From 6dd2dd6efe022dd818d4102b30061deb17b8c05c Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Fri, 25 Mar 2022 17:34:30 -0600 Subject: [PATCH 01/55] OAuth2: Fix a bug with setting the Secure flag for cookies incorrectly (cherry picked from commit a8803c837b0cc2d43baa35e267d124082a119bcb) Signed-off-by: Flynn --- CHANGELOG.md | 20 ++++++++++++++++++++ docs/releaseNotes.yml | 22 ++++++++++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f91c343..83e317f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,6 +77,26 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES +## [3.1.0] TBD +[3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 + +## Ambassador Edge Stack + +- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" + flag to true for `https://` origins and false for `http://` origins. However, for filters with + multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather + than the origin that the cookie is actually for. + +## [2.3.2] TBD +[2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 + +## Ambassador Edge Stack + +- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" + flag to true for `https://` origins and false for `http://` origins. However, for filters with + multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather + than the origin that the cookie is actually for. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 0270ce9..3c2a701 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -32,6 +32,28 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: + - version: 3.1.0 + date: 'TBD' + notes: + - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins + type: bugfix + body: >- + When an OAuth2 filter sets cookies for a protectedOrigin, it + should set a cookie's "Secure" flag to true for https:// origins and false + for http:// origins. However, for filters with multiple origins, it set the + cookie's flag based on the first origin listen in the Filter, rather than the origin that + the cookie is actually for. + - version: 2.3.2 + date: 'TBD' + notes: + - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins + type: bugfix + body: >- + When an OAuth2 filter sets cookies for a protectedOrigin, it + should set a cookie's "Secure" flag to true for https:// origins and false + for http:// origins. However, for filters with multiple origins, it set the + cookie's flag based on the first origin listen in the Filter, rather than the origin that + the cookie is actually for. - version: 3.0.0 date: '2022-06-29' notes: From 797dec59ec8e5b6acc98bc8903cd540cdc56e0f7 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Tue, 29 Mar 2022 15:15:45 -0600 Subject: [PATCH 02/55] OAuth2: authz_code: Fix a bug with editing cookies with multiple origins (cherry picked from commit 3acb3de2b805b443498aa48e9bda0f262fdcdf31) Signed-off-by: Flynn --- CHANGELOG.md | 10 ++++++++++ docs/releaseNotes.yml | 14 ++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83e317f..40ab947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -87,6 +87,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. +- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active + login (which only happens when using a refresh token), it would erroneously redirect the web + browser to the last origin listed, rather than returning to the original URL. This has been + fixed. + ## [2.3.2] TBD [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 @@ -97,6 +102,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. +- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active + login (which only happens when using a refresh token), it would erroneously redirect the web + browser to the last origin listed, rather than returning to the original URL. This has been + fixed. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 3c2a701..13749ec 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -43,6 +43,13 @@ items: for http:// origins. However, for filters with multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. + - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins + type: bugfix + body: >- + When an OAuth2 filter with multiple protectedOrigins needs to + adjust the cookies for an active login (which only happens when using a refresh token), it + would erroneously redirect the web browser to the last origin listed, rather than + returning to the original URL. This has been fixed. - version: 2.3.2 date: 'TBD' notes: @@ -54,6 +61,13 @@ items: for http:// origins. However, for filters with multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. + - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins + type: bugfix + body: >- + When an OAuth2 filter with multiple protectedOrigins needs to + adjust the cookies for an active login (which only happens when using a refresh token), it + would erroneously redirect the web browser to the last origin listed, rather than + returning to the original URL. This has been fixed. - version: 3.0.0 date: '2022-06-29' notes: From 23eb3bf6caeee466ea4986ffd29fc851703de5f7 Mon Sep 17 00:00:00 2001 
From: Flynn Date: Tue, 22 Mar 2022 17:33:05 -0400 Subject: [PATCH 03/55] OAuth2: Make sure we actually handle CORS requests for known filter endpoints. Add support for handling CORS request and CORS preflight request on the known endpoints for `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicooke`. The appropriate CORS headers are added to the response. We ensure that the `Access-Control-Allow-Origin` header is set because some browsers are more strict than others. In certain versions of Safari we have witnessed not including the origin to cause Safari to reject the CORS request. While we respond to both CORS preflights and to CORS requests, we generally do _not_ allow configuring the response: when the OAuth2 filter is in play, there's pretty much only one Right Way to Respond. Co-authored-by: Lance Austin Signed-off-by: Flynn --- CHANGELOG.md | 10 ++++++++++ docs/releaseNotes.yml | 14 ++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40ab947..62d0875 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -92,6 +92,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest browser to the last origin listed, rather than returning to the original URL. This has been fixed. +- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and + `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would + cause the browser to reject the request. This has now been fixed and these endpoints will attach + the appropriate CORS headers to the response. + ## [2.3.2] TBD [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 
@@ -107,6 +112,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest browser to the last origin listed, rather than returning to the original URL. This has been fixed. +- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and + `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would + cause the browser to reject the request. This has now been fixed and these endpoints will attach + the appropriate CORS headers to the response. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 13749ec..d53d292 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -50,6 +50,13 @@ items: adjust the cookies for an active login (which only happens when using a refresh token), it would erroneously redirect the web browser to the last origin listed, rather than returning to the original URL. This has been fixed. + - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints + type: bugfix + body: >- + Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout + and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request + which would cause the browser to reject the request. This has now been fixed and these endpoints will + attach the appropriate CORS headers to the response. - version: 2.3.2 date: 'TBD' notes: 
@@ -68,6 +75,13 @@ items: adjust the cookies for an active login (which only happens when using a refresh token), it would erroneously redirect the web browser to the last origin listed, rather than returning to the original URL. This has been fixed. + - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints + type: bugfix + body: >- + Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout + and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request + which would cause the browser to reject the request. This has now been fixed and these endpoints will + attach the appropriate CORS headers to the response. - version: 3.0.0 date: '2022-06-29' notes: From d609c70f4a361185c0bf3428bce5cee9bf63592b Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Fri, 25 Mar 2022 17:34:30 -0600 Subject: [PATCH 04/55] OAuth2: Fix a bug with setting the Secure flag for cookies incorrectly (cherry picked from commit a8803c837b0cc2d43baa35e267d124082a119bcb) Signed-off-by: Flynn (cherry picked from commit 1fc6113f1e9d85353f43298bd1f43d29dfe640ac) --- CHANGELOG.md | 46 ++++++++++++++++++++++++++++++++++ docs/releaseNotes.yml | 57 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd95611..83e317f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -77,6 +77,52 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES +## [3.1.0] TBD +[3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 + +## Ambassador Edge Stack + +- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" + flag to true for `https://` origins and false for `http://` origins. However, for filters with + multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather + than the origin that the cookie is actually for. + +## [2.3.2] TBD +[2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 + +## Ambassador Edge Stack + +- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" + flag to true for `https://` origins and false for `http://` origins. However, for filters with + multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather + than the origin that the cookie is actually for. + +## [3.0.0] 2022-06-29 +[3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 + +## Ambassador Edge Stack + +- Change: Ambassador Edge Stack is now built on top of Emissary-ingress 3.0.0 which updates Envoy Proxy from + v1.17 to v1.22. This provides Ambassador Edge Stack with the latest security patches, + performances enhancments, and features offered by Envoy Proxy. One notable change that will + effect users is the removal of support for the V2 xDS tranport protocol. See the Emissary-ingress + changelog for more details. + +- Change: In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached to request. + First, the `:scheme` header is now attached to upstream requests over HTTP/1.1 to align with + http/2 and is used by HTTP Filters. The second behavior change is that the `content-length: 0` + will no longer be added to upstream request that have no body. 
+ +- Change: Ambassador Edge Stack no longer supports the xDS V2 transport protocol. `ExternalFilter`s + targeting `grpc` must not explicitly set the `protocol_version` to `v3`. If not set or if using an + unsupported protocol_version then an error will be returned. Before upgrading to 3.0.0 you should + ugrade to Ambassador Edge Stack v2.3 and test that your `ExternalFilter` works with the xDS v3 + transport protocol. + +- Change: Since Ambassador Edge Stack no longer supports the xDS V2 transport protocol, the default Helm + Charts and Manifest explicilty set `protocol_version` to `v3` for the `RateLimitService` and + `AuthService` provided by Ambassador Edge Stack. + ## [2.3.1] 2022-06-09 [2.3.1]: https://github.com/datawire/edge-stack/releases/v2.3.1 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 51caada..3c2a701 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -32,6 +32,63 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: + - version: 3.1.0 + date: 'TBD' + notes: + - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins + type: bugfix + body: >- + When an OAuth2 filter sets cookies for a protectedOrigin, it + should set a cookie's "Secure" flag to true for https:// origins and false + for http:// origins. However, for filters with multiple origins, it set the + cookie's flag based on the first origin listen in the Filter, rather than the origin that + the cookie is actually for. + - version: 2.3.2 + date: 'TBD' + notes: + - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins + type: bugfix + body: >- + When an OAuth2 filter sets cookies for a protectedOrigin, it + should set a cookie's "Secure" flag to true for https:// origins and false + for http:// origins. However, for filters with multiple origins, it set the + cookie's flag based on the first origin listen in the Filter, rather than the origin that + the cookie is actually for. + - version: 3.0.0 + date: '2022-06-29' + notes: + - title: upgrade to Emissary-ingress 3.0.0 + type: change + body: >- + $productName$ is now built on top of Emissary-ingress 3.0.0 which updates + Envoy Proxy from v1.17 to v1.22. This provides $productName$ with the latest + security patches, performances enhancments, and features offered by Envoy Proxy. + One notable change that will effect users is the removal of support for + the V2 xDS tranport protocol. See the Emissary-ingress changelog for more details. + docs: https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md + - title: Envoy http header behavior change + type: change + body: >- + In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached + to request. First, the `:scheme` header is now attached to upstream requests over + HTTP/1.1 to align with http/2 and is used by HTTP Filters. 
The second behavior change + is that the `content-length: 0` will no longer be added to upstream request that + have no body. + docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.18/v1.18.0.html + - title: Remove xDS V2 support in ExternalFilter + type: change + body: >- + $productName$ no longer supports the xDS V2 transport protocol. `ExternalFilter`s + targeting grpc must not explicitly set the protocol_version + to v3. If not set or if using an unsupported protocol_version then an + error will be returned. Before upgrading to 3.0.0 you should ugrade to $productName$ v2.3 + and test that your ExternalFilter works with the xDS v3 transport protocol. + - title: Helm chart and manifest set protocol_version to v3 + type: change + body: >- + Since $productName$ no longer supports the xDS V2 transport protocol, the default Helm + Charts and Manifest explicilty set protocol_version to v3 for + the RateLimitService and AuthService provided by $productName$. - version: 2.3.1 date: '2022-06-09' notes: From f99ae2639dd032ae8b59050b6300e59a90577142 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Tue, 29 Mar 2022 15:15:45 -0600 Subject: [PATCH 05/55] OAuth2: authz_code: Fix a bug with editing cookies with multiple origins (cherry picked from commit 3acb3de2b805b443498aa48e9bda0f262fdcdf31) Signed-off-by: Flynn (cherry picked from commit 73826f3812cf63abb5a8f7921553085aa66c68df) --- CHANGELOG.md | 10 ++++++++++ docs/releaseNotes.yml | 14 ++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83e317f..40ab947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -87,6 +87,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. +- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active + login (which only happens when using a refresh token), it would erroneously redirect the web + browser to the last origin listed, rather than returning to the original URL. This has been + fixed. + ## [2.3.2] TBD [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 @@ -97,6 +102,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. +- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active + login (which only happens when using a refresh token), it would erroneously redirect the web + browser to the last origin listed, rather than returning to the original URL. This has been + fixed. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 3c2a701..13749ec 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -43,6 +43,13 @@ items: for http:// origins. However, for filters with multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. + - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins + type: bugfix + body: >- + When an OAuth2 filter with multiple protectedOrigins needs to + adjust the cookies for an active login (which only happens when using a refresh token), it + would erroneously redirect the web browser to the last origin listed, rather than + returning to the original URL. This has been fixed. - version: 2.3.2 date: 'TBD' notes: @@ -54,6 +61,13 @@ items: for http:// origins. However, for filters with multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather than the origin that the cookie is actually for. + - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins + type: bugfix + body: >- + When an OAuth2 filter with multiple protectedOrigins needs to + adjust the cookies for an active login (which only happens when using a refresh token), it + would erroneously redirect the web browser to the last origin listed, rather than + returning to the original URL. This has been fixed. - version: 3.0.0 date: '2022-06-29' notes: From 5424b42ed999ebec157bf2f3b320068ccfcaee16 Mon Sep 17 00:00:00 2001 
From: Flynn Date: Tue, 22 Mar 2022 17:33:05 -0400 Subject: [PATCH 06/55] OAuth2: Make sure we actually handle CORS requests for known filter endpoints. Add support for handling CORS request and CORS preflight request on the known endpoints for `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicooke`. The appropriate CORS headers are added to the response. We ensure that the `Access-Control-Allow-Origin` header is set because some browsers are more strict than others. In certain versions of Safari we have witnessed not including the origin to cause Safari to reject the CORS request. While we respond to both CORS preflights and to CORS requests, we generally do _not_ allow configuring the response: when the OAuth2 filter is in play, there's pretty much only one Right Way to Respond. Co-authored-by: Lance Austin Signed-off-by: Flynn (cherry picked from commit d2a22ec493d1d5e3986a93cbaef45eef847875fe) --- CHANGELOG.md | 10 ++++++++++ docs/releaseNotes.yml | 14 ++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40ab947..62d0875 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -92,6 +92,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest browser to the last origin listed, rather than returning to the original URL. This has been fixed. +- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and + `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would + cause the browser to reject the request. This has now been fixed and these endpoints will attach + the appropriate CORS headers to the response. + ## [2.3.2] TBD [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 
@@ -107,6 +112,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest browser to the last origin listed, rather than returning to the original URL. This has been fixed. +- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and + `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would + cause the browser to reject the request. This has now been fixed and these endpoints will attach + the appropriate CORS headers to the response. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 13749ec..d53d292 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -50,6 +50,13 @@ items: adjust the cookies for an active login (which only happens when using a refresh token), it would erroneously redirect the web browser to the last origin listed, rather than returning to the original URL. This has been fixed. + - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints + type: bugfix + body: >- + Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout + and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request + which would cause the browser to reject the request. This has now been fixed and these endpoints will + attach the appropriate CORS headers to the response. - version: 2.3.2 date: 'TBD' notes: 
@@ -68,6 +75,13 @@ items: adjust the cookies for an active login (which only happens when using a refresh token), it would erroneously redirect the web browser to the last origin listed, rather than returning to the original URL. This has been fixed. + - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints + type: bugfix + body: >- + Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout + and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request + which would cause the browser to reject the request. This has now been fixed and these endpoints will + attach the appropriate CORS headers to the response. - version: 3.0.0 date: '2022-06-29' notes: From dc3bb5a6f117608d5cf7edc15043511be852568a Mon Sep 17 00:00:00 2001 
From: Lance Austin Date: Sun, 17 Jul 2022 00:17:50 -0500 Subject: [PATCH 07/55] oauth2: add radix v4 support This adds a dependency on the latest radix v4 library. A dependency on the radix v2 library will still exist until the other areas of the codebase have shifted over to the v4 library. To ensure we are not breaking existing customers, a feature flag will need to be set to opt-in to using the experimental redis driver. Setting `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` will use the new library for the Auth Filters (OAuth2). Currently, it piggy backs off the original environment config fields for Redis. This has the advantage of keeping doc changes simple, and manifest changes minimal. The tradeoff with this decision is that settings are shared with the v2 redisPools which means they cannot be tuned separately. Note: it will also do it for the `acmeclient.challengerHandler` due to the way that this is created within the FilterMux. Unit tests have been added to ensure behavior and future work will port the other parts of the acmeclient over to the new library. Two other notable items are: 1. poolSize of 0 is not allowed, will fallback to a default 2. These config fields are ignored and have no effect for v4: - SurgePoolSize - SurgePoolDrainInterval - SurgeLimitAfter - SurgeLimitInterval Signed-off-by: Lance Austin --- CHANGELOG.md | 12 ++++++++++++ docs/releaseNotes.yml | 15 +++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62d0875..a62dc77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -97,6 +97,18 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. +- Feature: A new opt-in feature flag has been added that allows Ambassador Edge Stack to use a new Redis + driver when storing state between requests for the Authentication Filters. The new driver has + better connection pool handling, shares connections and supports the Redis RESP3 protocol. +Set + `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` to enable the experimental feature. Most of the + standard Redis configuration fields (e.g.`REDIS_*`) can be used with the driver. Due to the + drivers better connection handling it no longer supports setting `REDIS_SURGE_LIMIT_INTERVAL`, + `REDIS_SURGE_LIMIT_AFTER`, `REDIS_SURGE_POOL_SIZE`, `REDIS_SURGE_POOL_DRAIN_INTERVAL`. +Note: Other + Ambassador Edge Stack features such as the `RateLimitService` will continue to use the current + Redis driver and in future releases we plan to roll out the new driver for those features as well. + ## [2.3.2] TBD [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index d53d292..fc3a318 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -57,6 +57,21 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. + - title: A new experimental Redis driver for use with Authentication Filters + type: feature + body: >- + A new opt-in feature flag has been added that allows $productName$ to use a new Redis + driver when storing state between requests for the Authentication Filters. The new driver has + better connection pool handling, shares connections and supports the Redis RESP3 protocol. + + Set AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true to enable the experimental feature. + Most of the standard Redis configuration fields (e.g.REDIS_*) can be used with the driver. + Due to the drivers better connection handling it no longer supports setting + REDIS_SURGE_LIMIT_INTERVAL, REDIS_SURGE_LIMIT_AFTER, REDIS_SURGE_POOL_SIZE, + REDIS_SURGE_POOL_DRAIN_INTERVAL. + + Note: Other $productName$ features such as the RateLimitService will continue to use the current + Redis driver and in future releases we plan to roll out the new driver for those features as well. - version: 2.3.2 date: 'TBD' notes: From ddb2e3d681d8f5b028006e5334ed55de7c83b85a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Lambert?= Date: Tue, 28 Jun 2022 15:12:30 -0400 Subject: [PATCH 08/55] Add a new type of filter to validate API Keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Lambert --- CHANGELOG.md | 3 ++ docs/releaseNotes.yml | 6 +++ manifests/edge-stack/aes-crds.yaml | 63 ++++++++++++++++++++++++++++++ 3 files changed, 72 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a62dc77..2b9ea39 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -129,6 +129,9 @@ Note: Other cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. +- Feature: You can now define a new type of filter to enforce API Keys on top of your services, and provide a + Kubernetes secrets as a source for the list of all the keys. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index fc3a318..ed2d800 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -97,6 +97,12 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. + - title: Add a new API Key filter + type: feature + body: >- + You can now define a new type of filter to enforce API Keys on top of your services, + and provide a Kubernetes secrets as a source for the list of all the keys. + - version: 3.0.0 date: '2022-06-29' notes: diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index bdd9045..3b26b0a 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -286,6 +286,27 @@ spec: type: object spec: properties: + APIKey: + description: FilterAPIKey enforce a set of API Keys. + properties: + httpHeader: + type: string + keys: + items: + description: APIKeyItem defines an API Key, and the secrets + it is based on. + properties: + secretName: + type: string + secretNamespace: + type: string + value: + type: string + type: object + type: array + required: + - keys + type: object External: description: FilterExternal closely mimics AuthService.getambassador.io. properties: 
@@ -589,6 +610,27 @@ spec: type: object spec: properties: + APIKey: + description: FilterAPIKey enforce a set of API Keys. + properties: + httpHeader: + type: string + keys: + items: + description: APIKeyItem defines an API Key, and the secrets + it is based on. + properties: + secretName: + type: string + secretNamespace: + type: string + value: + type: string + type: object + type: array + required: + - keys + type: object External: description: FilterExternal closely mimics AuthService.getambassador.io. properties: @@ -897,6 +939,27 @@ spec: type: object spec: properties: + APIKey: + description: FilterAPIKey enforce a set of API Keys. + properties: + httpHeader: + type: string + keys: + items: + description: APIKeyItem defines an API Key, and the secrets + it is based on. + properties: + secretName: + type: string + secretNamespace: + type: string + value: + type: string + type: object + type: array + required: + - keys + type: object External: description: FilterExternal closely mimics AuthService.getambassador.io. properties: From 321df466d3f41fa1f906795c1cb3785ac6fe728b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Lambert?= Date: Mon, 11 Jul 2022 17:17:57 -0400 Subject: [PATCH 09/55] Remove API Keys from beta & cross namespace support --- manifests/edge-stack/aes-crds.yaml | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 3b26b0a..cc9286a 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml 
@@ -286,27 +286,6 @@ spec: type: object spec: properties: - APIKey: - description: FilterAPIKey enforce a set of API Keys. - properties: - httpHeader: - type: string - keys: - items: - description: APIKeyItem defines an API Key, and the secrets - it is based on. - properties: - secretName: - type: string - secretNamespace: - type: string - value: - type: string - type: object - type: array - required: - - keys - type: object External: description: FilterExternal closely mimics AuthService.getambassador.io. properties: @@ -622,10 +601,6 @@ spec: properties: secretName: type: string - secretNamespace: - type: string - value: - type: string type: object type: array required: @@ -951,10 +926,6 @@ spec: properties: secretName: type: string - secretNamespace: - type: string - value: - type: string type: object type: array required: From be13cb1411aba5d7be12febdb32ee541d87bc342 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Lambert?= Date: Tue, 12 Jul 2022 10:59:12 -0400 Subject: [PATCH 10/55] Prefix APIKey option with v3 in v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Lambert --- manifests/edge-stack/aes-crds.yaml | 34 +++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index cc9286a..b6e1719 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -589,23 +589,6 @@ spec: type: object spec: properties: - APIKey: - description: FilterAPIKey enforce a set of API Keys. - properties: - httpHeader: - type: string - keys: - items: - description: APIKeyItem defines an API Key, and the secrets - it is based on. - properties: - secretName: - type: string - type: object - type: array - required: - - keys - type: object External: description: FilterExternal closely mimics AuthService.getambassador.io. properties: 
@@ -891,6 +874,23 @@ spec: name: type: string type: object + v3APIKey: + description: FilterAPIKey enforce a set of API Keys. + properties: + httpHeader: + type: string + keys: + items: + description: APIKeyItem defines an API Key, and the secrets + it is based on. + properties: + secretName: + type: string + type: object + type: array + required: + - keys + type: object type: object x-kubernetes-preserve-unknown-fields: true type: object From c82b10279441b6196357b728a00fd3905f53de6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Lambert?= Date: Wed, 20 Jul 2022 15:51:55 -0400 Subject: [PATCH 11/55] Various optimizations, code style fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Lambert --- docs/releaseNotes.yml | 1 + manifests/edge-stack/aes-crds.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index ed2d800..12bb369 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -102,6 +102,7 @@ items: body: >- You can now define a new type of filter to enforce API Keys on top of your services, and provide a Kubernetes secrets as a source for the list of all the keys. + docs: topics/using/filters/apikeys - version: 3.0.0 date: '2022-06-29' diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index b6e1719..6076eac 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -881,8 +881,8 @@ spec: type: string keys: items: - description: APIKeyItem defines an API Key, and the secrets - it is based on. + description: APIKeyItem defines how to resolve the values of + the keys. properties: secretName: type: string 
@@ -921,8 +921,8 @@ spec: type: string keys: items: - description: APIKeyItem defines an API Key, and the secrets - it is based on. + description: APIKeyItem defines how to resolve the values of + the keys. properties: secretName: type: string From e049132faa50fd137679022154765e6b09abb769 Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Thu, 21 Jul 2022 13:30:47 -0500 Subject: [PATCH 12/55] deps: update emissary-ingress This updates our dependency to emissary-ingress with the recently back ported kat splits on the oss side. Includes changes from `make generate`. Signed-off-by: Lance Austin --- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index c5e5e97..67d53d0 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts - version: 7.4.1 -digest: sha256:5f56b81953aa28c6564dc9891ab8000fa685a4c45a224279cbdde434c06b3dd4 -generated: "2022-06-10T11:40:32.354171948-07:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 7.4.2-0.20220721174626-139a164a1c70 +digest: sha256:ccd57c0b7d1b0158afa4722b7d887ac1ea18fc8e58d491cdb88da0818416e11f +generated: "2022-07-21T13:17:51.224447-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 5814237..a506daa 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.4.1 - repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 7.4.2-0.20220721174626-139a164a1c70 + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From a402b92c94aad70b9ecb914b8dd6e8dbc45beb76 Mon Sep 17 00:00:00 2001 
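Review bot: The Chart.lock and Chart.yaml hunks move the `emissary-ingress` dependency from the `datawire-static-files/charts` repository to `datawire-static-files/charts-dev` and pin the pseudo-version `7.4.2-0.20220721174626-139a164a1c70`, but the commit message only says the dependency is updated. State in the message that the chart now resolves from the dev repository, and track switching back to the release repository and a tagged version before the chart is published.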
From: Hamzah Qudsi Date: Tue, 26 Jul 2022 16:34:55 -0400 Subject: [PATCH 13/55] [2.3.2] RC.0 Preparations --- CHANGELOG.md | 54 +++---------- VERSION | 2 +- charts/edge-stack/CHANGELOG.md | 3 + charts/edge-stack/Chart.yaml | 4 +- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 78 ++++++------------- .../edge-stack/aes-ambassadorns-agent.yaml | 2 +- .../aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- .../edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 +- .../edge-stack/aes-emissaryns-agent.yaml | 2 +- .../edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 +- manifests/edge-stack/aes.yaml | 4 +- 17 files changed, 57 insertions(+), 116 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62d0875..9364ae8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,8 +77,8 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES -## [3.1.0] TBD -[3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 +## [2.3.2] 2022-08-01 +[2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 ## Ambassador Edge Stack 
@@ -97,51 +97,21 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. -## [2.3.2] TBD -[2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 - -## Ambassador Edge Stack - -- Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" - flag to true for `https://` origins and false for `http://` origins. However, for filters with - multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather - than the origin that the cookie is actually for. +- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. -- Bugfix: When an `OAuth2` filter with multiple `protectedOrigins` needs to adjust the cookies for an active - login (which only happens when using a refresh token), it would erroneously redirect the web - browser to the last origin listed, rather than returning to the original URL. This has been - fixed. +- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. -- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and - `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would - cause the browser to reject the request. This has now been fixed and these endpoints will attach - the appropriate CORS headers to the response. +- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. 
-## [3.0.0] 2022-06-29 -[3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 +- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. -## Ambassador Edge Stack +- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 -- Change: Ambassador Edge Stack is now built on top of Emissary-ingress 3.0.0 which updates Envoy Proxy from - v1.17 to v1.22. This provides Ambassador Edge Stack with the latest security patches, - performances enhancments, and features offered by Envoy Proxy. One notable change that will - effect users is the removal of support for the V2 xDS tranport protocol. See the Emissary-ingress - changelog for more details. - -- Change: In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached to request. - First, the `:scheme` header is now attached to upstream requests over HTTP/1.1 to align with - http/2 and is used by HTTP Filters. The second behavior change is that the `content-length: 0` - will no longer be added to upstream request that have no body. - -- Change: Ambassador Edge Stack no longer supports the xDS V2 transport protocol. `ExternalFilter`s - targeting `grpc` must not explicitly set the `protocol_version` to `v3`. If not set or if using an - unsupported protocol_version then an error will be returned. Before upgrading to 3.0.0 you should - ugrade to Ambassador Edge Stack v2.3 and test that your `ExternalFilter` works with the xDS v3 - transport protocol. - -- Change: Since Ambassador Edge Stack no longer supports the xDS V2 transport protocol, the default Helm - Charts and Manifest explicilty set `protocol_version` to `v3` for the `RateLimitService` and - `AuthService` provided by Ambassador Edge Stack. +- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. ## [2.3.1] 2022-06-09 [2.3.1]: https://github.com/datawire/edge-stack/releases/v2.3.1 diff --git a/VERSION b/VERSION index 2bf1c1c..5459e30 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.1 +2.3.2-rc.0 
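Review bot: In the CHANGELOG.md security entries, the ncurses line gives the version as `1.1.1q-r0`, the same string as the openSSL-dev entry directly before it, which looks like a copy-paste; confirm the ncurses package version that actually ships and correct it here and in the matching docs/releaseNotes.yml entry. The jwt-go entry says "latest commit" without naming it, so a reader cannot check which revision carries the fix for CVE-2020-26160; give the commit or version.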
diff --git a/charts/edge-stack/CHANGELOG.md b/charts/edge-stack/CHANGELOG.md index b24037a..bc162b9 100644 --- a/charts/edge-stack/CHANGELOG.md +++ b/charts/edge-stack/CHANGELOG.md @@ -3,6 +3,9 @@ This file documents all notable changes to Edge Stack Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v7.4.2 +- Update Edge Stack chart image to version v2.3.2: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) + ## v7.4.1 - Update Edge Stack chart image to version v2.3.1: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index a506daa..49a94c3 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.3.1 +appVersion: 2.3.2-rc.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.4.1 +version: 7.4.2-rc.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 6d4849c..c3b8330 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.3.1 + tag: 2.3.2-rc.0 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index d53d292..a83e13c 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -32,8 +32,8 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: - - version: 3.1.0 - date: 'TBD' + - version: 2.3.2 + date: '2022-08-01' notes: - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins type: bugfix 
@@ -57,66 +57,34 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. - - version: 2.3.2 - date: 'TBD' - notes: - - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins - type: bugfix - body: >- - When an OAuth2 filter sets cookies for a protectedOrigin, it - should set a cookie's "Secure" flag to true for https:// origins and false - for http:// origins. However, for filters with multiple origins, it set the - cookie's flag based on the first origin listen in the Filter, rather than the origin that - the cookie is actually for. - - title: Correctly handle refresh tokens for OAuth2 filters with multiple origins + - title: Fix regression in the agent for the metrics transfer. type: bugfix body: >- - When an OAuth2 filter with multiple protectedOrigins needs to - adjust the cookies for an active login (which only happens when using a refresh token), it - would erroneously redirect the web browser to the last origin listed, rather than - returning to the original URL. This has been fixed. - - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints - type: bugfix + A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + - title: Update Golang to 1.17.12 + type: security body: >- - Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout - and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request - which would cause the browser to reject the request. This has now been fixed and these endpoints will - attach the appropriate CORS headers to the response. 
- - version: 3.0.0 - date: '2022-06-29' - notes: - - title: upgrade to Emissary-ingress 3.0.0 - type: change + Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + - title: Update Curl to 7.80.0-r2 + type: security body: >- - $productName$ is now built on top of Emissary-ingress 3.0.0 which updates - Envoy Proxy from v1.17 to v1.22. This provides $productName$ with the latest - security patches, performances enhancments, and features offered by Envoy Proxy. - One notable change that will effect users is the removal of support for - the V2 xDS tranport protocol. See the Emissary-ingress changelog for more details. - docs: https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md - - title: Envoy http header behavior change - type: change + Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + - title: Update openSSL-dev to 1.1.1q-r0 + type: security body: >- - In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached - to request. First, the `:scheme` header is now attached to upstream requests over - HTTP/1.1 to align with http/2 and is used by HTTP Filters. The second behavior change - is that the `content-length: 0` will no longer be added to upstream request that - have no body. - docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.18/v1.18.0.html - - title: Remove xDS V2 support in ExternalFilter - type: change + Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + - title: Update ncurses to 1.1.1q-r0 + type: security body: >- - $productName$ no longer supports the xDS V2 transport protocol. `ExternalFilter`s - targeting grpc must not explicitly set the protocol_version - to v3. If not set or if using an unsupported protocol_version then an - error will be returned. 
Before upgrading to 3.0.0 you should ugrade to $productName$ v2.3 - and test that your ExternalFilter works with the xDS v3 transport protocol. - - title: Helm chart and manifest set protocol_version to v3 - type: change + Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + - title: Upgrade jwt-go + type: security body: >- - Since $productName$ no longer supports the xDS V2 transport protocol, the default Helm - Charts and Manifest explicilty set protocol_version to v3 for - the RateLimitService and AuthService provided by $productName$. + Upgrade jwt-go to latest commit to resolve CVE-2020-26160. - version: 2.3.1 date: '2022-06-09' notes: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 6fa8381..d6e80d6 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index d1c56d6..cf39404 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 37adbd7..9d120ec 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml 
@@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 591ffdf..0af2b5c 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5612,7 +5612,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index c67f8e5..21e7a2a 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index d153bee..2426439 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 30ff1de..3244d0b 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml 
@@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 980b74c..c532d22 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 116f5d5..170f909 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index e922211..5c07b5a 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http 
diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 37adbd7..9d120ec 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.1 + image: docker.io/datawire/aes:2.3.2-rc.0 imagePullPolicy: IfNotPresent ports: - name: http From f4e90ba537892d9ac1149dee2466a8c2a259a15c Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Tue, 26 Jul 2022 18:17:51 -0400 Subject: [PATCH 14/55] make generate --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 67d53d0..aff9c05 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.4.2-0.20220721174626-139a164a1c70 -digest: sha256:ccd57c0b7d1b0158afa4722b7d887ac1ea18fc8e58d491cdb88da0818416e11f -generated: "2022-07-21T13:17:51.224447-05:00" + version: 7.4.2-rc.0 +digest: sha256:ac3c53eff334a0b9468f372b10802f5e7e390126099134ea10cf6cdee92ebc9c +generated: "2022-07-26T18:12:19.234322741-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 49a94c3..f483003 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.4.2-0.20220721174626-139a164a1c70 + version: 7.4.2-rc.0 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From b36c2217785df0b4c45ea22cf911ce1b4b0094e2 Mon Sep 17 00:00:00 2001 
From: Hamzah Qudsi Date: Wed, 27 Jul 2022 12:45:37 -0400 Subject: [PATCH 15/55] [2.3.2] RC.1 Prepartions --- VERSION | 2 +- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 6 +++--- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 15 files changed, 23 insertions(+), 23 deletions(-) diff --git a/VERSION b/VERSION index 5459e30..1c7d8c6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.2-rc.0 +2.3.2-rc.1 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index aff9c05..5d9b254 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.4.2-rc.0 -digest: sha256:ac3c53eff334a0b9468f372b10802f5e7e390126099134ea10cf6cdee92ebc9c -generated: "2022-07-26T18:12:19.234322741-04:00" + version: 7.4.2-rc.1 +digest: sha256:4c501e05c4af606030a23b13946cce8b72b3458d1f9b7c45dc271593f3b16c74 +generated: "2022-07-27T12:42:09.772472253-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index f483003..eb1db3c 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.3.2-rc.0 +appVersion: 2.3.2-rc.1 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.4.2-rc.0 +version: 7.4.2-rc.1 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.4.2-rc.0 + version: 7.4.2-rc.1 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index c3b8330..df25786 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.3.2-rc.0 + tag: 2.3.2-rc.1 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index d6e80d6..502ce27 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index cf39404..816c31c 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 9d120ec..9a6cd56 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml 
+++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 0af2b5c..29f4851 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5612,7 +5612,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 21e7a2a..1a29ce8 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 2426439..d7d9daa 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 3244d0b..8e568e9 100644 
--- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index c532d22..a1a77c4 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 170f909..153381a 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 5c07b5a..1a12343 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: 
@@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 9d120ec..9a6cd56 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.0 + image: docker.io/datawire/aes:2.3.2-rc.1 imagePullPolicy: IfNotPresent ports: - name: http From a1498dd34d2c8b61ab2f002365a6f64acb3b7471 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Thu, 28 Jul 2022 11:57:16 -0400 Subject: [PATCH 16/55] [2.3.2] Prepartions --- VERSION | 2 +- charts/edge-stack/Chart.yaml | 4 ++-- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 14 files changed, 19 insertions(+), 19 deletions(-) diff --git a/VERSION b/VERSION index 1c7d8c6..e703481 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.2-rc.1 +2.3.2 \ No newline at end of file diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index eb1db3c..3223c72 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.3.2-rc.1 +appVersion: 2.3.2 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.4.2-rc.1 +version: 7.4.2 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index df25786..25f4d43 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.3.2-rc.1 + tag: 2.3.2 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 502ce27..8ad7e76 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 816c31c..0a3d658 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 9a6cd56..2bceb63 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml 
@@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 29f4851..ba322f9 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5612,7 +5612,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 1a29ce8..06adf38 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index d7d9daa..fe4aafe 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 8e568e9..1022ccc 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml 
@@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index a1a77c4..cd579c7 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 153381a..6b2fe69 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 1a12343..f5900dc 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http 
diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 9a6cd56..2bceb63 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2-rc.1 + image: docker.io/datawire/aes:2.3.2 imagePullPolicy: IfNotPresent ports: - name: http From d51186fd212f9eb102726c2e4ee2ab71c39870b0 Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Thu, 28 Jul 2022 23:40:30 -0500 Subject: [PATCH 17/55] deps: update emissary to 3.1.0-rc.1 Updates to the latest rc that pulls in new features that includes the pinned dependencies for golang, python, etc... A bug with the injected acme challenge route was addressed in this RC as well. Signed-off-by: Lance Austin --- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 4 ++-- manifests/edge-stack/aes-ambassadorns-agent.yaml | 3 +++ manifests/edge-stack/aes-ambassadorns.yaml | 3 +++ manifests/edge-stack/aes-defaultns-agent.yaml | 3 +++ manifests/edge-stack/aes-defaultns.yaml | 3 +++ manifests/edge-stack/aes-emissaryns-agent.yaml | 3 +++ manifests/edge-stack/aes-emissaryns.yaml | 3 +++ manifests/edge-stack/aes.yaml | 3 +++ 9 files changed, 27 insertions(+), 6 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 8173fe7..e21a7ef 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts - version: 8.0.0 -digest: sha256:5cf1b088272dfcb672dbab5471946c3d3bd2b5d924a669863676593f68c50d91 -generated: "2022-06-28T13:33:23.110421-05:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 8.1.0-rc.1 +digest: sha256:bb97023872df629c8b85a911a73d5fcc7cd1ed69208114816d08c0b572eda3b1 +generated: "2022-07-28T23:36:34.680085-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index d698896..0ea6e0a 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.0.0 - repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 8.1.0-rc.1 + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 69e0613..1023054 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -178,6 +178,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 8718284..e0765fe 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml 
@@ -358,6 +358,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 52177e1..6c8979f 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -178,6 +178,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 3e89061..ea6b02c 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -350,6 +350,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index bab563c..5f29c90 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -178,6 +178,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 54e3a6e..0c16fe3 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -358,6 +358,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index d3dc242..b0dc73f 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -358,6 +358,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 From 4aaeb886c625928e34d5c1b41276b6f6a6e26e4e Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Fri, 29 Jul 2022 07:35:21 -0500 Subject: [PATCH 18/55] [v3.1.0] RC.1 Release Prep Signed-off-by: Lance Austin --- CHANGELOG.md | 97 ++++++++++-- VERSION | 2 +- charts/edge-stack/CHANGELOG.md | 2 + charts/edge-stack/Chart.yaml | 4 +- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 140 +++++++++++++++--- .../edge-stack/aes-ambassadorns-agent.yaml | 2 +- .../aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- .../edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 +- .../edge-stack/aes-emissaryns-agent.yaml | 2 +- .../edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 +- manifests/edge-stack/aes.yaml | 4 +- 17 files changed, 221 insertions(+), 56 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b9ea39..7ab5392 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -77,11 +77,48 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES -## [3.1.0] TBD +## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 ## Ambassador Edge Stack +- Feature: A new `Fitler` has been added to support validating APIKey's on incoming requests. The new + `APIKeyFilter` when applied with a `FilterPolicy` will check to see if the incoming requests has + a valid API Key in the request header. Ambassador Edge Stack uses Kubernetes `Secret`'s to lookup + valid keys for authorizing requests. + +- Feature: Emissary-ingress has been taught to watch for APIKey secrets when Ambassador Edge Stack is running + and makes them available to be used with the new `APIKeyFilter`. + +- Feature: A new opt-in feature flag has been added that allows Ambassador Edge Stack to use a new Redis + driver when storing state between requests for the OAuth2 Filter. The new driver has better + connection pool handling, shares connections and supports the Redis RESP3 protocol. +Set + `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` to enable the experimental feature. Most of the + standard Redis configuration fields (e.g.`REDIS_*`) can be used with the driver. Howeever, due to + the drivers better connection handling the new driver no longer supports setting + `REDIS_SURGE_LIMIT_INTERVAL`, `REDIS_SURGE_LIMIT_AFTER`, `REDIS_SURGE_POOL_SIZE`, + `REDIS_SURGE_POOL_DRAIN_INTERVAL` and these will be ignored. +Note: Other Ambassador Edge Stack + features such as the `RateLimitService` will continue to use the current Redis driver and in + future releases we plan to roll out the new driver for those features as well. + +- Change: If Ambassador Edge Stack is running then Emissary-ingress ensures that only a single + RateLimitService is active. If a user doesn't provide one or provides an invalid one then a + synthetic RateLimitService will be injected. 
If the `protocol_version` field is not set or set to + an invalid value then it will automatically get upgraded `protocol_version: v3`. +This matches the + existing behavior that was introduced in Ambassador Edge Stack v3.0.0 for the `AuthService`. For + new installs a valid `RateLimitService` will be added but this change ensures a smooth upgrade + from Ambassador Edge Stack to v2.3.Z to v3.Y for users who use the manifest in a GitOps scenario. + +- Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, + making them available for use in the dev portal. + +- Change: In the standard published `.yaml` files, the `Module` resource enables serving remote client + requests to the `:8877/ambassador/v0/diag/` endpoint. The associated Helm chart release also now + enables it by default. + - Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" flag to true for `https://` origins and false for `http://` origins. However, for filters with multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather 
@@ -97,19 +134,34 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. -- Feature: A new opt-in feature flag has been added that allows Ambassador Edge Stack to use a new Redis - driver when storing state between requests for the Authentication Filters. The new driver has - better connection pool handling, shares connections and supports the Redis RESP3 protocol. -Set - `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` to enable the experimental feature. Most of the - standard Redis configuration fields (e.g.`REDIS_*`) can be used with the driver. Due to the - drivers better connection handling it no longer supports setting `REDIS_SURGE_LIMIT_INTERVAL`, - `REDIS_SURGE_LIMIT_AFTER`, `REDIS_SURGE_POOL_SIZE`, `REDIS_SURGE_POOL_DRAIN_INTERVAL`. -Note: Other - Ambassador Edge Stack features such as the `RateLimitService` will continue to use the current - Redis driver and in future releases we plan to roll out the new driver for those features as well. - -## [2.3.2] TBD +- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + +- Bugfix: Previously, we would inject an upstream route for acme-challenge that was targeting the localhost + auth service cluster. This route is injected to make Envoy configuration happy and the AuthService + that is shipped with Ambassador Edge Stack will handle it properly. However, if the cluster name + is longer than 60 characters due to a long namespace, etc... then Ambassador Edge Stack will + truncate it and make sure it is unique. 
When this happens the name of the cluster assigned to the + acme-challenge route would get out-of-sync and would introduce invalid Envoy configuration. +To + avoid this Ambassador Edge Stack will now inject a route that returns a direct `404` response + rather than pointing at an arbitrary cluster. This matches existing behavior and is a transparent + change to the user. + +- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + +- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + +- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + +- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + +- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. + +## [2.3.2] 2022-08-01 [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 ## Ambassador Edge Stack 
@@ -129,8 +181,21 @@ Note: Other cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. -- Feature: You can now define a new type of filter to enforce API Keys on top of your services, and provide a - Kubernetes secrets as a source for the list of all the keys. +- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + +- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + +- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + +- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + +- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + +- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/VERSION b/VERSION index 4a36342..eb734bb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.0.0 +3.1.0-rc.1 diff --git a/charts/edge-stack/CHANGELOG.md b/charts/edge-stack/CHANGELOG.md index aaaa26b..c79f6f2 100644 --- a/charts/edge-stack/CHANGELOG.md +++ b/charts/edge-stack/CHANGELOG.md @@ -2,7 +2,9 @@ This file documents all notable changes to Edge Stack Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v8.1.0 +- Update Edge Stack chart image to version v3.1.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) ## v8.0.0 - Update Edge Stack chart image to version v3.0.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) 
diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 0ea6e0a..1617a7f 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.0.0 +appVersion: 3.1.0-rc.1 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.0.0 +version: 8.1.0-rc.1 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index d440a10..04b34e7 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.0.0 + tag: 3.1.0-rc.1 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 12bb369..5e77b37 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -33,8 +33,58 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: - version: 3.1.0 - date: 'TBD' + date: '2022-08-01' notes: + - title: Add new Filter to support authenticating APIKey's + type: feature + body: >- + A new Fitler has been added to support validating APIKey's on incoming requests. + The new APIKeyFilter when applied with a FilterPolicy will check to + see if the incoming requests has a valid API Key in the request header. $productName$ uses + Kubernetes Secret's to lookup valid keys for authorizing requests. + - title: Add support to watch for secrets with APIKey's + type: feature + body: >- + Emissary-ingress has been taught to watch for APIKey secrets when $productName$ is running and + makes them available to be used with the new APIKeyFilter. + - title: A new experimental Redis driver for use with the OAuth2 Filter + type: feature + body: >- + A new opt-in feature flag has been added that allows $productName$ to use a new Redis + driver when storing state between requests for the OAuth2 Filter. The new driver has + better connection pool handling, shares connections and supports the Redis RESP3 protocol. + + Set AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true to enable the experimental feature. + Most of the standard Redis configuration fields (e.g.REDIS_*) can be used with the driver. + Howeever, due to the drivers better connection handling the new driver no longer supports setting + REDIS_SURGE_LIMIT_INTERVAL, REDIS_SURGE_LIMIT_AFTER, REDIS_SURGE_POOL_SIZE, + REDIS_SURGE_POOL_DRAIN_INTERVAL and these will be ignored. + + Note: Other $productName$ features such as the RateLimitService will continue to use the current + Redis driver and in future releases we plan to roll out the new driver for those features as well. 
+ - title: Add support for injecting a valid synthetic RateLimitService + type: change + body: >- + If $productName$ is running then Emissary-ingress ensures that only a single RateLimitService is active. + If a user doesn't provide one or provides an invalid one then a synthetic RateLimitService will be + injected. If the protocol_version field is not set or set to an invalid value then it will + automatically get upgraded protocol_version: v3. + + This matches the existing behavior that was introduced in $productName$ v3.0.0 for the + AuthService. For new installs a valid RateLimitService will be added but this + change ensures a smooth upgrade from $productName$ to v2.3.Z to v3.Y for users who use the manifest + in a GitOps scenario. + - title: Add Agent support for OpenAPI 2 contracts + type: feature + body: >- + The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, making them + available for use in the dev portal. + - title: Default YAML enables the diagnostics interface from non-local clients on the admin service port + type: change + body: >- + In the standard published .yaml files, the Module resource enables serving + remote client requests to the :8877/ambassador/v0/diag/ endpoint. + The associated Helm chart release also now enables it by default. - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins type: bugfix body: >- 
@@ -57,23 +107,49 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. - - title: A new experimental Redis driver for use with Authentication Filters - type: feature + - title: Fix regression in the agent for the metrics transfer. + type: bugfix body: >- - A new opt-in feature flag has been added that allows $productName$ to use a new Redis - driver when storing state between requests for the Authentication Filters. The new driver has - better connection pool handling, shares connections and supports the Redis RESP3 protocol. - - Set AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true to enable the experimental feature. - Most of the standard Redis configuration fields (e.g.REDIS_*) can be used with the driver. - Due to the drivers better connection handling it no longer supports setting - REDIS_SURGE_LIMIT_INTERVAL, REDIS_SURGE_LIMIT_AFTER, REDIS_SURGE_POOL_SIZE, - REDIS_SURGE_POOL_DRAIN_INTERVAL. - - Note: Other $productName$ features such as the RateLimitService will continue to use the current - Redis driver and in future releases we plan to roll out the new driver for those features as well. + A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + - title: Handle long cluster names for injected acme-challenge route. + type: bugfix + body: >- + Previously, we would inject an upstream route for acme-challenge that was targeting the localhost + auth service cluster. This route is injected to make Envoy configuration happy and the AuthService + that is shipped with $productName$ will handle it properly. 
However, if the cluster name is longer + than 60 characters due to a long namespace, etc... then $productName$ will truncate it and make + sure it is unique. When this happens the name of the cluster assigned to the acme-challenge route + would get out-of-sync and would introduce invalid Envoy configuration. + + To avoid this $productName$ will now inject a route that returns a direct 404 response + rather than pointing at an arbitrary cluster. This matches existing behavior and is a transparent + change to the user. + - title: Update Golang to 1.17.12 + type: security + body: >- + Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + - title: Update Curl to 7.80.0-r2 + type: security + body: >- + Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + - title: Update openSSL-dev to 1.1.1q-r0 + type: security + body: >- + Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + - title: Update ncurses to 1.1.1q-r0 + type: security + body: >- + Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + - title: Upgrade jwt-go + type: security + body: >- + Upgrade jwt-go to latest commit to resolve CVE-2020-26160. - version: 2.3.2 - date: 'TBD' + date: '2022-08-01' notes: - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins type: bugfix 
@@ -97,12 +173,34 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. - - title: Add a new API Key filter - type: feature + - title: Fix regression in the agent for the metrics transfer. + type: bugfix + body: >- + A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + - title: Update Golang to 1.17.12 + type: security + body: >- + Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + - title: Update Curl to 7.80.0-r2 + type: security + body: >- + Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + - title: Update openSSL-dev to 1.1.1q-r0 + type: security + body: >- + Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + - title: Update ncurses to 1.1.1q-r0 + type: security + body: >- + Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + - title: Upgrade jwt-go + type: security body: >- - You can now define a new type of filter to enforce API Keys on top of your services, - and provide a Kubernetes secrets as a source for the list of all the keys. - docs: topics/using/filters/apikeys + Upgrade jwt-go to latest commit to resolve CVE-2020-26160. - version: 3.0.0 date: '2022-06-29' diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 1023054..34508a7 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml 
@@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 1cdf9a0..4a6d0da 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index e0765fe..c5fd5d0 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 6076eac..4d2f7a1 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5653,7 +5653,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 6c8979f..65e0f95 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml 
+++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index b7bce15..b4b6f06 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index ea6b02c..b5f6501 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -513,7 +513,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 5f29c90..2fd1ca9 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 0950d54..aa8bfc5 100644 
--- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 0c16fe3..6f77c74 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index b0dc73f..4d06029 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http From 9f0818ea65cafd1d25eafe32e4f5375553750ced Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Thu, 28 Jul 2022 22:19:56 -0500 Subject: [PATCH 19/55] deps: update emissary to latest Updates to the latest emissary with pinned golang, python and a fix for the injected acme route in preparation for RC.
Signed-off-by: Lance Austin --- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 4 ++-- manifests/edge-stack/aes-ambassadorns-agent.yaml | 3 +++ manifests/edge-stack/aes-ambassadorns.yaml | 3 +++ manifests/edge-stack/aes-defaultns-agent.yaml | 3 +++ manifests/edge-stack/aes-defaultns.yaml | 3 +++ manifests/edge-stack/aes-emissaryns-agent.yaml | 3 +++ manifests/edge-stack/aes-emissaryns.yaml | 3 +++ manifests/edge-stack/aes.yaml | 3 +++ 9 files changed, 27 insertions(+), 6 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 8173fe7..6980e05 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts - version: 8.0.0 -digest: sha256:5cf1b088272dfcb672dbab5471946c3d3bd2b5d924a669863676593f68c50d91 -generated: "2022-06-28T13:33:23.110421-05:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 8.0.1-0.20220729030635-1897d292bdda +digest: sha256:0dc6ef5fd7f6762e79719539f437b7db08037fb89fcf1ad857e83c80d42c2aca +generated: "2022-07-28T22:15:07.34416-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index d698896..fa01653 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.0.0 - repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 8.0.1-0.20220729030635-1897d292bdda + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 69e0613..1023054 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml 
@@ -178,6 +178,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 8718284..e0765fe 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -358,6 +358,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 52177e1..6c8979f 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -178,6 +178,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 3e89061..ea6b02c 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -350,6 +350,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 
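Review bot: The three added lines after the `configmaps` rule grant `get`, `create`, `delete` and `patch` on `secrets` with no `resourceNames` restriction, and the commit message (pinned golang, python, the acme route fix) does not mention that the agent role gains write access to secrets. Please state in the commit message or changelog why the agent needs this, and if it only manages secrets with known names, scope `get`, `delete` and `patch` with `resourceNames` (`create` cannot be limited by name and would need its own rule). The same rule is repeated in each of the seven manifests this patch touches, so the answer applies to all of them.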
diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index bab563c..5f29c90 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -178,6 +178,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 54e3a6e..0c16fe3 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -358,6 +358,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index d3dc242..b0dc73f 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -358,6 +358,9 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [get, list, watch] +- apiGroups: [''] + resources: [secrets] + verbs: [get, create, delete, patch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 From 6421df23a2ba75301eaed6e7fdb0bc80a8853023 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Mon, 1 Aug 2022 11:30:33 -0400 Subject: [PATCH 20/55] [2.3.2] Release --- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 5d9b254..c3f72d4 100644 --- a/charts/edge-stack/Chart.lock 
+++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.4.2-rc.1 -digest: sha256:4c501e05c4af606030a23b13946cce8b72b3458d1f9b7c45dc271593f3b16c74 -generated: "2022-07-27T12:42:09.772472253-04:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 7.4.2 +digest: sha256:823028b3e71148c388cbc4b75247618242b60a872c7bfead572ff865945d465b +generated: "2022-08-01T11:05:01.107596162-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 3223c72..297193b 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.4.2-rc.1 - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 7.4.2 + repository: https://s3.amazonaws.com/datawire-static-files/charts From 3155c3ff69c8d9de7c1732ef2959944e68e13e8e Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Mon, 1 Aug 2022 10:44:52 -0500 Subject: [PATCH 21/55] [v3.1.0] Release Signed-off-by: Lance Austin --- VERSION | 2 +- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 8 ++++---- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 15 files changed, 25 insertions(+), 25 deletions(-) diff --git a/VERSION b/VERSION index eb734bb..fd2a018 100644 --- a/VERSION 
+++ b/VERSION @@ -1 +1 @@ -3.1.0-rc.1 +3.1.0 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index e21a7ef..b165b13 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.1.0-rc.1 -digest: sha256:bb97023872df629c8b85a911a73d5fcc7cd1ed69208114816d08c0b572eda3b1 -generated: "2022-07-28T23:36:34.680085-05:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 8.1.0 +digest: sha256:dd8ddf751960498718cf0bd87413f4a39eedc4e8dbf49d00191eb22f883875f8 +generated: "2022-08-01T10:38:49.323037-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 1617a7f..d2ce4c2 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.1.0-rc.1 +appVersion: 3.1.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.1.0-rc.1 +version: 8.1.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.1.0-rc.1 - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 8.1.0 + repository: https://s3.amazonaws.com/datawire-static-files/charts diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 04b34e7..efbbcc3 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.1.0-rc.1 + tag: 3.1.0 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 34508a7..47d23c2 100644 
--- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 4a6d0da..e35bea8 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index c5fd5d0..2b2d6ae 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 4d2f7a1..7dc24e7 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5653,7 +5653,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: 
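Review bot: The `+ image: docker.io/datawire/aes:3.1.0` line references the release image by tag only, and the `imagePullPolicy: IfNotPresent` context line means a node that already holds that tag never re-checks it, so the manifest cannot be used to verify which image content was released. Consider pinning by digest (`docker.io/datawire/aes:3.1.0@sha256:<digest>`, placeholder) in the published manifests, the same way `Chart.lock` in this patch pins the chart dependency with a `digest: sha256:...` field.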
diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 65e0f95..af25569 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index b4b6f06..71cf418 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index b5f6501..2b482c6 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -513,7 +513,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 2fd1ca9..809b2e1 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: 
diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index aa8bfc5..30aac3b 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 6f77c74..8890be7 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 4d06029..a9d78a9 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0-rc.1 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http From af181b4e6b7efabcff1d8710d9e8aaee6eea0055 Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Mon, 1 Aug 2022 14:07:04 -0500 Subject: [PATCH 22/55] sync with release branch and upgrade to 3.1.0 This pr updates to emissary 3.1.0 in master and pulls in the release commits from the `release/v3.1.0` to keep them in sync with master. 
Signed-off-by: Lance Austin --- CHANGELOG.md | 94 ++++++++++-- VERSION | 2 +- charts/edge-stack/Chart.lock | 8 +- charts/edge-stack/Chart.yaml | 8 +- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 137 +++++++++++++++--- .../edge-stack/aes-ambassadorns-agent.yaml | 2 +- .../aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- .../edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 +- .../edge-stack/aes-emissaryns-agent.yaml | 2 +- .../edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 +- manifests/edge-stack/aes.yaml | 4 +- 17 files changed, 219 insertions(+), 62 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b9ea39..cdddd16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -77,11 +77,46 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES -## [3.1.0] TBD +## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 ## Ambassador Edge Stack +- Feature: A new `Fitler` has been added to support validating APIKey's on incoming requests. The new + `APIKeyFilter` when applied with a `FilterPolicy` will check to see if the incoming requests has + a valid API Key in the request header. Ambassador Edge Stack uses Kubernetes `Secret`'s to lookup + valid keys for authorizing requests. + +- Feature: Emissary-ingress has been taught to watch for APIKey secrets when Ambassador Edge Stack is running + and makes them available to be used with the new `APIKeyFilter`. + +- Feature: A new opt-in feature flag has been added that allows Ambassador Edge Stack to use a new Redis + driver when storing state between requests for the OAuth2 Filter. The new driver has better + connection pool handling, shares connections and supports the Redis RESP3 protocol. Set + `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` to enable the experimental feature. Most of the + standard Redis configuration fields (e.g.`REDIS_*`) can be used with the driver. Howeever, due to + the drivers better connection handling the new driver no longer supports setting + `REDIS_SURGE_LIMIT_INTERVAL`, `REDIS_SURGE_LIMIT_AFTER`, `REDIS_SURGE_POOL_SIZE`, + `REDIS_SURGE_POOL_DRAIN_INTERVAL` and these will be ignored. Note: Other Ambassador Edge Stack + features such as the `RateLimitService` will continue to use the current Redis driver and in + future releases we plan to roll out the new driver for those features as well. + +- Change: If Ambassador Edge Stack is running then Emissary-ingress ensures that only a single + RateLimitService is active. If a user doesn't provide one or provides an invalid one then a + synthetic RateLimitService will be injected. 
If the `protocol_version` field is not set or set to + an invalid value then it will automatically get upgraded `protocol_version: v3`. +This matches the + existing behavior that was introduced in Ambassador Edge Stack v3.0.0 for the `AuthService`. For + new installs a valid `RateLimitService` will be added but this change ensures a smooth upgrade + from Ambassador Edge Stack to v2.3.Z to v3.Y for users who use the manifest in a GitOps scenario. + +- Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, + making them available for use in the dev portal. + +- Change: In the standard published `.yaml` files, the `Module` resource enables serving remote client + requests to the `:8877/ambassador/v0/diag/` endpoint. The associated Helm chart release also now + enables it by default. + - Bugfix: When an `OAuth2` filter sets cookies for a `protectedOrigin`, it should set a cookie's "Secure" flag to true for `https://` origins and false for `http://` origins. However, for filters with multiple origins, it set the cookie's flag based on the first origin listen in the Filter, rather 
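Review bot: The `Change:` entry about the `Module` resource says the published `.yaml` files and the Helm chart now serve remote client requests to `:8877/ambassador/v0/diag/` by default, but it does not say how to turn that off or who can reach the endpoint once it is on. Because this widens what an install exposes by default, add a sentence naming the setting that disables it and a link to the diagnostics documentation, so operators upgrading through GitOps can decide before they apply the manifest.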
@@ -97,19 +132,33 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. -- Feature: A new opt-in feature flag has been added that allows Ambassador Edge Stack to use a new Redis - driver when storing state between requests for the Authentication Filters. The new driver has - better connection pool handling, shares connections and supports the Redis RESP3 protocol. -Set - `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` to enable the experimental feature. Most of the - standard Redis configuration fields (e.g.`REDIS_*`) can be used with the driver. Due to the - drivers better connection handling it no longer supports setting `REDIS_SURGE_LIMIT_INTERVAL`, - `REDIS_SURGE_LIMIT_AFTER`, `REDIS_SURGE_POOL_SIZE`, `REDIS_SURGE_POOL_DRAIN_INTERVAL`. -Note: Other - Ambassador Edge Stack features such as the `RateLimitService` will continue to use the current - Redis driver and in future releases we plan to roll out the new driver for those features as well. - -## [2.3.2] TBD +- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + +- Bugfix: Previously, we would inject an upstream route for acme-challenge that was targeting the localhost + auth service cluster. This route is injected to make Envoy configuration happy and the AuthService + that is shipped with Ambassador Edge Stack will handle it properly. However, if the cluster name + is longer than 60 characters due to a long namespace, etc... then Ambassador Edge Stack will + truncate it and make sure it is unique. 
When this happens the name of the cluster assigned to the + acme-challenge route would get out-of-sync and would introduce invalid Envoy configuration. To + avoid this Ambassador Edge Stack will now inject a route that returns a direct `404` response + rather than pointing at an arbitrary cluster. This matches existing behavior and is a transparent + change to the user. + +- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + +- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + +- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + +- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + +- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. + +## [2.3.2] 2022-08-01 [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 ## Ambassador Edge Stack 
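Review bot: In the added `Security:` entries, `Updated ncurses to 1.1.1q-r0` carries exactly the version string of the `openSSL-dev to 1.1.1q-r0` entry directly above it, which looks like a copy-paste slip. Please confirm the ncurses package version that actually shipped and correct the line; it is also the only security entry without a closing period.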
@@ -129,8 +178,21 @@ Note: Other cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. -- Feature: You can now define a new type of filter to enforce API Keys on top of your services, and provide a - Kubernetes secrets as a source for the list of all the keys. +- Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + +- Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + +- Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + +- Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + +- Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + +- Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/VERSION b/VERSION index 4a36342..fd2a018 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.0.0 +3.1.0 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 6980e05..afa245a 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.0.1-0.20220729030635-1897d292bdda -digest: sha256:0dc6ef5fd7f6762e79719539f437b7db08037fb89fcf1ad857e83c80d42c2aca -generated: "2022-07-28T22:15:07.34416-05:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 8.1.0 +digest: sha256:dd8ddf751960498718cf0bd87413f4a39eedc4e8dbf49d00191eb22f883875f8 +generated: "2022-08-01T13:58:44.666972-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index fa01653..d2ce4c2 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.0.0 +appVersion: 3.1.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.0.0 +version: 8.1.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.0.1-0.20220729030635-1897d292bdda - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 8.1.0 + repository: https://s3.amazonaws.com/datawire-static-files/charts diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index d440a10..efbbcc3 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.0.0 + tag: 3.1.0 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 12bb369..196a05e 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -33,8 +33,56 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: - version: 3.1.0 - date: 'TBD' + date: '2022-08-01' notes: + - title: Add new Filter to support authenticating APIKey's + type: feature + body: >- + A new Fitler has been added to support validating APIKey's on incoming requests. + The new APIKeyFilter when applied with a FilterPolicy will check to + see if the incoming requests has a valid API Key in the request header. $productName$ uses + Kubernetes Secret's to lookup valid keys for authorizing requests. + - title: Add support to watch for secrets with APIKey's + type: feature + body: >- + Emissary-ingress has been taught to watch for APIKey secrets when $productName$ is running and + makes them available to be used with the new APIKeyFilter. + - title: A new experimental Redis driver for use with the OAuth2 Filter + type: feature + body: >- + A new opt-in feature flag has been added that allows $productName$ to use a new Redis + driver when storing state between requests for the OAuth2 Filter. The new driver has + better connection pool handling, shares connections and supports the Redis RESP3 protocol. + Set AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true to enable the experimental feature. + Most of the standard Redis configuration fields (e.g.REDIS_*) can be used with the driver. + Howeever, due to the drivers better connection handling the new driver no longer supports setting + REDIS_SURGE_LIMIT_INTERVAL, REDIS_SURGE_LIMIT_AFTER, REDIS_SURGE_POOL_SIZE, + REDIS_SURGE_POOL_DRAIN_INTERVAL and these will be ignored. + Note: Other $productName$ features such as the RateLimitService will continue to use the current + Redis driver and in future releases we plan to roll out the new driver for those features as well. + - title: Add support for injecting a valid synthetic RateLimitService + type: change + body: >- + If $productName$ is running then Emissary-ingress ensures that only a single RateLimitService is active. 
+ If a user doesn't provide one or provides an invalid one then a synthetic RateLimitService will be + injected. If the protocol_version field is not set or set to an invalid value then it will + automatically get upgraded protocol_version: v3. + + This matches the existing behavior that was introduced in $productName$ v3.0.0 for the + AuthService. For new installs a valid RateLimitService will be added but this + change ensures a smooth upgrade from $productName$ to v2.3.Z to v3.Y for users who use the manifest + in a GitOps scenario. + - title: Add Agent support for OpenAPI 2 contracts + type: feature + body: >- + The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, making them + available for use in the dev portal. + - title: Default YAML enables the diagnostics interface from non-local clients on the admin service port + type: change + body: >- + In the standard published .yaml files, the Module resource enables serving + remote client requests to the :8877/ambassador/v0/diag/ endpoint. + The associated Helm chart release also now enables it by default. - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins type: bugfix body: >- 
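Review bot: Several wording errors in the added 3.1.0 notes will be published as written: `Fitler` in the APIKey entry, `Howeever` and `e.g.REDIS_*` (missing space) in the Redis driver entry, `automatically get upgraded protocol_version: v3` (missing "to"), and `from $productName$ to v2.3.Z to v3.Y`, which reads as if one "to" is extra. The `CHANGELOG.md` hunk in this patch carries the same sentences, so fix both files together.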
@@ -57,23 +105,48 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. - - title: A new experimental Redis driver for use with Authentication Filters - type: feature + - title: Fix regression in the agent for the metrics transfer. + type: bugfix body: >- - A new opt-in feature flag has been added that allows $productName$ to use a new Redis - driver when storing state between requests for the Authentication Filters. The new driver has - better connection pool handling, shares connections and supports the Redis RESP3 protocol. - - Set AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true to enable the experimental feature. - Most of the standard Redis configuration fields (e.g.REDIS_*) can be used with the driver. - Due to the drivers better connection handling it no longer supports setting - REDIS_SURGE_LIMIT_INTERVAL, REDIS_SURGE_LIMIT_AFTER, REDIS_SURGE_POOL_SIZE, - REDIS_SURGE_POOL_DRAIN_INTERVAL. - - Note: Other $productName$ features such as the RateLimitService will continue to use the current - Redis driver and in future releases we plan to roll out the new driver for those features as well. + A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + - title: Handle long cluster names for injected acme-challenge route. + type: bugfix + body: >- + Previously, we would inject an upstream route for acme-challenge that was targeting the localhost + auth service cluster. This route is injected to make Envoy configuration happy and the AuthService + that is shipped with $productName$ will handle it properly. 
However, if the cluster name is longer + than 60 characters due to a long namespace, etc... then $productName$ will truncate it and make + sure it is unique. When this happens the name of the cluster assigned to the acme-challenge route + would get out-of-sync and would introduce invalid Envoy configuration. + To avoid this $productName$ will now inject a route that returns a direct 404 response + rather than pointing at an arbitrary cluster. This matches existing behavior and is a transparent + change to the user. + - title: Update Golang to 1.17.12 + type: security + body: >- + Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + - title: Update Curl to 7.80.0-r2 + type: security + body: >- + Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + - title: Update openSSL-dev to 1.1.1q-r0 + type: security + body: >- + Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + - title: Update ncurses to 1.1.1q-r0 + type: security + body: >- + Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + - title: Upgrade jwt-go + type: security + body: >- + Upgrade jwt-go to latest commit to resolve CVE-2020-26160. - version: 2.3.2 - date: 'TBD' + date: '2022-08-01' notes: - title: Correct cookies for mixed HTTP/HTTPS OAuth2 origins type: bugfix 
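Review bot: "Update ncurses to 1.1.1q-r0" carries the same version string as the openSSL-dev entry directly above it, in both the title and the body, which looks like a copy-paste; please confirm the ncurses package version that addresses CVE-2022-29458. "Upgrade jwt-go to latest commit" also names no version or commit, so nobody reading the notes can check whether a given build has the CVE-2020-26160 fix; name the commit or tag that was vendored. The same entries are repeated for 2.3.2 in the next hunk.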
@@ -97,12 +170,34 @@ items: and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request which would cause the browser to reject the request. This has now been fixed and these endpoints will attach the appropriate CORS headers to the response. - - title: Add a new API Key filter - type: feature + - title: Fix regression in the agent for the metrics transfer. + type: bugfix + body: >- + A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from + emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure + that all the nodes composing the emissary ingress cluster are reporting properly. + - title: Update Golang to 1.17.12 + type: security + body: >- + Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, + CVE-2022-24921, CVE-2022-23772. + - title: Update Curl to 7.80.0-r2 + type: security + body: >- + Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, + CVE-2022-27780. + - title: Update openSSL-dev to 1.1.1q-r0 + type: security + body: >- + Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097. + - title: Update ncurses to 1.1.1q-r0 + type: security + body: >- + Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458 + - title: Upgrade jwt-go + type: security body: >- - You can now define a new type of filter to enforce API Keys on top of your services, - and provide a Kubernetes secrets as a source for the list of all the keys. - docs: topics/using/filters/apikeys + Upgrade jwt-go to latest commit to resolve CVE-2020-26160. - version: 3.0.0 date: '2022-06-29' diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 1023054..47d23c2 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml 
@@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 1cdf9a0..e35bea8 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index e0765fe..2b2d6ae 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 6076eac..7dc24e7 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5653,7 +5653,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 6c8979f..af25569 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml 
@@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index b7bce15..71cf418 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index ea6b02c..2b482c6 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -513,7 +513,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 5f29c90..809b2e1 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 0950d54..30aac3b 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml 
@@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 0c16fe3..8890be7 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index b0dc73f..a9d78a9 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.0.0 + image: docker.io/datawire/aes:3.1.0 imagePullPolicy: IfNotPresent ports: - name: http From b9cc9014a1e41beed873d0c465dfd9a55e066728 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Thu, 4 Aug 2022 09:02:46 -0400 Subject: [PATCH 23/55] Deps : bump Go to 1.18 (#3023) * deps : bumping go to 1.18 Signed-off-by: David Dymko * deps : update opensource.md with proper go version Signed-off-by: David Dymko * deps : update emissary to 1.18 PR for testing Signed-off-by: David Dymko * dep : update emissary sha to master branch Signed-off-by: David Dymko * make generate * dep : bump aes-ratelimit 1.4 & 1.3 to go 1.18 builds Signed-off-by: David Dymko * make generate 
Signed-off-by: David Dymko --- .circleci/yq.d/go.mod | 2 +- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.circleci/yq.d/go.mod b/.circleci/yq.d/go.mod index dea3eb3..d31f598 100644 --- a/.circleci/yq.d/go.mod +++ b/.circleci/yq.d/go.mod @@ -1,6 +1,6 @@ module github.com/datawire/build-aux/bin-go/yq -go 1.17 +go 1.18 require github.com/mikefarah/yq/v4 v4.25.1 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index afa245a..25045e9 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts - version: 8.1.0 -digest: sha256:dd8ddf751960498718cf0bd87413f4a39eedc4e8dbf49d00191eb22f883875f8 -generated: "2022-08-01T13:58:44.666972-05:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 8.0.1-0.20220803141746-02e9e0aa66d9 +digest: sha256:e74fba3e14dcb6d8efb345533050cc8243ee14ec9d06db74da6e3516130efca0 +generated: "2022-08-03T13:30:05.297538-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index d2ce4c2..c31488c 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.1.0 - repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 8.0.1-0.20220803141746-02e9e0aa66d9 + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From f07e16ddc8b103eb5199321052efbe0fd721fb9f Mon Sep 17 00:00:00 2001 From: AliceProxy Date: Wed, 3 Nov 2021 18:46:34 -0700 Subject: [PATCH 24/55] Expose imagePullSecrets and args Signed-off-by: AliceProxy --- charts/edge-stack/templates/aes-redis.yaml | 8 ++++++++ charts/edge-stack/values.yaml | 8 ++++++++ 2 files changed, 16 insertions(+) 
diff --git a/charts/edge-stack/templates/aes-redis.yaml b/charts/edge-stack/templates/aes-redis.yaml index 7169cdb..313c120 100644 --- a/charts/edge-stack/templates/aes-redis.yaml +++ b/charts/edge-stack/templates/aes-redis.yaml @@ -90,6 +90,14 @@ spec: imagePullPolicy: {{ .Values.redis.image.pullPolicy }} resources: {{- toYaml .Values.redis.resources | nindent 10 }} + {{- if .Values.redis.containerArgs }} + args: + {{- toYaml .Values.redis.containerArgs | nindent 10 }} + {{- end }} + {{- if .Values.redis.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.redis.imagePullSecrets | nindent 8 }} + {{- end }} restartPolicy: Always {{- with .Values.redis.nodeSelector }} nodeSelector: diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index efbbcc3..6969b31 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -150,6 +150,14 @@ redis: nodeSelector: {} affinity: {} tolerations: {} + # Arguments for the redis container + containerArgs: {} + # - arg1 + # - arg2 + # Secrets used for pulling the redis image from a private repo + imagePullSecrets: {} + # - name: example-secret-1 + # - name: example-secret-2 # Configures the AuthService that ships with the Ambassador Edge Stack. From d7c1c9d2eff8d5de6779e475a549c6a48d4d9bb5 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Fri, 12 Aug 2022 15:15:31 -0400 Subject: [PATCH 25/55] bumping emissary to the latest sha off master (#3035) * bumping emissary to the latest sha off master : ran make go-mod-tidy % generate Signed-off-by: David Dymko * make generate Signed-off-by: David Dymko 
Signed-off-by: David Dymko --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 2 +- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 2 +- manifests/edge-stack/aes.yaml | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 25045e9..726f0d8 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.0.1-0.20220803141746-02e9e0aa66d9 -digest: sha256:e74fba3e14dcb6d8efb345533050cc8243ee14ec9d06db74da6e3516130efca0 -generated: "2022-08-03T13:30:05.297538-04:00" + version: 8.0.1-0.20220812162246-5e03b912c048 +digest: sha256:979a6d29cad5287b84ad9f9ff54450fbc61155dc66def02ae9372844f4276ee8 +generated: "2022-08-12T13:35:19.790699-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index c31488c..5e07961 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.0.1-0.20220803141746-02e9e0aa66d9 + version: 8.0.1-0.20220812162246-5e03b912c048 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 47d23c2..100727e 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml 
@@ -180,7 +180,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 2b2d6ae..c5deb6a 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -360,7 +360,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index af25569..57374f9 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -180,7 +180,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 2b482c6..21a41b1 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -352,7 +352,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 
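Review bot: `verbs: [get, create, delete, patch, watch]` on `resources: [secrets]` is a permission increase that the commit message ("bumping emissary to the latest sha off master") does not mention, and the same line changes in every manifest this patch touches. `watch` returns full Secret objects for everything in the rule's scope, so unlike `get` it does not require knowing a Secret's name, and the rule as shown carries no `resourceNames`. Please state in the commit message or release notes why the agent needs it, and narrow the rule if it only concerns specific Secrets.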
diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 809b2e1..8fc9a10 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -180,7 +180,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 8890be7..b8882fc 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -360,7 +360,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index a9d78a9..c3c6b1f 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -360,7 +360,7 @@ rules: verbs: [get, list, watch] - apiGroups: [''] resources: [secrets] - verbs: [get, create, delete, patch] + verbs: [get, create, delete, patch, watch] --- # Source: edge-stack/charts/emissary-ingress/templates/ambassador-agent.yaml apiVersion: rbac.authorization.k8s.io/v1 From 9810d2a80f5adfa04442229b1ed0fb3562d87f5b Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Mon, 15 Aug 2022 06:28:15 -0500 Subject: [PATCH 26/55] deps: upgrade to envoy 1.23 Upgrades Emissary-ingress that is built on envoy 1.23. Ran `make generate` to update charts. 
Signed-off-by: Lance Austin --- CHANGELOG.md | 9 +++++++++ charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- docs/releaseNotes.yml | 10 ++++++++++ 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cdddd16..9db61e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,6 +77,15 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES +## [3.2.0] TBD +[3.2.0]: https://github.com/datawire/edge-stack/releases/v3.2.0 + +## Ambassador Edge Stack + +- Change: The envoy version included in Ambassador Edge Stack has been upgraded from 1.22 to the latest + patch release of 1.23. This provides Ambassador Edge Stack with the latest security patches, + performances enhancments, and features offered by the envoy proxy. + ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 726f0d8..c0e72d7 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.0.1-0.20220812162246-5e03b912c048 -digest: sha256:979a6d29cad5287b84ad9f9ff54450fbc61155dc66def02ae9372844f4276ee8 -generated: "2022-08-12T13:35:19.790699-04:00" + version: 8.0.1-0.20220817135951-2cb28ef4f415 +digest: sha256:21f4f92228bd5473cb47c30aa16b49b7b0d705b603aa8489a529437731337ac0 +generated: "2022-08-17T11:31:07.657253-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 5e07961..0872471 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.0.1-0.20220812162246-5e03b912c048 + version: 8.0.1-0.20220817135951-2cb28ef4f415 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev 
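Review bot: The Envoy 1.22 to 1.23 upgrade reaches this repository only as a new snapshot pin, `version: 8.0.1-0.20220817135951-2cb28ef4f415`, resolved from the `charts-dev` repository, so the CHANGELOG claim of "the latest patch release of 1.23" cannot be checked from this diff. Please state the exact Envoy version in the release note, and make sure the dependency is repointed to a released emissary-ingress chart before 3.2.0 is tagged so the shipped chart does not resolve against the development repository.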
diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 196a05e..1e9c141 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -32,6 +32,16 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: + - version: 3.2.0 + date: 'TBD' + notes: + - title: Envoy upgraded to 1.23 + type: change + body: >- + The envoy version included in $productName$ has been upgraded from 1.22 to the latest patch + release of 1.23. This provides $productName$ with the latest security patches, performances enhancments, + and features offered by the envoy proxy. + docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.23/v1.23.0 - version: 3.1.0 date: '2022-08-01' notes: From 3de714cc2a577b14e2a3c78a8782ceab70cc194c Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Wed, 24 Aug 2022 15:06:19 -0500 Subject: [PATCH 27/55] feat: add cross-namespace support for Host secrets This updates the Host Custom Resource to allow fetching the `tlsSecret` from a different namespace where as previously it could only be fetched from the current namespace. ```yaml tlsSecret: name: my-secret namespace: my-alternative-namespace ``` This allows users to centralize a shared secret that multiple developers can then reference so that it is only maintained in a single place. Signed-off-by: Lance Austin --- CHANGELOG.md | 9 ++++++ charts/edge-stack/Chart.lock | 8 +++--- charts/edge-stack/Chart.yaml | 4 +-- docs/releaseNotes.yml | 9 ++++++ manifests/edge-stack/aes-crds.yaml | 44 ++++++++++++------------------ 5 files changed, 42 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9364ae8..421db6a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -77,6 +77,15 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES +## [2.4.0] TBD +[2.4.0]: https://github.com/datawire/edge-stack/releases/v2.4.0 + +## Ambassador Edge Stack + +- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the Host. The + `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets + from different namespaces. + ## [2.3.2] 2022-08-01 [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index c3f72d4..c10ccfe 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts - version: 7.4.2 -digest: sha256:823028b3e71148c388cbc4b75247618242b60a872c7bfead572ff865945d465b -generated: "2022-08-01T11:05:01.107596162-04:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 7.5.0-dev.0.20220823215735-3b019bcd3ed9 +digest: sha256:f57d620e5770849f3482d3c881b932a4b4153eb647af4fb13ceec136a485c450 +generated: "2022-08-24T11:35:02.230166-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 297193b..2cecbea 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.4.2 - repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 7.5.0-dev.0.20220823215735-3b019bcd3ed9 + repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index a83e13c..524c43f 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -32,6 +32,15 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: + - version: 2.4.0 + date: 'TBD' + notes: + - title: Add support for Host resources using secrets from different namespaces + type: feature + body: >- + Previously the Host resource could only use secrets that are in the namespace as the + Host. The tlsSecret field in the Host has a new subfield namespace that will allow + the use of secrets from different namespaces. - version: 2.3.2 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index ba322f9..f031946 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml 
@@ -2492,22 +2492,18 @@ spec: type: string type: object tlsSecret: - description: "Name of the Kubernetes secret into which to save generated + description: Name of the Kubernetes secret into which to save generated certificates. If ACME is enabled (see $acmeProvider), then the - default is $hostname; otherwise the default is \"\". If the value - is \"\", then we do not do TLS for this Host. \n Note that this - is a native-Kubernetes-style core.v1.LocalObjectReference, not an - Ambassador-style `{name}.{namespace}` string. Because we're opinionated, - it does not support referencing a Secret in another namespace (because - most native Kubernetes resources don't support that), but if we - ever abandon that opinion and decide to support non-local references - it, it would be by adding a `namespace:` field by changing it from - a core.v1.LocalObjectReference to a core.v1.SecretReference, not - by adopting the `{name}.{namespace}` notation." + default is $hostname; otherwise the default is "". If the value + is "", then we do not do TLS for this Host. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object 
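Review bot: The new `namespace` property under `tlsSecret` says only "Namespace defines the space within which the secret name must be unique", which does not tell a user what happens when it is omitted or whether anything limits which namespaces a Host may reference. The removed description documented the deliberate choice not to allow cross-namespace references, so the replacement should document the new trust boundary: state the default (presumably the Host's own namespace) and what, if anything, stops a Host author from pointing at a TLS Secret in a namespace they cannot read themselves. The top-level description also still reads "Name of the Kubernetes secret", though the field is an object with `name` and `namespace`.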
@@ -2824,22 +2820,18 @@ spec: type: string type: object tlsSecret: - description: "Name of the Kubernetes secret into which to save generated + description: Name of the Kubernetes secret into which to save generated certificates. If ACME is enabled (see $acmeProvider), then the - default is $hostname; otherwise the default is \"\". If the value - is \"\", then we do not do TLS for this Host. \n Note that this - is a native-Kubernetes-style core.v1.LocalObjectReference, not an - Ambassador-style `{name}.{namespace}` string. Because we're opinionated, - it does not support referencing a Secret in another namespace (because - most native Kubernetes resources don't support that), but if we - ever abandon that opinion and decide to support non-local references - it, it would be by adding a `namespace:` field by changing it from - a core.v1.LocalObjectReference to a core.v1.SecretReference, not - by adopting the `{name}.{namespace}` notation." + default is $hostname; otherwise the default is "". If the value + is "", then we do not do TLS for this Host. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object From 3c9a0c9de3d8a8776b540c86abfc2272efe9a417 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Thu, 25 Aug 2022 08:05:44 -0400 Subject: [PATCH 28/55] update emissary version to include 503 eds bypass (#3041) Co-authored-by: Lance Austin Signed-off-by: David Dymko Signed-off-by: David Dymko Co-authored-by: Lance Austin --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index c10ccfe..32e8dae 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.5.0-dev.0.20220823215735-3b019bcd3ed9 -digest: sha256:f57d620e5770849f3482d3c881b932a4b4153eb647af4fb13ceec136a485c450 -generated: "2022-08-24T11:35:02.230166-05:00" + version: 7.5.0-dev.0.20220824182032-6f67d46ea5e2 +digest: sha256:b07fc705fa8b0d61ca19e3e274e9a8f646ce2923326a9ab973a092f35afea4e6 +generated: "2022-08-24T16:31:12.844943-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 2cecbea..2b4580d 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.5.0-dev.0.20220823215735-3b019bcd3ed9 + version: 7.5.0-dev.0.20220824182032-6f67d46ea5e2 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From 82c88d76b92d416890dfa4f22087544eab511d18 Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Thu, 25 Aug 2022 10:41:53 -0500 Subject: [PATCH 29/55] [2.4.0] RC.0 Release 
Signed-off-by: Lance Austin --- CHANGELOG.md | 4 ++++ VERSION | 2 +- charts/edge-stack/CHANGELOG.md | 3 +++ charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 6 +++--- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 6 ++++++ manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 18 files changed, 36 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 421db6a..134619f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -86,6 +86,10 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets from different namespaces. +- Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be + inserted to clusters manually. This can help resolve with `503 UH` caused by certification + rotation relating to a delay between EDS + CDS. The default is `false`. + ## [2.3.2] 2022-08-01 [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 diff --git a/VERSION b/VERSION index e703481..9183195 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.2 \ No newline at end of file +2.4.0 \ No newline at end of file diff --git a/charts/edge-stack/CHANGELOG.md b/charts/edge-stack/CHANGELOG.md index bc162b9..e6609b1 100644 --- a/charts/edge-stack/CHANGELOG.md +++ b/charts/edge-stack/CHANGELOG.md 
@@ -3,6 +3,9 @@ This file documents all notable changes to Edge Stack Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v7.5.0 +- Update Edge Stack chart image to version v2.4.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) + ## v7.4.2 - Update Edge Stack chart image to version v2.3.2: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 32e8dae..2c54b34 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.5.0-dev.0.20220824182032-6f67d46ea5e2 -digest: sha256:b07fc705fa8b0d61ca19e3e274e9a8f646ce2923326a9ab973a092f35afea4e6 -generated: "2022-08-24T16:31:12.844943-05:00" + version: 7.5.0-rc.0 +digest: sha256:0896aed7e58bcb467045996569b9fd84b33b613d385163932074665a397876f2 +generated: "2022-08-25T10:38:26.057373-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 2b4580d..245b89b 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.3.2 +appVersion: 2.4.0-rc.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.4.2 +version: 7.5.0-rc.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.5.0-dev.0.20220824182032-6f67d46ea5e2 + version: 7.5.0-rc.0 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 25f4d43..8f6d34d 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml 
@@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.3.2 + tag: 2.4.0-rc.0 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 524c43f..8c7c402 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -41,6 +41,12 @@ items: Previously the Host resource could only use secrets that are in the namespace as the Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of secrets from different namespaces. + - title: Allow bypassing of EDS for manual endpoint insertion + type: change + body: >- + Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be + inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to + a delay between EDS + CDS. The default is `false`. - version: 2.3.2 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 8ad7e76..3bab8c1 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 0a3d658..489f82e 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 2bceb63..2b8d56c 100644 
--- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index f031946..b2784f9 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5604,7 +5604,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 06adf38..3425a55 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index fe4aafe..909100c 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 1022ccc..7dfe2cc 100644 
--- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index cd579c7..a292e82 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 6b2fe69..9c2b6dc 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index f5900dc..9b2de2a 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: 
@@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 2bceb63..2b8d56c 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.3.2 + image: docker.io/datawire/aes:2.4.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http From afe71380e8ef5fdf946e303303277cb7bcc35a28 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Thu, 25 Aug 2022 13:47:09 -0400 Subject: [PATCH 30/55] bump edgestack/verison Signed-off-by: David Dymko --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 9183195..18d4d6c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0 \ No newline at end of file +2.4.0-rc.0 \ No newline at end of file From a8c21768765e6cd527e76d05e1e3e4e78288592d Mon Sep 17 00:00:00 2001 From: David Dymko Date: Mon, 29 Aug 2022 20:51:50 -0400 Subject: [PATCH 31/55] [v3.2.0] rc releases 
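Review bot: In [PATCH 29/55] the VERSION hunk writes `2.4.0`, while the same patch sets `appVersion: 2.4.0-rc.0` in charts/edge-stack/Chart.yaml, `tag: 2.4.0-rc.0` in charts/edge-stack/values.yaml and `docker.io/datawire/aes:2.4.0-rc.0` in every manifest, so the tree carries two different version strings at that commit until [PATCH 30/55] changes VERSION to `2.4.0-rc.0`. Squash the one-line fix from 30 into 29 so that every commit in the series is self-consistent. Separately, the new `AMBASSADOR_EDS_BYPASS` entry in CHANGELOG.md and docs/releaseNotes.yml reads "help resolve with `503 UH` caused by certification rotation"; if certificate rotation is what is meant, say so, and drop the stray "with".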
Signed-off-by: David Dymko --- CHANGELOG.md | 4 + VERSION | 2 +- charts/edge-stack/CHANGELOG.md | 5 + charts/edge-stack/Chart.lock | 6 +- charts/edge-stack/Chart.yaml | 6 +- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 6 ++ .../edge-stack/aes-ambassadorns-agent.yaml | 2 +- .../aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 +- manifests/edge-stack/aes-crds.yaml | 102 ++++++++---------- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- .../edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 +- .../edge-stack/aes-emissaryns-agent.yaml | 2 +- .../edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 +- manifests/edge-stack/aes.yaml | 4 +- 18 files changed, 84 insertions(+), 77 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 400fadc..ee1fd9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -86,6 +86,10 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest patch release of 1.23. This provides Ambassador Edge Stack with the latest security patches, performances enhancments, and features offered by the envoy proxy. +- Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be + inserted to clusters manually. This can help resolve with `503 UH` caused by certification + rotation relating to a delay between EDS + CDS. The default is `false`. + ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 diff --git a/VERSION b/VERSION index fd2a018..e11e207 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.1.0 +3.2.0-rc.0 diff --git a/charts/edge-stack/CHANGELOG.md b/charts/edge-stack/CHANGELOG.md index c79f6f2..55b989f 100644 --- a/charts/edge-stack/CHANGELOG.md +++ b/charts/edge-stack/CHANGELOG.md 
@@ -2,9 +2,14 @@ This file documents all notable changes to Edge Stack Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v8.2.0 + +- Update Edge Stack chart image to version v3.2.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) + ## v8.1.0 - Update Edge Stack chart image to version v3.1.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) + ## v8.0.0 - Update Edge Stack chart image to version v3.0.0: [CHANGELOG](https://github.com/datawire/edge-stack/blob/master/CHANGELOG.md) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index c0e72d7..2210c08 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.0.1-0.20220817135951-2cb28ef4f415 -digest: sha256:21f4f92228bd5473cb47c30aa16b49b7b0d705b603aa8489a529437731337ac0 -generated: "2022-08-17T11:31:07.657253-05:00" + version: 8.2.0-rc.0 +digest: sha256:176ff45d4f238bdc1b2528a9be58a2842f427079c5d647827754086c8462cff4 +generated: "2022-08-29T20:41:54.37638-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 0872471..30851e0 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.1.0 +appVersion: 3.2.0-rc.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.1.0 +version: 8.2.0-rc.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.0.1-0.20220817135951-2cb28ef4f415 + version: 8.2.0-rc.0 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev 
diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 6969b31..b00be2d 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.1.0 + tag: 3.2.0-rc.0 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index de1e956..7c16699 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -42,6 +42,12 @@ items: release of 1.23. This provides $productName$ with the latest security patches, performances enhancments, and features offered by the envoy proxy. docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.23/v1.23.0 + - title: Allow bypassing of EDS for manual endpoint insertion + type: change + body: >- + Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be + inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to + a delay between EDS + CDS. The default is false. - version: 3.1.0 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 100727e..11e543c 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index e35bea8..bf9c2ea 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml 
@@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index c5deb6a..5eee5df 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 7dc24e7..adef490 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -1778,7 +1778,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -1997,7 +1997,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: 
@@ -2054,14 +2054,14 @@ spec: schema: openAPIV3Schema: description: "DevPortal is the Schema for the DevPortals API \n DevPortal - resources specify the `what` and `how` is shown in a DevPortal: \n * `what` - is in a DevPortal can be controlled with - a `selector`, that can be used - for filtering `Mappings`. - a `docs` listing of (services, url) * `how` - is a pointer to some `contents` (a checkout of a Git repository with go-templates/markdown/css). - \n Multiple `DevPortal`s can exist in the cluster, and the Dev Portal server - will show them at different endpoints. A `DevPortal` resource with a special - name, `ambassador`, will be used for configuring the default Dev Portal - (served at `/docs/` by default)." + resources specify the `what` and `how` is shown in a DevPortal: \n 1. `what` + is in a DevPortal can be controlled with \n - a `selector`, that can + be used for filtering `Mappings`. \n - a `docs` listing of (services, + url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git repository + \ with go-templates/markdown/css). \n Multiple `DevPortal`s can exist + in the cluster, and the Dev Portal server will show them at different endpoints. + A `DevPortal` resource with a special name, `ambassador`, will be used for + configuring the default Dev Portal (served at `/docs/` by default)." properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -2167,14 +2167,14 @@ spec: schema: openAPIV3Schema: description: "DevPortal is the Schema for the DevPortals API \n DevPortal - resources specify the `what` and `how` is shown in a DevPortal: \n * `what` - is in a DevPortal can be controlled with - a `selector`, that can be used - for filtering `Mappings`. - a `docs` listing of (services, url) * `how` - is a pointer to some `contents` (a checkout of a Git repository with go-templates/markdown/css). - \n Multiple `DevPortal`s can exist in the cluster, and the Dev Portal server - will show them at different endpoints. A `DevPortal` resource with a special - name, `ambassador`, will be used for configuring the default Dev Portal - (served at `/docs/` by default)." + resources specify the `what` and `how` is shown in a DevPortal: \n 1. `what` + is in a DevPortal can be controlled with \n - a `selector`, that can + be used for filtering `Mappings`. \n - a `docs` listing of (services, + url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git repository + \ with go-templates/markdown/css). \n Multiple `DevPortal`s can exist + in the cluster, and the Dev Portal server will show them at different endpoints. + A `DevPortal` resource with a special name, `ambassador`, will be used for + configuring the default Dev Portal (served at `/docs/` by default)." properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -2194,7 +2194,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: 
@@ -2527,22 +2527,18 @@ spec: type: string type: object tlsSecret: - description: "Name of the Kubernetes secret into which to save generated + description: Name of the Kubernetes secret into which to save generated certificates. If ACME is enabled (see $acmeProvider), then the - default is $hostname; otherwise the default is \"\". If the value - is \"\", then we do not do TLS for this Host. \n Note that this - is a native-Kubernetes-style core.v1.LocalObjectReference, not an - Ambassador-style `{name}.{namespace}` string. Because we're opinionated, - it does not support referencing a Secret in another namespace (because - most native Kubernetes resources don't support that), but if we - ever abandon that opinion and decide to support non-local references - it, it would be by adding a `namespace:` field by changing it from - a core.v1.LocalObjectReference to a core.v1.SecretReference, not - by adopting the `{name}.{namespace}` notation." + default is $hostname; otherwise the default is "". If the value + is "", then we do not do TLS for this Host. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object 
@@ -2859,22 +2855,18 @@ spec: type: string type: object tlsSecret: - description: "Name of the Kubernetes secret into which to save generated + description: Name of the Kubernetes secret into which to save generated certificates. If ACME is enabled (see $acmeProvider), then the - default is $hostname; otherwise the default is \"\". If the value - is \"\", then we do not do TLS for this Host. \n Note that this - is a native-Kubernetes-style core.v1.LocalObjectReference, not an - Ambassador-style `{name}.{namespace}` string. Because we're opinionated, - it does not support referencing a Secret in another namespace (because - most native Kubernetes resources don't support that), but if we - ever abandon that opinion and decide to support non-local references - it, it would be by adding a `namespace:` field by changing it from - a core.v1.LocalObjectReference to a core.v1.SecretReference, not - by adopting the `{name}.{namespace}` notation." + default is $hostname; otherwise the default is "". If the value + is "", then we do not do TLS for this Host. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object @@ -3022,7 +3014,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: 
@@ -3127,7 +3119,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -3212,7 +3204,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -3460,7 +3452,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -4017,7 +4009,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: 
@@ -4629,7 +4621,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -4959,7 +4951,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -5197,7 +5189,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -5400,7 +5392,7 @@ spec: ambassador_id: description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. If no value is provided, the default - is: \n ambassador_id: - \"default\" \n TODO(lukeshu): In v3alpha2, + is: \n \tambassador_id: \t- \"default\" \n TODO(lukeshu): In v3alpha2, consider renaming all of the `ambassador_id` (singular) fields to `ambassador_ids` (plural)." items: @@ -5653,7 +5645,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: 
diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 57374f9..4cc2509 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 71cf418..a8c22c9 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 21a41b1..7cce8ce 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -513,7 +513,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 8fc9a10..9177718 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -276,7 +276,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: 
diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 30aac3b..ee24358 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index b8882fc..85ff90d 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index c3c6b1f..971526a 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -521,7 +521,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.1.0 + image: docker.io/datawire/aes:3.2.0-rc.0 imagePullPolicy: IfNotPresent ports: - name: http From ce1aa9e81b23edefffd62ab5738303e82cc76be3 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Tue, 30 Aug 2022 09:51:05 -0400 Subject: [PATCH 32/55] deps: bump go from 1.18 to 1.19 Signed-off-by: David Dymko --- .circleci/yq.d/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
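Review bot: In the two `tlsSecret` hunks of manifests/edge-stack/aes-crds.yaml in [PATCH 31/55], the new `namespace` property is described only as "Namespace defines the space within which the secret name must be unique", and the paragraph being removed was the only place that stated the field "does not support referencing a Secret in another namespace". The description should say which namespace is used when `namespace` is omitted and state plainly that a Host may now reference a Secret outside its own namespace, because anyone reviewing Host resources needs to know the reference is no longer confined to the Host's namespace. The docs/releaseNotes.yml entry in the same patch also drops the backticks that the CHANGELOG.md hunk keeps around `AMBASSADOR_EDS_BYPASS`, `true`, `503 UH` and `false`.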
diff --git a/.circleci/yq.d/go.mod b/.circleci/yq.d/go.mod index d31f598..8b06cfd 100644 --- a/.circleci/yq.d/go.mod +++ b/.circleci/yq.d/go.mod @@ -1,6 +1,6 @@ module github.com/datawire/build-aux/bin-go/yq -go 1.18 +go 1.19 require github.com/mikefarah/yq/v4 v4.25.1 From 7e74b3220b6ebb3f633c03d253db35756b2a406d Mon Sep 17 00:00:00 2001 From: David Dymko Date: Tue, 30 Aug 2022 11:02:50 -0400 Subject: [PATCH 33/55] change: make generate Signed-off-by: David Dymko --- manifests/edge-stack/aes-crds.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index adef490..687fe78 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -339,10 +339,10 @@ spec: type: object JWT: description: "FilterJWT \n Currently supported algorithms: \n - RSA - \ * \"RS256\" * \"RS384\" * \"RS512\" - RSA-PSS * \"PS256\" - \ * \"PS384\" * \"PS512\" - ECDSA * \"ES256\" * \"ES384\" - \ * \"ES512\" - HMAC-SHA * \"HS256\" * \"HS384\" * \"HS512\" - - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go + \ - \"RS256\" - \"RS384\" - \"RS512\" \n - RSA-PSS - \"PS256\" + \ - \"PS384\" - \"PS512\" \n - ECDSA - \"ES256\" - \"ES384\" + \ - \"ES512\" \n - HMAC-SHA - \"HS256\" - \"HS384\" - \"HS512\" + \n - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go v3.2.0. Keep this list in sync if we pull in a jwt-go update. More algorithms can be added with jwt.RegistersigningMethod(). \n Haha, JK, our JWKS parser only understands RSA keys." 
@@ -647,10 +647,10 @@ spec: type: object JWT: description: "FilterJWT \n Currently supported algorithms: \n - RSA - \ * \"RS256\" * \"RS384\" * \"RS512\" - RSA-PSS * \"PS256\" - \ * \"PS384\" * \"PS512\" - ECDSA * \"ES256\" * \"ES384\" - \ * \"ES512\" - HMAC-SHA * \"HS256\" * \"HS384\" * \"HS512\" - - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go + \ - \"RS256\" - \"RS384\" - \"RS512\" \n - RSA-PSS - \"PS256\" + \ - \"PS384\" - \"PS512\" \n - ECDSA - \"ES256\" - \"ES384\" + \ - \"ES512\" \n - HMAC-SHA - \"HS256\" - \"HS384\" - \"HS512\" + \n - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go v3.2.0. Keep this list in sync if we pull in a jwt-go update. More algorithms can be added with jwt.RegistersigningMethod(). \n Haha, JK, our JWKS parser only understands RSA keys." @@ -992,10 +992,10 @@ spec: type: object JWT: description: "FilterJWT \n Currently supported algorithms: \n - RSA - \ * \"RS256\" * \"RS384\" * \"RS512\" - RSA-PSS * \"PS256\" - \ * \"PS384\" * \"PS512\" - ECDSA * \"ES256\" * \"ES384\" - \ * \"ES512\" - HMAC-SHA * \"HS256\" * \"HS384\" * \"HS512\" - - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go + \ - \"RS256\" - \"RS384\" - \"RS512\" \n - RSA-PSS - \"PS256\" + \ - \"PS384\" - \"PS512\" \n - ECDSA - \"ES256\" - \"ES384\" + \ - \"ES512\" \n - HMAC-SHA - \"HS256\" - \"HS384\" - \"HS512\" + \n - \"none\" \n This is this list of algos built-in to github.com/dgrijalva/jwt-go v3.2.0. Keep this list in sync if we pull in a jwt-go update. More algorithms can be added with jwt.RegistersigningMethod(). \n Haha, JK, our JWKS parser only understands RSA keys." From b14569cc8ccb9ebe159a85a44d929d6cf50686ea Mon Sep 17 00:00:00 2001 
From: Lance Austin Date: Tue, 30 Aug 2022 12:25:48 -0500 Subject: [PATCH 34/55] ratelimit: add failure_mode_deny field By default, Envoy will fail open when it is unable to communicate with the configured service. This adds the `failure_mode_deny` field to the `RateLimitService` so that Envoy can be configured to reject request when it is unable to communicate with the service. A 500 will be returned when this field is enabled. Signed-off-by: Lance Austin --- CHANGELOG.md | 6 ++++++ charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- docs/releaseNotes.yml | 11 +++++++++++ manifests/edge-stack/aes-crds.yaml | 8 ++++++++ 5 files changed, 29 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee1fd9b..5b07ff0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -90,6 +90,12 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to a delay between EDS + CDS. The default is `false`. +- Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then it will + allow traffic through. The `RateLimitService` resource now exposes the failure_mode_deny + option. Set `failure_mode_deny: true`, then Envoy will deny traffic when it is unable to + communicate to the RateLimitService returning a 500. + ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 2210c08..c3738f7 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.0 -digest: sha256:176ff45d4f238bdc1b2528a9be58a2842f427079c5d647827754086c8462cff4 -generated: "2022-08-29T20:41:54.37638-04:00" + version: 8.2.0-rc.0.0.20220830143419-1af5b4207a4a +digest: sha256:20025b73b451094f7a4c25ad13654a5908f324e9d5a257c7b299ea1e9e604bd1 +generated: "2022-08-30T12:03:42.576342-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 30851e0..21a62cf 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.0 + version: 8.2.0-rc.0.0.20220830143419-1af5b4207a4a repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 7c16699..3086861 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -48,6 +48,17 @@ items: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to a delay between EDS + CDS. The default is false. + - title: Add failure_mode_deny option to the RateLimitService + type: feature + body: >- + By default, when Envoy is unable to communicate with the configured + RateLimitService then it will allow traffic through. The + RateLimitService resource now exposes the + failure_mode_deny + option. Set failure_mode_deny: true, then Envoy will + deny traffic when it is unable to communicate to the RateLimitService + returning a 500. + docs: https://www.getambassador.io/docs/edge-stack/latest/topics/running/services/rate-limit-service/ - version: 3.1.0 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 687fe78..2896089 100644 
--- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -4704,6 +4704,10 @@ spec: properties: domain: type: string + failure_mode_deny: + description: FailureModeDeny when set to true, envoy will deny traffic + if it is unable to communicate with the rate limit service. + type: boolean protocol_version: enum: - v2 @@ -4749,6 +4753,10 @@ spec: type: array domain: type: string + failure_mode_deny: + description: FailureModeDeny when set to true, envoy will deny traffic + if it is unable to communicate with the rate limit service. + type: boolean protocol_version: description: ProtocolVersion is the envoy api transport protocol version enum: From f43ab3e17f1db748235298ac557549946466ee6c Mon Sep 17 00:00:00 2001 From: David Dymko Date: Wed, 31 Aug 2022 11:58:03 -0400 Subject: [PATCH 35/55] make generate Signed-off-by: David Dymko --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 2c54b34..754d9a6 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.5.0-rc.0 -digest: sha256:0896aed7e58bcb467045996569b9fd84b33b613d385163932074665a397876f2 -generated: "2022-08-25T10:38:26.057373-05:00" + version: 7.5.0-rc.0.0.20220831151131-dcf6ecc893b6 +digest: sha256:b58485c768c5dca83154ddba4d17fe931b83fe6945acd4aece25f25284d0521e +generated: "2022-08-31T11:55:07.789943-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 245b89b..8a93405 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml 
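Review bot: in the `failure_mode_deny` hunks of manifests/edge-stack/aes-crds.yaml from patch 34/55 (`@@ -4704,6 +4704,10 @@` and `@@ -4749,6 +4753,10 @@`), the field description states neither the default nor the failure response, which is what an operator needs when choosing between failing open and failing closed. The commit message and CHANGELOG entry say Envoy fails open by default and that a 500 is returned when the field is enabled; carry both facts into the description, for example "Defaults to false (requests are allowed when the rate limit service is unreachable); when true such requests are rejected with a 500." Separately, the same patch moves the `emissary-ingress` dependency in charts/edge-stack/Chart.lock and Chart.yaml to `8.2.0-rc.0.0.20220830143419-1af5b4207a4a`, which the commit message does not mention; note it there or split it into its own commit.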
@@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.5.0-rc.0 + version: 7.5.0-rc.0.0.20220831151131-dcf6ecc893b6 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From c85f95396a3911b52484ff722ab646f000f79f8b Mon Sep 17 00:00:00 2001 From: David Dymko Date: Thu, 1 Sep 2022 10:57:31 -0400 Subject: [PATCH 36/55] change: bump emissary to have latest 503 fix Signed-off-by: David Dymko --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index c3738f7..561ca4c 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.0.0.20220830143419-1af5b4207a4a -digest: sha256:20025b73b451094f7a4c25ad13654a5908f324e9d5a257c7b299ea1e9e604bd1 -generated: "2022-08-30T12:03:42.576342-05:00" + version: 8.2.0-rc.0.0.20220901145145-fcd96a20c16e +digest: sha256:b2697f4c42870fdb08103cda3f13167fab3e93080de98a1394521e2888f2bc79 +generated: "2022-09-01T10:54:09.635078-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 21a62cf..33c4bc5 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.0.0.20220830143419-1af5b4207a4a + version: 8.2.0-rc.0.0.20220901145145-fcd96a20c16e repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From cd4e13378a9162759c6f64bec1e9b8b7e651eceb Mon Sep 17 00:00:00 2001 
From: Lance Austin Date: Mon, 29 Aug 2022 16:19:07 -0500 Subject: [PATCH 37/55] fix: ensure custom resources round trip properly This commit renames TestConvert to TestConvertThroughHub to make it a little more obvious what it is testing. The round-trip equality checks are moved from a string comparison to a semantic deep equality comparison due to the fact that not all fields convert 1-1. Things like adding default AmbassadorID, mangling it and enums filling default values all caused the existing string comparisons to fail. Fixes for FilterPolicy and ExternalFilters based on visibilty from the failing test were addressed as well. Signed-off-by: Lance Austin --- CHANGELOG.md | 6 ++++++ docs/releaseNotes.yml | 7 +++++++ manifests/edge-stack/aes-crds.yaml | 29 +++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b07ff0..fd179f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -96,6 +96,12 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest option. Set `failure_mode_deny: true`, then Envoy will deny traffic when it is unable to communicate to the RateLimitService returning a 500. +- Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a + FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted + in k8s which would lead to validation issues when trying to kubectl apply the custom resource. + This fixes these issues to ensure the correct data is being persisted and roundtripped properly + between CRD versions. + ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 3086861..e5ffe06 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -59,6 +59,13 @@ items: deny traffic when it is unable to communicate to the RateLimitService returning a 500. docs: https://www.getambassador.io/docs/edge-stack/latest/topics/running/services/rate-limit-service/ + - title: Properly convert FilterPolicy and ExternalFilter between CRD versions + type: bugfix + body: >- + Previously, $productName$ would incorrectly include empty fields when converting a FilterPolicy + or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which + would lead to validation issues when trying to kubectl apply the custom resource. This fixes these + issues to ensure the correct data is being persisted and roundtripped properly between CRD versions. - version: 3.1.0 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 2896089..dfad18c 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -131,12 +131,17 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true ifRequestHeader: + description: HeaderFieldSelector allows for matching on + header fields using an exact match value or using a + regular expression match. properties: name: type: string negate: type: boolean value: + description: Value is an exact match, empty is a valid + value type: string valueRegex: type: string @@ -198,14 +203,21 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true ifRequestHeader: + description: HeaderFieldSelector allows for matching on + header fields using an exact match value or using a + regular expression match. properties: name: type: string negate: type: boolean value: + description: Value will do an exact match on header + value, empty is a valid value type: string valueRegex: + description: ValueRegex will do a match on the header + value based on the provide header regular expression type: string required: - name 
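Review bot: the new `ifRequestHeader` descriptions in the `@@ -131,12 +131,17 @@` and `@@ -198,14 +203,21 @@` hunks of manifests/edge-stack/aes-crds.yaml do not say how `value` and `valueRegex` interact. Only `name` is listed under `required`, and `value` is documented as "empty is a valid value", so a reader cannot tell whether an omitted `value` means match an empty header, match on presence, or defer to `valueRegex`, nor which field wins when both are set. That ambiguity matters for a selector that gates a condition, especially with `negate` inverting the result. Please document the precedence and the unset case in the source type. The two hunks also disagree with each other: the first leaves `valueRegex` undescribed and words `value` differently from the second, and "based on the provide header regular expression" should read "provided".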
@@ -545,12 +557,17 @@ spec: useSessionCookies: properties: ifRequestHeader: + description: HeaderFieldSelector allows for matching on header + fields using an exact match value or using a regular expression + match. properties: name: type: string negate: type: boolean value: + description: Value is an exact match, empty is a valid + value type: string valueRegex: type: string @@ -853,12 +870,17 @@ spec: useSessionCookies: properties: ifRequestHeader: + description: HeaderFieldSelector allows for matching on header + fields using an exact match value or using a regular expression + match. properties: name: type: string negate: type: boolean value: + description: Value is an exact match, empty is a valid + value type: string valueRegex: type: string @@ -1198,14 +1220,21 @@ spec: useSessionCookies: properties: ifRequestHeader: + description: HeaderFieldSelector allows for matching on header + fields using an exact match value or using a regular expression + match. properties: name: type: string negate: type: boolean value: + description: Value will do an exact match on header value, + empty is a valid value type: string valueRegex: + description: ValueRegex will do a match on the header + value based on the provide header regular expression type: string required: - name From ce20dfba20c9a6dfc8fd6a960757baf43a37fc59 Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Mon, 29 Aug 2022 16:19:07 -0500 Subject: [PATCH 38/55] fix: ensure custom resources round trip properly This commit renames TestConvert to TestConvertThroughHub to make it a little more obvious what it is testing. The round-trip equality checks are moved from a string comparison to a semantic deep equality comparison due to the fact that not all fields convert 1-1. Things like adding default AmbassadorID, mangling it and enums filling default values all caused the existing string comparisons to fail. Fixes for FilterPolicy and ExternalFilters based on visibilty from the failing test were addressed as well. 
Signed-off-by: Lance Austin (cherry picked from commit 4c68c518be19f4e4234e4a2b5cba2e6e02bb0f8b) --- CHANGELOG.md | 6 ++++++ docs/releaseNotes.yml | 7 +++++++ manifests/edge-stack/aes-crds.yaml | 29 +++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 134619f..c162566 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -90,6 +90,12 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to a delay between EDS + CDS. The default is `false`. +- Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a + FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted + in k8s which would lead to validation issues when trying to kubectl apply the custom resource. + This fixes these issues to ensure the correct data is being persisted and roundtripped properly + between CRD versions. + ## [2.3.2] 2022-08-01 [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 8c7c402..60f5fe4 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -47,6 +47,13 @@ items: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to a delay between EDS + CDS. The default is `false`. + - title: Properly convert FilterPolicy and ExternalFilter between CRD versions + type: bugfix + body: >- + Previously, $productName$ would incorrectly include empty fields when converting a FilterPolicy + or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which + would lead to validation issues when trying to kubectl apply the custom resource. This fixes these + issues to ensure the correct data is being persisted and roundtripped properly between CRD versions. - version: 2.3.2 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index b2784f9..0f91ba8 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -131,12 +131,17 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true ifRequestHeader: + description: HeaderFieldSelector allows for matching on + header fields using an exact match value or using a + regular expression match. properties: name: type: string negate: type: boolean value: + description: Value is an exact match, empty is a valid + value type: string valueRegex: type: string @@ -198,14 +203,21 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true ifRequestHeader: + description: HeaderFieldSelector allows for matching on + header fields using an exact match value or using a + regular expression match. properties: name: type: string negate: type: boolean value: + description: Value will do an exact match on header + value, empty is a valid value type: string valueRegex: + description: ValueRegex will do a match on the header + value based on the provide header regular expression type: string required: - name 
@@ -545,12 +557,17 @@ spec: useSessionCookies: properties: ifRequestHeader: + description: HeaderFieldSelector allows for matching on header + fields using an exact match value or using a regular expression + match. properties: name: type: string negate: type: boolean value: + description: Value is an exact match, empty is a valid + value type: string valueRegex: type: string @@ -853,12 +870,17 @@ spec: useSessionCookies: properties: ifRequestHeader: + description: HeaderFieldSelector allows for matching on header + fields using an exact match value or using a regular expression + match. properties: name: type: string negate: type: boolean value: + description: Value is an exact match, empty is a valid + value type: string valueRegex: type: string @@ -1164,14 +1186,21 @@ spec: useSessionCookies: properties: ifRequestHeader: + description: HeaderFieldSelector allows for matching on header + fields using an exact match value or using a regular expression + match. properties: name: type: string negate: type: boolean value: + description: Value will do an exact match on header value, + empty is a valid value type: string valueRegex: + description: ValueRegex will do a match on the header + value based on the provide header regular expression type: string required: - name From 6a52c5c7ccbb3abafac61e0d7349c417e0e1e502 Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Fri, 2 Sep 2022 08:42:23 -0500 Subject: [PATCH 39/55] [v2.4.0] rc.1 preparations 
Signed-off-by: Lance Austin --- VERSION | 2 +- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 6 +++--- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 15 files changed, 23 insertions(+), 23 deletions(-) diff --git a/VERSION b/VERSION index 18d4d6c..8f61380 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-rc.0 \ No newline at end of file +2.4.0-rc.1 \ No newline at end of file diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 754d9a6..39699f8 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.5.0-rc.0.0.20220831151131-dcf6ecc893b6 -digest: sha256:b58485c768c5dca83154ddba4d17fe931b83fe6945acd4aece25f25284d0521e -generated: "2022-08-31T11:55:07.789943-04:00" + version: 7.5.0-rc.1 +digest: sha256:303bfdac4f7e033aca0ed74d9fe134f404860225fa1c182231c041c2c05ee377 +generated: "2022-09-02T08:32:20.126041-05:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 8a93405..30dc00a 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.4.0-rc.0 +appVersion: 2.4.0-rc.1 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.5.0-rc.0 +version: 7.5.0-rc.1 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.5.0-rc.0.0.20220831151131-dcf6ecc893b6 + version: 7.5.0-rc.1 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 8f6d34d..7d68f67 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.4.0-rc.0 + tag: 2.4.0-rc.1 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 3bab8c1..fe717d7 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 489f82e..03c052e 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 2b8d56c..ced0f46 100644 
--- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 0f91ba8..2985a93 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5633,7 +5633,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 3425a55..c933053 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 909100c..6811e49 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http 
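Review bot: every image reference bumped in this patch, including `docker.io/datawire/aes:2.4.0-rc.1` in the `@@ -140,7 +140,7 @@` hunk of aes-defaultns-migration.yaml, is tag-only and paired with `imagePullPolicy: IfNotPresent`. Chart.lock in the same patch records a `sha256` digest for the chart dependency, but nothing equivalent pins the container image, so a node with a cached copy and a node pulling fresh can run different content if the rc tag is ever re-pushed. Consider having the manifest generator emit the image digest after the tag (`:2.4.0-rc.1@sha256:<digest>`, with the real digest filled in at release time) for published manifests.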
diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 7dfe2cc..9e2842d 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index a292e82..861a5c0 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 9c2b6dc..19b529d 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 9b2de2a..f722386 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml 
@@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 2b8d56c..ced0f46 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.0 + image: docker.io/datawire/aes:2.4.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http From 1f9e359741933b36af3163d66ad077b76b6e7740 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Tue, 13 Sep 2022 12:53:59 -0400 Subject: [PATCH 40/55] dep: bumping go to 1.19.1 and make gen Signed-off-by: David Dymko --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 3 +-- manifests/edge-stack/aes-ambassadorns.yaml | 3 +-- manifests/edge-stack/aes-defaultns-agent.yaml | 3 +-- manifests/edge-stack/aes-defaultns.yaml | 3 +-- manifests/edge-stack/aes-emissaryns-agent.yaml | 3 +-- manifests/edge-stack/aes-emissaryns.yaml | 3 +-- manifests/edge-stack/aes.yaml | 3 +-- 9 files changed, 11 insertions(+), 18 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 561ca4c..dd789f8 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.0.0.20220901145145-fcd96a20c16e -digest: sha256:b2697f4c42870fdb08103cda3f13167fab3e93080de98a1394521e2888f2bc79 -generated: "2022-09-01T10:54:09.635078-04:00" + version: 8.2.0-rc.0.0.20220913160418-785b4dee9503 +digest: sha256:ddfa411c6ac1d346c96558f56bd12c8c857870306a8da61f1a94f427113fb913 +generated: "2022-09-13T12:48:26.065611-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 33c4bc5..be95b52 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.0.0.20220901145145-fcd96a20c16e + version: 8.2.0-rc.0.0.20220913160418-785b4dee9503 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 11e543c..59cd826 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -276,9 +276,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 5eee5df..5ff201f 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -521,9 +521,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http 
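Review bot: the agent container hunks (`@@ -276,9 +276,8 @@` in aes-ambassadorns-agent.yaml and `@@ -521,9 +521,8 @@` in aes-ambassadorns.yaml) replace `docker.io/datawire/aes:3.2.0-rc.0` with `docker.io/ambassador/ambassador-agent:0.0.7` and delete `command: [agent]`, yet the subject only says "bumping go to 1.19.1 and make gen", and none of the nine files in the diffstat is a Go toolchain file. Moving the agent to a separately published image in a different registry namespace changes what runs under the `edge-stack-agent` service account and deserves its own commit, or at least a line in the commit message and a CHANGELOG entry (the diffstat lists no CHANGELOG.md change). With `command` removed, the pod now depends on the new image's default entrypoint, so confirm that it starts the agent and still serves the `http` port 8080 declared just below.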
diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 4cc2509..4e8918c 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -276,9 +276,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 7cce8ce..ca0f6fe 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -513,9 +513,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 9177718..d3b8317 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -276,9 +276,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 85ff90d..512da03 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml 
@@ -521,9 +521,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 971526a..9fa7379 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -521,9 +521,8 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/ambassador/ambassador-agent:0.0.7 imagePullPolicy: IfNotPresent - command: [agent] ports: - containerPort: 8080 name: http From 04fb9b9c649dfa0bd809039d5d99e0d6e1a3ae5c Mon Sep 17 00:00:00 2001 From: David Dymko Date: Wed, 14 Sep 2022 14:29:54 -0400 Subject: [PATCH 41/55] [v3.2.0] rc1 release Signed-off-by: David Dymko --- VERSION | 2 +- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 6 +++--- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 2 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 2 +- manifests/edge-stack/aes.yaml | 2 +- 12 files changed, 16 insertions(+), 16 deletions(-) diff --git a/VERSION b/VERSION index e11e207..f338b62 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.2.0-rc.0 +3.2.0-rc.1 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index dd789f8..4dafc0e 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.0.0.20220913160418-785b4dee9503 -digest: sha256:ddfa411c6ac1d346c96558f56bd12c8c857870306a8da61f1a94f427113fb913 -generated: "2022-09-13T12:48:26.065611-04:00" + version: 8.2.0-rc.1 +digest: sha256:c7eaeb55f782be604d7ceb3bf9da92dfe813afa034e059a419966bc1742c7b20 +generated: "2022-09-14T14:25:13.997262-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index be95b52..b94e93e 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.2.0-rc.0 +appVersion: 3.2.0-rc.1 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.2.0-rc.0 +version: 8.2.0-rc.1 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.0.0.20220913160418-785b4dee9503 + version: 8.2.0-rc.1 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index b00be2d..0044259 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.2.0-rc.0 + tag: 3.2.0-rc.1 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index bf9c2ea..23929ff 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http 
diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 5ff201f..e31adaa 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -595,7 +595,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index dfad18c..837bb3e 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5682,7 +5682,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index a8c22c9..6777a47 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index ca0f6fe..e4b1cae 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -587,7 +587,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index ee24358..c2a20a7 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml 
@@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 512da03..dac35b1 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -595,7 +595,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 9fa7379..6e855cc 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -595,7 +595,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.0 + image: docker.io/datawire/aes:3.2.0-rc.1 imagePullPolicy: IfNotPresent ports: - name: http From df94bd24114f94b7730b691de0988bec15d0a3c2 Mon Sep 17 00:00:00 2001 From: David Dymko Date: Fri, 16 Sep 2022 16:27:48 -0400 Subject: [PATCH 42/55] [2.4.0] RC.2 Preparations Signed-off-by: David Dymko --- CHANGELOG.md | 2 +- VERSION | 2 +- charts/edge-stack/Chart.yaml | 4 ++-- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 16 files changed, 21 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c162566..4b5832b 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,7 +77,7 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES -## [2.4.0] TBD +## [2.4.0] 2022-09-19 [2.4.0]: https://github.com/datawire/edge-stack/releases/v2.4.0 ## Ambassador Edge Stack diff --git a/VERSION b/VERSION index 8f61380..2e6a100 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-rc.1 \ No newline at end of file +2.4.0-rc.2 \ No newline at end of file diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 30dc00a..4ad4ed7 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.4.0-rc.1 +appVersion: 2.4.0-rc.2 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.5.0-rc.1 +version: 7.5.0-rc.2 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 7d68f67..17a83da 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.4.0-rc.1 + tag: 2.4.0-rc.2 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 60f5fe4..5663137 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -33,7 +33,7 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: - version: 2.4.0 - date: 'TBD' + date: '2022-09-19' notes: - title: Add support for Host resources using secrets from different namespaces type: feature diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index fe717d7..c7c04d5 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml 
@@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 03c052e..9a8a1bc 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index ced0f46..f122e28 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 2985a93..4fef5a2 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5633,7 +5633,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index c933053..8c2fb94 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml 
+++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 6811e49..a4a860d 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 9e2842d..4bff8d6 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index 861a5c0..e7fd1b7 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 19b529d..d0a7913 100644 
--- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index f722386..0009a32 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index ced0f46..f122e28 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.1 + image: docker.io/datawire/aes:2.4.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http From 966323c6b4b40f719156a2f5d706ad1481f58db9 Mon Sep 17 00:00:00 2001 
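Review bot: In PATCH 42/55 the charts/edge-stack/Chart.yaml hunk bumps `version` to 7.5.0-rc.2 and `appVersion` to 2.4.0-rc.2, but the `emissary-ingress` dependency is not touched and Chart.lock is not in the diffstat, so the rc.2 chart still resolves the earlier dependency (PATCH 43/55 shows it at 7.5.0-rc.1 until the final release). Confirm that is intended, or bump the dependency and regenerate Chart.lock in the same commit so the chart version and the lock digest move together. Separately, the VERSION hunk keeps the file without a trailing newline; adding one removes the `\ No newline at end of file` marker from every later version bump.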
From: Hamzah Qudsi Date: Mon, 19 Sep 2022 12:55:46 -0400 Subject: [PATCH 43/55] [2.4.0] Release Preparations --- VERSION | 2 +- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 8 ++++---- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 4 ++-- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-agent.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 4 ++-- manifests/edge-stack/aes-emissaryns-agent.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 4 ++-- manifests/edge-stack/aes.yaml | 4 ++-- 15 files changed, 25 insertions(+), 25 deletions(-) diff --git a/VERSION b/VERSION index 2e6a100..9183195 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-rc.2 \ No newline at end of file +2.4.0 \ No newline at end of file diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 39699f8..447e2cd 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 7.5.0-rc.1 -digest: sha256:303bfdac4f7e033aca0ed74d9fe134f404860225fa1c182231c041c2c05ee377 -generated: "2022-09-02T08:32:20.126041-05:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 7.5.0 +digest: sha256:a99bf31d916156d5fa1d4e1127d8f2a00ea3432d5b7b2857b434eeb4a124f85f +generated: "2022-09-19T12:44:22.850170752-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 4ad4ed7..a48b3b4 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 2.4.0-rc.2 +appVersion: 2.4.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 7.5.0-rc.2 +version: 7.5.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 7.5.0-rc.1 - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 7.5.0 + repository: https://s3.amazonaws.com/datawire-static-files/charts diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 17a83da..b91a439 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 2.4.0-rc.2 + tag: 2.4.0 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index c7c04d5..9d8ed52 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 9a8a1bc..16516e4 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index f122e28..b39e0bf 100644 
--- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 4fef5a2..bfa8e33 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5633,7 +5633,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 8c2fb94..06b2b63 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index a4a860d..fe50a0d 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index 4bff8d6..2243681 100644 
--- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -510,7 +510,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -585,7 +585,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index e7fd1b7..cdff8f0 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -273,7 +273,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index d0a7913..3b3a2cc 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 0009a32..0242b56 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: 
@@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index f122e28..b39e0bf 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -518,7 +518,7 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent command: [agent] ports: @@ -593,7 +593,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:2.4.0-rc.2 + image: docker.io/datawire/aes:2.4.0 imagePullPolicy: IfNotPresent ports: - name: http From 1e04cef544e795e35c4d2b7a3167b9a5ceaa6b0f Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Wed, 21 Sep 2022 16:21:23 -0400 Subject: [PATCH 44/55] fix conflicts from merging master -> ci/repatriate/from-v2.4-to-v3.1 --- CHANGELOG.md | 91 +++++++++++++++++++++---------------------- docs/releaseNotes.yml | 74 +++++++++++++++++------------------ 2 files changed, 80 insertions(+), 85 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9667170..20833a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,16 +77,6 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES -<<<<<<< HEAD -## [2.4.0] 2022-09-19 -[2.4.0]: https://github.com/datawire/edge-stack/releases/v2.4.0 - -## Ambassador Edge Stack - -- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the Host. The - `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets - from different namespaces. -======= ## [3.2.0] TBD [3.2.0]: https://github.com/datawire/edge-stack/releases/v3.2.0 
@@ -95,29 +85,23 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest - Change: The envoy version included in Ambassador Edge Stack has been upgraded from 1.22 to the latest patch release of 1.23. This provides Ambassador Edge Stack with the latest security patches, performances enhancments, and features offered by the envoy proxy. ->>>>>>> master - Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to a delay between EDS + CDS. The default is `false`. -<<<<<<< HEAD -======= - Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then it will allow traffic through. The `RateLimitService` resource now exposes the failure_mode_deny option. Set `failure_mode_deny: true`, then Envoy will deny traffic when it is unable to communicate to the RateLimitService returning a 500. ->>>>>>> master - Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which would lead to validation issues when trying to kubectl apply the custom resource. This fixes these issues to ensure the correct data is being persisted and roundtripped properly between CRD versions. -<<<<<<< HEAD -======= ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 
@@ -201,7 +185,51 @@ To - Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. ->>>>>>> master +## [3.0.0] 2022-06-29 +[3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 + +## Ambassador Edge Stack + +- Change: Ambassador Edge Stack is now built on top of Emissary-ingress 3.0.0 which updates Envoy Proxy from + v1.17 to v1.22. This provides Ambassador Edge Stack with the latest security patches, performances + enhancments, and features offered by Envoy Proxy. One notable change that will effect users is the + removal of support for the V2 xDS tranport protocol. See the Emissary-ingress changelog for more + details. + +- Change: In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached to request. + First, the `:scheme` header is now attached to upstream requests over HTTP/1.1 to align with + http/2 and is used by HTTP Filters. The second behavior change is that the `content-length: 0` + will no longer be added to upstream request that have no body. + +- Change: Ambassador Edge Stack no longer supports the xDS V2 transport protocol. `ExternalFilter`s + targeting `grpc` must not explicitly set the `protocol_version` to `v3`. If not set or if using an + unsupported protocol_version then an error will be returned. Before upgrading to 3.0.0 you should + ugrade to Ambassador Edge Stack v2.3 and test that your `ExternalFilter` works with the xDS v3 + transport protocol. + +- Change: Since Ambassador Edge Stack no longer supports the xDS V2 transport protocol, the default Helm + Charts and Manifest explicilty set `protocol_version` to `v3` for the `RateLimitService` and + `AuthService` provided by Ambassador Edge Stack. + +## [2.4.0] 2022-09-19 +[2.4.0]: https://github.com/datawire/edge-stack/releases/v2.4.0 + +## Ambassador Edge Stack + +- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the Host. 
The + `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets + from different namespaces. + +- Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be + inserted to clusters manually. This can help resolve with `503 UH` caused by certification + rotation relating to a delay between EDS + CDS. The default is `false`. + +- Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a + FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted + in k8s which would lead to validation issues when trying to kubectl apply the custom resource. + This fixes these issues to ensure the correct data is being persisted and roundtripped properly + between CRD versions. + ## [2.3.2] 2022-08-01 [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 
@@ -238,35 +266,6 @@ To - Security: Upgrade jwt-go to latest commit to resolve CVE-2020-26160. -<<<<<<< HEAD -======= -## [3.0.0] 2022-06-29 -[3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 - -## Ambassador Edge Stack - -- Change: Ambassador Edge Stack is now built on top of Emissary-ingress 3.0.0 which updates Envoy Proxy from - v1.17 to v1.22. This provides Ambassador Edge Stack with the latest security patches, - performances enhancments, and features offered by Envoy Proxy. One notable change that will - effect users is the removal of support for the V2 xDS tranport protocol. See the Emissary-ingress - changelog for more details. - -- Change: In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached to request. - First, the `:scheme` header is now attached to upstream requests over HTTP/1.1 to align with - http/2 and is used by HTTP Filters. The second behavior change is that the `content-length: 0` - will no longer be added to upstream request that have no body. - -- Change: Ambassador Edge Stack no longer supports the xDS V2 transport protocol. `ExternalFilter`s - targeting `grpc` must not explicitly set the `protocol_version` to `v3`. If not set or if using an - unsupported protocol_version then an error will be returned. Before upgrading to 3.0.0 you should - ugrade to Ambassador Edge Stack v2.3 and test that your `ExternalFilter` works with the xDS v3 - transport protocol. - -- Change: Since Ambassador Edge Stack no longer supports the xDS V2 transport protocol, the default Helm - Charts and Manifest explicilty set `protocol_version` to `v3` for the `RateLimitService` and - `AuthService` provided by Ambassador Edge Stack. - ->>>>>>> master ## [2.3.1] 2022-06-09 [2.3.1]: https://github.com/datawire/edge-stack/releases/v2.3.1 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 115d75b..67c63dd 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -181,6 +181,41 @@ items: type: security body: >- Upgrade jwt-go to latest commit to resolve CVE-2020-26160. + - version: 3.0.0 + date: '2022-06-29' + notes: + - title: upgrade to Emissary-ingress 3.0.0 + type: change + body: >- + $productName$ is now built on top of Emissary-ingress 3.0.0 which updates + Envoy Proxy from v1.17 to v1.22. This provides $productName$ with the latest + security patches, performances enhancments, and features offered by Envoy Proxy. + One notable change that will effect users is the removal of support for + the V2 xDS tranport protocol. See the Emissary-ingress changelog for more details. + docs: https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md + - title: Envoy http header behavior change + type: change + body: >- + In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached + to request. First, the `:scheme` header is now attached to upstream requests over + HTTP/1.1 to align with http/2 and is used by HTTP Filters. The second behavior change + is that the `content-length: 0` will no longer be added to upstream request that + have no body. + docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.18/v1.18.0.html + - title: Remove xDS V2 support in ExternalFilter + type: change + body: >- + $productName$ no longer supports the xDS V2 transport protocol. `ExternalFilter`s + targeting grpc must not explicitly set the protocol_version + to v3. If not set or if using an unsupported protocol_version then an + error will be returned. Before upgrading to 3.0.0 you should ugrade to $productName$ v2.3 + and test that your ExternalFilter works with the xDS v3 transport protocol. + - title: Helm chart and manifest set protocol_version to v3 + type: change + body: >- + Since $productName$ no longer supports the xDS V2 transport protocol, the default Helm + Charts and Manifest explicilty set protocol_version to v3 for + the RateLimitService and AuthService provided by $productName$. 
- version: 2.4.0 date: '2022-09-19' notes: 
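Review bot: In the re-added 3.0.0 note "Remove xDS V2 support in ExternalFilter", the body says `ExternalFilter`s targeting grpc "must not explicitly set the protocol_version to v3", while the very next sentence says an error is returned when the field is not set or is unsupported. The two statements contradict each other and "must not" reads like a typo for "must now"; an operator who follows the text literally leaves the field unset and gets the error on upgrade. Since these lines are being added again in this hunk, correct that sentence here, along with the typos carried with it: "enhancments", "tranport", "ugrade", "explicilty", and "effect users" where "affect users" is meant.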
@@ -256,45 +291,6 @@ items: type: security body: >- Upgrade jwt-go to latest commit to resolve CVE-2020-26160. -<<<<<<< HEAD -======= - - - version: 3.0.0 - date: '2022-06-29' - notes: - - title: upgrade to Emissary-ingress 3.0.0 - type: change - body: >- - $productName$ is now built on top of Emissary-ingress 3.0.0 which updates - Envoy Proxy from v1.17 to v1.22. This provides $productName$ with the latest - security patches, performances enhancments, and features offered by Envoy Proxy. - One notable change that will effect users is the removal of support for - the V2 xDS tranport protocol. See the Emissary-ingress changelog for more details. - docs: https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md - - title: Envoy http header behavior change - type: change - body: >- - In Envoy Proxy 1.18, two behavior changes were made in the way headers are attached - to request. First, the `:scheme` header is now attached to upstream requests over - HTTP/1.1 to align with http/2 and is used by HTTP Filters. The second behavior change - is that the `content-length: 0` will no longer be added to upstream request that - have no body. - docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.18/v1.18.0.html - - title: Remove xDS V2 support in ExternalFilter - type: change - body: >- - $productName$ no longer supports the xDS V2 transport protocol. `ExternalFilter`s - targeting grpc must not explicitly set the protocol_version - to v3. If not set or if using an unsupported protocol_version then an - error will be returned. Before upgrading to 3.0.0 you should ugrade to $productName$ v2.3 - and test that your ExternalFilter works with the xDS v3 transport protocol. 
- - title: Helm chart and manifest set protocol_version to v3 - type: change - body: >- - Since $productName$ no longer supports the xDS V2 transport protocol, the default Helm - Charts and Manifest explicilty set protocol_version to v3 for - the RateLimitService and AuthService provided by $productName$. ->>>>>>> master - version: 2.3.1 date: '2022-06-09' notes: From f8cb1734ef3adf2915a23b229ead40f9eb53ccb1 Mon Sep 17 00:00:00 2001 
From: David Dymko
Date: Thu, 22 Sep 2022 17:33:58 -0400
Subject: [PATCH 45/55] OAuth2 post redirect support (#3059)

In order to add support for `post_logout_redirect_uri` we had to change the logout behavior a bit. If you define `postLogoutRedirectURI` in your yaml manifest for a filter, this will now be checked during the logout process and we will not remove session data until after the IDP has cleared its session first. This is to prevent issues where we have cleared out our session first but had issues clearing the IDP and now we are in this strange drifted state.

This will have us introduce a new endpoint that users will have to tell their IDP to point to in order to use the new `postLogoutRedirectURI` field. This new endpoint is `/.ambassador/oauth2/post-logout-redirect`; this will handle clearing out your application's session and then doing the redirect to what you have defined.

Overview

1. Check if postLogoutRedirectURI is set
2. If it is set then redirect over to the IDP's logout endpoint session with the following params
   - state: the regular state file we generate but also include the oauth2 filter + ns used
   - post_logout_redirect_uri: this will point to `/.ambassador/oauth2/post-logout-redirect`
   - id_token_hint: the jwt token
3. IDP will handle its removal of session data and then redirect to `/.ambassador/oauth2/post-logout-redirect`
4. We will validate that this is a valid request
5. Remove the application's session
6. Redirect to your defined `postLogoutRedirectURI`

TLDR `/.ambassador/oauth2/logout` -> IDP -> `/.ambassador/oauth2/post-logout-redirect` -> redirect to your `postLogoutRedirectURI`

* change: added postLogoutRedirectURI to v2 & v3 crd Signed-off-by: David Dymko * change: adding post logout redirect uri block Signed-off-by: David Dymko * change: make generate Signed-off-by: David Dymko * change: make generate + handwritten conversion Signed-off-by: David Dymko * change: make generate after handwritten conversion 
Signed-off-by: David Dymko * change: create local variable for redirect url Signed-off-by: David Dymko * change: added new post redirect endpoint for aes to handle sessions properly Signed-off-by: David Dymko * change: validate state in request matches session Signed-off-by: David Dymko * change: releasenotes + changelog Signed-off-by: David Dymko * change: refactor to remove duplicated code in handler around filter info Signed-off-by: David Dymko * change: grab host + schema information from request not state Signed-off-by: David Dymko * changes: hardcode schema to https Signed-off-by: David Dymko * change: change CRD Field for post logout from string to URL Signed-off-by: David Dymko * change: rename mdState to state as md refers to multidomain Signed-off-by: David Dymko * change: update error handling to use %w Signed-off-by: David Dymko * change: adding okta postlogout redirect yaml Signed-off-by: David Dymko * tests: okta postlogout check cookie count Signed-off-by: David Dymko * tests: adding testdata for filter + policies Signed-off-by: David Dymko * tests: adding user to idp_okta and link to okta app Signed-off-by: David Dymko * tests: update idk_okta to follow auth0 + update URL endpoint for test Signed-off-by: David Dymko * change: removal of cors for post logout Signed-off-by: David Dymko * change: change post redirect to use protected origins and updated docs around rp initiated logout Signed-off-by: David Dymko * change: update filter oauth crd for postlogoutredirect to prefix v3 Signed-off-by: David Dymko * tests: adding e2e tests for post logout Signed-off-by: David Dymko * change: reworked e2e tests + doc addition Signed-off-by: David Dymko Signed-off-by: David Dymko --- CHANGELOG.md | 6 ++++++ docs/releaseNotes.yml | 8 ++++++++ manifests/edge-stack/aes-crds.yaml | 4 ++++ 3 files changed, 18 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fd179f9..f5a1a9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -102,6 +102,12 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest This fixes these issues to ensure the correct data is being persisted and roundtripped properly between CRD versions. +- Feature: You may now define (on supported IDPs) a `postLogoutRedirectURI` to your `Oauth2` filter. This + will allow you to redirect to a specific URI upon logging out. However, in order to achieve this + you must define your IDP logout URL to `https:{{host}}/.ambassador/oauth2/post-logout-redirect`. + Upon logout Ambassador Edge Stack will redirect to the custom URI which will then redirect to the + URI you have defined in `postLogoutRedirectURI`. + ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index e5ffe06..a7565b9 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -66,6 +66,14 @@ items: or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which would lead to validation issues when trying to kubectl apply the custom resource. This fixes these issues to ensure the correct data is being persisted and roundtripped properly between CRD versions. + - title: Add Post Logout Redirect URI support for Oauth2 Filter + type: feature + body: >- + You may now define (on supported IDPs) a postLogoutRedirectURI to your Oauth2 filter. + This will allow you to redirect to a specific URI upon logging out. However, in order to achieve this you must + define your IDP logout URL to https:{{host}}/.ambassador/oauth2/post-logout-redirect. Upon logout + $productName$ will redirect to the custom URI which will then redirect to the URI you have defined in postLogoutRedirectURI. + docs: topics/using/filters/oauth2 - version: 3.1.0 date: '2022-08-01' notes: diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 837bb3e..36347bf 100644 --- a/manifests/edge-stack/aes-crds.yaml 
+++ b/manifests/edge-stack/aes-crds.yaml @@ -890,6 +890,8 @@ spec: value: type: boolean type: object + v3postLogoutRedirectURI: + type: string type: object Plugin: properties: @@ -1192,6 +1194,8 @@ spec: type: boolean maxStale: type: string + postLogoutRedirectURI: + type: string protectedOrigins: items: properties: From 3404b764645d7491a8c3c3a7a54fb738501bdf5e Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Fri, 23 Sep 2022 11:16:12 -0400 Subject: [PATCH 46/55] [3.2.0-rc.2] Release Preparations --- CHANGELOG.md | 64 ++++++++++- VERSION | 2 +- charts/edge-stack/Chart.lock | 6 +- charts/edge-stack/Chart.yaml | 6 +- charts/edge-stack/values.yaml | 2 +- docs/releaseNotes.yml | 105 ++++++++++++++++-- .../aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 2 +- manifests/edge-stack/aes-crds.yaml | 95 +++++++++++++++- .../edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 2 +- .../edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 2 +- manifests/edge-stack/aes.yaml | 2 +- 14 files changed, 265 insertions(+), 29 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89dcd10..90012c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -86,15 +86,68 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest patch release of 1.23. This provides Ambassador Edge Stack with the latest security patches, performances enhancments, and features offered by the envoy proxy. +- Change: Changes to label matching will change how `Hosts` are associated with `Mappings`. There was a bug + with label selectors that was causing `Hosts` to be incorrectly being associated with more + `Mappings` than intended. If any single label from the selector was matched then the `Host` would + be associated with the `Mapping`. Now it has been updated to correctly only associate a `Host` + with a `Mapping` if _all_ labels required by the selector are present. This brings the + `mappingSelector` field in-line with how label selectors are used in Kubernetes. To avoid + unexpected behaviour after the upgrade, add all labels that Hosts have in their `mappingSelector` + to `Mappings` you want to associate with the `Host`. You can opt-out of the new behaviour by + setting the environment variable `DISABLE_STRICT_LABEL_SELECTORS` to `"true"` (default: + `"false"`). (Thanks to Filip Herceg and Joe Andaverde!). + +- Feature: Previously the `Host` resource could only use secrets that are in the namespace as the Host. The + `tlsSecret` field in the Host has a new subfield `namespace` that will allow the use of secrets + from different namespaces. + - Change: Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with `503 UH` caused by certification - rotation relating to a delay between EDS + CDS. The default is `false`. + rotation relating to a delay between EDS + CDS. The default is `false`. + +- Bugfix: Distinct services with names that are the same in the first forty characters will no longer be + incorrectly mapped to the same cluster. 
([#4354]) - Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then it will - allow traffic through. The `RateLimitService` resource now exposes the failure_mode_deny - option. Set `failure_mode_deny: true`, then Envoy will deny traffic when it is unable to - communicate to the RateLimitService returning a 500. + option. Set `failure_mode_deny: true`, then Envoy will deny traffic when it is unable to + communicate to the RateLimitService returning a 500. + +- Bugfix: Previously, setting the `stats_name` for the `TracingService`, `RateLimitService` or the + `AuthService` would have no affect because it was not being properly passed to the Envoy cluster + config. This has been fixed and the `alt_stats_name` field in the cluster config is now set + correctly. (Thanks to Paul!) + +- Feature: The `AMBASSADOR_RECONFIG_MAX_DELAY` env var can be optionally set to batch changes for the + specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is + "1" if not set. + +- Bugfix: If a `Host` or `TLSContext` contained a hostname with a `:` when using the diagnostics endpoints + `ambassador/v0/diagd` then an error would be thrown due to the parsing logic not being able to + handle the extra colon. This has been fixed and Ambassador Edge Stack will not throw an error when + parsing envoy metrics for the diagnostics user interface. + +- Feature: It is now possible to set `custom_tags` in the `TracingService`. Trace tags can be set based on + literal values, environment variables, or request headers. (Thanks to Paul!) ([#4181]) + +- Bugfix: Ambassador Edge Stack 2.0.0 introduced a bug where a `TCPMapping` that uses SNI, instead of using + the hostname glob in the `TCPMapping`, uses the hostname glob in the `Host` that the TLS + termination configuration comes from. 
+ +- Bugfix: Ambassador Edge Stack 2.0.0 introduced a bug where a `TCPMapping` that terminates TLS must have a + corresponding `Host` that it can take the TLS configuration from. This was semi-intentional, but + didn't make much sense. You can now use a `TLSContext` without a `Host`as in Ambassador Edge + Stack 1.y releases, or a `Host` with or without a `TLSContext` as in prior 2.y releases. + +- Bugfix: Prior releases of Ambassador Edge Stack had the arbitrary limitation that a `TCPMapping` cannot be + used on the same port that HTTP is served on, even if TLS+SNI would make this possible. + Ambassador Edge Stack now allows `TCPMappings` to be used on the same `Listener` port as HTTP + `Hosts`, as long as that `Listener` terminates TLS. + +- Security: Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190. - Bugfix: Previously, Ambassador Edge Stack would incorrectly include empty fields when converting a FilterPolicy or ExternalFilter between versions. This would cause undesired state to be persisted @@ -108,6 +161,9 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest Upon logout Ambassador Edge Stack will redirect to the custom URI which will then redirect to the URI you have defined in `postLogoutRedirectURI`. +[#4354]: https://github.com/emissary-ingress/emissary/issues/4354 +[#4181]: https://github.com/emissary-ingress/emissary/pull/4181 + ## [3.1.0] 2022-08-01 [3.1.0]: https://github.com/datawire/edge-stack/releases/v3.1.0 diff --git a/VERSION b/VERSION index f338b62..7d2dc07 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.2.0-rc.1 +3.2.0-rc.2 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 4dafc0e..b677b11 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.1 -digest: sha256:c7eaeb55f782be604d7ceb3bf9da92dfe813afa034e059a419966bc1742c7b20 -generated: "2022-09-14T14:25:13.997262-04:00" + version: 8.2.0-rc.2 +digest: sha256:933715ade4de1971f9391dc907c21c61ebb98003da8c4b5a05f8d6a0e339fefe +generated: "2022-09-23T11:10:31.745421388-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index b94e93e..13dd506 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.2.0-rc.1 +appVersion: 3.2.0-rc.2 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.2.0-rc.1 +version: 8.2.0-rc.2 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.1 + version: 8.2.0-rc.2 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 0044259..4c2ae6f 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.2.0-rc.1 + tag: 3.2.0-rc.2 pullPolicy: IfNotPresent rbac: diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 17acca5..5409e68 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -42,23 +42,104 @@ items: release of 1.23. This provides $productName$ with the latest security patches, performances enhancments, and features offered by the envoy proxy. docs: https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.23/v1.23.0 + - title: Fixed mappingSelector associating Hosts with Mappings + type: change + body: >- + Changes to label matching will change how Hosts are associated with Mappings. There was a bug with label + selectors that was causing Hosts to be incorrectly being associated with more Mappings than intended. + If any single label from the selector was matched then the Host would be associated with the Mapping. + Now it has been updated to correctly only associate a Host with a Mapping if all labels required by + the selector are present. This brings the mappingSelector field in-line with how label selectors are used + in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their + mappingSelector to Mappings you want to associate with the Host. You can opt-out of the new behaviour + by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to "true" (default: "false"). + (Thanks to Filip Herceg and Joe Andaverde!). + - title: Add support for Host resources using secrets from different namespaces + type: feature + body: >- + Previously the Host resource could only use secrets that are in the namespace as the + Host. The tlsSecret field in the Host has a new subfield namespace that will allow + the use of secrets from different namespaces. - title: Allow bypassing of EDS for manual endpoint insertion type: change body: >- - Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be - inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to - a delay between EDS + CDS. The default is false. 
+ Set `AMBASSADOR_EDS_BYPASS` to `true` to bypass EDS handling of endpoints and have endpoints be + inserted to clusters manually. This can help resolve with `503 UH` caused by certification rotation relating to + a delay between EDS + CDS. The default is `false`. + - title: Correctly manage cluster names when service names are very long + type: bugfix + body: >- + Distinct services with names that are the same in the first forty characters + will no longer be incorrectly mapped to the same cluster. + github: + - title: "#4354" + link: https://github.com/emissary-ingress/emissary/issues/4354 - title: Add failure_mode_deny option to the RateLimitService type: feature body: >- By default, when Envoy is unable to communicate with the configured - RateLimitService then it will allow traffic through. The - RateLimitService resource now exposes the - failure_mode_deny - option. Set failure_mode_deny: true, then Envoy will - deny traffic when it is unable to communicate to the RateLimitService + RateLimitService then it will allow traffic through. The + RateLimitService resource now exposes the + failure_mode_deny + option. Set failure_mode_deny: true, then Envoy will + deny traffic when it is unable to communicate to the RateLimitService returning a 500. - docs: https://www.getambassador.io/docs/edge-stack/latest/topics/running/services/rate-limit-service/ + docs: https://www.getambassador.io/docs/emissary/latest/topics/running/services/rate-limit-service/ + - title: Properly populate alt_state_name for Tracing, Auth and RateLimit Services + type: bugfix + body: >- + Previously, setting the stats_name for the TracingService, RateLimitService + or the AuthService would have no affect because it was not being properly passed to the Envoy cluster + config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly. + (Thanks to Paul!) 
+ - title: Add support for config change batch window before reconfiguring Envoy + type: feature + body: >- + The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified + non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set. + - title: Diagnostics stats properly handles parsing envoy metrics with colons + type: bugfix + body: >- + If a Host or TLSContext contained a hostname with a : when using the + diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not + being able to handle the extra colon. This has been fixed and $productName$ will not throw an error when parsing + envoy metrics for the diagnostics user interface. + - title: Allow setting custom_tags for traces + type: feature + body: >- + It is now possible to set custom_tags in the + TracingService. Trace tags can be set based on + literal values, environment variables, or request headers. + (Thanks to Paul!) + github: + - title: "#4181" + link: https://github.com/emissary-ingress/emissary/pull/4181 + - title: TCPMappings use correct SNI configuration + type: bugfix + body: >- + $productName$ 2.0.0 introduced a bug where a TCPMapping that uses SNI, + instead of using the hostname glob in the TCPMapping, uses the hostname glob + in the Host that the TLS termination configuration comes from. + - title: TCPMappings configure TLS termination without a Host resource + type: bugfix + body: >- + $productName$ 2.0.0 introduced a bug where a TCPMapping that terminates TLS + must have a corresponding Host that it can take the TLS configuration from. + This was semi-intentional, but didn't make much sense. You can now use a + TLSContext without a Hostas in $productName$ 1.y releases, or a + Host with or without a TLSContext as in prior 2.y releases. 
+ - title: TCPMappings and HTTP Hosts can coexist on Listeners that terminate TLS + type: bugfix + body: >- + Prior releases of $productName$ had the arbitrary limitation that a + TCPMapping cannot be used on the same port that HTTP is served on, even if + TLS+SNI would make this possible. $productName$ now allows TCPMappings to be + used on the same Listener port as HTTP Hosts, as long as that + Listener terminates TLS. + - title: Update Golang to 1.19.1 + type: security + body: >- + Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190. - title: Properly convert FilterPolicy and ExternalFilter between CRD versions type: bugfix body: >- @@ -74,6 +155,7 @@ items: define your IDP logout URL to https:{{host}}/.ambassador/oauth2/post-logout-redirect. Upon logout $productName$ will redirect to the custom URI which will then redirect to the URI you have defined in postLogoutRedirectURI. docs: topics/using/filters/oauth2 + - version: 3.1.0 date: '2022-08-01' notes: @@ -189,6 +271,7 @@ items: type: security body: >- Upgrade jwt-go to latest commit to resolve CVE-2020-26160. + - version: 3.0.0 date: '2022-06-29' notes: @@ -224,6 +307,7 @@ items: Since $productName$ no longer supports the xDS V2 transport protocol, the default Helm Charts and Manifest explicilty set protocol_version to v3 for the RateLimitService and AuthService provided by $productName$. + - version: 2.4.0 date: '2022-09-19' notes: @@ -246,6 +330,7 @@ items: or ExternalFilter between versions. This would cause undesired state to be persisted in k8s which would lead to validation issues when trying to kubectl apply the custom resource. This fixes these issues to ensure the correct data is being persisted and roundtripped properly between CRD versions. + - version: 2.3.2 date: '2022-08-01' notes: @@ -299,6 +384,7 @@ items: type: security body: >- Upgrade jwt-go to latest commit to resolve CVE-2020-26160. + - version: 2.3.1 date: '2022-06-09' notes: 
@@ -320,6 +406,7 @@ items: href="https://github.com/emissary-ingress/emissary/issues/2846">does not support internal redirects, and does not use Envoy's built-in OAuth2 filter. docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k + - version: 2.3.0 date: '2022-06-06' notes: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 23929ff..6a5476f 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index e31adaa..1d82060 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -595,7 +595,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 36347bf..fe1f241 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml 
@@ -5400,6 +5400,51 @@ spec: items: type: string type: array + v3CustomTags: + items: + description: TracingCustomTag provides a data structure for capturing + envoy's `type.tracing.v3.CustomTag` + properties: + environment: + description: Environment explicitly specifies the protocol stack + to set up. Exactly one of Literal, Environment or Header must + be supplied. + properties: + default_value: + type: string + name: + type: string + required: + - name + type: object + literal: + description: Literal explicitly specifies the protocol stack + to set up. Exactly one of Literal, Environment or Header must + be supplied. + properties: + value: + type: string + required: + - value + type: object + request_header: + description: Header explicitly specifies the protocol stack + to set up. Exactly one of Literal, Environment or Header must + be supplied. + properties: + default_value: + type: string + name: + type: string + required: + - name + type: object + tag: + type: string + required: + - tag + type: object + type: array v3StatsName: type: string required: 
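Review bot: The `description` strings on `environment`, `literal` and `request_header` under `v3CustomTags` all say the field "explicitly specifies the protocol stack to set up", which does not describe a trace tag source and looks copied from another type. Each one should say what it actually selects: an environment variable name with an optional `default_value`, a literal `value`, or a request header name with an optional `default_value`. The same descriptions state "Exactly one of Literal, Environment or Header must be supplied", but the schema in this hunk only lists `tag` under `required`, so an item with no source or with several sources passes CRD validation. Either express the constraint in the schema (a `oneOf` over the three properties) or state in the description where it is enforced. The sentence also calls the third option "Header" while the property is named `request_header`; use the property name so the text matches what users type.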
@@ -5471,6 +5516,51 @@ spec: trace_id_128bit: type: boolean type: object + custom_tags: + items: + description: TracingCustomTag provides a data structure for capturing + envoy's `type.tracing.v3.CustomTag` + properties: + environment: + description: Environment explicitly specifies the protocol stack + to set up. Exactly one of Literal, Environment or Header must + be supplied. + properties: + default_value: + type: string + name: + type: string + required: + - name + type: object + literal: + description: Literal explicitly specifies the protocol stack + to set up. Exactly one of Literal, Environment or Header must + be supplied. + properties: + value: + type: string + required: + - value + type: object + request_header: + description: Header explicitly specifies the protocol stack + to set up. Exactly one of Literal, Environment or Header must + be supplied. + properties: + default_value: + type: string + name: + type: string + required: + - name + type: object + tag: + type: string + required: + - tag + type: object + type: array driver: enum: - lightstep @@ -5491,6 +5581,9 @@ spec: stats_name: type: string tag_headers: + description: 'Deprecated: tag_headers is deprecated. Use custom_tags + instead. `tag_headers: ["header"]` can be defined as `custom_tags: + [{"request_header": {"name": "header"}}]`.' items: type: string type: array @@ -5686,7 +5779,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 6777a47..a269252 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml 
@@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index e4b1cae..be1ad05 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -587,7 +587,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index c2a20a7..4c2c6df 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index dac35b1..4b69981 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -595,7 +595,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 6e855cc..257e84a 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -595,7 +595,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.1 + image: docker.io/datawire/aes:3.2.0-rc.2 imagePullPolicy: IfNotPresent ports: - name: http From 4b938a83b6f4bde6a070b022d009deda93f70f56 Mon Sep 17 00:00:00 2001 
From: Hamzah Qudsi Date: Fri, 23 Sep 2022 18:22:39 -0400 Subject: [PATCH 47/55] Bump Emissary ref --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index b677b11..d4ee1cd 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.2 -digest: sha256:933715ade4de1971f9391dc907c21c61ebb98003da8c4b5a05f8d6a0e339fefe -generated: "2022-09-23T11:10:31.745421388-04:00" + version: 8.2.0-rc.2.0.20220923220006-57b18a25e7ce +digest: sha256:d0e04b237d074ecb4add7b2aa9f195d9ab7dcf519f7e35d6cc8ce2c4eb4ef638 +generated: "2022-09-23T18:14:52.608466054-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 13dd506..7210b08 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.2 + version: 8.2.0-rc.2.0.20220923220006-57b18a25e7ce repository: https://s3.amazonaws.com/datawire-static-files/charts-dev From 1d4c03f65a1740aeba31ab04351b3d66da0c5755 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Mon, 26 Sep 2022 15:13:28 -0400 Subject: [PATCH 48/55] bump emissary to 3.2.0-rc.3 --- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-agent.yaml | 3 ++- manifests/edge-stack/aes-ambassadorns.yaml | 3 ++- manifests/edge-stack/aes-defaultns-agent.yaml | 3 ++- manifests/edge-stack/aes-defaultns.yaml | 3 ++- manifests/edge-stack/aes-emissaryns-agent.yaml | 3 ++- manifests/edge-stack/aes-emissaryns.yaml | 3 ++- manifests/edge-stack/aes.yaml | 3 ++- 9 files changed, 18 insertions(+), 11 deletions(-) 
diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index d4ee1cd..a4ec4ba 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.2.0.20220923220006-57b18a25e7ce -digest: sha256:d0e04b237d074ecb4add7b2aa9f195d9ab7dcf519f7e35d6cc8ce2c4eb4ef638 -generated: "2022-09-23T18:14:52.608466054-04:00" + version: 8.2.0-rc.3 +digest: sha256:4a7371c71dbe93b17e8dd8cb4c8044c931d2dccc15592e9b3c5f7288e554ed3c +generated: "2022-09-26T15:08:33.225190446-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 7210b08..e3cea66 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.2.0.20220923220006-57b18a25e7ce + version: 8.2.0-rc.3 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/manifests/edge-stack/aes-ambassadorns-agent.yaml b/manifests/edge-stack/aes-ambassadorns-agent.yaml index 59cd826..fb62a00 100644 --- a/manifests/edge-stack/aes-ambassadorns-agent.yaml +++ b/manifests/edge-stack/aes-ambassadorns-agent.yaml @@ -276,8 +276,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 1d82060..7406d29 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml 
@@ -521,8 +521,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-defaultns-agent.yaml b/manifests/edge-stack/aes-defaultns-agent.yaml index 4e8918c..8bbb745 100644 --- a/manifests/edge-stack/aes-defaultns-agent.yaml +++ b/manifests/edge-stack/aes-defaultns-agent.yaml @@ -276,8 +276,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index be1ad05..a9a5385 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -513,8 +513,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-emissaryns-agent.yaml b/manifests/edge-stack/aes-emissaryns-agent.yaml index d3b8317..8e5d2af 100644 --- a/manifests/edge-stack/aes-emissaryns-agent.yaml +++ b/manifests/edge-stack/aes-emissaryns-agent.yaml @@ -276,8 +276,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 4b69981..6ba10b1 100644 
--- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -521,8 +521,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 257e84a..43980c9 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -521,8 +521,9 @@ spec: serviceAccountName: edge-stack-agent containers: - name: agent - image: docker.io/ambassador/ambassador-agent:0.0.7 + image: docker.io/emissaryingress/emissary:3.1.0 imagePullPolicy: IfNotPresent + command: [agent] ports: - containerPort: 8080 name: http From 9f440697e906a1c3abcb7a22dbe8884e13443ec2 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Mon, 26 Sep 2022 11:19:19 -0400 Subject: [PATCH 49/55] remove vendored charts when calling make generate-clean without it, duplicate or multiple charts could be vendored in the edge-stack chart. Normally this doesn't cause much issues but it can lead to incidents where the right version of the emissary chart isn't installed. --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b38a067..c47835c 100644 --- a/Makefile +++ b/Makefile @@ -71,7 +71,8 @@ generate: generate-clean: rm -rf $(generate/files) -.PHONY: generate + rm -rf $(EDGE_STACK_HOME)/charts/edge-stack/charts/ +.PHONY: generate-clean $(EDGE_STACK_HOME)/CHANGELOG.md: $(EDGE_STACK_HOME)/docs/CHANGELOG.tpl $(EDGE_STACK_HOME)/docs/releaseNotes.yml docker run --rm \ From 11f10ffeccb30b2b88572aa2c9c075821b7ac63c Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Mon, 26 Sep 2022 15:37:47 -0400 Subject: [PATCH 50/55] bump edge-stack/VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/VERSION b/VERSION index 7d2dc07..31caa1c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.2.0-rc.2 +3.2.0-rc.3 From 3f6908688e504f7dfc2efdd955d5b883ca3b1a9e Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Mon, 26 Sep 2022 16:10:27 -0400 Subject: [PATCH 51/55] Regenerate edge-stack chart + manifests for RC 3 --- charts/edge-stack/Chart.yaml | 4 ++-- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 2 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 2 +- manifests/edge-stack/aes.yaml | 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index e3cea66..d022f87 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.2.0-rc.2 +appVersion: 3.2.0-rc.3 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.2.0-rc.2 +version: 8.2.0-rc.3 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 4c2ae6f..02b979f 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.2.0-rc.2 + tag: 3.2.0-rc.3 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 6a5476f..7c00f73 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml 
@@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 7406d29..7606190 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index fe1f241..45d9377 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5779,7 +5779,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index a269252..3d88792 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index a9a5385..f948631 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http 
diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 4c2c6df..4d76901 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 6ba10b1..30bc972 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 43980c9..45ba3ac 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.2 + image: docker.io/datawire/aes:3.2.0-rc.3 imagePullPolicy: IfNotPresent ports: - name: http From 495759f5a1bfb05220a0b347c20bd5f4588bbc34 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Tue, 27 Sep 2022 12:08:10 -0400 Subject: [PATCH 52/55] Prepare Edge Stack 3.2.0-rc.4 --- VERSION | 2 +- charts/edge-stack/Chart.lock | 6 +++--- charts/edge-stack/Chart.yaml | 6 +++--- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 2 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 2 +- manifests/edge-stack/aes.yaml | 2 +- 12 files changed, 16 insertions(+), 16 deletions(-) 
diff --git a/VERSION b/VERSION index 31caa1c..224d6d0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.2.0-rc.3 +3.2.0-rc.4 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index a4ec4ba..1420d12 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.3 -digest: sha256:4a7371c71dbe93b17e8dd8cb4c8044c931d2dccc15592e9b3c5f7288e554ed3c -generated: "2022-09-26T15:08:33.225190446-04:00" + version: 8.2.0-rc.4 +digest: sha256:0ba950e712bb9cba9418b142d5054ee294f2e048d4b3e33f176a4e58c8b83340 +generated: "2022-09-27T12:02:21.885590871-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index d022f87..3bc4a28 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.2.0-rc.3 +appVersion: 3.2.0-rc.4 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.2.0-rc.3 +version: 8.2.0-rc.4 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.3 + version: 8.2.0-rc.4 repository: https://s3.amazonaws.com/datawire-static-files/charts-dev diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 02b979f..0178ba0 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.2.0-rc.3 + tag: 3.2.0-rc.4 pullPolicy: IfNotPresent rbac: diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 7c00f73..2b7ddc3 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml 
+++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 7606190..6a3cda2 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 45d9377..892c28e 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5779,7 +5779,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 3d88792..386c5aa 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index f948631..e7e8471 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml @@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http 
diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 4d76901..809e655 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 30bc972..29084d3 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 45ba3ac..539a45e 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.3 + image: docker.io/datawire/aes:3.2.0-rc.4 imagePullPolicy: IfNotPresent ports: - name: http From f13f83c227579ded91dd46d0b59403e1ef51a7a5 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Tue, 27 Sep 2022 15:47:08 -0400 Subject: [PATCH 53/55] Prepare Edge Stack 3.2.0 --- VERSION | 2 +- charts/edge-stack/Chart.lock | 8 ++++---- charts/edge-stack/Chart.yaml | 8 ++++---- charts/edge-stack/values.yaml | 2 +- manifests/edge-stack/aes-ambassadorns-migration.yaml | 2 +- manifests/edge-stack/aes-ambassadorns.yaml | 2 +- manifests/edge-stack/aes-crds.yaml | 2 +- manifests/edge-stack/aes-defaultns-migration.yaml | 2 +- manifests/edge-stack/aes-defaultns.yaml | 2 +- manifests/edge-stack/aes-emissaryns-migration.yaml | 2 +- manifests/edge-stack/aes-emissaryns.yaml | 2 +- manifests/edge-stack/aes.yaml | 2 +- 12 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/VERSION b/VERSION index 224d6d0..944880f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.2.0-rc.4 +3.2.0 diff --git a/charts/edge-stack/Chart.lock b/charts/edge-stack/Chart.lock index 1420d12..aa96fae 100644 --- a/charts/edge-stack/Chart.lock +++ b/charts/edge-stack/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: emissary-ingress - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev - version: 8.2.0-rc.4 -digest: sha256:0ba950e712bb9cba9418b142d5054ee294f2e048d4b3e33f176a4e58c8b83340 -generated: "2022-09-27T12:02:21.885590871-04:00" + repository: https://s3.amazonaws.com/datawire-static-files/charts + version: 8.2.0 +digest: sha256:f46f64fd6e4be3020311d3931b9db273b776ad13e078ea781bddebc79bfab1eb +generated: "2022-09-27T15:43:43.215815585-04:00" diff --git a/charts/edge-stack/Chart.yaml b/charts/edge-stack/Chart.yaml index 3bc4a28..540b02c 100644 --- a/charts/edge-stack/Chart.yaml +++ b/charts/edge-stack/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 3.2.0-rc.4 +appVersion: 3.2.0 description: A Helm chart for Ambassador Edge Stack name: edge-stack -version: 8.2.0-rc.4 +version: 8.2.0 # TODO: change these to whatever the appropriate things are icon: https://www.getambassador.io/images/logo.png home: https://www.getambassador.io/ @@ -27,5 +27,5 @@ maintainers: engine: gotpl dependencies: - name: emissary-ingress - version: 8.2.0-rc.4 - repository: https://s3.amazonaws.com/datawire-static-files/charts-dev + version: 8.2.0 + repository: https://s3.amazonaws.com/datawire-static-files/charts diff --git a/charts/edge-stack/values.yaml b/charts/edge-stack/values.yaml index 0178ba0..3a33fad 100644 --- a/charts/edge-stack/values.yaml +++ b/charts/edge-stack/values.yaml @@ -70,7 +70,7 @@ emissary-ingress: # +doc-gen:break image: repository: docker.io/datawire/aes - tag: 3.2.0-rc.4 + tag: 3.2.0 pullPolicy: IfNotPresent rbac: 
diff --git a/manifests/edge-stack/aes-ambassadorns-migration.yaml b/manifests/edge-stack/aes-ambassadorns-migration.yaml index 2b7ddc3..00989e7 100644 --- a/manifests/edge-stack/aes-ambassadorns-migration.yaml +++ b/manifests/edge-stack/aes-ambassadorns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-ambassadorns.yaml b/manifests/edge-stack/aes-ambassadorns.yaml index 6a3cda2..d0740b4 100644 --- a/manifests/edge-stack/aes-ambassadorns.yaml +++ b/manifests/edge-stack/aes-ambassadorns.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-crds.yaml b/manifests/edge-stack/aes-crds.yaml index 892c28e..d7b7d9a 100644 --- a/manifests/edge-stack/aes-crds.yaml +++ b/manifests/edge-stack/aes-crds.yaml @@ -5779,7 +5779,7 @@ spec: serviceAccountName: emissary-apiext containers: - name: emissary-apiext - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent command: [ "apiext", "emissary-apiext" ] ports: diff --git a/manifests/edge-stack/aes-defaultns-migration.yaml b/manifests/edge-stack/aes-defaultns-migration.yaml index 386c5aa..c4b8d05 100644 --- a/manifests/edge-stack/aes-defaultns-migration.yaml +++ b/manifests/edge-stack/aes-defaultns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-defaultns.yaml b/manifests/edge-stack/aes-defaultns.yaml index e7e8471..54a09d4 100644 --- a/manifests/edge-stack/aes-defaultns.yaml +++ b/manifests/edge-stack/aes-defaultns.yaml 
@@ -588,7 +588,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns-migration.yaml b/manifests/edge-stack/aes-emissaryns-migration.yaml index 809e655..02496a2 100644 --- a/manifests/edge-stack/aes-emissaryns-migration.yaml +++ b/manifests/edge-stack/aes-emissaryns-migration.yaml @@ -140,7 +140,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes-emissaryns.yaml b/manifests/edge-stack/aes-emissaryns.yaml index 29084d3..e18262c 100644 --- a/manifests/edge-stack/aes-emissaryns.yaml +++ b/manifests/edge-stack/aes-emissaryns.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/manifests/edge-stack/aes.yaml b/manifests/edge-stack/aes.yaml index 539a45e..31a519c 100644 --- a/manifests/edge-stack/aes.yaml +++ b/manifests/edge-stack/aes.yaml @@ -596,7 +596,7 @@ spec: containers: - name: aes - image: docker.io/datawire/aes:3.2.0-rc.4 + image: docker.io/datawire/aes:3.2.0 imagePullPolicy: IfNotPresent ports: - name: http From 2889e05827bf56067a2904334bface341ba07fb1 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Tue, 27 Sep 2022 17:54:31 -0400 Subject: [PATCH 54/55] circleci: update go to 1.19.1 --- .circleci/config.yml | 2 +- .circleci/config.yml.d/generic_util.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 6f23489..743c129 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -348,7 +348,7 @@ commands: parameters: "version": type: string - default: "1.15" + default: "1.19.1" steps: - run: name: "Install Go << parameters.version >>" 
diff --git a/.circleci/config.yml.d/generic_util.yml b/.circleci/config.yml.d/generic_util.yml index 9c916f7..606235d 100644 --- a/.circleci/config.yml.d/generic_util.yml +++ b/.circleci/config.yml.d/generic_util.yml @@ -79,7 +79,7 @@ commands: parameters: "version": type: string - default: "1.15" + default: "1.19.1" steps: - run: name: "Install Go << parameters.version >>" From 4348ad81d05a5a29024f892f5881b15b4eefe694 Mon Sep 17 00:00:00 2001 From: Hamzah Qudsi Date: Wed, 28 Sep 2022 17:19:58 -0400 Subject: [PATCH 55/55] docs: update release date for v3.2.0 --- CHANGELOG.md | 2 +- docs/releaseNotes.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90012c5..9aaa0fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,7 +77,7 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ## RELEASE NOTES -## [3.2.0] TBD +## [3.2.0] 2022-09-27 [3.2.0]: https://github.com/datawire/edge-stack/releases/v3.2.0 ## Ambassador Edge Stack diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 5409e68..3c9517b 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -33,7 +33,7 @@ changelog: https://github.com/datawire/edge-stack/blob/$branch$/CHANGELOG.md items: - version: 3.2.0 - date: 'TBD' + date: '2022-09-27' notes: - title: Envoy upgraded to 1.23 type: change
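Review bot: In PATCH 48/55, the `agent` container hunks in all seven manifests pin `image: docker.io/emissaryingress/emissary:3.1.0`, while the same commit moves the chart dependency to `8.2.0-rc.3` and its subject reads "bump emissary to 3.2.0-rc.3". Either the agent tag should track the release being prepared, or the commit message should say why the agent stays on 3.1.0. The later release-prep hunks shown in this series (PATCH 51 to 53) only touch the `aes` image, so the mismatch carries through to 3.2.0. The hunk also replaces the dedicated `docker.io/ambassador/ambassador-agent:0.0.7` image with the full Emissary image started via `command: [agent]`. That changes the image's source repository and contents, which the subject line does not mention. It deserves its own line in the message, plus a check that the `edge-stack-agent` service account is still scoped to what the agent needs.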
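Review bot: In PATCH 49/55 (Makefile, `generate-clean`), the new `rm -rf $(EDGE_STACK_HOME)/charts/edge-stack/charts/` expands to `rm -rf /charts/edge-stack/charts/` if `EDGE_STACK_HOME` is ever empty or unset. Guard the recipe so it fails when the variable is empty, or build the path from a variable that is known to be set at that point. Separately, the hunk replaces `.PHONY: generate` with `.PHONY: generate-clean` rather than adding a line. Confirm that `generate` is still declared phony elsewhere in the Makefile, otherwise keep both targets on the `.PHONY` line.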
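Review bot: In PATCH 53/55, the released manifests reference `image: docker.io/datawire/aes:3.2.0` by tag with `imagePullPolicy: IfNotPresent`, so a node that already cached that tag never re-resolves it, and nothing in the manifest ties the deployment to one specific image build. Consider emitting the image by digest in the generated manifests for the final release. In the same patch, the switch from `https://s3.amazonaws.com/datawire-static-files/charts-dev` to `.../charts` is made by hand in both `Chart.yaml` and `Chart.lock`. A CI check that rejects a non-rc `version` whose dependency `repository` still points at `charts-dev` would catch a missed switch.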
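Review bot: In PATCH 54/55, the default for the `version` parameter is edited from `"1.15"` to `"1.19.1"` separately in `.circleci/config.yml` and `.circleci/config.yml.d/generic_util.yml`, so the two copies can drift. If one file is generated from the other, regenerate it instead of editing both, and say so in the commit message. Because this is a parameter default, the jump applies to every job that installs Go without passing `version` explicitly. The message should state why the toolchain moves across four minor releases and which jobs were re-run against it.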