Releases: emissary-ingress/emissary
Emissary Ingress 3.5.1
🎉 Emissary Ingress 3.5.1 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.5.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
- Bugfix: No changes made to Emissary-ingress but this patch release addresses a regression where
the Module resource fails validation when setting the ambassador_id after upgrading to
getambassador.io/v3alpha1.
Thanks to pie-r
Emissary Ingress Chart 8.5.1
🎉 Emissary Ingress Chart 8.5.1 🎉
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Emissary Ingress 3.5.0
🎉 Emissary Ingress 3.5.0 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.5.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
-
Security: Upgrading to the latest release of Golang as part of our general dependency upgrade
process. This includes security fixes for CVE-2022-41725, CVE-2022-41723. -
Feature: In Envoy 1.24, experimental support for a native OpenTelemetry tracing driver was
introduced that allows exporting spans in the otlp format. Many Observability platforms accept
that format and is the recommend replacement for the LightStep driver. Emissary-ingress now
supports setting theTracingService.spec.driver=opentelemetryto export spans in otlp
format.
Thanks to Paul for helping us
get this tested and implemented! -
Bugfix: When wanting to expose traffic to clients on ports other than 80/443, users will set a
port in the Host.hostname (eg.Host.hostname=example.com:8500. The config generated allowed
matching on the :authority header. This worked in v1.Y series due to the way emissary was
generating Envoy configuration under a single wild-card virtual_host and matching on
:authority.In v2.Y/v3.Y+, the way emissary generates Envoy configuration changed to address
memory pressure and improve route lookup speed in Envoy. However, when including a port in the
hostname, an incorrect configuration was generated with an sni match including the port. This has
been fixed and the correct envoy configuration is being generated. (fix: hostname port issue) -
Change: Previously, specifying backend ports by name in Ingress was not supported and would result
in defaulting to port 80. This allows emissary-ingress to now resolve port names for backend
services. If the port number cannot be resolved by the name (e.g named port in the Service doesn't
exist) then it defaults back to the original behavior. (Thanks to Anton Ustyuzhanin!). (#4809) -
Change: The
emissary-apiextserver is a Kubernetes Conversion Webhook that converts between the
Emissary-ingress CRD versions. On startup, it ensures that a self-signed cert is available so that
K8s API Server can talk to the conversion webhook (TLS is required by K8s). We have introduced
a startupProbe to ensure that emissary-apiext server has enough time to configure the webhooks
before running liveness and readiness probes. This is to ensure slow startup doesn't cause K8s to
needlessly restart the pod.
Emissary Ingress Chart 8.5.0
🎉 Emissary Ingress Chart 8.5.0 🎉
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Emissary Ingress 3.4.1
🎉 Emissary Ingress 3.4.1 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.4.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
- Security: This upgrades emissary-ingress to be built on Envoy v1.24.2. This captures a patch to
boringssl to address CVE-2023-0286. It also includes an update to c-ares dependency to address
issue with cname wildcard dns resolution for upstream clusters.
Emissary Ingress Chart 8.4.1
🎉 Emissary Ingress Chart 8.4.1 🎉
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Emissary Ingress 3.4.0
🎉 Emissary Ingress 3.4.0 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.4.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
-
Feature: Support for the
getambassador.io/v1apiVersion has been re-introduced, in order to
facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations
possible, an "unserved"v1version was declared to Kubernetes, but was unsupported by
Emissary-ingress. That unservedv1could cause an excess of errors to be logged by the
Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y
install); fully supportingv1again should resolve these errors. -
Feature: It is now possible to configure active healhchecking for upstreams within a
Mapping. If
the upstream fails its configured health check then Envoy will mark the upstream as unhealthy and
no longer send traffic to that upstream. Single pods within a group may can be marked as
unhealthy. The healthy pods will continue to receive traffic normally while the unhealthy pods
will not receive any traffic until they recover by passing the health check. -
Feature: The healthcheck server's bind address, bind port and IP family can now be configured
using environment variables:AMBASSADOR_HEALTHCHECK_BIND_ADDRESS: The address to bind the
healthcheck server to.AMBASSADOR_HEALTHCHECK_BIND_PORT: The port to bind the healthcheck
server to.AMBASSADOR_HEALTHCHECK_IP_FAMILY: The IP family to use for the healthcheck
server.
This allows the healthcheck server to be configured to use IPv6-only k8s environments.
(Thanks to Dmitry Golushko!).
-
Feature: This upgrades Emissary-ingress to be built on Envoy v1.24.1. One notable change is that
the team at LightStep and Envoy Maintainers have decided to no longer support the native
LightStep tracing driver in favor of using the Open Telemetry driver. The code for LightStep
driver has been completely removed from Envoy code base so Emissary-ingress will no longer
support it either.
The recommended upgrade path is to leverage a supported Tracing driver such as
Zipkinand use the Open Telemetry Collector to
collect and forward Observabity data to LightStep.
Emissary Ingress Chart 8.4.0
🎉 Emissary Ingress Chart 8.4.0 🎉
Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html
View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md
Emissary Ingress 3.3.1
🎉 Emissary Ingress 3.3.1 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
- Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release.
CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second
one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients.
Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of
Envoy is not affected by either of these.
Emissary Ingress 2.5.1
🎉 Emissary Ingress 2.5.1 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.1/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
-
Feature: Support for the
getambassador.io/v1apiVersion has been re-introduced, in order to
facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations
possible, an "unserved"v1version was declared to Kubernetes, but was unsupported by
Emissary-ingress. That unservedv1could cause an excess of errors to be logged by the
Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y
install); fully supportingv1again should resolve these errors. -
Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release.
CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second
one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients.
Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of
Envoy is not affected by either of these. -
Security: Updated Golang to the latest z patch. We are not vulnerable to the CVE-2022-3602 that
was released in 1.19.3 and you can read more about it here:
https://medium.com/ambassador-api-gateway/ambassador-labs-security-impact-assessment-of-nov-1-openssl-golang-vulnerabilities-f11b5ec37a7e.
Updating to the latest z patch as part of our normal dependency update process and this will help
reduce the noise of security scanners.