Emissary - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy

Last update: Dec 31, 2022

Overview

Emissary-ingress

Emissary-Ingress is an open-source Kubernetes-native API Gateway + Layer 7 load balancer + Kubernetes Ingress built on Envoy Proxy. Emissary-ingress is an CNCF incubation project (and was formerly known as Ambassador API Gateway.)

Emissary-ingress enables its users to:

Manage ingress traffic with load balancing, support for multiple protocols (gRPC and HTTP/2, TCP, and web sockets), and Kubernetes integration
Manage changes to routing with an easy to use declarative policy engine and self-service configuration, via Kubernetes CRDs or annotations
Secure microservices with authentication, rate limiting, and TLS
Ensure high availability with sticky sessions, rate limiting, and circuit breaking
Leverage observability with integrations with Grafana, Prometheus, and Datadog, and comprehensive metrics support
Enable progressive delivery with canary releases
Connect service meshes including Consul, Linkerd, and Istio
Knative serverless integration

See the full list of features here.

Architecture

Emissary is configured via Kubernetes CRDs, or via annotations on Kubernetes Services. Internally, it uses the [Envoy Proxy] to actually handle routing data; externally, it relies on Kubernetes for scaling and resiliency. For more on Emissary's architecture and motivation, read this blog post.

Getting Started

You can get Emissary up and running in just three steps. Follow the instructions here: https://www.getambassador.io/docs/emissary/latest/tutorials/getting-started/

If you are looking for a Kubernetes ingress controller, Emissary provides a superset of the functionality of a typical ingress controller. (It does the traditional routing, and layers on a raft of configuration options.) This blog post covers Kubernetes ingress.

For other common questions, view this FAQ page.

You can also use Helm to install Emissary. For more information, see the instructions in the Helm installation documentation

Community

Emissary-ingress is a CNCF Incubating project, and welcomes any and all contributors. To get started:

Join our Slack channel
Check out the Emissary documentation
Read the Contributor's Guide.

If you're interested in contributing, here are some ways:

Write a blog post for our blog
Investigate an open issue
Add more tests

The Ambassador Edge Stack is a superset of Emissary-ingress that provides additional functionality including OAuth/OpenID Connect, advanced rate limiting, Swagger/OpenAPI support, integrated ACME support for automatic TLS certificate management, and a cloud-based UI. For more information, visit https://www.getambassador.io/editions/.

Comments

Ambassador not working on fresh installed kubernetes

Describe the bug The Ambassador container within ambassador pod does not spawn up properly on a local cluster with kubernetes 1.10.2

To Reproduce Steps to reproduce the behavior: A fresh install of kubernetes 1.10.2 on a local cluster. Follow the guidance to install ambassador-no-rbac.

Expected behavior expect ambassador to spawn up. but it give error code 137. Both liveness probe and Readiness probe failed with getsockopt: connection refused.

ambassador-6c7dd7799b-2mjzx   1/2       CrashLoopBackOff   13         37m

Versions (please complete the following information):

Ambassador: 0.32.1
Kubernetes environment: local cluster installed using kubeadm. Configured with calico.
Version 1.10.2
Ubuntu 16.04

Additional context Someone @richarddli suggested this is due to a dns problem, but local dns (/etc/resolve.conf) is configured using 8.8.8.8 and 8.8.4.4, I am sure at least I can access google website. (By deploying a busybox into my cluster, I checked my busybox container can ping google.com, but not sure for others.) Here are some extra log for debugging

kubernetes@local-cluster-0:~/my-kubeflow$ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c kubedns
I0503 10:46:23.833551       1 dns.go:48] version: 1.14.8
I0503 10:46:23.862220       1 server.go:71] Using configuration read from directory: /kube-dns-config with period 10s
I0503 10:46:23.862374       1 server.go:119] FLAG: --alsologtostderr="false"
I0503 10:46:23.862433       1 server.go:119] FLAG: --config-dir="/kube-dns-config"
I0503 10:46:23.862466       1 server.go:119] FLAG: --config-map=""
I0503 10:46:23.862485       1 server.go:119] FLAG: --config-map-namespace="kube-system"
I0503 10:46:23.862504       1 server.go:119] FLAG: --config-period="10s"
I0503 10:46:23.862532       1 server.go:119] FLAG: --dns-bind-address="0.0.0.0"
I0503 10:46:23.862551       1 server.go:119] FLAG: --dns-port="10053"
I0503 10:46:23.862592       1 server.go:119] FLAG: --domain="cluster.local."
I0503 10:46:23.862621       1 server.go:119] FLAG: --federations=""
I0503 10:46:23.862648       1 server.go:119] FLAG: --healthz-port="8081"
I0503 10:46:23.862668       1 server.go:119] FLAG: --initial-sync-timeout="1m0s"
I0503 10:46:23.862688       1 server.go:119] FLAG: --kube-master-url=""
I0503 10:46:23.862742       1 server.go:119] FLAG: --kubecfg-file=""
I0503 10:46:23.862761       1 server.go:119] FLAG: --log-backtrace-at=":0"
I0503 10:46:23.862794       1 server.go:119] FLAG: --log-dir=""
I0503 10:46:23.862815       1 server.go:119] FLAG: --log-flush-frequency="5s"
I0503 10:46:23.862835       1 server.go:119] FLAG: --logtostderr="true"
I0503 10:46:23.862854       1 server.go:119] FLAG: --nameservers=""
I0503 10:46:23.862872       1 server.go:119] FLAG: --stderrthreshold="2"
I0503 10:46:23.862891       1 server.go:119] FLAG: --v="2"
I0503 10:46:23.862911       1 server.go:119] FLAG: --version="false"
I0503 10:46:23.862953       1 server.go:119] FLAG: --vmodule=""
I0503 10:46:23.863269       1 server.go:201] Starting SkyDNS server (0.0.0.0:10053)
I0503 10:46:23.864231       1 server.go:220] Skydns metrics enabled (/metrics:10055)
I0503 10:46:23.864282       1 dns.go:146] Starting endpointsController
I0503 10:46:23.864363       1 dns.go:149] Starting serviceController
I0503 10:46:23.901849       1 logs.go:41] skydns: ready for queries on cluster.local. for tcp://0.0.0.0:10053 [rcache 0]
I0503 10:46:23.901936       1 logs.go:41] skydns: ready for queries on cluster.local. for udp://0.0.0.0:10053 [rcache 0]
I0503 10:46:24.364803       1 dns.go:170] Initialized services and endpoints from apiserver
I0503 10:46:24.364871       1 server.go:135] Setting up Healthz Handler (/readiness)
I0503 10:46:24.364935       1 server.go:140] Setting up cache handler (/cache)
I0503 10:46:24.364962       1 server.go:126] Status HTTP port 8081
I0504 04:33:43.169511       1 dns.go:555] Could not find endpoints for service "tf-hub-0" in namespace "kubeflow". DNS records will be created once endpoints show up.
I0515 01:02:23.572540       1 dns.go:555] Could not find endpoints for service "tf-hub-0" in namespace "kubeflow". DNS records will be created once endpoints show up.

kubernetes@local-cluster-0:~/my-kubeflow$ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c dnsmasq
I0503 10:46:24.860136       1 main.go:76] opts: {{/usr/sbin/dnsmasq [-k --cache-size=1000 --no-negcache --log-facility=- --server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/127.0.0.1#10053 --server=/ip6.arpa/127.0.0.1#10053] true} /etc/k8s/dns/dnsmasq-nanny 10000000000}
I0503 10:46:24.870496       1 nanny.go:94] Starting dnsmasq [-k --cache-size=1000 --no-negcache --log-facility=- --server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/127.0.0.1#10053 --server=/ip6.arpa/127.0.0.1#10053]
I0503 10:46:25.334307       1 nanny.go:116] dnsmasq[12]: started, version 2.78 cachesize 1000
I0503 10:46:25.334618       1 nanny.go:116] dnsmasq[12]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
I0503 10:46:25.334632       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain ip6.arpa
I0503 10:46:25.334638       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain in-addr.arpa
I0503 10:46:25.334643       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain cluster.local
I0503 10:46:25.334651       1 nanny.go:116] dnsmasq[12]: reading /etc/resolv.conf
I0503 10:46:25.334657       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain ip6.arpa
I0503 10:46:25.334662       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain in-addr.arpa
I0503 10:46:25.334668       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain cluster.local
I0503 10:46:25.334672       1 nanny.go:116] dnsmasq[12]: using nameserver 8.8.8.8#53
I0503 10:46:25.334678       1 nanny.go:116] dnsmasq[12]: using nameserver 8.8.4.4#53
I0503 10:46:25.334716       1 nanny.go:116] dnsmasq[12]: read /etc/hosts - 7 addresses
I0503 10:46:25.334851       1 nanny.go:119]
W0503 10:46:25.334861       1 nanny.go:120] Got EOF from stdout

kubernetes@local-cluster-0:~/my-kubeflow$ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c sidecar
I0503 10:46:25.240827       1 main.go:51] Version v1.14.8
I0503 10:46:25.240868       1 server.go:45] Starting server (options {DnsMasqPort:53 DnsMasqAddr:127.0.0.1 DnsMasqPollIntervalMs:5000 Probes:[{Label:kubedns Server:127.0.0.1:10053 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33} {Label:dnsmasq Server:127.0.0.1:53 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33}] PrometheusAddr:0.0.0.0 PrometheusPort:10054 PrometheusPath:/metrics PrometheusNamespace:kubedns})
I0503 10:46:25.240906       1 dnsprobe.go:75] Starting dnsProbe {Label:kubedns Server:127.0.0.1:10053 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33}
I0503 10:46:25.240992       1 dnsprobe.go:75] Starting dnsProbe {Label:dnsmasq Server:127.0.0.1:53 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33}
W0503 10:46:25.241374       1 server.go:64] Error getting metrics from dnsmasq: read udp 127.0.0.1:58432->127.0.0.1:53: read: connection refused

Can anyone help me have a look? Many thanks in advance!

opened by jiaanguo 41

Regression: Ambassador does not route insecure requests

Description

This bug has already been fixed in the past and it came back when updating the Helm Chart from 6.5.5 to 6.5.6 (or Ambassador 1.7.1 to 1.7.2).

Even if one follows the documentation for ClearText support, Ambassador categorically refuses to forward non HTTP requests and always forces redirection (HTTP 301).

---
apiVersion: getambassador.io/v2
kind: Module
metadata:
  name: ambassador
  namespace: ambassador
spec:
  config:
    enable_grpc_web: true
    use_proxy_proto: false
    use_remote_address: true
    x_forwarded_proto_redirect: false
...
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: ambassador
  namespace: ambassador
spec:
  hostname: "*.example.com"
  acmeProvider:
    authority: none
  requestPolicy:
    insecure:
      action: Route
      additionalPort: -1
...

t:bug

opened by srheaume 37

build(deps): bump k8s.io/api from 0.21.9 to 0.24.4
Bumps k8s.io/api from 0.21.9 to 0.24.4.

Commits

44d27eb Update dependencies to v0.24.4 tag

0bf1867 Revert "Introduce APIs to support multiple ClusterCIDRs (#108290)"

2de6996 Merge pull request #109241 from ravisantoshgudimetla/sts-ar-optional

7734d26 [sts] api: Make available replicas optional

38ec09a [sts] Generated: Make available replicas optional

ec84bcb Merge pull request #109178 from liggitt/openapi-master

e3797f2 Drop enum tag from certificate request condition

02c2207 Merge pull request #109151 from Argh4k/r-101566

1eb735b Revert "Field status.hostIPs added for Pod (#101566)"

290a349 Introduce APIs to support multiple ClusterCIDRs (#108290)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 30
build(deps): bump k8s.io/apimachinery from 0.21.9 to 0.24.4
Bumps k8s.io/apimachinery from 0.21.9 to 0.24.4.

Commits

97e5df2 fix remove implicit copy of a lock

6550efd Merge pull request #109102 from liggitt/darwin-tls

00f0711 Merge pull request #109031 from Jefftree/openapiv3beta

53a85ef Tolerate additional error messages in TLS unit tests

9b5b68c generated: Update kube-openapi and vendor

31e52c9 Merge pull request #108126 from sanposhiho/doc/generatedname

3b8fb46 Merge pull request #108713 from jiahuif-forks/feature/openapi/intstr-any-of

dd2f21c fix the doc about generateName conflict

2866f23 oneOf types for IntOrString

7b6c37e oneOf types for Quantity

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 30
Host header may include port
Describe the bug If the Host header provided in a request includes the port, Ambassador responds with a 404 where there is an otherwise valid route.

To Reproduce Steps to reproduce the behavior:

Setup a Host and Mapping

curl https://myhostname.com will work because curl sends Host: myhostname.com

curl https://myhostname.com -H "Host: myhostname.com:443" will return a 404 with an empty body

Expected behavior Ambassador should ignore the port portion of the Host header, or at least treat the default ports as equivalent to the absence of a port.

Versions (please complete the following information):

Ambassador: AES 1.1.0

Kubernetes environment: Digital Ocean Managed Kubernetes

Version: 1.16.2-do.3

Additional context Our client is using Qt's QNetworkAccessManager to send requests, but upon testing Ambassador I have found that requests were failing from our client (but working from browsers, curl, etc.) Initially I assumed this was a bug in Qt, but the RFC states that the Host header may include a port.
pinned t:bug
opened by james-emerton 30
503 and 403 errors when using more than 1 ambassador pod
Describe the bug

When talking to a service through ambassador that has an auth service, was getting what appeared to be random responses between 200, 503, and 403. Had replica of 3 set for the ambassador deployment. Upon looking at the logs, one pod was always giving 200 responses, another 503, and another 403. Tried restarting the trouble pods with no luck.

As a workaround I made my deployment to just replica 1 and now only seem to be getting 200 responses. Only saw this bug when I upgraded to 0.53.1. Was previously on version 0.50.3.

Versions (please complete the following information):

Ambassador: 0.53.1

Kubernetes environment (bare metal)

Version 1.13.1

stale
opened by robertrbruno 29
grpc hello world example does not work clean ambassador edge install on kubeadm
Describe the bug

We had clean install of ambassador edge on aws instance running kubeadm 1.17.0. Then we deployed grpc hello world example but executing greeter_client.py result in an error. Also, grpc example pod log has some strange error

sudo docker logs 0a6f7953d987 -f E0129 08:00:33.483639279 9 http_server_filter.cc:299] GET request without QUERY E0129 08:01:33.479603017 9 http_server_filter.cc:299] GET request without QUERY E0129 08:02:33.482634173 9 http_server_filter.cc:299] GET request without QUERY

and running greeter_client.py with ambassador host and port give and error:

python greeter_client.py Traceback (most recent call last): File "greeter_client.py", line 38, in run() File "greeter_client.py", line 32, in run response = stub.SayHello(helloworld_pb2.HelloRequest(name='you')) File "/home/ubuntu/.local/lib/python2.7/site-packages/grpc/_channel.py", line 824, in call return _end_unary_response_blocking(state, call, False, None) File "/home/ubuntu/.local/lib/python2.7/site-packages/grpc/_channel.py", line 726, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNIMPLEMENTED details = "unknown service edge_stack_ui/helloworld.Greeter" debug_error_string = "{"created":"@1580285513.750873999","description":"Error received from peer ipv4:172.31.79.169:80","file":"src/core/lib/surface/call.cc","file_line":1056,"grpc_message":"unknown service edge_stack_ui/helloworld.Greeter","grpc_status":12}"

To Reproduce Steps to reproduce the behavior:

Clean install ambassador edge

configure host and certificate

download and deploy grpc example hello world

lanch greeter_client.py with ambassador host and port

Expected behavior expected a reply $ python greeter_client.py Greeter client received: Hello, you!

Versions (please complete the following information):

Ambassador Ede stack : [1.0.0]

Kubernetes environment: Kubeadm

Version [1.17.0]

Additional context Add any other context about the problem here.
stale
opened by cogmeta 28

TLS redirect_cleartext_from doesn't preserve path

Describe the bug url path is not preserved with redirect_cleartext_from set

To Reproduce

Follow TLS Termination documentation to create cert and store as kubernetes secret
Deploy ambassador with helm chart 2.2.1 with values:

service:
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: tls
      config:
        server:
          enabled: True
          secret: ambassador-certs
          redirect_cleartext_from: 8080

Deploy httpbin service to test redirect

---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind:  Mapping
      name:  httpbin_mapping
      prefix: /httpbin/
      service: httpbin.org:80
      host_rewrite: httpbin.org
spec:
  ports:
  - name: httpbin
    port: 80

curl the endpoint using http

curl -Li http://hostname/httpbin/

Result: path is not preserved on redirect

HTTP/1.1 301 Moved Permanently
location: https://hostname/
date: Wed, 24 Apr 2019 20:12:19 GMT
server: envoy
content-length: 0

HTTP/2 404 
date: Wed, 24 Apr 2019 20:12:19 GMT
server: envoy

Expected behavior Path should be preserved and redirect to https://hostname/httpbin/

Versions (please complete the following information):

Ambassador: [0.60.0] (using Helm chart 2.2.1)
Kubernetes environment: [AKS]
Version [1.12.7]

Additional context

opened by bpehling 27

v0.50.1 AuthService drops all but one `set-cookie` response header

Describe the bug When AuthService returns a non-200 response to Ambassador, only one set-cookie header can be sent back to the client, all other set-cookie headers are stripped. All cookies have the same domain, max_age, etc.

To Reproduce Steps to reproduce the behavior:

Setup a v1 (0.50.1) AuthService that adds more than one set-cookie header on auth responses
Send a non-200 response (302 in this case so that the request does not continue upstream) from AuthService with >1 set-cookie header on response
Verify all set-cookie headers are present on response from AuthService as the response passes back through Ambassador; there should be >1 set-cookie header on the response from the AuthService and only 1 set-cookie header on the response that Ambassador filters and sends back to the client

Expected behavior We expect all set-cookie headers to be returned by Ambassador when the AuthService returns a response. Rolling the service back to Ambassador v0.40.2 results in the expected behavior.

Versions (please complete the following information):

Ambassador: [e.g. 0.32.1]
Kubernetes environment [e.g. Minikube, bare metal, Google Kubernetes Engine]
Version [e.g. 1.8.1]

Additional context Here is logging we captured of the issue. Notice that x-request-destination is preserved but session is removed in the final response.

[2019-02-07 20:41:58.736][000059][debug][http] [source/common/http/async_client_impl.cc:96] async http request response headers (end_stream=false):
':status', '302'
'server', 'nginx/1.15.0'
'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
'content-type', 'text/html; charset=utf-8'
'content-length', '941'
'connection', 'keep-alive'
'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
'vary', 'Cookie'
'set-cookie', 'session=.eJyrVopPLC3JMACTOZlJ8cmJOTlJicnZ8UpWShklJQXFVvr6iblJicXFiSn5RXopqWV6xZWJBcWpesn5ufogXVX6ZYZghoE-UKggJ7UkVUkH3djiksSSVJCZpWbGkQVeyVnB5ak-nm6V_oEFhWluPoZRZUHBPhWeSrUAJe00QQ.XFyYFg.8BzD07RYRXiRz8Iz2s-9U3S3XUg; Domain=.syapse.com; HttpOnly; Path=/'
'x-content-type-options', 'nosniff'
'x-frame-options', 'SAMEORIGIN'
'x-xss-protection', '1; mode=block'
'strict-transport-security', 'max-age=15768000; includeSubDomains'
'x-envoy-upstream-service-time', '27'

[2019-02-07 20:41:58.740][000059][debug][client] [source/common/http/codec_client.cc:95] [C141708] response complete
[2019-02-07 20:41:58.740][000059][debug][filter] [source/extensions/filters/http/ext_authz/ext_authz.cc:177] [C141707][S17486080943075874799] ext_authz rejected the request
[2019-02-07 20:41:58.740][000059][debug][http] [source/common/http/conn_manager_impl.cc:1096] [C141707][S17486080943075874799] encoding headers via codec (end_stream=false):
':status', '302'
'content-length', '941'
'content-type', 'text/plain'
'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
'server', 'envoy'

[2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:209] [C141708] response complete
[2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:247] [C141708] moving to ready[2019-02-07 20:41:58.736][000059][debug][http] [source/common/http/async_client_impl.cc:96] async http request response headers (end_stream=false):
':status', '302'
'server', 'nginx/1.15.0'
'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
'content-type', 'text/html; charset=utf-8'
'content-length', '941'
'connection', 'keep-alive'
'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
'vary', 'Cookie'
'set-cookie', 'session=.eJyrVopPLC3JMACTOZlJ8cmJOTlJicnZ8UpWShklJQXFVvr6iblJicXFiSn5RXopqWV6xZWJBcWpesn5ufogXVX6ZYZghoE-UKggJ7UkVUkH3djiksSSVJCZpWbGkQVeyVnB5ak-nm6V_oEFhWluPoZRZUHBPhWeSrUAJe00QQ.XFyYFg.8BzD07RYRXiRz8Iz2s-9U3S3XUg; Domain=.syapse.com; HttpOnly; Path=/'
'x-content-type-options', 'nosniff'
'x-frame-options', 'SAMEORIGIN'
'x-xss-protection', '1; mode=block'
'strict-transport-security', 'max-age=15768000; includeSubDomains'
'x-envoy-upstream-service-time', '27'

[2019-02-07 20:41:58.740][000059][debug][client] [source/common/http/codec_client.cc:95] [C141708] response complete
[2019-02-07 20:41:58.740][000059][debug][filter] [source/extensions/filters/http/ext_authz/ext_authz.cc:177] [C141707][S17486080943075874799] ext_authz rejected the request
[2019-02-07 20:41:58.740][000059][debug][http] [source/common/http/conn_manager_impl.cc:1096] [C141707][S17486080943075874799] encoding headers via codec (end_stream=false):
':status', '302'
'content-length', '941'
'content-type', 'text/plain'
'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
'server', 'envoy'

[2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:209] [C141708] response complete
[2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:247] [C141708] moving to ready

Here's the AuthService annotation that we are using:

  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: AuthService
      name: authentication
      auth_service: {auth-service-url-and-port}
      path_prefix: "/v1/validate"
      allowed_authorization_headers:
      - "set-cookie"
      - "session"
      ---
      apiVersion: ambassador/v1
      kind: Mapping
      name: authz_mapping
      prefix: /authz/
      service: {auth-service-url-and-port}
      tls: true

We also verified this behavior against normal non-AuthService request/response flows, and did not see Ambassador filtering any response headers.

opened by mianelson 26

Set a capability to allow binding to low ports
Description

The cap_net_bind_service capability allows a process to bind to a low port without root. While Kubernetes lets you allow a capability in the pod spec, the effective capabilities are wiped when the root -> user transition is made.

This change setcap's the binary so that it can assert that capability. e.g.

securityContext: |~ capabilities: |~ add: |~ - NET_BIND_SERVICE

(there is no CAP_ at the beginning; K8s seems to add that)

If you don't want to bind to a low port, don't add the capability and we're back to the previous behavior. If you want to bind to a low port, add the capability and configure Ambassador appropriately.

Related Issues

This is a feature addition -- I want to be able to run this as a non root user but still bind to a low port.

Testing

Manual testing.

Todos

[ ] Tests

[ ] Documentation
opened by swalberg 25

Host CRD does not route insecure requests

Describe the bug Despite using the Host CRD for http-only in the docs, Ambassador refuses to route non-http requests and always forces 301 redirect.

To Reproduce Use the following k8s yaml

apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: minimal-host
spec:
  hostname: host.example.com
  acmeProvider:
    authority: none
requestPolicy:
  insecure:
    action: route
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: hello-world-mapping
spec:
  prefix: /hello-world/
  service: hello-world
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
spec:
  selector:
    app: hello-world
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world
        image: infrastructureascode/hello-world

Curl to curl -v http://host.example.com:30845/hello-world/ See 301 redirect

*   Trying 192.168.64.5...
* TCP_NODELAY set
* Connected to host.example.com (192.168.64.5) port 30845 (#0)
> GET /hello-world/ HTTP/1.1
> Host: host.example.com:30845
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< location: https://host.example.com:30845/hello-world/
< date: Sun, 19 Jan 2020 15:15:13 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host host.example.com left intact

Expected behavior Expect Host definition to allow http-only requests, no redirects.

Versions (please complete the following information):

Image: quay.io/datawire/aes:1.0.0
Image ID: docker-pullable://quay.io/datawire/aes@sha256:4a6577ca83178fbbfd8295d68312b2d92b6820dfd97e6a36e2ec1337ac4cf66b
minikube version: v1.6.2

Additional context I review of the generated envoy.json file shows the vhost host.example.com has an entry for the /hello-world/ path, but it is set to redirect: true. Seems like the insecure-action route is not being recognized.

t:bug

opened by daninthewoods 23

build(deps): bump importlib-metadata from 5.0.0 to 6.0.0 in /docker/test-shadow
Bumps importlib-metadata from 5.0.0 to 6.0.0.

Changelog

Sourced from importlib-metadata's changelog.

v6.0.0

#419: Declared Distribution as an abstract class, enforcing definition of abstract methods in instantiated subclasses. It's no longer possible to instantiate a Distribution or any subclasses unless they define the abstract methods.

Please comment in the issue if this change breaks any projects. This change will likely be rolled back if it causes significant disruption.

v5.2.0

#371: Deprecated expectation that PackageMetadata.__getitem__ will return None for missing keys. In the future, it will raise a KeyError.

v5.1.0

#415: Instrument SimplePath with generic support.

Commits

d66e35a Merge pull request #420 from python/bugfix/419

2d52ecd Update changelog. Ref #419.

8a9d169 Add ABCMeta to Distribution. Fixes #419.

1bf8a7a Add xfail test capturing desired expectation.

4a4f062 Correct typo

cd68fe5 Remove test for 'new style classes', no longer relevant in a world where all ...

35da17c Merge https://github.com/jaraco/tidelift

a6c6660 Put tidelift docs dependency in its own section to limit merge conflicts.

4fe7502 Merge pull request #417 from python/debt/deprecate-getitem-none

880a621 Mark PackageMetadata.__getitem__ as deprecated for missing values. Ref #371.

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies python
opened by dependabot[bot] 0
.github: remove x.y.z-dev tags from rc promotion
Description

Cause more confusion than its worth.

Checklist

[x] Does my change need to be backported to a previous release?

release/v3.4 (after GA)

release/v2.5

[ ] I made sure to update CHANGELOG.md.

Remember, the CHANGELOG needs to mention:

Any new features

Any changes to our included version of Envoy

Any non-backward-compatible changes

Any deprecations

[ ] This is unlikely to impact how Ambassador performs at scale.

Remember, things that might have an impact at scale include:

Any significant changes in memory use that might require adjusting the memory limits

Any significant changes in CPU use that might require adjusting the CPU limits

Anything that might change how many replicas users should use

Changes that impact data-plane latency/scalability

[ ] My change is adequately tested.

Remember when considering testing:

Your change needs to be specifically covered by tests.

Tests need to cover all the states where your change is relevant: for example, if you add a behavior that can be enabled or disabled, you'll need tests that cover the enabled case and tests that cover the disabled case. It's not sufficient just to test with the behavior enabled.

You also need to make sure that the entire area being changed has adequate test coverage.

If existing tests don't actually cover the entire area being changed, add tests.

This applies even for aspects of the area that you're not changing – check the test coverage, and improve it if needed!

We should lean on the bulk of code being covered by unit tests, but...

... an end-to-end test should cover the integration points

[ ] I updated DEVELOPING.md with any any special dev tricks I had to use to work on this code efficiently.

[ ] The changes in this PR have been reviewed for security concerns and adherence to security best practices.
opened by haq204 0
Istio Multicluster Support?
Describe the bug We are running an Istio multi-cluster setup with 2 clusters. We are using Istio version 1.14.1 on all workloads, including emissary-ingress, which is injected with the istio-proxy sidecar via the istio.io/rev: 1-14-1 label on the emissary namespace; i.e. standard practice. This is all running on 2 GKE clusters running kubernetes versionv1.21.14-gke.4300

We installed emissary-ingresss following this documentation - https://www.getambassador.io/docs/emissary/latest/howtos/istio

If we exec into an emissary-ingress pod, we can communicate with workloads on the same cluster as expected. When we try to communicate with a workload on the remote cluster, we receive 504 Gateway Timeout responses. DNS resolution for remote services is working.

Another non-emissary pod in the same namespace as the emissary-ingress pods, can communicate with the remote service without issue. This seems to point to emissary-ingress as being the problem is this case.

Expected behavior To be able to communicate with remote services.

Versions (please complete the following information):

emissary-ingress - 3.3.1

helm chart version emissary-ingress-8.3.1

Kubernetes environment - GKE

Version - v1.21.14
opened by rixongary 0
Move CRDs and apiext to its own helm chart and add it as a dependency

Please describe your use case / problem. Currently apiext and the CRDs are kind of loosely managed from a helm user perspective. That means that as a helm user I have to manually delete and update the apiext deployment and the CRDs.

Describe the solution you'd like As a helm user I would expect to maintain only the emissary-ingress helm release, which "ships" its CRDs and the apiext deployment. One solution would be to define the CRDs and apiext in seperate helm charts, which the emissary-ingress helm chart depends on.

Describe alternatives you've considered Include the CRDs and the apiext deployment directly in the emissary-ingress chart as described here. That would work for the apiext deployment, but upgrading the CRDs would not be supported by it.

Additional context Part of https://github.com/emissary-ingress/emissary/issues/4531

opened by kharf 1
Introduction of default requests/limits for apiext deployment

Please describe your use case / problem. One of the best practices of Kubernetes is to define resource requests and limits. Requests are what the container is guaranteed to get. If a container requests a resource, Kubernetes will only schedule it on a node that can give it that resource. Limits, on the other hand, make sure a container never goes above a certain value. Currently apiext does not have these requests and limits defined.

Describe the solution you'd like Add resource requests and limits to the apiext deployment.

Describe alternatives you've considered Documentation why it is not defined and explain how customers can define their own resource request and limits. (e.g. with Kustomize)

Additional context Part of: https://github.com/emissary-ingress/emissary/issues/4531

opened by kharf 2
How to use feature on ssl-passthrough in emissary
Describe the bug How to use feature on ssl-passthrough in emissary

To Reproduce Steps to reproduce the behavior: I am not sure how to use ssl passthrough in emissary? In one the issue I can see that TCPMapping can be used but I dont know how to use it and it didnt worked for me. please help me resolving the issue How to use feature on ssl-passthrough in emissary

Expected behavior SSL passthrough must work

Versions (please complete the following information):

Ambassador: [e.g. 0.32.1]

Kubernetes environment [e.g. Minikube, bare metal, Google Kubernetes Engine]

Version [e.g. 1.8.1]

Additional context Add any other context about the problem here. Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

Go to '...'I am not sure how to use ssl passthrough in emissary? In one the issue I can see that TCPMapping can be used but I dont know how to use it and it didnt worked for me. please help me resolving the issue

Click on '....'

Scroll down to '....'

See error

Expected behavior A clear and concise description of what you expected to happen.

Versions (please complete the following information):

Ambassador: [e.g. 0.32.1]

Kubernetes environment [e.g. Minikube, bare metal, Google Kubernetes Engine]

Version [e.g. 1.8.1]

Additional context Add any other context about the problem here.
opened by mohania17 0

Releases(v3.3.1)

v3.3.1(Dec 9, 2022)
:tada: Emissary Ingress 3.3.1 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release. CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients. Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of Envoy is not affected by either of these.

Source code(tar.gz)
Source code(zip)
v2.5.1(Dec 9, 2022)
:tada: Emissary Ingress 2.5.1 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Feature: Support for the getambassador.io/v1 apiVersion has been re-introduced, in order to facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations possible, an "unserved" v1 version was declared to Kubernetes, but was unsupported by Emissary-ingress. That unserved v1 could cause an excess of errors to be logged by the Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y install); fully supporting v1 again should resolve these errors.

Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release. CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients. Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of Envoy is not affected by either of these.

Security: Updated Golang to the latest z patch. We are not vulnerable to the CVE-2022-3602 that was released in 1.19.3 and you can read more about it here: https://medium.com/ambassador-api-gateway/ambassador-labs-security-impact-assessment-of-nov-1-openssl-golang-vulnerabilities-f11b5ec37a7e. Updating to the latest z patch as part of our normal dependency update process and this will help reduce the noise of security scanners.

Source code(tar.gz)
Source code(zip)
chart/v8.3.1(Dec 9, 2022)
:tada: Emissary Ingress Chart 8.3.1 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v3.3.1 CHANGELOG

Source code(tar.gz)
Source code(zip)
chart/v7.6.1(Dec 9, 2022)
:tada: Emissary Ingress Chart 7.6.1 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v2.5.1 CHANGELOG

Source code(tar.gz)
Source code(zip)
v2.5.0(Nov 3, 2022)
:tada: Emissary Ingress 2.5.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Bugfix: If a Host or TLSContext contained a hostname with a : then when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing envoy metrics for the diagnostics user interface.

Security: Bump Go from 1.17.12 to 1.19.2. This is to keep the Go version current.

Source code(tar.gz)
Source code(zip)
chart/v7.6.0(Nov 3, 2022)
:tada: Emissary Ingress Chart 7.6.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v2.5.0 CHANGELOG

Source code(tar.gz)
Source code(zip)
v3.3.0(Nov 2, 2022)
:tada: Emissary Ingress 3.3.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Security: Updated Golang to 1.19.2 to address the CVEs: CVE-2022-2879, CVE-2022-2880, CVE-2022-41715.

Bugfix: By default Emissary-ingress adds routes for http to https redirection. When an AuthService is applied in v2.Y of Emissary-ingress, Envoy would skip the ext_authz call for non-tls http request and would perform the https redirect. In Envoy 1.20+ the behavior has changed where Envoy will always call the ext_authz filter and must be disabled on a per route basis. This new behavior change introduced a regression in v3.0 of Emissary-ingress when it was upgraded to Envoy 1.22. The http to https redirection no longer works when an AuthService was applied. This fix restores the previous behavior by disabling the ext_authz call on the https redirect routes. (#4620)

Bugfix: When an AuthService is applied in v2.Y of Emissary-ingress, Envoy would skip the ext_authz call for all redirect routes and would perform the redirect. In Envoy 1.20+ the behavior has changed where Envoy will always call the ext_authz filter so it must be disabled on a per route basis. This new behavior change introduced a regression in v3.0 of Emissary-ingress when it was upgraded to Envoy 1.22. The host_redirect would call an AuthService prior to redirect if applied. This fix restores the previous behavior by disabling the ext_authz call on the host_redirect routes. (#4640)

Bugfix: Previous versions of Emissary-ingress required a workaround using TLSContexts to find tls secrets referenced from Ingress resources. Now tls secrets referenced are properly detected without requiring an additional TLSContext to reference them. (Thanks to Ole Markus!).

Source code(tar.gz)
Source code(zip)
chart/v8.3.0(Nov 2, 2022)
:tada: Emissary Ingress Chart 8.3.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v3.3.0 CHANGELOG

Change: By default, the Ambassador agent will report diagnostics to the Ambassador Cloud

Change: updated auto-scaling resource cpu and memory variable ordering to help with git-ops syncing. Also, adjusted memory and cpu settings to be more friendly so that they do not cause the HPA auto-scaling to trigger during start-up. Thanks to Ian Martin for the contribution!

Source code(tar.gz)
Source code(zip)
v2.4.1(Oct 10, 2022)
:tada: Emissary Ingress 2.4.1 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Bugfix: If a Host or TLSContext contained a hostname with a : then when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing envoy metrics for the diagnostics user interface.

Bugfix: The synthetic AuthService didn't correctly handle AmbassadorID, which was fixed in version 3.1 of Emissary-ingress. The fix has been backported to make sure the AuthService is handled correctly during upgrades.

Source code(tar.gz)
Source code(zip)
chart/v7.5.1(Oct 10, 2022)
:tada: Emissary Ingress Chart 7.5.1 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v2.4.1 CHANGELOG

Source code(tar.gz)
Source code(zip)
v3.2.0(Sep 27, 2022)
:tada: Emissary Ingress 3.2.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.2.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Change: The envoy version included in Emissary-ingress has been upgraded from 1.22 to the latest patch release of 1.23. This provides Emissary-ingress with the latest security patches, performances enhancments, and features offered by the envoy proxy.

Change: Changes to label matching will change how Hosts are associated with Mappings. There was a bug with label selectors that was causing Hosts to be incorrectly being associated with more Mappings than intended. If any single label from the selector was matched then the Host would be associated with the Mapping. Now it has been updated to correctly only associate a Host with a Mapping if all labels required by the selector are present. This brings the mappingSelector field in-line with how label selectors are used in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their mappingSelector to Mappings you want to associate with the Host. You can opt-out of the new behaviour by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to "true" (default: "false"). (Thanks to Filip Herceg and Joe Andaverde!).

Feature: Previously the Host resource could only use secrets that are in the namespace as the Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of secrets from different namespaces.

Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to a delay between EDS + CDS. The default is false.

Bugfix: Distinct services with names that are the same in the first forty characters will no longer be incorrectly mapped to the same cluster. (#4354)

Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then it will allow traffic through. The RateLimitService resource now exposes the failure_mode_deny option. Set failure_mode_deny: true, then Envoy will deny traffic when it is unable to communicate to the RateLimitService returning a 500.

Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the AuthService would have no affect because it was not being properly passed to the Envoy cluster config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly. (Thanks to Paul!)

Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.

Bugfix: If a Host or TLSContext contained a hostname with a : when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing envoy metrics for the diagnostics user interface.

Feature: It is now possible to set custom_tags in the TracingService. Trace tags can be set based on literal values, environment variables, or request headers. (Thanks to Paul!) (#4181)

Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS termination configuration comes from.

Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but didn't make much sense. You can now use a TLSContext without a Hostas in Emissary-ingress 1.y releases, or a Host with or without a TLSContext as in prior 2.y releases.

Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot be used on the same port that HTTP is served on, even if TLS+SNI would make this possible. Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts, as long as that Listener terminates TLS.

Security: Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.

Source code(tar.gz)
Source code(zip)
chart/v8.2.0(Sep 27, 2022)
:tada: Emissary Ingress Chart 8.2.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v3.2.0 CHANGELOG

Bugfix: The default Role configuration of the Ambassador Agent Deployment will allow it to correctly watch Secret resources for Ambassador Cloud tokens.

Source code(tar.gz)
Source code(zip)
v2.4.0(Sep 19, 2022)
:tada: Emissary Ingress 2.4.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Feature: Previously the Host resource could only use secrets that are in the namespace as the Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of secrets from different namespaces.

Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to a delay between EDS + CDS. The default is false.

Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the AuthService would have no affect because it was not being properly passed to the Envoy cluster config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly. (Thanks to Paul!)

Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.

Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS termination configuration comes from.

Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but didn't make much sense. You can now use a TLSContext without a Hostas in Emissary-ingress 1.y releases, or a Host with or without a TLSContext as in prior 2.y releases.

Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot be used on the same port that HTTP is served on, even if TLS+SNI would make this possible. Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts, as long as that Listener terminates TLS.

Source code(tar.gz)
Source code(zip)
chart/v7.5.0(Sep 19, 2022)
:tada: Emissary Ingress Chart 7.5.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Upgrade Emissary to v2.4.0 CHANGELOG

Source code(tar.gz)
Source code(zip)
v3.1.0(Aug 1, 2022)
:tada: Emissary Ingress 3.1.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.1.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, making them available for use in the dev portal.

Feature: Adds a new command to the agent directive service to manage secrets. This allows a third party product to manage CRDs that depend upon a secret.

Feature: Add additional pprof endpoints to allow for profiling Emissary-ingress:

CPU profiles (/debug/pprof/profile)

tracing (/debug/pprof/trace)

command line running (/debug/pprof/cmdline)

program counters (/debug/pprof/symbol)

Change: In the standard published .yaml files, the Module resource enables serving remote client requests to the :8877/ambassador/v0/diag/ endpoint. The associated Helm chart release also now enables it by default.

Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure that all the nodes composing the emissary ingress cluster are reporting properly.

Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.

Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, CVE-2022-27780.

Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.

Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458

Source code(tar.gz)
Source code(zip)
v2.3.2(Aug 1, 2022)
:tada: Emissary Ingress 2.3.2 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.2/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure that all the nodes composing the emissary ingress cluster are reporting properly.

Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.

Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, CVE-2022-27780.

Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.

Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458

Source code(tar.gz)
Source code(zip)
chart/v8.1.0(Aug 1, 2022)

:tada: Emissary Ingress Chart 8.1.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Source code(tar.gz)
Source code(zip)
chart/v7.4.2(Aug 1, 2022)
:tada: Emissary Ingress Chart 7.4.2 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Update Emissary chart image to version v2.3.2 CHANGELOG

Source code(tar.gz)
Source code(zip)
v3.0.0(Jun 28, 2022)
:tada: Emissary Ingress 3.0.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.0.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Change: The envoy version included in Emissary-ingress has been upgraded from 1.17 to the latest patch release of 1.22. This provides Emissary-ingress with the latest security patches, performances enhancments, and features offered by the envoy proxy. One notable change that will effect users is the removal of support for V2 tranport protocol. See below for more information.

Change: Emissary-ingress can no longer be made to configure Envoy using the v2 xDS configuration API; it now always uses the v3 xDS API to configure Envoy. This change should be mostly invisible to users, with one notable exception: It removes support for regex_type: unsafe. The regex_type field will is removed from the ambassador Module, meaning that it is not be possible to instruct Envoy to use the ECMAScript Regex engine rather than the default RE2 engine. Users who rely on the specific ECMAScript Regex syntax will need to rewrite their regular expressions with RE2 syntax before upgrading to Emissary-ingress 3.0.0. As the xDS version is no longer configurable and the range of supported Zipkin protocols is reduced (see below), the AMBASSADOR_ENVOY_API_VERSION environment variable has been removed.

Change: With the ugprade to Envoy 1.22, Emissary-ingress no longer supports the V2 transport protocol. The AuthService, LogService and the RateLimitService will only support the v3 protocol_version. If protocol_version is not specified, the default value of v2 will cause an error to be posted. Therefore, you will need to set it to protocol_version: "v3". If upgrading from a previous version you will want to set it to "v3" and ensure it is working before upgrading to Emissary-ingress 3.Y.

Change: With the upgrade to Envoy 1.22, the zipkin driver for the TraceService no longer supports setting the collector_endpoint_version: HTTP_JSON_V1. This was removed in Envoy 1.20 - . The new default will be collector_endpoint_version: HTTP_JSON, regardless of the AMBASSADOR_ENVOY_API_VERSION environment variable.

Change: In the standard published .yaml files, now included is a Module resource that disables the /ambassador/v0/ → 127.0.0.1:8878 synthetic mapping. We have long recommended to turn this off for production use; it is now off in the standard YAML. The associated Helm chart release also now disables it by default. A later apiVersion (getambassador.io/v3alpha2 or later) will likely change the Module CRD so that it is disabled if unspecified; but in the mean-time, the default install procedure will now specify it to be disabled.

Change: This release does not include the publishing of emissary-emissaryns-agent.yaml, emissary-defaultns-agent.yaml, emissary-emissaryns-migration.yaml, or emissary-defaultns-migration.yaml files. All four of these files existed solely as part of the migration process from 1;y, but since 2.2.0 the *-migration.yaml files have not been part of the migration instructions, and while the *-agent.yaml files remained part of the instructions they were actually unnescessary.

Change: The previous version of Emissary-ingress was based on Envoy 1.17 and when using grpc_stats with all_methods or services set, it would output metrics in the following format envoy_cluster_grpc_{ServiceName}_{statname}. When neither of these fields are set it would be aggregated to envoy_cluster_grpc_{statname}. The new behavior since Envoy 1.18 will produce metrics in the following format envoy_cluster_grpc_{MethodName}_statsname and envoy_cluster_grpc_statsname. After further investigation we found that Envoy doesn't properly parse service names such as cncf.telepresence.Manager/Status. In the future, we will work upstream Envoy to get this parsing logic fixed to ensure consistent metric naming.

Bugfix: Previously setting grpc_stats in the ambassador Module without setting either grpc_stats.services or grpc_stats.all_methods would result in crashing. Now it behaves as if grpc_stats.all_methods=false.

Feature: With the ugprade to Envoy 1.22, Emissary-ingress can now be configured to listen for HTTP/3 connections using QUIC and the UDP network protocol. It currently only supports for connections between downstream clients and Emissary-ingress.

Source code(tar.gz)
Source code(zip)
chart/v8.0.0(Jun 28, 2022)
:tada: Emissary Ingress Chart 8.0.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Change: The default for the module value has changed to disable the /ambassador/v0/ → 127.0.0.1:8877 synthetic Mapping by default. We have long recommended to turn this off for production use; it is now off by default.

Bugfix: The default values no trigger the creation of an "emissary-test-ready" Pod. This Pod was meant to only be created when running the chart's test suite; it was not meant to be created in users' clusters.

Source code(tar.gz)
Source code(zip)
v1.14.4(Jun 13, 2022)
:tada: Ambassador 1.14.4 :tada:

Ambassador is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal redirects, and does not use Envoy's built-in OAuth2 filter.

Source code(tar.gz)
Source code(zip)
chart/v6.9.5(Jun 13, 2022)
:tada: Ambassador Chart 6.9.5 :tada:

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md

Update Ambassador API Gateway chart image to version v1.14.4: CHANGELOG

Update Ambassador Edge Stack chart image to version v1.14.4: CHANGELOG

Source code(tar.gz)
Source code(zip)
v2.3.1(Jun 10, 2022)
:tada: Emissary Ingress 2.3.1 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Bugfix: A regression was introduced in 2.3.0 that leaked zipkin default config fields into the configuration for the other drivers (lightstep, etc...). This caused Emissary-ingress to crash on startup. This issue has been resolved to ensure that the defaults are only applied when driver is zipkin (#4267)

Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal redirects, and does not use Envoy's built-in OAuth2 filter.

Source code(tar.gz)
Source code(zip)
chart/v7.4.1(Jun 10, 2022)

:tada: Emissary Ingress Chart 7.4.1 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Source code(tar.gz)
Source code(zip)
v2.3.0(Jun 6, 2022)
:tada: Emissary Ingress 2.3.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Security: Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.

Feature: It is now possible to set propagation_modes in the TracingService config when using lightstep as the driver. (Thanks to Paul!) (#4179)

Feature: It is now possible to set crl_secret in Host and TLSContext resources to check peer certificates against a certificate revocation list. (#1743)

Feature: Previously, a LogService would always have Emissary-ingress communicate with the external log service using the envoy.service.accesslog.v2.AccessLogService API. It is now possible for the LogService to specify protocol_version: v3 to use the newer envoy.service.accesslog.v3.AccessLogService API instead. This functionality is not available if you set the AMBASSADOR_ENVOY_API_VERSION=V2 environment variable.

Bugfix: When CORS is specified (either in a Mapping or in the Ambassador Module), CORS processing will happen before authentication. This corrects a problem where XHR to authenticated endpoints would fail.

Bugfix: In 2.x releases of Emissary-ingress when there are multiple Mappings that have the same metadata.name across multiple namespaces, their old config would not properly be removed from the cache when their config was updated. This resulted in an inability to update configuration for groups of Mappings that share the same name until the Emissary-ingress pods restarted.

Bugfix: It is now possible for a TracingService to specify collector_endpoint_version: HTTP_JSON_V1 when using xDS v3 to configure Envoy (which has been the default since Emissary-ingress 1.14.0). The HTTP_JSON_V1 value configures Envoy to speak to Zipkin using Zipkin's old API-v1, while the HTTP_JSON value configures Envoy to speak to Zipkin using Zipkin's new API-v2. In previous versions of Emissary-ingress it was only possible to use HTTP_JSON_V1 when explicitly setting the AMBASSADOR_ENVOY_API_VERSION=V2 environment variable to force use of xDS v2 to configure Envoy.

Source code(tar.gz)
Source code(zip)
chart/v7.4.0(Jun 6, 2022)
:tada: Emissary Ingress Chart 7.4.0 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Update change Emissary chart image to version v2.3.0 CHANGELOG

Add "lifecycle" option to main container. This can be used, for example, to add a lifecycle.preStop hook. Thanks to Eric Totten for the contribution!

Add ambassador_id to listener manifests rendered when using createDefaultListeners: true with AMBASSADOR_ID set in environment variables. Thanks to Jennifer Reed for the contribution!

Feature: Added configurable IngressClass resource to be compliant with Kubernetes 1.22+ ingress specification.

Source code(tar.gz)
Source code(zip)
v2.2.2(Feb 25, 2022)
:tada: Emissary Ingress 2.2.2 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.2.2/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Change: You may now choose to enable TLS Secret validation by setting the AMBASSADOR_FORCE_SECRET_VALIDATION=true environment variable. The default configuration does not enforce secret validation.

Bugfix: Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now properly validated. (4134)

Source code(tar.gz)
Source code(zip)
v1.14.3(Feb 25, 2022)
:tada: Ambassador 1.14.3 :tada:

Ambassador is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started

Security: Upgraded Envoy to address security vulnerabilities CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, and CVE-2022-21655.

Source code(tar.gz)
Source code(zip)
chart/v7.3.2(Feb 25, 2022)

:tada: Emissary Ingress Chart 7.3.2 :tada:

Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md

Source code(tar.gz)
Source code(zip)
chart/v6.9.4(Feb 25, 2022)
:tada: Ambassador Chart 6.9.4 :tada:

Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md

Update Ambassador API Gateway chart image to version v1.14.3: CHANGELOG

Update Ambassador Edge Stack chart image to version v1.14.3: CHANGELOG

Source code(tar.gz)
Source code(zip)