🎉 Emissary Ingress 3.2.0 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.2.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
- Change: The Envoy version included in Emissary-ingress has been upgraded from 1.22 to the latest patch release of 1.23. This provides Emissary-ingress with the latest security patches, performance enhancements, and features offered by the Envoy proxy.
- Change: Changes to label matching will change how Hosts are associated with Mappings. There was a bug with label selectors that was causing Hosts to be incorrectly associated with more Mappings than intended. If any single label from the selector was matched then the Host would be associated with the Mapping. Now it has been updated to correctly only associate a Host with a Mapping if all labels required by the selector are present. This brings the mappingSelector field in line with how label selectors are used in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their mappingSelector to Mappings you want to associate with the Host. You can opt out of the new behaviour by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to "true" (default: "false"). (Thanks to Filip Herceg and Joe Andaverde!)
- Feature: Previously the Host resource could only use secrets that are in the same namespace as the Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of secrets from different namespaces.
- Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve 503 UH errors caused by certificate rotation relating to a delay between EDS + CDS. The default is false.
- Bugfix: Distinct services with names that are the same in the first forty characters will no longer be incorrectly mapped to the same cluster. (#4354)
- Feature: By default, when Envoy is unable to communicate with the configured RateLimitService, it will allow traffic through. The RateLimitService resource now exposes the failure_mode_deny option. When failure_mode_deny: true is set, Envoy will deny traffic when it is unable to communicate with the RateLimitService, returning a 500.
- Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the AuthService would have no effect because it was not being properly passed to the Envoy cluster config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly. (Thanks to Paul!)
- Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.
- Bugfix: If a Host or TLSContext contained a hostname with a : when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing Envoy metrics for the diagnostics user interface.
- Feature: It is now possible to set custom_tags in the TracingService. Trace tags can be set based on literal values, environment variables, or request headers. (Thanks to Paul!) (#4181)
- Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS termination configuration comes from.
- Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but didn't make much sense. You can now use a TLSContext without a Host as in Emissary-ingress 1.y releases, or a Host with or without a TLSContext as in prior 2.y releases.
- Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot be used on the same port that HTTP is served on, even if TLS+SNI would make this possible. Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts, as long as that Listener terminates TLS.
- Security: Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.
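
For the label matching change above, a pre-upgrade audit can list every Host/Mapping association that existed under the old "any label" matching and disappears under the strict "all labels" matching. This is an added example, not code from the Emissary-ingress project; it assumes resources are given as plain dicts shaped like Kubernetes manifests with the selector labels under spec.mappingSelector.matchLabels, it models only the label part of association (not hostname matching), and all resource names and labels are constructed.

```python
# Added example: label part of Host/Mapping association only.
def matches_any(selector, labels):
    """Matching before 3.2.0: a single matching label was enough."""
    return any(labels.get(k) == v for k, v in selector.items())

def matches_all(selector, labels):
    """Matching from 3.2.0: every label in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())

def audit(hosts, mappings):
    """List (host, mapping, missing_labels) for each association that the old
    matching produced and the strict matching drops."""
    findings = []
    for host in hosts:
        # Assumption: selector labels live under spec.mappingSelector.matchLabels.
        selector = host["spec"].get("mappingSelector", {}).get("matchLabels", {})
        for mapping in mappings:
            labels = mapping["metadata"].get("labels") or {}
            if matches_any(selector, labels) and not matches_all(selector, labels):
                missing = {k: v for k, v in selector.items() if labels.get(k) != v}
                findings.append((host["metadata"]["name"],
                                 mapping["metadata"]["name"], missing))
    return findings

# Constructed sample resources (hypothetical names and labels).
HOSTS = [
    {"metadata": {"name": "public-host"},
     "spec": {"mappingSelector": {"matchLabels": {"app": "web", "exposure": "public"}}}},
    {"metadata": {"name": "admin-host"},
     "spec": {"mappingSelector": {"matchLabels": {"app": "web", "exposure": "internal"}}}},
]
MAPPINGS = [
    {"metadata": {"name": "web-public", "labels": {"app": "web", "exposure": "public"}}},
    {"metadata": {"name": "web-admin", "labels": {"app": "web", "exposure": "internal"}}},
    {"metadata": {"name": "legacy", "labels": {"app": "web"}}},
    {"metadata": {"name": "metrics", "labels": {"team": "ops"}}},
]

if __name__ == "__main__":
    for host, mapping, missing in audit(HOSTS, MAPPINGS):
        print(f"{host} -> {mapping}: dropped after upgrade unless labelled {missing}")
```

Each finding is either an intended route that needs the missing labels added to the Mapping before upgrading, or an unintended one that the old matching was serving through the wrong Host.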