fe7..aa96fae 100644
--- a/charts/edge-stack/Chart.lock
+++ b/charts/edge-stack/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: emissary-ingress
repository: https://s3.amazonaws.com/datawire-static-files/charts
- version: 8.0.0
-digest: sha256:5cf1b088272dfcb672dbab5471946c3d3bd2b5d924a669863676593f68c50d91
-generated: "2022-06-28T13:33:23.110421-05:00"
+ version: 8.2.0
+digest: sha256:f46f64fd6e4be3020311d3931b9db273b776ad13e078ea781bddebc79bfab1eb
+generated: "2022-09-27T15:43:43.215815585-04:00"
diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml
index d698896..540b02c 100644
--- a/charts/edge-stack/Chart.yaml
+++ b/charts/edge-stack/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
-appVersion: 3.0.0
+appVersion: 3.2.0
description: A Helm chart for Ambassador Edge Stack
name: edge-stack
-version: 8.0.0
+version: 8.2.0
# TODO: change these to whatever the appropriate things are
icon: https://www.getambassador.io/images/logo.png
home: https://www.getambassador.io/
@@ -27,5 +27,5 @@ maintainers:
engine: gotpl
dependencies:
- name: emissary-ingress
- version: 8.0.0
+ version: 8.2.0
repository: https://s3.amazonaws.com/datawire-static-files/charts
diff --git a/charts/edge-stack/templates/aes-redis.yaml b/charts/edge-stack/templates/aes-redis.yaml
index 7169cdb..313c120 100644
--- a/charts/edge-stack/templates/aes-redis.yaml
+++ b/charts/edge-stack/templates/aes-redis.yaml
@@ -90,6 +90,14 @@ spec:
imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
resources:
{{- toYaml .Values.redis.resources | nindent 10 }}
+ {{- if .Values.redis.containerArgs }}
+ args:
+ {{- toYaml .Values.redis.containerArgs | nindent 10 }}
+ {{- end }}
+ {{- if .Values.redis.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.redis.imagePullSecrets | nindent 8 }}
+ {{- end }}
restartPolicy: Always
{{- with .Values.redis.nodeSelector }}
nodeSelector:
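Review bot: The `args:` block rendered from `.Values.redis.containerArgs` replaces the Redis image's command line verbatim, and everything in it is visible in the Deployment spec, `kubectl describe pod`, and the container's process table; if an operator uses it to pass credentials such as `--requirepass <password>`, that secret is exposed in plain text to anyone who can read pods. I would add a comment above the `{{- if .Values.redis.containerArgs }}` line, `# NOTE: args are visible in the pod spec and process list; pass secrets via a mounted Secret/config file, not here`. The `imagePullSecrets` block uses `nindent 8` while `args` uses `nindent 10`, which is consistent with pod-spec versus container placement, but leading indentation is not visible in this view, so please confirm the `imagePullSecrets:` key itself sits at the pod-spec level next to `restartPolicy`.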
diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml
index d440a10..3a33fad 100644
--- a/charts/edge-stack/values.yaml
+++ b/charts/edge-stack/values.yaml
@@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break
image:
repository: docker.io/datawire/aes
- tag: 3.0.0
+ tag: 3.2.0
pullPolicy: IfNotPresent
rbac:
@@ -150,6 +150,14 @@ redis:
nodeSelector: {}
affinity: {}
tolerations: {}
+ # Arguments for the redis container
+ containerArgs: {}
+ # - arg1
+ # - arg2
+ # Secrets used for pulling the redis image from a private repo
+ imagePullSecrets: {}
+ # - name: example-secret-1
+ # - name: example-secret-2
# Configures the AuthService that ships with the Ambassador Edge Stack.
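Review bot: The new defaults `containerArgs: {}` and `imagePullSecrets: {}` are mappings, while both Kubernetes fields and the commented examples directly below them are lists; the template's `{{- if }}` guards happen to skip an empty map, but a user who edits the default in place rather than copying the example will hand `toYaml` a mapping, which renders under `args:`/`imagePullSecrets:` as a map the API server rejects. Change them to `containerArgs: []` and `imagePullSecrets: []` so the documented type and the default agree. Since `containerArgs` replaces the image's command line, the comment should also say so and warn that the values are visible in the pod spec, e.g. `# Arguments for the redis container (replaces the image CMD; visible in the pod spec, so do not put credentials here)`.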
diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml
index 0270ce9..3c9517b 100644
--- a/docs/releaseNotes.yml
+++ b/docs/releaseNotes.yml
@@ -32,6 +32,246 @@
changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md
items:
+ - version: 3.2.0
+ date: '2022-09-27'
+ notes:
+ - title: Envoy upgraded to 1.23
+ type: change
+ body: >-
+ The envoy version included in $productName$ has been upgraded from 1.22 to the latest patch
+ release of 1.23. This provides $productName$ with the latest security patches, performances enhancments,
+ and features offered by the envoy proxy.
+ docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.23/v1.23.0
+ - title: Fixed mappingSelector associating Hosts with Mappings
+ type: change
+ body: >-
+ Changes to label matching will change how Hosts are associated with Mappings. There was a bug with label
+ selectors that was causing Hosts to be incorrectly being associated with more Mappings than intended.
+ If any single label from the selector was matched then the Host would be associated with the Mapping.
+ Now it has been updated to correctly only associate a Host with a Mapping if all labels required by
+ the selector are present. This brings the mappingSelector field in-line with how label selectors are used
+ in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their
+ mappingSelector to Mappings you want to associate with the Host. You can opt-out of the new behaviour
+ by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to "true" (default: "false").
+ (Thanks to Filip Herceg and Joe Andaverde!).
+ - title: Add support for Host resources using secrets from different namespaces
+ type: feature
+ body: >-
+ Previously the Host resource could only use secrets that are in the namespace as the
+ Host. The tlsSecret field in the Host has a new subfield namespace that will allow
+ the use of secrets from different namespaces.
+ - title: Allow bypassing of EDS for manual endpoint insertion
+ type: change
+ body: >-
+ Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
+ inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to
+ a delay between EDS + CDS. The default is `false`.
+ - title: Correctly manage cluster names when service names are very long
+ type: bugfix
+ body: >-
+ Distinct services with names that are the same in the first forty characters
+ will no longer be incorrectly mapped to the same cluster.
+ github:
+ - title: "#4354"
+ link: https://github.com/emissary-ingress/emissary/issues/4354
+ - title: Add failure_mode_deny option to the RateLimitService
+ type: feature
+ body: >-
+ By default, when Envoy is unable to communicate with the configured
+ RateLimitService then it will allow traffic through. The
+ RateLimitService resource now exposes the
+ failure_mode_deny
+ option. Set failure_mode_deny: true, then Envoy will
+ deny traffic when it is unable to communicate to the RateLimitService
+ returning a 500.
+ docs: https://www.getambassador.io/docs/emissary/latest/topics/running/services/rate-limit-service/
+ - title: Properly populate alt_state_name for Tracing, Auth and RateLimit Services
+ type: bugfix
+ body: >-
+ Previously, setting the stats_name for the TracingService, RateLimitService
+ or the AuthService would have no affect because it was not being properly passed to the Envoy cluster
+ config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly.
+ (Thanks to Paul!)
+ - title: Add support for config change batch window before reconfiguring Envoy
+ type: feature
+ body: >-
+ The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified
+ non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.
+ - title: Diagnostics stats properly handles parsing envoy metrics with colons
+ type: bugfix
+ body: >-
+ If a Host or TLSContext contained a hostname with a : when using the
+ diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not
+ being able to handle the extra colon. This has been fixed and $productName$ will not throw an error when parsing
+ envoy metrics for the diagnostics user interface.
+ - title: Allow setting custom_tags for traces
+ type: feature
+ body: >-
+ It is now possible to set custom_tags in the
+ TracingService. Trace tags can be set based on
+ literal values, environment variables, or request headers.
+ (Thanks to Paul!)
+ github:
+ - title: "#4181"
+ link: https://github.com/emissary-ingress/emissary/pull/4181
+ - title: TCPMappings use correct SNI configuration
+ type: bugfix
+ body: >-
+ $productName$ 2.0.0 introduced a bug where a TCPMapping that uses SNI,
+ instead of using the hostname glob in the TCPMapping, uses the hostname glob
+ in the Host that the TLS termination configuration comes from.
+ - title: TCPMappings configure TLS termination without a Host resource
+ type: bugfix
+ body: >-
+ $productName$ 2.0.0 introduced a bug where a TCPMapping that terminates TLS
+ must have a corresponding Host that it can take the TLS configuration from.
+ This was semi-intentional, but didn't make much sense. You can now use a
+ TLSContext without a Hostas in $productName$ 1.y releases, or a
+ Host with or without a TLSContext as in prior 2.y releases.
+ - title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS
+ type: bugfix
+ body: >-
+ Prior releases of $productName$ had the arbitrary limitation that a
+ TCPMapping cannot be used on the same port that HTTP is served on, even if
+ TLS+SNI would make this possible. $productName$ now allows TCPMappings to be
+ used on the same Listener port as HTTP Hosts, as long as that
+ Listener terminates TLS.
+ - title: Update Golang to 1.19.1
+ type: security
+ body: >-
+ Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.
+ - title: Properly convert FilterPolicy and ExternalFilter between CRD versions
+ type: bugfix
+ body: >-
+ Previously, $productName$ would incorrectly include empty fields when converting a FilterPolicy
+ or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which
+ would lead to validation issues when trying to kubectl apply the custom resource. This fixes these
+ issues to ensure the correct data is being persisted and roundtripped properly between CRD versions.
+ - title: Add Post Logout Redirect URI support for Oauth2 Filter
+ type: feature
+ body: >-
+ You may now define (on supported IDPs) a postLogoutRedirectURI to your Oauth2 filter.
+ This will allow you to redirect to a specific URI upon logging out. However, in order to achieve this you must
+ define your IDP logout URL to https:{{host}}/.ambassador/oauth2/post-logout-redirect. Upon logout
+ $productName$ will redirect to the custom URI which will then redirect to the URI you have defined in postLogoutRedirectURI.
+ docs: topics/using/filters/oauth2
+
+ - version: 3.1.0
+ date: '2022-08-01'
+ notes:
+ - title: Add new Filter to support authenticating APIKey's
+ type: feature
+ body: >-
+ A new Fitler has been added to support validating APIKey's on incoming requests.
+ The new APIKeyFilter when applied with a FilterPolicy will check to
+ see if the incoming requests has a valid API Key in the request header. $productName$ uses
+ Kubernetes Secret's to lookup valid keys for authorizing requests.
+ - title: Add support to watch for secrets with APIKey's
+ type: feature
+ body: >-
+ Emissary-ingress has been taught to watch for APIKey secrets when $productName$ is running and
+ makes them available to be used with the new APIKeyFilter.
+ - title: A new experimental Redis driver for use with the OAuth2 Filter
+ type: feature
+ body: >-
+ A new opt-in feature flag has been added that allows $productName$ to use a new Redis
+ driver when storing state between requests for the OAuth2 Filter. The new driver has
+ better connection pool handling, shares connections and supports the Redis RESP3 protocol.
+ Set AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true to enable the experimental feature.
+ Most of the standard Redis configuration fields (e.g.REDIS_*) can be used with the driver.
+ Howeever, due to the drivers better connection handling the new driver no longer supports setting
+ REDIS_SURGE_LIMIT_INTERVAL, REDIS_SURGE_LIMIT_AFTER, REDIS_SURGE_POOL_SIZE,
+ REDIS_SURGE_POOL_DRAIN_INTERVAL and these will be ignored.
+
+ Note: Other $productName$ features such as the RateLimitService will continue to use the current
+ Redis driver and in future releases we plan to roll out the new driver for those features as well.
+ - title: Add support for injecting a valid synthetic RateLimitService
+ type: change
+ body: >-
+ If $productName$ is running then Emissary-ingress ensures that only a single RateLimitService is active.
+ If a user doesn't provide one or provides an invalid one then a synthetic RateLimitService will be
+ injected. If the protocol_version field is not set or set to an invalid value then it will
+ automatically get upgraded protocol_version: v3.
+
+ This matches the existing behavior that was introduced in $productName$ v3.0.0 for the
+ AuthService. For new installs a valid RateLimitService will be added but this
+ change ensures a smooth upgrade from $productName$ to v2.3.Z to v3.Y for users who use the manifest
+ in a GitOps scenario.
+ - title: Add Agent support for OpenAPI 2 contracts
+ type: feature
+ body: >-
+ The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, making them
+ available for use in the dev portal.
+ - title: Default YAML enables the diagnostics interface from non-local clients on the admin service port
+ type: change
+ body: >-
+ In the standard published .yaml files, the Module resource enables serving
+ remote client requests to the :8877/ambassador/v0/diag/ endpoint.
+ The associated Helm chart release also now enables it by default.
+ - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins
+ type: bugfix
+ body: >-
+ When an OAuth2 filter sets cookies for a protectedOrigin, it
+ should set a cookie's "Secure" flag to true for https:// origins and false
+ for http:// origins. However, for filters with multiple origins, it set the
+ cookie's flag based on the first origin listen in the Filter, rather than the origin that
+ the cookie is actually for.
+ - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins
+ type: bugfix
+ body: >-
+ When an OAuth2 filter with multiple protectedOrigins needs to
+ adjust the cookies for an active login (which only happens when using a refresh token), it
+ would erroneously redirect the web browser to the last origin listed, rather than
+ returning to the original URL. This has been fixed.
+ - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints
+ type: bugfix
+ body: >-
+ Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout
+ and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request
+ which would cause the browser to reject the request. This has now been fixed and these endpoints will
+ attach the appropriate CORS headers to the response.
+ - title: Fix regression in the agent for the metrics transfer.
+ type: bugfix
+ body: >-
+ A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
+ emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
+ that all the nodes composing the emissary ingress cluster are reporting properly.
+ - title: Handle long cluster names for injected acme-challenge route.
+ type: bugfix
+ body: >-
+ Previously, we would inject an upstream route for acme-challenge that was targeting the localhost
+ auth service cluster. This route is injected to make Envoy configuration happy and the AuthService
+ that is shipped with $productName$ will handle it properly. However, if the cluster name is longer
+ than 60 characters due to a long namespace, etc... then $productName$ will truncate it and make
+ sure it is unique. When this happens the name of the cluster assigned to the acme-challenge route
+ would get out-of-sync and would introduce invalid Envoy configuration.
+
+ To avoid this $productName$ will now inject a route that returns a direct 404 response
+ rather than pointing at an arbitrary cluster. This matches existing behavior and is a transparent
+ change to the user.
+ - title: Update Golang to 1.17.12
+ type: security
+ body: >-
+ Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
+ CVE-2022-24921, CVE-2022-23772.
+ - title: Update Curl to 7.80.0-r2
+ type: security
+ body: >-
+ Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
+ CVE-2022-27780.
+ - title: Update openSSL-dev to 1.1.1q-r0
+ type: security
+ body: >-
+ Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
+ - title: Update ncurses to 1.1.1q-r0
+ type: security
+ body: >-
+ Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
+ - title: Upgrade jwt-go
+ type: security
+ body: >-
+ Upgrade jwt-go to latest commit to resolve CVE-2020-26160.
+
- version: 3.0.0
date: '2022-06-29'
notes:
@@ -39,9 +279,9 @@ items:
type: change
body: >-
$productName$ is now built on top of Emissary-ingress 3.0.0 which updates
- Envoy Proxy from v1.17 to v1.22. This provides $productName$ with the latest
- security patches, performances enhancments, and features offered by Envoy Proxy.
- One notable change that will effect users is the removal of support for
+ Envoy Proxy from v1.17 to v1.22. This provides $productName$ with the latest
+ security patches, performances enhancments, and features offered by Envoy Proxy.
+ One notable change that will effect users is the removal of support for
the V2 xDS tranport protocol. See the Emissary-ingress changelog for more details.
docs: https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md
- title: Envoy http header behavior change
@@ -65,8 +305,86 @@ items:
type: change
body: >-
Since $productName$ no longer supports the xDS V2 transport protocol, the default Helm
- Charts and Manifest explicilty set protocol_version to v3 for
+ Charts and Manifest explicilty set protocol_version to v3 for
the RateLimitService and AuthService provided by $productName$.
+
+ - version: 2.4.0
+ date: '2022-09-19'
+ notes:
+ - title: Add support for Host resources using secrets from different namespaces
+ type: feature
+ body: >-
+ Previously the Host resource could only use secrets that are in the namespace as the
+ Host. The tlsSecret field in the Host has a new subfield namespace that will allow
+ the use of secrets from different namespaces.
+ - title: Allow bypassing of EDS for manual endpoint insertion
+ type: change
+ body: >-
+ Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be
+ inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to
+ a delay between EDS + CDS. The default is `false`.
+ - title: Properly convert FilterPolicy and ExternalFilter between CRD versions
+ type: bugfix
+ body: >-
+ Previously, $productName$ would incorrectly include empty fields when converting a FilterPolicy
+ or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which
+ would lead to validation issues when trying to kubectl apply the custom resource. This fixes these
+ issues to ensure the correct data is being persisted and roundtripped properly between CRD versions.
+
+ - version: 2.3.2
+ date: '2022-08-01'
+ notes:
+ - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins
+ type: bugfix
+ body: >-
+ When an OAuth2 filter sets cookies for a protectedOrigin, it
+ should set a cookie's "Secure" flag to true for https:// origins and false
+ for http:// origins. However, for filters with multiple origins, it set the
+ cookie's flag based on the first origin listen in the Filter, rather than the origin that
+ the cookie is actually for.
+ - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins
+ type: bugfix
+ body: >-
+ When an OAuth2 filter with multiple protectedOrigins needs to
+ adjust the cookies for an active login (which only happens when using a refresh token), it
+ would erroneously redirect the web browser to the last origin listed, rather than
+ returning to the original URL. This has been fixed.
+ - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints
+ type: bugfix
+ body: >-
+ Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout
+ and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request
+ which would cause the browser to reject the request. This has now been fixed and these endpoints will
+ attach the appropriate CORS headers to the response.
+ - title: Fix regression in the agent for the metrics transfer.
+ type: bugfix
+ body: >-
+ A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from
+ emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure
+ that all the nodes composing the emissary ingress cluster are reporting properly.
+ - title: Update Golang to 1.17.12
+ type: security
+ body: >-
+ Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675,
+ CVE-2022-24921, CVE-2022-23772.
+ - title: Update Curl to 7.80.0-r2
+ type: security
+ body: >-
+ Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781,
+ CVE-2022-27780.
+ - title: Update openSSL-dev to 1.1.1q-r0
+ type: security
+ body: >-
+ Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.
+ - title: Update ncurses to 1.1.1q-r0
+ type: security
+ body: >-
+ Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
+ - title: Upgrade jwt-go
+ type: security
+ body: >-
+ Upgrade jwt-go to latest commit to resolve CVE-2020-26160.
+
- version: 2.3.1
date: '2022-06-09'
notes:
@@ -88,6 +406,7 @@ items:
href="https://github.com/emissary-ingress/emissary/issues/2846">does not support internal
redirects, and does not use Envoy's built-in OAuth2 filter.
docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
+
- version: 2.3.0
date: '2022-06-06'
notes:
diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml
index 69e0613..fb62a00 100644
--- a/manifests/edge-stack/aes-ambassadorns-agent.yaml
+++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml
@@ -178,6 +178,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
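Review bot: The new rule at the end of this hunk grants `get, create, delete, patch, watch` on every Secret in the rule's scope with no `resourceNames` restriction, and the rendered manifest gives no hint which secrets the agent actually needs; whether this is a Role or a ClusterRole is not visible in the hunk, and if it is the ClusterRole the agent's service account can read and rewrite any Secret in the cluster, a large widening for a component whose neighbouring rule only needed `get, list, watch` on ConfigMaps. Since the file is rendered from `edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml`, the fix belongs in that template: scope the rule to a namespaced Role or to `resourceNames`, and add a comment such as `# secrets access is required for <reason — TODO(review) confirm and narrow>` so the grant stays reviewable. `watch` without `list` is also an unusual verb set for an informer-based client, so confirm it is intentional. The same rule is added in aes-ambassadorns.yaml, aes-defaultns-agent.yaml, aes-defaultns.yaml, aes-emissaryns-agent.yaml, aes-emissaryns.yaml and aes.yaml.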
@@ -273,7 +276,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml
index 1cdf9a0..00989e7 100644
--- a/manifests/edge-stack/aes-ambassadorns-migration.yaml
+++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml
@@ -140,7 +140,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml
index 8718284..d0740b4 100644
--- a/manifests/edge-stack/aes-ambassadorns.yaml
+++ b/manifests/edge-stack/aes-ambassadorns.yaml
@@ -358,6 +358,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -518,7 +521,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
@@ -593,7 +596,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml
index bdd9045..d7b7d9a 100644
--- a/manifests/edge-stack/aes-crds.yaml
+++ b/manifests/edge-stack/aes-crds.yaml
@@ -131,12 +131,17 @@ spec:
type: object
x-kubernetes-preserve-unknown-fields: true
ifRequestHeader:
+ description: HeaderFieldSelector allows for matching on
+ header fields using an exact match value or using a
+ regular expression match.
properties:
name:
type: string
negate:
type: boolean
value:
+ description: Value is an exact match, empty is a valid
+ value
type: string
valueRegex:
type: string
@@ -198,14 +203,21 @@ spec:
type: object
x-kubernetes-preserve-unknown-fields: true
ifRequestHeader:
+ description: HeaderFieldSelector allows for matching on
+ header fields using an exact match value or using a
+ regular expression match.
properties:
name:
type: string
negate:
type: boolean
value:
+ description: Value will do an exact match on header
+ value, empty is a valid value
type: string
valueRegex:
+ description: ValueRegex will do a match on the header
+ value based on the provide header regular expression
type: string
required:
- name
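Review bot: The `valueRegex` description added at the end of this hunk has a typo (`provide header regular expression`) and does not say which regex dialect is accepted, which is the one thing a user writing the pattern needs to know; if the match is delegated to Envoy's RE2-based matcher, state it, e.g. `ValueRegex will do a match on the header value using the provided regular expression (RE2 syntax)`. The two copies of the `value` description also disagree (`Value is an exact match, empty is a valid value` in the previous hunk versus `Value will do an exact match on header value, empty is a valid value` here), and the previous hunk's `valueRegex` gets no description at all. These are controller-gen output, so the wording to align is the Go doc comment on the HeaderFieldSelector type; the same descriptions recur in the `useSessionCookies` hunks further down.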
@@ -339,10 +351,10 @@ spec:
type: object
JWT:
description: "FilterJWT \n Currently supported algorithms: \n - RSA
- \ * \"RS256\" * \"RS384\" * \"RS512\" - RSA-PSS * \"PS256\"
- \ * \"PS384\" * \"PS512\" - ECDSA * \"ES256\" * \"ES384\"
- \ * \"ES512\" - HMAC-SHA * \"HS256\" * \"HS384\" * \"HS512\"
- - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go
+ \ - \"RS256\" - \"RS384\" - \"RS512\" \n - RSA-PSS - \"PS256\"
+ \ - \"PS384\" - \"PS512\" \n - ECDSA - \"ES256\" - \"ES384\"
+ \ - \"ES512\" \n - HMAC-SHA - \"HS256\" - \"HS384\" - \"HS512\"
+ \n - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go
v3.2.0. Keep this list in sync if we pull in a jwt-go update. More
algorithms can be added with jwt.RegistersigningMethod(). \n Haha,
JK, our JWKS parser only understands RSA keys."
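Review bot: The FilterJWT description still says the algorithm list is the one `built-in to github.com/dgrijalva/jwt-go v3.2.0`, while the release notes in this same commit say jwt-go was upgraded past that to resolve CVE-2020-26160, so the `Keep this list in sync if we pull in a jwt-go update` instruction is already stale on the new side. The reformatted list also presents `"none"` as a supported algorithm without saying whether unsigned tokens are rejected; given the closing remark that the JWKS parser only understands RSA keys, the description should say so explicitly rather than leave a reader to infer it, e.g. `Tokens with alg=none are rejected` if that is the behavior. Update the module/version reference to the upgraded dependency at the same time. The identical description is changed in two more hunks below (`@@ -647,10 +664,10 @@` and `@@ -958,10 +1016,10 @@`).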
@@ -545,12 +557,17 @@ spec:
useSessionCookies:
properties:
ifRequestHeader:
+ description: HeaderFieldSelector allows for matching on header
+ fields using an exact match value or using a regular expression
+ match.
properties:
name:
type: string
negate:
type: boolean
value:
+ description: Value is an exact match, empty is a valid
+ value
type: string
valueRegex:
type: string
@@ -647,10 +664,10 @@ spec:
type: object
JWT:
description: "FilterJWT \n Currently supported algorithms: \n - RSA
- \ * \"RS256\" * \"RS384\" * \"RS512\" - RSA-PSS * \"PS256\"
- \ * \"PS384\" * \"PS512\" - ECDSA * \"ES256\" * \"ES384\"
- \ * \"ES512\" - HMAC-SHA * \"HS256\" * \"HS384\" * \"HS512\"
- - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go
+ \ - \"RS256\" - \"RS384\" - \"RS512\" \n - RSA-PSS - \"PS256\"
+ \ - \"PS384\" - \"PS512\" \n - ECDSA - \"ES256\" - \"ES384\"
+ \ - \"ES512\" \n - HMAC-SHA - \"HS256\" - \"HS384\" - \"HS512\"
+ \n - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go
v3.2.0. Keep this list in sync if we pull in a jwt-go update. More
algorithms can be added with jwt.RegistersigningMethod(). \n Haha,
JK, our JWKS parser only understands RSA keys."
@@ -853,12 +870,17 @@ spec:
useSessionCookies:
properties:
ifRequestHeader:
+ description: HeaderFieldSelector allows for matching on header
+ fields using an exact match value or using a regular expression
+ match.
properties:
name:
type: string
negate:
type: boolean
value:
+ description: Value is an exact match, empty is a valid
+ value
type: string
valueRegex:
type: string
@@ -868,12 +890,31 @@ spec:
value:
type: boolean
type: object
+ v3postLogoutRedirectURI:
+ type: string
type: object
Plugin:
properties:
name:
type: string
type: object
+ v3APIKey:
+ description: FilterAPIKey enforce a set of API Keys.
+ properties:
+ httpHeader:
+ type: string
+ keys:
+ items:
+ description: APIKeyItem defines how to resolve the values of
+ the keys.
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: array
+ required:
+ - keys
+ type: object
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
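Review bot: `v3postLogoutRedirectURI` is added as a bare `type: string` with no description, and `v3APIKey.httpHeader` likewise has no description or default, so the schema does not tell a user which header carries the key or what either field is for. A post-logout redirect target is a classic open-redirect vector if the filter does not constrain it, so the description should say how the value is validated (exact match against a configured allow-list, or whatever the filter does) and the schema could carry `format: uri`. For `v3APIKey.keys[].secretName` the description should state which namespace the Secret is resolved from — presumably the Filter's own, but that is not visible here — and which key of the Secret's data holds the API key. The same fields are added for the other CRD version in the next hunk (`APIKey`) and at `@@ -1136,6 +1194,8 @@` (`postLogoutRedirectURI`).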
@@ -897,6 +938,23 @@ spec:
type: object
spec:
properties:
+ APIKey:
+ description: FilterAPIKey enforce a set of API Keys.
+ properties:
+ httpHeader:
+ type: string
+ keys:
+ items:
+ description: APIKeyItem defines how to resolve the values of
+ the keys.
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: array
+ required:
+ - keys
+ type: object
External:
description: FilterExternal closely mimics AuthService.getambassador.io.
properties:
@@ -958,10 +1016,10 @@ spec:
type: object
JWT:
description: "FilterJWT \n Currently supported algorithms: \n - RSA
- \ * \"RS256\" * \"RS384\" * \"RS512\" - RSA-PSS * \"PS256\"
- \ * \"PS384\" * \"PS512\" - ECDSA * \"ES256\" * \"ES384\"
- \ * \"ES512\" - HMAC-SHA * \"HS256\" * \"HS384\" * \"HS512\"
- - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go
+ \ - \"RS256\" - \"RS384\" - \"RS512\" \n - RSA-PSS - \"PS256\"
+ \ - \"PS384\" - \"PS512\" \n - ECDSA - \"ES256\" - \"ES384\"
+ \ - \"ES512\" \n - HMAC-SHA - \"HS256\" - \"HS384\" - \"HS512\"
+ \n - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go
v3.2.0. Keep this list in sync if we pull in a jwt-go update. More
algorithms can be added with jwt.RegistersigningMethod(). \n Haha,
JK, our JWKS parser only understands RSA keys."
@@ -1136,6 +1194,8 @@ spec:
type: boolean
maxStale:
type: string
+ postLogoutRedirectURI:
+ type: string
protectedOrigins:
items:
properties:
@@ -1164,14 +1224,21 @@ spec:
useSessionCookies:
properties:
ifRequestHeader:
+ description: HeaderFieldSelector allows for matching on header
+ fields using an exact match value or using a regular expression
+ match.
properties:
name:
type: string
negate:
type: boolean
value:
+ description: Value will do an exact match on header value,
+ empty is a valid value
type: string
valueRegex:
+ description: ValueRegex will do a match on the header
+ value based on the provide header regular expression
type: string
required:
- name
@@ -1744,7 +1811,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
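Review bot: The regenerated AmbassadorID description now embeds literal tab characters in the inline example (`is: \n \tambassador_id: \t- \"default\" \n`), so the example renders as `ambassador_id:<TAB>- "default"` on a single line, which is not the YAML a user should copy — the list item belongs on its own line. This looks like the Go doc comment was re-indented with tabs and controller-gen folded the line breaks; the fix is in that comment, so that the generated text reads `ambassador_id:\n- \"default\"` with the item on its own line. The same description is regenerated in every other `ambassador_id` hunk of this file (at -1963, -2160, -2988, -3093, -3178, -3426, -3983, -4595, -4925, -5163 and -5366).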
@@ -1963,7 +2030,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -2020,14 +2087,14 @@ spec:
schema:
openAPIV3Schema:
description: "DevPortal is the Schema for the DevPortals API \n DevPortal
- resources specify the `what` and `how` is shown in a DevPortal: \n * `what`
- is in a DevPortal can be controlled with - a `selector`, that can be used
- for filtering `Mappings`. - a `docs` listing of (services, url) * `how`
- is a pointer to some `contents` (a checkout of a Git repository with go-templates/markdown/css).
- \n Multiple `DevPortal`s can exist in the cluster, and the Dev Portal server
- will show them at different endpoints. A `DevPortal` resource with a special
- name, `ambassador`, will be used for configuring the default Dev Portal
- (served at `/docs/` by default)."
+ resources specify the `what` and `how` is shown in a DevPortal: \n 1. `what`
+ is in a DevPortal can be controlled with \n - a `selector`, that can
+ be used for filtering `Mappings`. \n - a `docs` listing of (services,
+ url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git repository
+ \ with go-templates/markdown/css). \n Multiple `DevPortal`s can exist
+ in the cluster, and the Dev Portal server will show them at different endpoints.
+ A `DevPortal` resource with a special name, `ambassador`, will be used for
+ configuring the default Dev Portal (served at `/docs/` by default)."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@@ -2133,14 +2200,14 @@ spec:
schema:
openAPIV3Schema:
description: "DevPortal is the Schema for the DevPortals API \n DevPortal
- resources specify the `what` and `how` is shown in a DevPortal: \n * `what`
- is in a DevPortal can be controlled with - a `selector`, that can be used
- for filtering `Mappings`. - a `docs` listing of (services, url) * `how`
- is a pointer to some `contents` (a checkout of a Git repository with go-templates/markdown/css).
- \n Multiple `DevPortal`s can exist in the cluster, and the Dev Portal server
- will show them at different endpoints. A `DevPortal` resource with a special
- name, `ambassador`, will be used for configuring the default Dev Portal
- (served at `/docs/` by default)."
+ resources specify the `what` and `how` is shown in a DevPortal: \n 1. `what`
+ is in a DevPortal can be controlled with \n - a `selector`, that can
+ be used for filtering `Mappings`. \n - a `docs` listing of (services,
+ url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git repository
+ \ with go-templates/markdown/css). \n Multiple `DevPortal`s can exist
+ in the cluster, and the Dev Portal server will show them at different endpoints.
+ A `DevPortal` resource with a special name, `ambassador`, will be used for
+ configuring the default Dev Portal (served at `/docs/` by default)."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@@ -2160,7 +2227,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -2493,22 +2560,18 @@ spec:
type: string
type: object
tlsSecret:
- description: "Name of the Kubernetes secret into which to save generated
+ description: Name of the Kubernetes secret into which to save generated
certificates. If ACME is enabled (see $acmeProvider), then the
- default is $hostname; otherwise the default is \"\". If the value
- is \"\", then we do not do TLS for this Host. \n Note that this
- is a native-Kubernetes-style core.v1.LocalObjectReference, not an
- Ambassador-style `{name}.{namespace}` string. Because we're opinionated,
- it does not support referencing a Secret in another namespace (because
- most native Kubernetes resources don't support that), but if we
- ever abandon that opinion and decide to support non-local references
- it, it would be by adding a `namespace:` field by changing it from
- a core.v1.LocalObjectReference to a core.v1.SecretReference, not
- by adopting the `{name}.{namespace}` notation."
+ default is $hostname; otherwise the default is "". If the value
+ is "", then we do not do TLS for this Host.
properties:
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: Name is unique within a namespace to reference a
+ secret resource.
+ type: string
+ namespace:
+ description: Namespace defines the space within which the secret
+ name must be unique.
type: string
type: object
type: object
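Review bot: `tlsSecret` gains a `namespace` field, which turns the Host's secret reference into a cross-namespace one, but the new description only says the namespace is where the name must be unique and drops the old text's explanation of why cross-namespace references were previously refused. Anyone who can create a Host can now point it at a TLS Secret in any namespace the controller can read, so the description should state the default when `namespace` is omitted (presumably the Host's own namespace — not visible here), that the referenced Secret is what this Host serves TLS with, and whether any grant from the target namespace is required; if none is, that should be called out for cluster operators. The description also still says generated certificates are saved into this secret when ACME is enabled, so it should say whether ACME writes into the foreign namespace too. The same change appears for the other Host version at `@@ -2825,22 +2888,18 @@`.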
@@ -2825,22 +2888,18 @@ spec:
type: string
type: object
tlsSecret:
- description: "Name of the Kubernetes secret into which to save generated
+ description: Name of the Kubernetes secret into which to save generated
certificates. If ACME is enabled (see $acmeProvider), then the
- default is $hostname; otherwise the default is \"\". If the value
- is \"\", then we do not do TLS for this Host. \n Note that this
- is a native-Kubernetes-style core.v1.LocalObjectReference, not an
- Ambassador-style `{name}.{namespace}` string. Because we're opinionated,
- it does not support referencing a Secret in another namespace (because
- most native Kubernetes resources don't support that), but if we
- ever abandon that opinion and decide to support non-local references
- it, it would be by adding a `namespace:` field by changing it from
- a core.v1.LocalObjectReference to a core.v1.SecretReference, not
- by adopting the `{name}.{namespace}` notation."
+ default is $hostname; otherwise the default is "". If the value
+ is "", then we do not do TLS for this Host.
properties:
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: Name is unique within a namespace to reference a
+ secret resource.
+ type: string
+ namespace:
+ description: Namespace defines the space within which the secret
+ name must be unique.
type: string
type: object
type: object
@@ -2988,7 +3047,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -3093,7 +3152,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -3178,7 +3237,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -3426,7 +3485,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -3983,7 +4042,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -4595,7 +4654,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -4678,6 +4737,10 @@ spec:
properties:
domain:
type: string
+ failure_mode_deny:
+ description: FailureModeDeny when set to true, envoy will deny traffic
+ if it is unable to communicate with the rate limit service.
+ type: boolean
protocol_version:
enum:
- v2
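Review bot: The `failure_mode_deny` description says what `true` does but not what the default is, and for a rate-limiting control the default is the security-relevant part: if it stays at Envoy's fail-open behavior, an unreachable RateLimitService silently disables limiting. State it explicitly, e.g. `FailureModeDeny when set to true, envoy will deny traffic if it is unable to communicate with the rate limit service. Defaults to false (fail open), in which case requests are allowed through while the rate limit service is unavailable.`, assuming that is indeed the default. The same description is added for the other RateLimitService version in the next hunk.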
@@ -4723,6 +4786,10 @@ spec:
type: array
domain:
type: string
+ failure_mode_deny:
+ description: FailureModeDeny when set to true, envoy will deny traffic
+ if it is unable to communicate with the rate limit service.
+ type: boolean
protocol_version:
description: ProtocolVersion is the envoy api transport protocol version
enum:
@@ -4925,7 +4992,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -5163,7 +5230,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -5333,6 +5400,51 @@ spec:
items:
type: string
type: array
+ v3CustomTags:
+ items:
+ description: TracingCustomTag provides a data structure for capturing
+ envoy's `type.tracing.v3.CustomTag`
+ properties:
+ environment:
+ description: Environment explicitly specifies the protocol stack
+ to set up. Exactly one of Literal, Environment or Header must
+ be supplied.
+ properties:
+ default_value:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ literal:
+ description: Literal explicitly specifies the protocol stack
+ to set up. Exactly one of Literal, Environment or Header must
+ be supplied.
+ properties:
+ value:
+ type: string
+ required:
+ - value
+ type: object
+ request_header:
+ description: Header explicitly specifies the protocol stack
+ to set up. Exactly one of Literal, Environment or Header must
+ be supplied.
+ properties:
+ default_value:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ tag:
+ type: string
+ required:
+ - tag
+ type: object
+ type: array
v3StatsName:
type: string
required:
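Review bot: The three descriptions inside `v3CustomTags` (`environment`, `literal`, `request_header`) all say the field `explicitly specifies the protocol stack to set up`, which is copy-pasted from an unrelated type and is wrong for a tracing tag; only the `Exactly one of ... must be supplied` sentence applies, and it names `Header` while the key is `request_header`. Replace them with what each source does, presumably mirroring Envoy's CustomTag: `Environment takes the tag value from the named environment variable, falling back to default_value`, `Literal sets the tag to a fixed value`, `RequestHeader takes the tag value from the named request header, falling back to default_value`. Because `request_header` copies a request header into every exported span, its description should also warn that naming headers such as `Authorization` or `Cookie` sends credentials to the tracing backend. The identical block is added as `custom_tags` for the other TracingService version at `@@ -5404,6 +5516,51 @@`.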
@@ -5366,7 +5478,7 @@ spec:
ambassador_id:
description: "AmbassadorID declares which Ambassador instances should
pay attention to this resource. If no value is provided, the default
- is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2,
+ is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2,
consider renaming all of the `ambassador_id` (singular) fields to
`ambassador_ids` (plural)."
items:
@@ -5404,6 +5516,51 @@ spec:
trace_id_128bit:
type: boolean
type: object
+ custom_tags:
+ items:
+ description: TracingCustomTag provides a data structure for capturing
+ envoy's `type.tracing.v3.CustomTag`
+ properties:
+ environment:
+ description: Environment explicitly specifies the protocol stack
+ to set up. Exactly one of Literal, Environment or Header must
+ be supplied.
+ properties:
+ default_value:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ literal:
+ description: Literal explicitly specifies the protocol stack
+ to set up. Exactly one of Literal, Environment or Header must
+ be supplied.
+ properties:
+ value:
+ type: string
+ required:
+ - value
+ type: object
+ request_header:
+ description: Header explicitly specifies the protocol stack
+ to set up. Exactly one of Literal, Environment or Header must
+ be supplied.
+ properties:
+ default_value:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ tag:
+ type: string
+ required:
+ - tag
+ type: object
+ type: array
driver:
enum:
- lightstep
@@ -5424,6 +5581,9 @@ spec:
stats_name:
type: string
tag_headers:
+ description: 'Deprecated: tag_headers is deprecated. Use custom_tags
+ instead. `tag_headers: ["header"]` can be defined as `custom_tags:
+ [{"request_header": {"name": "header"}}]`.'
items:
type: string
type: array
@@ -5619,7 +5779,7 @@ spec:
serviceAccountName: emissary-apiext
containers:
- name: emissary-apiext
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
command: [ "apiext", "emissary-apiext" ]
ports:
diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml
index 52177e1..8bbb745 100644
--- a/manifests/edge-stack/aes-defaultns-agent.yaml
+++ b/manifests/edge-stack/aes-defaultns-agent.yaml
@@ -178,6 +178,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -273,7 +276,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml
index b7bce15..c4b8d05 100644
--- a/manifests/edge-stack/aes-defaultns-migration.yaml
+++ b/manifests/edge-stack/aes-defaultns-migration.yaml
@@ -140,7 +140,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml
index 3e89061..54a09d4 100644
--- a/manifests/edge-stack/aes-defaultns.yaml
+++ b/manifests/edge-stack/aes-defaultns.yaml
@@ -350,6 +350,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -510,7 +513,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
@@ -585,7 +588,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml
index bab563c..8e5d2af 100644
--- a/manifests/edge-stack/aes-emissaryns-agent.yaml
+++ b/manifests/edge-stack/aes-emissaryns-agent.yaml
@@ -178,6 +178,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -273,7 +276,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml
index 0950d54..02496a2 100644
--- a/manifests/edge-stack/aes-emissaryns-migration.yaml
+++ b/manifests/edge-stack/aes-emissaryns-migration.yaml
@@ -140,7 +140,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml
index 54e3a6e..e18262c 100644
--- a/manifests/edge-stack/aes-emissaryns.yaml
+++ b/manifests/edge-stack/aes-emissaryns.yaml
@@ -358,6 +358,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -518,7 +521,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
@@ -593,7 +596,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml
index d3dc242..31a519c 100644
--- a/manifests/edge-stack/aes.yaml
+++ b/manifests/edge-stack/aes.yaml
@@ -358,6 +358,9 @@ rules:
- apiGroups: ['']
resources: [configmaps]
verbs: [get, list, watch]
+- apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, create, delete, patch, watch]
---
# Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -518,7 +521,7 @@ spec:
serviceAccountName: edge-stack-agent
containers:
- name: agent
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/emissaryingress/emissary:3.1.0
imagePullPolicy: IfNotPresent
command: [agent]
ports:
@@ -593,7 +596,7 @@ spec:
containers:
- name: aes
- image: docker.io/datawire/aes:3.0.0
+ image: docker.io/datawire/aes:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http