
Releases: solo-io/gloo

v1.18.0-beta15

15 Aug 15:46
bc8efcb

Helm Changes

  • Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (#9855)

New Features

  • Expose CorsPolicyMergeSettings on VirtualHostOptions which allows users to specify how to reconcile CORS settings when configured on both Route and VirtualHost. Specifically it is now possible to define a UNION merge strategy for the ExposeHeaders field, resulting in the union of the headers set at Route and VirtualHost level being applied to traffic for the Route. (#7689)

Fixes

v1.17.3

12 Aug 18:27
5e16aa5

Helm Changes

  • Add a new field global.securitySettings.floatingUserId to the Gloo Helm chart that when set to true has the same effect as setting floatingUserId=true for all deployment-specific floatingUserIds, as well as setting discovery.deployment.enablePodSecurityContext=false and gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false to allow for easy OpenShift deployment. The global value will override any local settings. (#5034)

Fixes

  • Provide a Helm field global.securitySettings.floatingUserId to apply floatingUserId logic, which unsets runAsUser for security contexts, for all deployments in the Gloo Helm chart. The global field will also cause templates to be rendered as if deployments with enablePodSecurityContext fields have their value set to false to allow for easy OpenShift deployment. This functionality has also been added to Gloo Gateway via the GatewayParameters resource. If floatingUserId is set in GatewayParameters, it will be applied to all deployments in the Gloo Gateway Helm chart, unless a deployment-specific value is set. (#5034)

v1.18.0-beta14

09 Aug 18:02
e8ea626

Helm Changes

  • Add a new field global.securitySettings.floatingUserId to the Gloo Helm chart that when set to true has the same effect as setting floatingUserId=true for all deployment-specific floatingUserIds, as well as setting discovery.deployment.enablePodSecurityContext=false and gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false to allow for easy OpenShift deployment. The global value will override any local settings. (#5034)
  • Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless). (#9860)

New Features

  • Provide a Helm field global.securitySettings.floatingUserId to apply floatingUserId logic, which unsets runAsUser for security contexts, for all deployments in the Gloo Helm chart. The global field will also cause templates to be rendered as if deployments with enablePodSecurityContext fields have their value set to false to allow for easy OpenShift deployment. This functionality has also been added to Gloo Gateway via the GatewayParameters resource. If floatingUserId is set in GatewayParameters, it will be applied to all deployments in the Gloo Gateway Helm chart, unless a deployment-specific value is set. (#5034)
  • Check the validity of Gloo Gateway License using glooctl license validate --license-key <key>. (#3520)

Fixes

  • Fix a bug that causes edge to try to list endpoints across all namespaces when no upstreams exist. (#5885)

v1.17.2

09 Aug 18:02
6d1b50c

Helm Changes

  • Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless). (#9860)

Fixes

  • Set the 'message' field on various HTTPRoute conditions to enable easier troubleshooting (#9859)
  • gateway2/delegation: fix extraneous route arising from invalid child rule

There's a bug where if a child route contains an invalid rule (rule
not matching the parent matcher), then even though the matcher is
discarded, the rule with an empty matcher but valid backendRef
is returned by GetDelegatedRoutes(). The result is that a /
route is programmed for such an invalid route rule. A more
precise fix is to also prune the rules that do not have a valid
matcher so that we do not rely on the translator to interpret
a route without a valid matcher as '/', which could be an alternative
fix though fragile.

The essence of this fix is to prune both the rules and matches
field on the child route when we process it in the context of the
parent matcher, so that:

  1. invalid matchers on the child route are discarded
  2. invalid rules (no valid child matchers) are also discarded

Previously, 2. was missing so a child route with a rule without
a matcher was configured, which results in a / route being exposed
for the corresponding backendRef. (solo-io/solo-projects#6621)

  • Fix a bug that causes edge to try to list endpoints across all namespaces when no upstreams exist. (#5885)

v1.18.0-beta13

03 Aug 00:42
77b72e6

New Features

  • Introduce API for oneWayTls in UpstreamSslConfig, which enables the capability for an upstream to be configured for one way TLS even if root CA data exists in the secret referenced by the UpstreamSslConfig. This feature does nothing when SDS is configured. (#9826)

v1.18.0-beta12

31 Jul 14:56
cc31de1

Dependency Bumps

  • solo-io/envoy-gloo has been upgraded to v1.30.4-patch2.

New Features

  • gateway2/route-options: merge extensionRef based attachments

Enables merging of multiple ExtensionRef based RouteOption
attachments for a rule within an HTTPRoute. (solo-io/solo-projects#6675)

v1.18.0-beta11

26 Jul 18:09
02d48c6

Fixes

There's a bug where if a child route contains an invalid rule (rule
not matching the parent matcher), then even though the matcher is
discarded, the rule with an empty matcher but valid backendRef
is returned by GetDelegatedRoutes(). The result is that a /
route is programmed for such an invalid route rule. A more
precise fix is to also prune the rules that do not have a valid
matcher so that we do not rely on the translator to interpret
a route without a valid matcher as '/', which could be an alternative
fix though fragile.

The essence of this fix is to prune both the rules and matches
field on the child route when we process it in the context of the
parent matcher, so that:

  1. invalid matchers on the child route are discarded
  2. invalid rules (no valid child matchers) are also discarded

Previously, 2. was missing so a child route with a rule without
a matcher was configured, which results in a / route being exposed
for the corresponding backendRef. (solo-io/solo-projects#6621)
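
The two pruning steps from the delegation fix above, shown as an added Go sketch that is not the project's own code. The `Rule` type, the function names and the path-prefix-only matching model are assumptions made for illustration; passing `dropEmptyRules=false` reproduces the behaviour before the fix, where a rule with no valid matcher survives and would be programmed as `/`.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a hypothetical, simplified HTTPRoute rule: path-prefix matchers
// plus the backend the rule forwards to.
type Rule struct {
	Matches    []string
	BackendRef string
}

// PruneChildRules drops child matchers outside the parent prefix (step 1).
// With dropEmptyRules set it also drops rules left without any valid
// matcher (step 2); without it such rules survive with empty Matches.
func PruneChildRules(parent string, rules []Rule, dropEmptyRules bool) []Rule {
	p := strings.TrimSuffix(parent, "/") // assumed model: segment-aware path prefix
	var out []Rule
	for _, r := range rules {
		var valid []string
		for _, m := range r.Matches {
			if m == p || strings.HasPrefix(m, p+"/") {
				valid = append(valid, m)
			}
		}
		if len(valid) == 0 && dropEmptyRules {
			continue
		}
		out = append(out, Rule{Matches: valid, BackendRef: r.BackendRef})
	}
	return out
}

// ExposedAsRoot lists backends of rules that have no matcher left, i.e. the
// rules a translator would interpret as "/".
func ExposedAsRoot(rules []Rule) (backends []string) {
	for _, r := range rules {
		if len(r.Matches) == 0 {
			backends = append(backends, r.BackendRef)
		}
	}
	return backends
}

func main() {
	// Constructed sample: the parent delegates /a; the second child rule is invalid.
	child := []Rule{{[]string{"/a/1", "/b/1"}, "svc-a"}, {[]string{"/b/2"}, "svc-b"}}
	fmt.Println("step 1 only:", ExposedAsRoot(PruneChildRules("/a", child, false)))
	fmt.Println("steps 1+2:  ", ExposedAsRoot(PruneChildRules("/a", child, true)))
}
```

A check like `ExposedAsRoot` over the delegated rules is a quick way to confirm that no backendRef ends up reachable at `/` after an upgrade.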

v1.17.1

23 Jul 15:52
ac58c94

Fixes

  • Fix a bug where the service and function names of a discovered gRPC service are not printed in JSON and YAML
    output when running glooctl get upstreams (#9743)

v1.15.30

23 Jul 20:16
9499985

Fixes

  • Fix a bug where the service and function names of a discovered gRPC service are not printed in JSON and YAML
    output when running glooctl get upstreams (#9743)
  • Infer the gloo deployment name in cases where the deployment name is not the default gloo. The gloo deployment is identified by the gloo=gloo label. (#9163)
  • Optimizes the glooctl check command by reducing the time taken to check resources by almost half in large environments consisting of over 500 namespaces (#9673)
  • Fix a bug where the service and function names of a discovered gRPC service are not printed when running glooctl get upstreams (#9644)

v1.18.0-beta10

23 Jul 13:12
3ad2c1b

Fixes

  • Add AssertEventualCurlError assertion for kubernetes e2e tests to assert that a curl command eventually fails. This is useful for validating that a route is not reachable/a deletion has taken effect. (solo-io/solo-projects#6437)
  • Fix a bug where the service and function names of a discovered gRPC service are not printed in JSON and YAML
    output when running glooctl get upstreams (#9743)