Emissary Ingress 2.4.0

🎉 Emissary Ingress 2.4.0 🎉

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

• Feature: Previously the Host resource could only use secrets that are in the namespace as the
  Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of
  secrets from different namespaces.

• Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have
  endpoints be inserted to clusters manually. This can help resolve with 503 UH caused by
  certification rotation relating to a delay between EDS + CDS. The default is false.

• Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the
  AuthService would have no affect because it was not being properly passed to the Envoy cluster
  config. This has been fixed and the alt_stats_name field in the cluster config is now set
  correctly. (Thanks to Paul!)

• Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for
  the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default
  is "1" if not set.

• Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of
  using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS
  termination configuration comes from.

• Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have
  a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but
  didn't make much sense. You can now use a TLSContext without a Hostas in Emissary-ingress 1.y
  releases, or a Host with or without a TLSContext as in prior 2.y releases.

• Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot
  be used on the same port that HTTP is served on, even if TLS+SNI would make this possible.
  Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts,
  as long as that Listener terminates TLS.

Emissary Ingress Chart 7.5.0

🎉 Emissary Ingress Chart 7.5.0 🎉

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

---

• Upgrade Emissary to v2.4.0 CHANGELOG

Emissary Ingress 3.1.0

🎉 Emissary Ingress 3.1.0 🎉

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.1.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

• Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to
  OpenAPI 3, making them available for use in the dev portal.

• Feature: Adds a new command to the agent directive service to manage secrets. This allows a third
  party product to manage CRDs that depend upon a secret.

• Feature: Add additional pprof endpoints to allow for profiling Emissary-ingress:

  • CPU profiles
    (/debug/pprof/profile)
  • tracing (/debug/pprof/trace)
  • command line running
    (/debug/pprof/cmdline)
  • program counters (/debug/pprof/symbol)

• Change: In the standard published .yaml files, the Module resource enables serving remote
  client requests to the :8877/ambassador/v0/diag/ endpoint. The associated Helm chart release
  also now enables it by default.

• Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
  from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to
  ensure that all the nodes composing the emissary ingress cluster are reporting properly.

• Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
  CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.

• Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
  CVE-2022-27781, CVE-2022-27780.

• Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.

• Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458

Emissary Ingress 2.3.2

🎉 Emissary Ingress 2.3.2 🎉

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.2/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

• Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming
  from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to
  ensure that all the nodes composing the emissary ingress cluster are reporting properly.

• Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327,
  CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.

• Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782,
  CVE-2022-27781, CVE-2022-27780.

• Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.

• Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458

Emissary Ingress Chart 8.1.0

🎉 Emissary Ingress Chart 8.1.0 🎉

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

---

Emissary Ingress Chart 7.4.2

🎉 Emissary Ingress Chart 7.4.2 🎉

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

---

• Update Emissary chart image to version v2.3.2 CHANGELOG

Emissary Ingress 3.0.0

🎉 Emissary Ingress 3.0.0 🎉

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.0.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

• Change: The envoy version included in Emissary-ingress has been upgraded from 1.17 to the latest
  patch release of 1.22. This provides Emissary-ingress with the latest security patches,
  performances enhancments, and features offered by the envoy proxy. One notable change that will
  effect users is the removal of support for V2 tranport protocol. See below for more information.

• Change: Emissary-ingress can no longer be made to configure Envoy using the v2 xDS configuration
  API; it now always uses the v3 xDS API to configure Envoy. This change should be mostly invisible
  to users, with one notable exception: It removes support for regex_type: unsafe.
  The
  regex_type field will is removed from the ambassador Module, meaning that it is not be
  possible to instruct Envoy to use the ECMAScript Regex engine rather than
  the default RE2 engine.
  Users who rely on the specific
  ECMAScript Regex syntax will need to rewrite their regular expressions with RE2 syntax before
  upgrading to Emissary-ingress 3.0.0.
  As the xDS version is no longer configurable and the range of
  supported Zipkin protocols is reduced (see below), the AMBASSADOR_ENVOY_API_VERSION environment
  variable has been removed.

• Change: With the ugprade to Envoy 1.22, Emissary-ingress no longer supports the V2 transport
  protocol. The AuthService, LogService and the RateLimitService will only support the v3
  protocol_version. If protocol_version is not specified, the default value of v2 will cause an
  error to be posted. Therefore, you will need to set it to protocol_version: "v3". If upgrading
  from a previous version you will want to set it to "v3" and ensure it is working before upgrading
  to Emissary-ingress 3.Y.

• Change: With the upgrade to Envoy 1.22, the zipkin driver for the TraceService no longer
  supports setting the collector_endpoint_version: HTTP_JSON_V1. This was removed in Envoy 1.20 -
  .
  The new default will be collector_endpoint_version: HTTP_JSON, regardless of the
  AMBASSADOR_ENVOY_API_VERSION environment variable.

• Change: In the standard published .yaml files, now included is a Module resource that disables
  the /ambassador/v0/ → 127.0.0.1:8878 synthetic mapping. We have long recommended to turn
  this off for production use; it is now off in the standard YAML. The associated Helm chart
  release also now disables it by default. A later apiVersion (getambassador.io/v3alpha2 or
  later) will likely change the Module CRD so that it is disabled if unspecified; but in the
  mean-time, the default install procedure will now specify it to be disabled.

• Change: This release does not include the publishing of emissary-emissaryns-agent.yaml,
  emissary-defaultns-agent.yaml, emissary-emissaryns-migration.yaml, or
  emissary-defaultns-migration.yaml files. All four of these files existed solely as part of the
  migration process from 1;y, but since 2.2.0 the *-migration.yaml files have not been part of the
  migration instructions, and while the *-agent.yaml files remained part of the instructions they
  were actually unnescessary.

• Change: The previous version of Emissary-ingress was based on Envoy 1.17 and when using grpc_stats
  with all_methods or services set, it would output metrics in the following format
  envoy_cluster_grpc_{ServiceName}_{statname}. When neither of these fields are set it would be
  aggregated to envoy_cluster_grpc_{statname}.
  The new behavior since Envoy 1.18 will produce
  metrics in the following format envoy_cluster_grpc_{MethodName}_statsname and
  envoy_cluster_grpc_statsname.
  After further investigation we found that Envoy doesn't properly
  parse service names such as cncf.telepresence.Manager/Status. In the future, we will work
  upstream Envoy to get this parsing logic fixed to ensure consistent metric naming.

• Bugfix: Previously setting grpc_stats in the ambassador Module without setting either
  grpc_stats.services or grpc_stats.all_methods would result in crashing. Now it behaves as if
  grpc_stats.all_methods=false.

• Feature: With the ugprade to Envoy 1.22, Emissary-ingress can now be configured to listen for
  HTTP/3 connections using QUIC and the UDP network protocol. It currently only supports for
  connections between downstream clients and Emissary-ingress.

Emissary Ingress Chart 8.0.0

🎉 Emissary Ingress Chart 8.0.0 🎉

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

---

• Change: The default for the module value has changed to disable
  the /ambassador/v0/ → 127.0.0.1:8877 synthetic Mapping by
  default. We have long recommended to turn this off for production
  use; it is now off by default.

• Bugfix: The default values no trigger the creation of an
  "emissary-test-ready" Pod. This Pod was meant to only be created
  when running the chart's test suite; it was not meant to be created
  in users' clusters.

Ambassador 1.14.4

🎉 Ambassador 1.14.4 🎉

Ambassador is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started

• Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's
  1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected
  by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal
  redirects, and does not use Envoy's built-in OAuth2 filter.

Ambassador Chart 6.9.5

🎉 Ambassador Chart 6.9.5 🎉

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md

---

• Update Ambassador API Gateway chart image to version v1.14.4: CHANGELOG
• Update Ambassador Edge Stack chart image to version v1.14.4: CHANGELOG