Releases: solo-io/gloo
v1.18.0-beta1
Helm Changes
- Introduce gateway.validation.webhook.enablePolicyApi, which controls whether or not RouteOptions and VirtualHostOptions CRs are subject to validation. By default, this value is true. The validation of these Policy APIs only runs if the Kubernetes Gateway integration is enabled (kubeGateway.enabled). (solo-io/solo-projects#6352)
New Features
- Adds the host_rewrite_header to the route options to allow envoy to swap the host header with the content of a given downstream or custom header. Pay attention to the potential security implications of using this option. The provided header must come from a trusted source. (#9579)
- Adds pre-admission validation rules to the AuthConfig CRD. (solo-io/gloo-mesh-enterprise#16010)
- Adds the ability to recover if the Kubernetes API server is unreachable once the gloo pod comes up. The MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable defines the maximum duration the gloo pod can run and attempt to reconnect to the kube apiserver if it is unreachable. Exceeding this duration will lead to the pod quitting. To enable this feature, set the MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable to the desired duration in the gloo container. This can be done either by modifying the gloo deployment or by specifying the gloo.deployment.customEnv[0].Name=MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER and gloo.deployment.customEnv[0].Value=60s helm values. (#8107)
- gateway2: merge multiple targetRef based Route & VirtualHost options
  Implements merging of targetRef based RouteOptions and VirtualHostOptions in a specific order of precedence from oldest to newest created resource.
  The merging uses shallow merging such that for an option A that is higher priority than option B, merge(A,B) merges the top-level options of B that have not already been set on A. This allows options later in the precedence chain to augment the existing options during a merge but not overwrite them. (solo-io/solo-projects#6313)
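The shallow merge described above, as an added Go example that is not Gloo's own code. The Options and Policy types are hypothetical, and it assumes the oldest resource has the highest priority, as the stated order of precedence implies; note that a nested value set by the older policy is kept whole rather than combined with the newer one.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"time"
)

// Options and Policy are hypothetical stand-ins, not Gloo's own types.
type Options struct {
	Timeout *time.Duration
	Headers map[string]string
}
type Policy struct {
	Created time.Time
	Opts    Options
}

// shallowMerge fills only the top-level fields dst has not set; set fields
// are kept whole, nested contents included.
func shallowMerge(dst *Options, src Options) {
	d, s := reflect.ValueOf(dst).Elem(), reflect.ValueOf(src)
	for i := 0; i < d.NumField(); i++ {
		if d.Field(i).IsNil() && !s.Field(i).IsNil() {
			d.Field(i).Set(s.Field(i))
		}
	}
}

// MergeByAge folds policies oldest first, so older resources win conflicts.
func MergeByAge(policies []Policy) Options {
	sorted := append([]Policy(nil), policies...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return sorted[i].Created.Before(sorted[j].Created)
	})
	var out Options
	for _, p := range sorted {
		shallowMerge(&out, p.Opts)
	}
	return out
}

func main() {
	// Constructed input: both set Headers; the older policy's map wins whole.
	t0, timeout := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), 5*time.Second
	newer := Options{&timeout, map[string]string{"x-debug": "1"}}
	older := Options{Headers: map[string]string{"x-team": "a"}}
	m := MergeByAge([]Policy{{t0.Add(time.Hour), newer}, {t0, older}})
	fmt.Println(*m.Timeout, m.Headers)
}
```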
Fixes
- Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy. (#9622)
- Fix statuses being synced properly for k8s gateway resources (solo-io/solo-projects#6304)
- Follow up to fix discoveryAddress, istioMetaMeshId and istioMetaClusterId in k8s gateway deployment for Istio integration. (solo-io/solo-projects#6107)
- Fix issue where Kube Gateway proxies would have errors regarding status logged constantly (solo-io/solo-projects#6252)
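The RFC 9110 header-name check from the #9622 fix above, as an added Go example that is not Gloo's own code. The function names and sample values are assumptions; the accepted character set is the RFC 9110 token grammar, which is what a field name must match.

```go
package main

import (
	"fmt"
	"strings"
)

// tcharSymbols: the non-alphanumeric characters RFC 9110 allows in a token.
const tcharSymbols = "!#$%&'*+-.^_`|~"

func isTchar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		(c >= '0' && c <= '9') || strings.IndexByte(tcharSymbols, c) >= 0
}

// CheckHeaderName returns nil for a valid field name, otherwise an error
// naming the first offending byte and its offset.
func CheckHeaderName(name string) error {
	if name == "" {
		return fmt.Errorf("header name is empty")
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return fmt.Errorf("header name %q: invalid byte %q at offset %d", name, name[i], i)
		}
	}
	return nil
}

// Partition splits names into accepted ones and rejection errors.
func Partition(names []string) (ok []string, errs []error) {
	for _, n := range names {
		if err := CheckHeaderName(n); err != nil {
			errs = append(errs, err)
		} else {
			ok = append(ok, n)
		}
	}
	return ok, errs
}

func main() {
	// Constructed sample values for a requestHeadersToAdd list.
	ok, errs := Partition([]string{"x-request-id", "x-env(prod)", "x_trace.id", "bad:name", ""})
	fmt.Println("accepted:", ok)
	for _, e := range errs {
		fmt.Println("rejected:", e)
	}
}
```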
v1.17.0-rc5
New Features
- Adds the ability to recover if the Kubernetes API server is unreachable once the gloo pod comes up. The MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable defines the maximum duration the gloo pod can run and attempt to reconnect to the kube apiserver if it is unreachable. Exceeding this duration will lead to the pod quitting. To enable this feature, set the MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable to the desired duration in the gloo container. This can be done either by modifying the gloo deployment or by specifying the gloo.deployment.customEnv[0].Name=MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER and gloo.deployment.customEnv[0].Value=60s helm values. (#8107)
Fixes
- Adds the host_rewrite_header to the route options to allow envoy to swap the host header with the content of a given downstream or custom header. Pay attention to the potential security implications of using this option. The provided header must come from a trusted source. (#9579)
- Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy. (#9622)
- Fix issue where Kube Gateway proxies would have errors regarding status logged constantly (solo-io/solo-projects#6252)
v1.16.16
Fixes
- Adds the host_rewrite_header to the route options to allow envoy to swap the host header with the content of a given downstream or custom header. Pay attention to the potential security implications of using this option. The provided header must come from a trusted source. (#9579)
- Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy. (#9622)
v1.17.0-rc4
New Features
- Enables routing to AWS Lambda and Azure Function upstreams via the GGv2 API. (solo-io/solo-projects#6160)
- Add HttpListenerOption policy for use with Kube Gateway API resources (solo-io/solo-projects#6319)
Fixes
- Resync the Gloo Gateway Controller when a Service is updated. (solo-io/solo-projects#6332)
- Fix glooctl check to not rely on existence of proxy deployments when checking proxies. (solo-io/solo-projects#5741)
v1.17.0-rc3
Dependency Bumps
- solo-io/envoy-gloo has been upgraded to v1.30.2-patch2.
Helm Changes
- Fix istioIntegration.enabled helm value to configure bootstrap configmap. Remove deprecated istioSDS.enabled as a requirement for Istio automtls integration. (solo-io/solo-projects#5743)
New Features
- Add support for the envoy.http.stateful_session.header filter. This support has been added via a new HTTPListener option, stateful_session, which can be used to configure the filter. Envoy notes about this filter:
  - Stateful sessions can result in imbalanced load across upstreams and allow external actors to direct requests to specific upstream hosts. Operators should carefully consider the security and reliability implications of stateful sessions before enabling this feature.
  - This extension is functional but has not had substantial production burn time, use only with this caveat.
  - This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.
  (#9104)
v1.16.15
v1.17.0-rc2
Helm Changes
- Rename the kube gateway envoy container image helm value from kubeGateway.gatewayParameters.glooGateway.image to kubeGateway.gatewayParameters.glooGateway.envoyContainer.image. (solo-io/solo-projects#6107)
New Features
- Add API for running postRouting transformations. This means that the transformation filter will be run as a part of the router filter, rather than during the standard HTTP filter chain. This allows access to endpoint specific information which is not available during the standard filter chain.
- Add API for adding metadata to endpoints in static/failover upstreams. This metadata can then be accessed in the transformation filter mentioned above.
- Add new plugin type to allow adding filter in the upstream filter chain. (solo-io/solo-projects#5890)
Fixes
- Properly pass through the json_to_proto value from the gloo API to the envoy API for dynamic metadata transformations. (solo-io/solo-projects#5890)
v1.17.0-rc1
Helm Changes
- Add k8s Gateway Istio integration values to the Gloo Gateway Helm chart under kubeGateway.gatewayParameters.glooGateway. (solo-io/solo-projects#5743)
Fixes
- Adds error types for plugins errors to differentiate between validation errors and validation warnings in order to support preventing the validation webhook rejecting config due to eventual consistency issues with the RateLimitConfig resource. (solo-io/solo-projects#6251)
- Changing error type to warning will deflake the validation webhook rejecting config due to eventual consistency issues with the RateLimitConfig resource. (solo-io/solo-projects#5307)
- Adds initial error types for plugins errors to differentiate between validation errors and validation warnings. (#7357)
v1.17.0-beta35
New Features
- New CRDs added for ListenerOption and HttpListenerOption resources (solo-io/solo-projects#5941)
- Add ListenerOption as a policy resource for use with Kube Gateway API objects.
  Note that this resource cannot currently be used as a standalone resource (i.e. delegated option) for the Gloo Edge API. (solo-io/solo-projects#5941)
v1.17.0-beta34
Helm Changes
- Mark Istio integration helm values that rely on double proxy setup as deprecated. This includes:
  - global.istioIntegration.labelInstallNamespace
  - global.istioIntegration.whitelistDiscovery
  - global.istioIntegration.enableIstioSidecarOnGateway
  - global.istioIntegration.istioSidecarRevTag
  - global.istioIntegration.appendXForwardedHost
  (solo-io/solo-projects#5743)
New Features
- gateway2: enable self-managed Gateways
  Adds capability to integrate self-managed gateways that are not meant to be auto-provisioned by the controller. This is required to support use cases where gateways are statically provisioned, such as when running the gateways external to k8s on VMs.
  It adds a selfManaged field to the GatewayParameters CRD which is used to skip the deployment of Gateway related objects (deployment, service, etc.). When a gateway is self-managed, it is expected to be correctly bootstrapped with an envoy config that matches the Gateway resource's name and namespace, specifically the node field must be configured correctly to link a self-managed gateway to the Gateway resource. (solo-io/solo-projects#6196)
Fixes
- Resolves issue where default GatewayParameters could be passed invalid fields and fail to render (solo-io/solo-projects#6257)
- Fix bug in glooctl get proxy that returned duplicate proxies. (solo-io/solo-projects#6088)