Helm Changes
- Introduce gateway.validation.webhook.enablePolicyApi, which controls whether or not RouteOptions and VirtualHostOptions CRs are subject to validation. By default, this value is true. The validation of these Policy APIs only runs if the Kubernetes Gateway integration is enabled (kubeGateway.enabled). (https://github.com/solo-io/solo-projects/issues/6352)
New Features
- Adds the host_rewrite_header to the route options to allow Envoy to swap the host header with the content of a given downstream or custom header. Pay attention to the potential security implications of using this option. The provided header must come from a trusted source. (#9579)
- Adds pre-admission validation rules to the AuthConfig CRD. (https://github.com/solo-io/gloo-mesh-enterprise/issues/16010)
- Adds the ability to recover if the Kubernetes API server is unreachable once the gloo pod comes up. The MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable defines the maximum duration the gloo pod can run and attempt to reconnect to the kube apiserver if it is unreachable. Exceeding this duration will lead to the pod quitting. To enable this feature, set the MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER environment variable to the desired duration in the gloo container. This can be done either by modifying the gloo deployment or by specifying the gloo.deployment.customEnv[0].Name=MAX_RECOVERY_DURATION_WITHOUT_KUBE_API_SERVER and gloo.deployment.customEnv[0].Value=60s helm values. (#8107)
- gateway2: merge multiple targetRef based Route & VirtualHost options
  Implements merging of targetRef based RouteOptions and
  VirtualHostOptions in a specific order of precedence from
  oldest to newest created resource.
  The merging uses shallow merging such that for an option
  A that is higher priority than option B, merge(A,B) merges
  the top-level options of B that have not already been set on A.
  This allows options later in the precedence chain to augment
  the existing options during a merge but not overwrite them. (https://github.com/solo-io/solo-projects/issues/6313)
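The precedence rule from the gateway2 merge entry above, as an added Go example that is a simplified model and not Gloo Gateway's own code. The Policy type, the map-based Options field, the option keys and the sample values are assumptions made for illustration, and ties on creation time keep input order because the release note does not say how they are broken.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Policy is a hypothetical stand-in for a targetRef-based RouteOptions or
// VirtualHostOptions resource; Options models its top-level option fields.
type Policy struct {
	Name    string
	Created time.Time
	Options map[string]any
}

// MergeByAge sorts oldest first (highest priority), then takes each top-level
// option from the first policy that sets it. source records who supplied it.
func MergeByAge(policies []Policy) (merged map[string]any, source map[string]string) {
	sorted := append([]Policy(nil), policies...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return sorted[i].Created.Before(sorted[j].Created)
	})
	merged, source = map[string]any{}, map[string]string{}
	for _, p := range sorted {
		for key, val := range p.Options {
			if _, set := merged[key]; !set { // never overwrite a higher-priority value
				merged[key], source[key] = val, p.Name
			}
		}
	}
	return merged, source
}

// samplePolicies returns constructed input: two policies on the same route.
func samplePolicies() []Policy {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	return []Policy{
		{"newer", t0.Add(time.Hour), map[string]any{
			"cors":    map[string]any{"allowOrigin": "*", "maxAge": "1d"},
			"timeout": "30s",
		}},
		{"older", t0, map[string]any{"cors": map[string]any{"allowOrigin": "https://app.example.com"}}},
	}
}

func main() {
	fmt.Println(MergeByAge(samplePolicies()))
}
```

In the sample, the newer policy contributes timeout but its cors block is dropped whole, including maxAge, because the merge is shallow and the older policy already set cors.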
Fixes
- Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation requestHeadersToAdd parameter. This resulted in Envoy throwing an invalid header name error. Now, header names are validated according to RFC 9110, which is the same validation used by Envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to Envoy. (#9622)
- Fix statuses being synced properly for k8s gateway resources (https://github.com/solo-io/solo-projects/issues/6304)
- Follow up to fix discoveryAddress, istioMetaMeshId and istioMetaClusterId in k8s gateway deployment for Istio integration. (https://github.com/solo-io/solo-projects/issues/6107)
- Fix issue where Kube Gateway proxies would have errors regarding status logged constantly (https://github.com/solo-io/solo-projects/issues/6252)