emissary-ingress/emissary v1.9.0

Ambassador 1.9.0

on GitHub

🎉 Ambassador 1.9.0 🎉

Ambassador is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Ambasssador API Gateway + Ambassador Edge Stack

• Change: The DevPortal no longer looks for documentation at /.ambassador-internal/openapi-docs. A new field in Mappings, docs, must be used for specifying the source for documentation. This can result in an empty Dev Portal after upgrading if Mappings do not include a docs attribute.
• Feature: Support configuring the gRPC Statistics Envoy filter to enable telemetry of gRPC calls (see the grpc_stats configuration flag -- thanks, Felipe Roveran!)
• Feature: The RateLimitService and AuthService configs now support switching between gRPC protocol versions v2 and v2alpha (see the protocol_version setting)
• Feature: The TracingService Zipkin config now supports setting collector_hostname to tell Envoy which host header to set when sending spans to the collector
• Feature: Ambassador now supports custom error response mapping
• Feature: DevPortal: default configuration using the ambassador DevPortal resource.
• Bugfix: Ambassador will no longer mistakenly post notices regarding regex_rewrite and rewrite directive conflicts in Mappings due to the latter's implicit default value of / (thanks, obataku!)
• Bugfix: The /metrics endpoint will no longer break if invoked before configuration is complete (thanks, Markus Jevring!)
• Bugfix: Update Python requirements to address CVE-2020-25659
• Bugfix: Prevent mixing Mappings with host_redirect set with Mappings that don't in the same group
• Bugfix: ConsulResolver will now fallback to the Address of a Consul service if Service.Address is not set.
• Docs: Added instructions for building ambassador from source, within a docker container (thanks, Rahul Kumar Saini!)
• Update: Upgrade Alpine 3.10→3.12, GNU libc 2.30→2.32, and Python 3.7→3.8
• Update: Knative serving tests were bumped from version 0.11.0 to version 0.18.0 (thanks, Noah Fontes!)

Ambassador Edge Stack Only

• Feature: How the OAuth2 Filter authenticates itself to the identity provider is now configurable with the clientAuthentication setting.
• Feature: The OAuth2 Filter can now use RFC 7523 JWT assertions to authenticate itself to the identity provider; this is usable with all grant types.
• Feature: When validating a JWT's scope, the JWT and OAuth2 Filters now support not just RFC 8693 behavior, but also the behavior of various drafts leading to it, making JWT scope validation usable with more identity providers.
• Feature: The OAuth2 Filter now has inheritScopeArgument and stripInheritedScope settings that can further customize the behavior of accessTokenJWTFilter.
• Change: The OAuth2 Filter argument scopes has been renamed to scope, for consistency. The name scopes is deprecated, but will continue to work for backward compatibility.
• Bugfix: OAuth2 Filter: Don't have accessTokenValidation: auto fall back to "userinfo" validation for a client_credentials grant; it doesn't make sense there and only serves to obscure a more useful error message.