Changelog

BREAKING NEWS

AMBASSADOR EDGE STACK 1.0.0

Ambassador Edge Stack 1.0.0 is a comprehensive, self-service solution for exposing, securing, and managing the boundary between end users and your Kubernetes services. The core of Ambassador Edge Stack is the open-source Ambassador API Gateway, built on the Envoy proxy.

Ambassador Edge Stack provides all the capabilities of the Ambassador API Gateway, as well as additional capabilities including:

The Edge Policy Console, a graphical UI to visualize and manage all of your edge policies;

Security features such as automatic TLS setup via ACME integration, OAuth/OpenID Connect integration, rate limiting, and fine-grained access control; and

Developer onboarding assistance, including an API catalog, Swagger/OpenAPI documentation support, and a fully customizable developer portal.

Note: Ambassador Edge Stack replaces Ambassador Pro and can be installed over existing instances of Ambassador Pro and Ambassador API Gateway. The Ambassador Edge Stack is free for all users, and includes all the functionality of the Ambassador API Gateway in addition to the additional capabilities mentioned above. Due to popular demand, we’re offering a free tier of our core features as part of the Ambassador Edge Stack, designed for startups.

UPCOMING CHANGES

Ingress resources and Namespaces

In a future version of Ambassador, no sooner than Ambassador 1.8.0, TLS secrets in Ingress resources will not be able to use .namespace suffixes to cross namespaces.

gRPC names

In a future version, Ambassador will change the version of the gRPC service name used to communicate with AuthServices and RateLimitServices:

Resource          Current service name                       Upcoming service name
AuthService       envoy.service.auth.v2alpha.Authorization   envoy.service.auth.v2.Authorization
RateLimitService  pb.lyft.ratelimit.RateLimitService         envoy.service.ratelimit.v2.RateLimitService

In some future version of Ambassador, there will be settings to control which name is used; with the default being the current name; it will be opt-in to the new names.

In some future version of Ambassador after that, no sooner than Ambassador 1.8.0, the default values of those settings will change; making them opt-out from the new names.

In some future version of Ambassador after that, no sooner than Ambassador 1.9.0, the settings will go away, and Ambassador will always use the new names.

Note that Ambassador Edge Stack External Filters already unconditionally use the newer envoy.service.auth.v2.Authorization name.

RELEASE NOTES

Next Release

(no changes yet)

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: A regression introduced in 1.7.0 with the various Host.spec.insecure.action behaviors, including handling of X-Forwarded-Proto, has been fixed.

Bugfix: Host resources no longer perform secret namespacing when the AMBASSADOR_FAST_RECONFIGURE flag is enabled.

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Support envoy_validation_timeout in the Ambassador Module to set the timeout for validating new Envoy configurations

Ambassador Edge Stack only

Bugfix: consul_connect_integration is now built correctly.

Bugfix: The developer portal again supports requests for API documentation

Ambassador API Gateway + Ambassador Edge Stack

Feature: Upgrade from Envoy 1.14.4 to 1.15.0.

Bugfix: Correctly handle a Host object with incompatible manually-specified TLSContext

Feature: The Ambassador control-plane now publishes Prometheus metrics alongside the existing Envoy data-plane metrics under the /metrics endpoint on port 8877.

Default-off early access: Experimental changes to allow Ambassador to more quickly process configuration changes (especially with larger configurations) have been added. The AMBASSADOR_FAST_RECONFIGURE env var must be set to enable this. AMBASSADOR_FAST_VALIDATION should also be set for maximum benefit.

Ambassador API Gateway only

Bugfix: Fixes regression in 1.5.1 that caused it to not correctly know its own version number, leading to notifications about an available upgrade despite being on the most recent version.

Ambassador Edge Stack only

Feature: DevPortal can now discover OpenAPI documentation from Mappings that set host and headers

Feature: edgectl install will automatically enable Service Preview with a Preview URL on the Host resource it creates.

Feature: Service Preview will inject an x-service-preview-path header in filtered requests with the original request prefix to allow for context propagation.

Feature: Service Preview can intercept gRPC requests using the --grpc flag on the edgectl intercept add command and the getambassador.io/inject-traffic-agent-grpc: "true" annotation when using automatic Traffic-Agent injection.

Feature: The TracingService Zipkin config now supports setting collector_endpoint_version to tell Envoy to use Zipkin v2.

Feature: You can now inject request and/or response headers from a RateLimit.

Bugfix: Don't crash during startup if Redis is down.

Bugfix: Service Preview correctly uses the Host default Path value for the spec.previewUrl.type field.

Bugfix: The JWT, OAuth2, and other Filters are now better about reusing connections for outgoing HTTP requests.

Bugfix: Fixed a potential deadlock in the HTTP cache used for fetching JWKS and such for Filters.

Bugfix: Fixed insecure route action behavior. Host security policies no longer affect other Hosts.

Bugfix: Internal Ambassador data is no longer exposed to the /.ambassador-internal/ endpoints used by the DevPortal.

Bugfix: Problems with license key limits will no longer trigger spurious HTTP 429 errors. Using the RateLimit resource beyond 5rps without any form of license key will still trigger 429 responses, but now with an X-Ambassador-Message header indicating that's what happened.

Bugfix: When multiple RateLimits overlap, the strictest limit is supposed to be enforced; but the strictness comparison didn't correctly handle comparing limits with different units.
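The unit-aware strictness comparison that entry describes, written as an added illustration for this changelog rather than the project's own code. The Limit type, its field names and the second/minute/hour/day units are assumptions of this example; the naive variant shows the failure mode (raw rates compared without regard to units), not the historical implementation.

```go
package main

import (
	"errors"
	"fmt"
)

// Limit is a simplified stand-in for one entry of a RateLimit resource's
// limits list: Rate requests per Unit. Field names are assumptions for this
// example, not the product's own type.
type Limit struct {
	Rate uint64
	Unit string // "second", "minute", "hour" or "day" (assumed unit names)
}

// secondsPer converts each unit to a window length in seconds so limits
// expressed in different units can be compared on equal terms.
var secondsPer = map[string]uint64{
	"second": 1,
	"minute": 60,
	"hour":   3600,
	"day":    86400,
}

// window returns the length of a limit's unit in seconds, or an error for a
// unit this example does not know (a misconfigured limit must not silently
// become "infinitely loose" or "infinitely strict").
func window(l Limit) (uint64, error) {
	s, ok := secondsPer[l.Unit]
	if !ok {
		return 0, fmt.Errorf("unknown rate-limit unit %q", l.Unit)
	}
	return s, nil
}

// stricterThan reports whether a admits fewer requests per second than b.
// a.Rate/secs(a) < b.Rate/secs(b) is evaluated by cross-multiplication so the
// comparison stays exact in integer arithmetic (no float rounding).
func stricterThan(a, b Limit) (bool, error) {
	sa, err := window(a)
	if err != nil {
		return false, err
	}
	sb, err := window(b)
	if err != nil {
		return false, err
	}
	return a.Rate*sb < b.Rate*sa, nil
}

// strictest picks the limit with the lowest allowance once units are
// normalised, which is what overlapping limits are meant to enforce.
func strictest(limits []Limit) (Limit, error) {
	if len(limits) == 0 {
		return Limit{}, errors.New("no limits to compare")
	}
	best := limits[0]
	if _, err := window(best); err != nil {
		return Limit{}, err
	}
	for _, l := range limits[1:] {
		stricter, err := stricterThan(l, best)
		if err != nil {
			return Limit{}, err
		}
		if stricter {
			best = l
		}
	}
	return best, nil
}

// strictestNaive compares raw Rate values and ignores Unit entirely: the
// failure mode the changelog entry describes. 200/minute looks "looser"
// than 5/second even though it admits fewer requests per second.
func strictestNaive(limits []Limit) Limit {
	best := limits[0]
	for _, l := range limits[1:] {
		if l.Rate < best.Rate {
			best = l
		}
	}
	return best
}

func main() {
	// Constructed sample: two overlapping limits in different units.
	limits := []Limit{{Rate: 5, Unit: "second"}, {Rate: 200, Unit: "minute"}}
	naive := strictestNaive(limits)
	fixed, _ := strictest(limits)
	fmt.Printf("naive picks %d/%s, unit-aware picks %d/%s\n",
		naive.Rate, naive.Unit, fixed.Rate, fixed.Unit)
}
```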

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: The (new in 1.6.0) Host.spec.tls and Host.spec.tlsContext fields now work when AMBASSADOR_FAST_VALIDATION=fast is not set.

Bugfix: Setting use_websocket: true on a Mapping now only affects routes generated from that Mapping, instead of affecting all routes on that port.

Feature: It is now possible to "upgrade" to non-HTTP protocols other than WebSocket; the new allow_upgrade is a generalization of use_websocket.

Ambassador Edge Stack only

Bugfix: The Host.spec.requestPolicy.insecure.additionalPort field works again.

Bugfix: The Host.spec.ambassadorId is once again handled in addition to .ambassador_id, allowing Hosts written by versions of AES prior to 1.6.0 to continue working.

Bugfix: Fix a redirect loop that could occur when using multiple protectedOrigins in a Host.

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Mappings with an https scheme for service are now correctly parsed.

Bugfix: A Mapping with both a scheme and a hostname of localhost is now handled correctly.

Bugfix: ConsulResolver now works again for Mappings outside of Ambassador's namespace.

Ambassador API Gateway + Ambassador Edge Stack

Incorporate the Envoy 1.14.4 security update.

API CHANGE: Turning off the Diagnostics UI via the Ambassador Module now disables access to the UI from both inside and outside the Ambassador Pod.

API CHANGE: Default changes updating Mapping status from default-on to default-off; see below.

Feature: Add support for circuit breakers in TCP mapping (thanks, Pierre Fersing!)

Feature: Ambassador CRDs now include schema. This enables validation by kubectl apply.

Feature: Advanced TLS configuration can be specified in the Host resource via the tlsContext and tls fields.

Feature: Implement sampling percentage in tracing service.

Performance improvement: Diagnostics are generated on demand rather than on every reconfig.

Performance improvement: Experimental fast validation of the contents of Ambassador resources has been added. The AMBASSADOR_FAST_VALIDATION env var must be set to enable this.

Internal: Configuration endpoints used internally by Ambassador are no longer accessible from outside the Ambassador Pod.

Bugfix: envoy_log_format can now be set with envoy_log_type: json.

Docs: Fixed OAuth2 documentation spelling errors (thanks, Travis Byrum!)

As previously announced, the default value of AMBASSADOR_UPDATE_MAPPING_STATUS has now changed from true to false; Ambassador will no longer attempt to update the Status of a Mapping unless you explicitly set AMBASSADOR_UPDATE_MAPPING_STATUS=true in the environment. If you do not have tooling that relies on Mapping status updates, we do not recommend setting AMBASSADOR_UPDATE_MAPPING_STATUS.

In Ambassador 1.7, TLS secrets in Ingress resources will not be able to use .namespace suffixes to cross namespaces.

Ambassador Edge Stack only

Feature: The Edge Policy Console's Debugging page now has a "Log Out" button to terminate all EPC sessions.

Feature: X-Content-Type-Options: nosniff to response headers are now set for the Edge Policy Console, to prevent MIME confusion attacks.

Feature: The OAuth2 Filter now has an allowMalformedAccessToken setting to enable use with IDPs that generate access tokens that are not compliant with RFC 6750.

Bugfix: All JWT Filter errors are now formatted per the specified errorResponse.

Feature: Options for making Redis connection pooling configurable.

Bugfix: User is now directed to the correct URL after clicking in Microsoft Office.

Feature: The Console's Dashboard page has speedometer gauges to visualize Rate Limited and Authenticated traffic.

Ambassador API Gateway + Ambassador Edge Stack

Incorporate the Envoy 1.14.3 security update.

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Allow disabling Mapping-status updates (RECOMMENDED: see below)

Bugfix: Logging has been made much quieter; the default Envoy log level has been turned down from "warning" to "error"

Ambassador now logs timing information about reconfigures

We recommend that users set AMBASSADOR_UPDATE_MAPPING_STATUS=false in the environment to tell Ambassador not to update Mapping statuses unless you have some script that relies on Mapping status updates. The default value of AMBASSADOR_UPDATE_MAPPING_STATUS will change to false in Ambassador 1.6.

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Restore Envoy listener drain time to its pre-Ambassador 1.3.0 default of 10 minutes.

Ambassador Edge Stack only

Bugfix: Allow deletion of ProjectControllers.

Bugfix: Fix regression introduced in 1.4.2 where the OAuth2 AuthorizationCode filter no longer works when behind another gateway that rewrites the request hostname. The behavior here is now controllable via the internalOrigin sub-field.

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Read Knative ingress generation from the correct place in the Kubernetes object

Ambassador API Gateway + Ambassador Edge Stack

Incorporate the Envoy 1.14.2 security update.

Upgrade the base Docker images used by several tests (thanks, Daniel Sutton!).

Ambassador Edge Stack only

Feature: (BETA) Added an in-cluster micro CI/CD system to enable building, staging, and publishing of GitHub projects from source. This has been included in previous versions as an alpha, but disabled by default. It is now in BETA.

Bugfix: The DEVPORTAL_CONTENT_URL environment variable now properly handles file:/// URLs to refer to volume-mounted content.

Bugfix: acmeProvider.authority: none is no longer case sensitive

Bugfix: edgectl connect works again on Ubuntu and other Linux setups with old versions of nss-mdns (older than version 0.11)

Bugfix: edgectl works again on Windows

Bugfix: The Edge Policy Console now correctly creates FilterPolicy resources

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Logging has been made much quieter

Bugfix: A service that somehow has no hostname should no longer cause an exception

Ambassador API Gateway + Ambassador Edge Stack

Switched from quay.io back to DockerHub as our primary publication point. If you are using your own Kubernetes manifests, you will have to update them! Datawire's Helm charts and published YAML have already been updated.

Feature: switch to Envoy 1.14.1

Feature: Allow defaults for add_request_header, remove_request_header, add_response_header, and remove_response_header

Feature: Inform Knative of the route to the Ambassador service if available (thanks, Noah Fontes!)

Feature: Support the path and timeout options of the Knative ingress path rules (thanks, Noah Fontes!)

Feature: Allow preserving X-Request-ID on requests from external clients (thanks, Prakhar Joshi!)

Feature: Mappings now support query parameters (thanks, Phil Peble!)

Feature: Allow setting the Envoy shared-memory base ID (thanks, Phil Peble!)

Feature: Additional security configurations not set on default YAMLs

Feature: Let Ambassador configure regex_rewrite for advanced forwarding

Bugfix: Only update Knative ingress CRDs when the generation changes (thanks, Noah Fontes!)

Bugfix: Now behaves properly when AMBASSADOR_SINGLE_NAMESPACE is set to an empty string, rather than getting into a weird in-between state

Bugfix: The websocket library used by the test suite has been upgraded to incorporate security fixes (thanks, Andrew Allbright!)

Bugfix: Fixed evaluation of label selectors causing the wrong IP to be put into Ingress resource statuses

Bugfix: The watt (port 8002) and ambex (port 8003) components now bind to localhost instead of 0.0.0.0, so they are no longer erroneously available from outside the Pod

Ambassador Edge Stack only

Feature: edgectl upgrade allows upgrading API Gateway installations to AES

Feature: edgectl intercept can generate preview-urls for Host resources that enabled the feature

Feature: edgectl install will now automatically install the Service Preview components (ambassador-injector, telepresence-proxy) and scoped RBAC

Feature: Rate-limited 429 responses now include the Retry-After header

Feature: The JWT Filter now makes hasKey and doNotSet functions available to header field templates, in order to facilitate only conditionally setting a header field.

Feature: The OAuth2 Filter now has an expirationSafetyMargin setting that will cause an access token to be treated as expired sooner, in order to have a safety margin of time to send it to the upstream Resource Server that grants insufficient leeway.

Feature: The JWT Filter now has leewayFor{ExpiresAt,IssuedAt,NotBefore} settings for configuring leeway when validating the timestamps of a token.

Feature: The environment variables REDIS{,_PERSECOND}_{USERNAME,PASSWORD,TLS_ENABLED,TLS_INSECURE} may now be used to further configure how the Ambassador Edge Stack communicates with Redis.

Bugfix: Don't start the dev portal running if POLL_EVERY_SECS is 0

Bugfix: Now no longer needs cluster-wide RBAC when running with AMBASSADOR_SINGLE_NAMESPACE.

Bugfix: The OAuth2 Filter now validates the reported-to-Client scope of an Access Token even if a separate accessTokenJWTFilter is configured.

Bugfix: The OAuth2 Filter now sends the user back to the identity provider to upgrade the scope if they request an endpoint that requires broader scope than initially requested, instead of erroring.

Bugfix: The OAuth2 Filter will no longer send RFC 7235 challenges back to the user agent if it would not accept RFC 7235 credentials (previously it only avoided sending HTTP 401 challenges, but still sent 400 or 403 challenges).

Bugfix: The amb-sidecar (port 8500) component now binds to localhost instead of 0.0.0.0, so it is no longer erroneously available from outside the Pod

Ambassador Edge Stack Only

Bugfix: Don't generate spurious 403s in logs when using Edge Policy Console.

Ambassador Edge Stack Only

Bugfix: The Traffic Agent binds to port 9900 by default. That port can be configured in the Agent's Pod spec. For more about using the Traffic Agent, see the Service Preview documentation.

Bugfix: The OAuth2 Filter redirection-endpoint now handles various XSRF errors more consistently (the way we meant it to in 1.2.1)

Bugfix: The OAuth2 Filter now supports multiple authentication domains that share the same credentials. For more about using multiple domains, see the OAuth2 Filter documentation.

Bugfix: The ACME client now obeys AMBASSADOR_ID

Ambassador Edge Stack Only

Internal: edgectl install uses Helm under the hood

Ambassador API Gateway + Ambassador Edge Stack

Feature: Support Ingress Path types improvements from networking.k8s.io/v1beta1 on Kubernetes 1.18+

Feature: Support Ingress hostname wildcards

Feature: Support for the IngressClass Resource, added to networking.k8s.io/v1beta1 on Kubernetes 1.18+. For more about new Ingress support, see the Ingress Controller documentation.

Feature: Mappings support the cluster_tag attribute to control the name of the generated Envoy cluster (thanks, Stefan Sedich!) See the Advanced Mapping Configuration documentation for more.

Feature: Support Envoy's ability to force response headers to canonical HTTP case (thanks, Puneet Loya!) See the Ambassador Module documentation for more.

Bugfix: Correctly ignore Kubernetes services with no metadata (thanks, Fabrice!)

Ambassador Edge Stack Only

Feature: edgectl install output has clearer formatting

Feature: edgectl install offers help when installation does not succeed

Feature: edgectl install uploads installer and AES logs to a private area upon failure so Datawire support can help

Bugfix: The "Filters" tab in the webui no longer renders the value of OAuth client secrets that are stored in Kubernetes secrets.

Bugfix: The ACME client of one Ambassador install will no longer interfere with the ACME client of another Ambassador install in the same namespace with a different AMBASSADOR_ID.

Bugfix: edgectl intercept supports matching headers values against regular expressions once more

Bugfix: edgectl install correctly handles more local and cluster environments. For more about edgectl improvements, see the Service Preview and Edge Control documentation.


Ambassador Edge Stack

Bugfix: edgectl install correctly installs on Amazon EKS and other clusters that provide load balancers with fixed DNS names

Bugfix: edgectl install when using Helm once again works as documented

Bugfix: edgectl install console logs are improved and neatened

Bugfix: edgectl install --verbose output is improved

Bugfix: edgectl install automatically opens documentation pages for some errors

Bugfix: edgectl install help text is improved

Ambassador Edge Stack

Bugfix: edgectl install will not install on top of a running Ambassador

Bugfix: edgectl install can detect and report if kubectl is missing

Bugfix: edgectl install can detect and report if it cannot talk to a Kubernetes cluster

Bugfix: When using the Authorization Code grant type for OAuth2, expired tokens are correctly handled so that the user will be prompted to renew

Bugfix: When using the Password grant type for OAuth2, authentication sessions are properly associated with each user

Bugfix: When using the Password grant type for OAuth2, you can set up multiple Filters to allow requesting different scopes for different endpoints

Ambassador Edge Stack

Feature: Support username and password as headers for OAuth2 authentication (grantType: Password)

Feature: edgectl install provides better feedback for clusters that are unreachable from the public Internet

Feature: edgectl install supports KIND clusters (thanks, @factorypreset!)

Feature: edgectl intercept supports HTTPS

Feature: Ambassador Edge Stack Docker image is ~150MB smaller

Feature: The Edge Policy Console can be fully disabled with the diagnostics.enable element in the ambassador Module

Feature: aes-plugin-runner now allows passing in docker run flags after the main argument list.

Bugfix: Ambassador Edge Stack doesn't crash if the Developer Portal content URL is not accessible

Bugfix: edgectl connect does a better job handling clusters with many services

Bugfix: The Plugin Filter now correctly sets request.TLS to nil/non-nil based on whether the original request was encrypted or not.

Change: There is no longer a separate traffic-proxy image; that functionality is now part of the main AES image. Set command: ["traffic-manager"] to use it.

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: re-support PROXY protocol when terminating TLS (#2348)

Bugfix: Incorporate the Envoy 1.12.3 security update

Internal: Fix an error in Edge Stack update checks

Ambassador Edge Stack only

Bugfix: The aes-plugin-runner binary for GNU/Linux is now statically linked (instead of being linked against musl libc), so it should now work on either musl libc or GNU libc systems

Bugfix: The OAuth2 Filter redirection-endpoint now handles various XSRF errors more consistently

Change: The OAuth2 Filter redirection-endpoint now handles XSRF errors by redirecting back to the identity provider

(1.2.1 is superseded by 1.2.2.)

Ambassador API Gateway + Ambassador Edge Stack

Feature: add idle_timeout_ms support for common HTTP listener (thanks, Jordan Neufeld!) (#2155)

Feature: allow override of bind addresses, including for IPv6! (thanks to Josue Diaz!) (#2293)

Bugfix: Support Istio mTLS secrets natively (thanks, Phil Peble!) (#1475)

Bugfix: TLS custom secret with period in name doesn't work (thanks, Phil Peble!) (#1255)

Bugfix: Honor ingress.class when running with Knative

Internal: Fix CRD-versioning issue in CI tests (thanks, Ricky Taylor!)

Bugfix: Stop using deprecated Envoy configuration elements

Bugfix: Resume building a debuggable Envoy binary

Ambassador Edge Stack only

Change: The ambassador service now uses the default externalTrafficPolicy of Cluster rather than explicitly setting it to Local. This is a safer setting for GKE where the Local policy can cause outages when ambassador is updated. See https://stackoverflow.com/questions/60121956/are-hitless-rolling-updates-possible-on-gke-with-externaltrafficpolicy-local for details.

Feature: edgectl install provides a much cleaner, quicker experience when installing Ambassador Edge Stack

Feature: Ambassador Edge Stack supports the Ambassador operator for automated management and upgrade

Feature: ifRequestHeader can now have valueRegex instead of value

Feature: The OAuth2 Filter now has a useSessionCookies option to have cookies expire when the browser closes, rather than at a fixed duration

Feature: ifRequestHeader now has negate: bool to invert the match

Bugfix: The RBAC for Ingress now supports the networking.k8s.io apiGroup

Bugfix: Quiet Dev Portal debug logs

Bugfix: The Edge Policy Console is much less chatty when logged out

Change: The intercept agent is now incorporated into the aes image

Change: The OAuth2 Filter no longer sets cookies when insteadOfRedirect triggers

Change: The OAuth2 Filter more frequently adjusts the cookies

Ambassador API Gateway + Ambassador Edge Stack

Bugfix: Load explicitly referenced secrets in another namespace, even when AMBASSADOR_SINGLE_NAMESPACE (thanks, Thibault Cohen!) (#2202)

Bugfix: Fix Host support for choosing cleartext or TLS (#2279)

Bugfix: Fix intermittent error when rendering /ambassador/v0/diag/

Internal: Various CLI tooling improvements

Ambassador Edge Stack only

Feature: The Policy Console can now set the log level to "trace" (in addition to "info" or "debug")

Bugfix: Don't have the Policy Console poll for snapshots when logged out

Bugfix: Do a better job of noticing when the license key changes

Bugfix: aes-plugin-runner --version now works properly

Bugfix: Only serve the custom CONGRATULATIONS! 404 page on /

Change: The OAuth2 Filter stateTTL setting is now ignored; the lifetime of state-tokens is now managed automatically

(Note that Ambassador 1.1.0 is identical to Ambassador 1.1.0-rc.0, from January 24, 2020. Also, we're now using "-rc.N" rather than just "-rcN", for better compliance with SemVer.)

Ambassador API Gateway + Ambassador Edge Stack

Feature: support resources with the same name but in different namespaces (#2226, #2198)

Feature: support DNS overrides in edgectl

Bugfix: Reduce log noise about "kubestatus" updates

Bugfix: manage the diagnostics snapshot cache more aggressively to reduce memory footprint

Bugfix: re-enable Docker demo mode (and improve the test to make sure we don't break it again!) (#2227)

Bugfix: correct potential issue with building edgectl on Windows

Internal: fix an error with an undefined Python type in the TLS test (thanks, Christian Clauss!)

Ambassador Edge Stack only

Feature: make the External filter type fully compatible with the AuthService type

Docs: add instructions for what to do after downloading edgectl

Bugfix: make it much faster to apply the Edge Stack License

Bugfix: make sure the ACME terms-of-service link is always shown

Bugfix: make the Edge Policy Console more performant

All of Ambassador's CRDs have been switched to apiVersion: getambassador.io/v2, and your resources will be upgraded when you apply the new CRDs. We recommend that you follow the migration instructions and check your installation's behavior before upgrading your CRDs.

Ambassador API Gateway + Ambassador Edge Stack

Breaking changes

When a resource specifies a service or secret name without a corresponding namespace, Ambassador will now look for the service or secret in the namespace of the resource that mentioned it. In the past, Ambassador would look in the namespace in which Ambassador was running.

Features

The Host CR provides an easy way to tell Ambassador about domains it should expect to handle, and how it should handle secure and insecure requests for those domains

Redirection from HTTP to HTTPS defaults to ON when termination contexts are present

Mapping and Host CRs, as well as Ingress resources, get Status updates to provide better feedback

Improve performance of processing events from Kubernetes

Automatic HTTPS should work with any ACME clients doing the http-01 challenge

Bugfixes

CORS now happens before rate limiting

The reconfiguration engine is better protected from exceptions

Don’t try to check for upgrades on every UI snapshot update

Reduced reconfiguration churn

Don't force SNI routes to be lower-priority than non-SNI routes

Knative mappings fallback to the Ambassador namespace if no namespace is specified

Fix ambassador_id handling for Knative resources

Treat ambassadorId as a synonym for ambassador_id (ambassadorId is the Protobuf 3 canonical form of ambassador_id)

Ambassador Edge Stack

Ambassador Edge Stack incorporates the functionality of the old Ambassador Pro product.

Authentication and ratelimiting are now available under a free community license

Given a Host CR, Ambassador can manage TLS certificates using ACME (or you can manage them by hand)

There is now an edgectl program that you can use for interacting with Ambassador from the command line

There is a web user interface for Ambassador

BREAKING CHANGE: APP_LOG_LEVEL is now AES_LOG_LEVEL

AES: Bugfix: Fix ACME client with multiple replicas

AES: Bugfix: Fix ACME client race conditions with the API server and WATT

AES: Bugfix: Don't crash in the ACME client if Redis is unavailable

Change: Less verbose yet more useful Ambassador pod logs

Bugfix: Various bugfixes for listeners and route rejection

Bugfix: Don't append the service namespace for localhost

AES: Bugfix: Fix rendering mapping labels YAML in the webui

AES: Bugfix: Organize help output from edgectl so it is easier to read

AES: Bugfix: Various bugfixes around ACME support with manually-configured TLSContexts

AES: Change: Don't disable scout or enable extra-verbose logging when migrating from OSS

AES: BREAKING CHANGE: APP_LOG_LEVEL is now AES_LOG_LEVEL

Internal: Improvements to release machinery

Internal: Fix the dev shell

Internal: Adjust KAT tests to work with the Edge Stack

BREAKING CHANGE: Rename Host CR status field reason to errorReason

Feature: Host CRs now default .spec.hostname to .metadata.name

Feature: Host CRs now have a requestPolicy field to control redirecting from cleartext to TLS

Feature: Redirecting from cleartext to TLS no longer interferes with ACME http-01 challenges

Feature: Improved edgectl help and informational messages

Bugfix: Host CR status is now a sub-resource

Bugfix: Have diagd snapshot JSON not include "serialization" keys (which could potentially leak secrets)

Bugfix: Fix ambassador_id handling for Knative resources

Bugfix: Use the correct namespace for resources found via annotations

Bugfix: Treat ambassadorId as a synonym for ambassador_id (ambassadorId is the Protobuf 3 canonical form of ambassador_id)

Internal: Allow passing a DOCKER_NETWORK variable to the build-system

Bugfix: Knative mappings populate and fallback to the Ambassador namespace if unspecified

Internal: Knative tests for versions 0.7.1 and 0.8.0 were removed

Internal: Knative tests for version 0.11.0 were added

Internal: Improved performance with Edge Stack using /ambassador/v0/diag/ with an optional patch_client query param to send a partial representation in JSON Patch format, reducing the memory and network traffic for large deployments

Internal: Silence warnings from which in the docs preflight check

BREAKING CHANGE: When a resource specifies a service or secret name without a corresponding namespace, Ambassador uses the namespace of the resource. In the past, Ambassador would use its own namespace.

Bugfix: Add the appropriate label so Ingress works with Edge Stack

Bugfix: Remove superfluous imagePullSecret

Bugfix: Fix various admin UI quirks, especially in Firefox: bogus warnings about duplicate resources, drag-and-drop reordering of rate limit configuration, and missing icons

Internal: Drop duplicated resources earlier in the processing chain

Internal: Streamline code generation from protobufs

Internal: Automated broken-link checks in the documentation

Bugfix: Use proper executable name for Windows edgectl

Bugfix: Don't force SNI routes to be lower-priority than non-SNI routes

Bugfix: Prevent the self-signed fallback context from conflicting with a manual context

Bugfix: UI buttons can hide themselves

Bugfix: Developer Portal API acquisition

Bugfix: Developer Portal internal routing

Internal: Better JS console usage

Internal: Rationalize usage reporting for Edge Stack

Feature: Improve performance of processing events from Kubernetes

Feature: Automatic HTTPS should work with any ACME clients doing the http-01 challenge

Internal: General improvements to test infrastructure

Internal: Improved the release process

ambassador-internal-access-control Filter and FilterPolicy are now created internally. Remove them from your cluster if upgrading from a previous version.

Internal: Improved the reliability of CI

Internal: Improved the release process

Feature: initial edgectl support for Windows!

UX: be explicit that seeing the license applied can take a few minutes

Bugfix: don’t try to check for upgrades on every UI snapshot update

Bugfix: don’t activate the fallback TLSContext if its secret is not available

Bugfix: first cut at reducing reconfiguration churn

All of Ambassador's CRDs have been switched to apiVersion: getambassador.io/v2 , and your resources will be upgraded when you apply the new CRDs. We recommend that you follow the migration instructions and check your installation's behavior before upgrading your CRDs.

Features

Authentication and ratelimiting are now available under a free community license

The Host CRD provides an easy way to tell Ambassador about domains it should expect to handle

Given a Host CRD, Ambassador can manage TLS certificates using ACME (or you can manage them by hand)

Redirection from HTTP to HTTPS defaults to ON when termination contexts are present

Mapping and Host CRDs, as well as Ingress resources, get Status updates to provide better feedback

Bugfixes

CVE-2019–18801, CVE-2019–18802, and CVE-2019–18836 are fixed by including Envoy 1.12.2

CORS now happens before rate limiting

The reconfiguration engine is better protected from exceptions

Envoy updated to 1.12.2 for security fixes

Envoy TCP keepalives are now supported (thanks, Bartek Kowalczyk!)

Envoy remote access logs are now supported

Correctly handle upgrades when the LogService CRD is not present

(Ambassador 0.86.0 was superseded by Ambassador 0.86.1.)

Features

Support configuring the Envoy access log format (thanks to John Esmet!)

Major changes:

Bugfix: Fix /ambassador permissions to allow running as non-root - Thanks @dmayle (https://github.com/dmayle) for reporting the bug.

Support setting window_bits for the GZip filter (thanks to Florent Delannoy!)

Correctly support tuning the regex_max_size, and bump its default to 200 (thanks to Paul Salaberria!)

Support setting redirect_cleartext_from in a TLSContext

Correctly update loadbalancer status of Ingress resources

Don't enable diagd debugging in the test suite unless explicitly requested (thanks to Jonathan Suever!)

Switch to an Envoy release build

Developer Notes:

Many many things about the build system have changed under the hood! Start with make help, and join our Slack channel for more help!



Major changes:

Update Ambassador to address CVE-2019-15225 and CVE-2019-15226.

NOTE: this switches the default regex engine! See the documentation for the ambassador Module for more.

Major changes:

Feature: Arrange for the Prometheus metrics endpoint to also return associated headers (thanks, Jennifer Wu!)

Feature: Support setting a TLS origination context when doing TLS to a RateLimitService (thanks, Phil Peble!)

Feature: Allow configuring Envoy's access log path (thanks, Jonathan Suever!)

Update: Switch to Python 3.7 and Alpine 3.10

Developer notes:

Switch back to the latest mypy (currently 0.730)

Environment variable KAT_IMAGE_PULL_POLICY can override the imagePullPolicy when running KAT tests

Updated Generated Envoy Golang APIs

Major changes:

Feature: ${} environment variable interpolation is supported in all Ambassador configuration resources (thanks, Stefan Sedich!)

Feature: DataDog APM tracing is now supported (thanks again, Stefan Sedich!)

Bugfix: Fix an error in the TLSContext schema (thanks, @georgekaz!)

Developer notes:

Test services can now be built, deployed, and tested more easily (see BUILDING.md)

mypy is temporarily pinned to version 0.720.

Major changes:

Feature: Basic support for the Kubernetes Ingress resource

Feature: Basic reporting for some common configuration errors (lack of Mappings, lack of TLS contexts)

Bugfix: Update Envoy to prevent crashing when updating AuthService under load

Developer notes

Golang components now use Go 1.13

Ambassador build now requires clean type hinting

KAT client and server have been pulled back into the Ambassador repo

Major changes:

Feature: Support setting cipher_suites and ecdh_curves in TLSContext - #1782 (Thanks @teejaded)

Feature: Make 128-bits traceids the default - #1794 (Thanks @Pluies)

Feature: Set cap_net_bind_service to allow binding to low ports - #1720 (Thanks @swalberg)

Minor changes:

Testing: Add test that ambassador cli does not crash when called with --help - #1806 (Thanks @rokostik)

(Feature) Support the least_request load balancer policy (thanks, Steve Flanders!)

(Misc) Many test and release-engineering improvements under the hood

circuit breakers now properly handle overriding a global circuit breaker within a Mapping (#1767)

support for Knative 0.8.0 (#1732)

(Feature) Update to Envoy 1.11.1, including security fixes

(Feature) You can use a TLSContext without a secret to set origination options (#1708)

(Feature) Canary deployments can now use multiple host_rewrite values (#1159)

(Bugfix) Make sure that Ambassador won't mistakenly complain about the number of RateLimit and Tracing services (thanks, Christian Claus!)

(bugfix) Make sure that updates properly trigger reconfigures (#1727)

(misc) Arrange for startup logging to have timestamps

Bugfix: Make sure that the pod dies if Envoy dies

Bugfix: Correctly allow setting timeout_ms for AuthService (thanks, John Esmet!!)

Feature: Permit configuring cluster_idle_timeout_ms for upstream services (thanks, John Esmet!!) (#1542)

Feature: Experimental native support for Knative! (#1579)

Feature: Better Linkerd interoperability! (#1578, #1594)

Feature: Add a legend for the colors of service names on the diagnostic overview (thanks, Wyatt Pearsall!)

Feature: Allow switching Envoy to output JSON logs (thanks, Pedro Tavares!)

Feature: Allow setting AMBASSADOR_LABEL_SELECTOR and AMBASSADOR_FIELD_SELECTOR to let Ambassador use Kubernetes selectors to determine which things to read (thanks, John Esmet!) (#1292)

Feature: Allow configuring retries for AuthService (thanks, Kevin Dagostino!) (#1622, #1461)

Bugfix: Allow Ambassador to ride through Envoy-validation timeouts (thanks, John Morrisey!)

Bugfix: Allow Ambassador to ride through parse errors on input resources (thanks, Andrei Predoiu!) (#1625)

Bugfix: Allow '.' in a secret name to just be a '.' (#1255)

Bugfix: Allow manually defining an Ambassador Service resource, same as any other resource

Bugfix: Prevent spurious duplicate-resource errors when loading config from the filesystem

Envoy: Update Envoy to commit 8f57f7d765

Bugfix: Auth spans are now properly connected to requests (#1414)

Bugfix: include_body now works correctly (#1531, #1595)

Bugfix: x_forwarded_proto_redirect works again (thanks to Kyle Martin!) (#1571)

Bugfix: Ambassador works correctly with read-only filesystems (thanks, Niko Kurtti!) (#1614, #1619)

Bugfix: Correctly render groups associated with a given resolver in diagnostics JSON output

Feature: Give the Ambassador CLI a way to specify the directory into which to write secrets.

Feature: GZIP support #744

Feature: diag UI shows active Resolvers #1453

Feature: CRDs exist for Resolvers #1563

Feature: Resolvers with custom names work, even as CRDs #1497

Feature: The /metrics endpoint provides direct access to Prometheus-format stats (thanks to Rotem Tamir!)

Bugfix: statsd-exporter now correctly defaults to port 8125 (thanks to Jonathan Suever!)

Bugfix: redirect_cleartext_from no longer strips the URL path #1463

Bugfix: canary weights of 0 and 100 work correctly #1379

Bugfix: docker run works again for the Ambassador demo, and is part of our tests now #1569

Bugfix: Scout DEBUG messages don’t get leaked into the diag UI #1573

Maintenance: warn of upcoming protocol version changes

Maintenance: check in with Scout every 24 hours, but no more than twice per day

Minor changes:

Bugfix: Disable CRD support if Ambassador cannot access them

Upgrade: Upgrade to watt 0.5.1

Major changes:

Feature: Support CRDs in the getambassador.io API group for configuration (#482)

Feature: Update to Envoy 1.10

Minor changes:

Feature: Support removing request headers (thanks @ysaakpr!)

Bugfix: watt should better coalesce calls to the watch hook on startup

Bugfix: Ambassador no longer uses ports 7000 or 18000 (#1526, #1527)

Bugfix: Make sure that Consul discovery properly handles the datacenter name (#1533)

Bugfix: Make sure that the feature-walk code is protected against clusters with no endpoints at all (#1532)

Ambassador 0.61.0

Feature: Support for minimum and maximum TLS versions (#689)

Feature: Allow choosing whether to append or overwrite when adding request or response headers (#1481) - thanks to @ysaakpr

Feature: Support for circuit breakers (#360)

Feature: Support for automatic retries (#1127) - thanks to @l1v3

Feature: Support for shadow traffic weighting - thanks to @nemo83

Feature: Support for HTTP/1.0 (#988) - thanks to @cyrus-mc

Bugfix: Problem with local Consul agent resolver and non-standard HTTP port (#1508)

Bugfix: Round each mapping's weight to an integer to prevent invalid Envoy configurations when using weights (#1289) - thanks to @esmet

Bugfix: Fix deadlock on invalid Envoy configuration (#1491) - thanks to @esmet

Bugfix: Fixed LightStep gRPC TracingService (#1189) - thanks to @sbaum1994

Changes since 0.60.2

When scanning its configuration for secrets and endpoints that must be watched, 0.60.2 could fail with certain configurations if TLS termination but not origination was active. Those failures are fixed now.

Changes since 0.60.1

Ambassador is now much more careful about which endpoints and secrets it pays attention to. (#1465 again -- thanks to @flands and @seandon for the help here!)

Changes since 0.60.0

Speed up initial parsing of WATT snapshots considerably (#1465)

Don't look at secrets in the kube-system namespace, or for service-account tokens.

Make sure that secrets we do look at are correctly associated with their namespaces (#1467 -- thanks to @flands and @derrickburns for their contributions here!)

Allow tuning the number of input snapshots retained for debugging

Include the grab-snapshots.py script to help with debuggability

Changes since 0.53.1

BREAKING CHANGE: Ambassador listens on 8080 and 8443 by default so it does not need to run as root

Ambassador natively supports using Consul for service discovery

AMBASSADOR_ENABLE_ENDPOINTS is no longer needed; configure using the Resolver resource instead

Support for the Maglev load balancing algorithm

Support connect_timeout_ms. Thanks to Pétur Erlingsson.

Support for idle_timeout_ms. Thanks to Aaron Triplett.

Ambassador will properly reload renewed Let's Encrypt certificates (#1416). Thanks to Matthew Ceroni.

Ambassador will now properly redirect from HTTP to HTTPS based on x-forwarded-proto (#1233).

The case_sensitive field now works when host_redirect is set to true (#699). Thanks to Peter Choi and Christopher Coté.

(0.53.0 was immediately supplanted by 0.53.1.)

SECURITY FIXES

Ambassador 0.53.1 addresses two security issues in Envoy Proxy, CVE-2019-9900 and CVE-2019-9901:

CVE-2019-9900 (Score 8.3/High). When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0).

CVE-2019-9901 (Score 8.3/High). Envoy does not normalize HTTP URL paths in Envoy 1.9 and before.

Since these issues can potentially allow a remote attacker to use maliciously-crafted URLs to bypass authentication, anyone running an Ambassador prior to 0.53.1 should upgrade.
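Both issues matter most in front of an authorization decision: a policy that prefix-matches the raw path can be skipped when the upstream resolves dot-segments that the gateway did not, and a NUL byte inside a header value can be read as a terminator by an upstream, so the value the gateway matched on is not the value the upstream sees. The upgrade is the fix; the script below is an added example, not Ambassador or Envoy code, that shows the shape of both problems and gives a check you can run over request records pulled from access logs. The protected prefix, the request records and the normalization rules (decode %2e/%2f, drop empty and "." segments, resolve "..") are constructed for the example.

```python
"""Constructed example for the two Envoy issues fixed in Ambassador 0.53.1.

Not Ambassador or Envoy code. It flags requests whose raw path differs from
its normalized form (and, worse, whose normalized form lands under a protected
prefix that the raw path does not match), and header values carrying an
embedded NUL. The policy and the request records are constructed here.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin",)  # constructed policy: these paths require auth


def normalize_path(raw: str) -> str:
    """Return the path with %2e/%2f escapes decoded and '.'/'..' segments resolved."""
    decoded = re.sub(r"%2[eEfF]", lambda m: unquote(m.group(0)), raw)
    segments: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue            # empty (from "//") and "." segments vanish
        if seg == "..":
            if segments:
                segments.pop()  # ".." cannot climb above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(path: str) -> bool:
    """Prefix match the way a naive auth policy does it, on whatever path it is handed."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def audit_request(req: Dict) -> List[str]:
    """Findings for one request record of the form {"path": str, "headers": {name: value}}."""
    findings = []
    raw = req["path"]
    norm = normalize_path(raw)
    if norm != raw:
        findings.append(f"path not normalized: {raw!r} -> {norm!r}")
    if is_protected(norm) and not is_protected(raw):
        findings.append(f"auth bypass shape: {raw!r} misses the protected prefix "
                        f"but normalizes to {norm!r}")
    for name, value in req["headers"].items():
        if "\x00" in value:
            findings.append(f"embedded NUL in header {name!r}")
    return findings


# Constructed request records, the shape you might extract from access logs.
SAMPLE_REQUESTS = [
    {"path": "/admin/users", "headers": {"host": "api.example.com"}},
    {"path": "/public/../admin/users", "headers": {"host": "api.example.com"}},
    {"path": "/%2e%2e/admin", "headers": {"host": "api.example.com"}},
    {"path": "/healthz", "headers": {"x-forwarded-for": "10.0.0.1\x00203.0.113.9"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for finding in audit_request(req):
            print(f"{req['path']!r}: {finding}")
```

The first record is a legitimate authenticated admin request and produces no finding; the second and third are the normalization case (the third hides the dot-segment behind percent-encoding); the fourth is the NUL case. If your access logs contain lines that trip the second check, treat them as probes and confirm the gateway in front of the affected services is already at or past the Envoy version that normalizes paths.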

UPCOMING CHANGES

Ambassador 0.60 will listen on ports 8080/8443 by default. The diagnostics service in Ambassador 0.52.0 will try to warn you if your configuration will be affected by this change.

Other changes since 0.52.1

AuthService version ambassador/v1 can now explicitly configure how much body data is sent to the external authentication service.

Changes since 0.52.0

You can specify the AMBASSADOR_NO_SECRETS environment variable to prevent Ambassador from watching Kubernetes secrets at all (thanks @esmet!) (#1293)

The services used when you do docker run ambassador --demo have been moved into the Docker image, to remove external dependencies from the Ambassador quickstart.

Changes since 0.51.2

Initial support for endpoint routing, rather than relying on kube-proxy (#1031); set AMBASSADOR_ENABLE_ENDPOINTS in the environment to enable this

Initial support for Envoy ring hashing and session affinity (requires endpoint routing!)

Support Lua filters (thanks to @lolletsoc!)

Support gRPC-Web (thanks to @gertvdijk!) (#456)

Support for gRPC HTTP 1.1 bridge (thanks to @rotemtam!)

Allow configuring num-trusted-hosts for X-Forwarded-For

External auth services using gRPC can now correctly add new headers (#1313)

External auth services correctly add trace spans

Ambassador should respond to changes more quickly now (#1294, #1318)

Ambassador startup should be faster now

Changes since 0.51.1

Cookies are now correctly handled when using external auth services... really. (#1211)

Changes since 0.51.0

Ambassador correctly handles services in namespaces other than the one Ambassador is running in.

0.51.0 is not recommended: upgrade to 0.51.1.

Changes since 0.50.3

Ambassador can now route any TCP connection, using the new TCPMapping resource. (#420)

Cookies are now correctly handled when using external auth services (#1211)

Lots of work in docs and testing under the hood

Limitations in 0.51.0

At present, you cannot mix HTTP and HTTPS upstream services in any Ambassador resource. This restriction will be lifted in a future Ambassador release.

Fixes since 0.50.2

Ambassador saves configuration snapshots as it manages configuration changes. 0.50.3 keeps only 5 snapshots, to bound its disk usage. The most recent snapshot has no suffix; the -1 suffix is the next most recent, and the -4 suffix is the oldest.

Ambassador will not check for available updates more often than once every four hours.

Limitations in 0.50.3

At present, you cannot mix HTTP and HTTPS upstream services in any Ambassador resource. This restriction will be lifted in a future Ambassador release.

Important fixes since 0.50.1

Ambassador no longer requires annotations in order to start -- with no configuration, it will launch with only the diagnostics service available. (#1203)

If external auth changes headers, routing will happen based on the changed values. (#1226)

Other changes since 0.50.1

Ambassador will no longer log errors about Envoy statistics being unavailable before startup is complete (#1216)

The tls attribute is again available to control the client certificate offered by an AuthService (#1202)

Limitations in 0.50.2

At present, you cannot mix HTTP and HTTPS upstream services in any Ambassador resource. This restriction will be lifted in a future Ambassador release.

0.50.1 is not recommended: upgrade to 0.52.0.

Changes since 0.50.0

Ambassador defaults to only doing IPv4 DNS lookups. IPv6 can be enabled in the Ambassador module or in a Mapping. (#944)

An invalid Envoy configuration should not cause Ambassador to hang.

Testing using docker run and docker compose is supported again. (#1160)

Configuration from the filesystem is supported again, but see the "Running Ambassador" documentation for more.

Datawire's default Ambassador YAML no longer asks for any permissions for ConfigMaps.

Ambassador 0.50.0 is a major rearchitecture of Ambassador onto Envoy V2 using the ADS. See the "BREAKING NEWS" section above for more information.

(Note that Ambassador 0.50.0-rc7 and -rc8 were internal releases.)

Changes since 0.50.0-rc6

AMBASSADOR_SINGLE_NAMESPACE is finally correctly supported and properly tested (#1098)

Ambassador won't throw an exception for name collisions between resources (#1155)

A TLS Module can now coexist with SNI (the TLS Module effectively defines a fallback cert) (#1156)

ambassador dump --diag no longer requires you to explicitly state --v1 or --v2

Limitations in 0.50.0 GA

Configuration from the filesystem is not supported in 0.50.0. It will be resupported in 0.50.1.

A TLSContext referencing a secret in another namespace will not function when AMBASSADOR_SINGLE_NAMESPACE is set.

Ambassador 0.50.0-rc6 is a release candidate.

Changes since 0.50.0-rc5

Ambassador watches certificates and automatically updates TLS on certificate changes (#474)

Ambassador no longer saves secrets it hasn't been told to use to disk (#1093)

Ambassador correctly honors AMBASSADOR_SINGLE_NAMESPACE rather than trying to access all namespaces (#1098)

Ambassador correctly honors the AMBASSADOR_CONFIG_BASE_DIR setting again (#1118)

Configuration changes take effect much more quickly than in RC5 (#1148)

redirect_cleartext_from works with no configured secret, to support TLS termination at a downstream load balancer (#1104)

redirect_cleartext_from works with the PROXY protocol (#1115)

Multiple AuthService resources (for canary deployments) work again (#1106)

AuthService with allow_request_body works correctly with an empty body and no Content-Length header (#1140)

Mapping supports the bypass_auth attribute to bypass authentication (thanks, @patricksanders! #174)

The diagnostic service no longer needs to re-parse the configuration on every page load (#483)

Startup is now faster and more stable

The Makefile should do the right thing if your PATH has spaces in it (thanks, @er1c!)

Lots of Helm chart, statsd, and doc improvements (thanks, @Flydiverny, @alexgervais, @bartlett, @victortv7, and @zencircle!)

Ambassador 0.50.0-rc5 is a release candidate.

Changes since 0.50.0-rc4

Websocket connections will now be authenticated if an AuthService is configured #1026

Client certificate authentication should function whether configured from a TLSContext resource or from the old-style TLS module (this is the full fix for [#993])

Ambassador can now switch listening ports without a restart (e.g. switching from cleartext to TLS) #1100

TLS origination certificates (including Istio mTLS) should now function #1071

The diagnostics service should function in all cases. #1096

The Ambassador image is significantly (~500MB) smaller than RC4.

Ambassador 0.50.0-rc4 is a release candidate, and fully supports running under Microsoft Azure.

Changes since 0.50.0-rc3

Ambassador fully supports running under Azure #1039

The proto attribute of a v1 AuthService is now optional, and defaults to http

Ambassador will warn about the use of v0 configuration resources.

Ambassador 0.50.0-rc3 is a release candidate, but see below for an important warning about Azure.

Microsoft Azure

There is a known issue with recently-created Microsoft Azure clusters where Ambassador will stop receiving service updates after running for a short time. This will be fixed in 0.50.0-GA.

Changes since 0.50.0-rc2

The Location and Set-Cookie headers should always be allowed from the auth service when using an ambassador/v0 config #1054

add_response_headers (parallel to add_request_headers) is now supported (thanks, @n1koo!)

host_redirect and shadow both now work correctly #1057, #1069

Kat is able to give better information when it cannot parse a YAML specification.

Ambassador 0.50.0-rc2 fixes some significant TLS bugs found in RC1.

Changes since 0.50.0-rc1:

TLS client certificate verification should function correctly (including requiring client certs).

TLS context handling (especially with multiple contexts and origination contexts) has been made more consistent and correct.

Ambassador is now much more careful about reporting errors in TLS configuration (especially around missing keys).

You can reference a secret in another namespace with secret: $secret_name.$namespace.

Ambassador will now save certificates loaded from Kubernetes to $AMBASSADOR_CONFIG_BASE_DIR/$namespace/secrets/$secret_name.

use_proxy_proto should be correctly supported #1050.

AuthService v1 will default its proto to http (thanks @flands!)

The JSON diagnostics service supports filtering: requesting /ambassador/v0/diag/?json=true&filter=errors, for example, will return only the errors element from the diagnostic output.

Ambassador 0.50.0-rc1 is a release candidate.

Changes since 0.50.0-ea7:

Websockets should work happily with external authentication #1026

A TracingService using a long cluster name works now #1025

TLS origination certificates are no longer offered to clients when Ambassador does TLS termination #983

Ambassador will listen on port 443 only if TLS termination contexts are present; a TLS origination context will not cause the switch

The diagnostics service is working, and correctly reporting errors, again. #1019

timeout_ms in a Mapping works correctly again #990

Ambassador sends additional anonymized usage data to help Datawire prioritize bug fixes, etc. See docs/ambassador/running.md for more information, including how to disable this function.

Ambassador 0.50.0-ea7 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Upcoming major changes:

API version ambassador/v0 will be officially deprecated in Ambassador 0.50.0. API version ambassador/v1 will be the minimum recommended version for resources in Ambassador 0.50.0.

Some resources will change between ambassador/v0 and ambassador/v1 . For example, the Mapping resource will no longer support rate_limits as that functionality will be subsumed by labels .



Changes since 0.50.0-ea6:

Ambassador now supports labels for all Mappings.

Configuration of rate limits for a Mapping is now handled by providing labels in the domain configured for the RateLimitService (by default, this is "ambassador").

Ambassador, once again, supports statsd for statistics gathering.

The Envoy buffer filter is supported.

Ambassador can now use gRPC to call the external authentication service, and also include the message body in the auth call.

It's now possible to use environment variables to modify the configuration directory (thanks @n1koo!).

Setting environment variable AMBASSADOR_KUBEWATCH_NO_RETRY will cause the Ambassador pod to exit, and be rescheduled, if it loses its connection to the Kubernetes API server.

Many dependencies have been updated, most notably including switching to kube-client 8.0.0.

Ambassador 0.50.0-ea6 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Changes since 0.50.0-ea5:

alpn_protocols is now supported in the TLS module and TLSContexts

Using TLSContexts to provide TLS termination contexts will correctly switch Ambassador to listening on port 443.

redirect_cleartext_from is now supported with SNI

Zipkin TracingService configuration now supports 128-bit trace IDs and shared span contexts (thanks, @alexgervais!)

Zipkin should correctly trace calls to external auth services (thanks, @alexgervais!)

AuthService configurations now allow separately configuring headers allowed from the client to the auth service, and from the auth service upstream

Ambassador won't endlessly append :annotation to K8s resources

The Ambassador CLI no longer requires certificate files to be present when dumping configurations

make mypy will run full type checks on Ambassador to help developers

Ambassador 0.50.0-ea5 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Changes since 0.50.0-ea4:

use_remote_address is now set to true by default. If you need the old behavior, you will need to manually set use_remote_address to false in the ambassador Module.

Ambassador 0.50.0-ea5 supports SNI! See the docs for more here.

Header matching is now supported again, including host and method headers.

Ambassador 0.50.0-ea4 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Changes since 0.50.0-ea3:

Ambassador 0.50.0-ea4 uses Envoy 1.8.0.

RateLimitService is now supported. You will need to restart Ambassador if you change the RateLimitService configuration. We expect to lift this restriction in a later release; for now, the diag service will warn you when a restart is required. The RateLimitService also has a new timeout_ms attribute, which allows overriding the default request timeout of 20ms.

GRPC is provisionally supported, but still needs improvements in test coverage.

Ambassador will correctly include its EA number when checking for updates.

Ambassador 0.50.0-ea3 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Changes since 0.50.0-ea2:

TracingService is now supported. You will need to restart Ambassador if you change the TracingService configuration. We expect to lift this restriction in a later release; for now, the diag service will warn you when a restart is required.

Websockets are now supported, including mapping the same websocket prefix to multiple upstream services for canary releases or load balancing.

KAT supports full debug logs by individual Test or Query.

Ambassador 0.50.0 is not yet feature-complete. Read the Limitations and Breaking Changes sections in the 0.50.0-ea1 section below for more information.

Ambassador 0.50.0-ea2 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Changes since 0.50.0-ea1:

Attempting to enable TLS termination without supplying a valid cert secret will result in HTTP on port 80, rather than HTTP on port 443. No error will be displayed in the diagnostic service yet. This is a bug and will be fixed in -ea3.

CORS is now supported.

Logs are no longer full of accesses from the diagnostic service.

KAT supports isolating OptionTests.

The diagnostics service now shows the V2 config actually in use, not V1.

make will no longer rebuild the Python venv so aggressively.

Ambassador 0.50.0 is not yet feature-complete. Read the Limitations and Breaking Changes sections in the 0.50.0-ea1 section below for more information.

Ambassador 0.50.0-ea1 is an EARLY ACCESS release! IT IS NOT SUPPORTED FOR PRODUCTION USE.

Ambassador 0.50.0 is not yet feature-complete. Limitations:

RateLimitService and TracingService resources are not currently supported.

WebSockets are not currently supported.

CORS is not currently supported.

GRPC is not currently supported.

TLS termination is not

statsd integration has not been tested.

The logs are very cluttered.

Configuration directly from the filesystem isn’t supported.

The diagnostics service cannot correctly drill down by source file, though it can drill down by route or other resources.

Helm installation has not been tested.

AuthService does not currently have full support for configuring headers to be sent to the extauth service. At present it sends all the headers listed in allowed_headers plus: Authorization, Cookie, Forwarded, From, Host, Proxy-Authenticate, Proxy-Authorization, Set-Cookie, User-Agent, X-Forwarded-For, X-Forwarded-Host, X-Forwarded, X-Gateway-Proto, and WWW-Authenticate.


BREAKING CHANGES from 0.40.0

Configuration from a ConfigMap is no longer supported.

The authentication Module is no longer supported; use AuthService instead (which you probably already were).

External authentication now uses the core Envoy envoy.ext_authz filter, rather than the custom Datawire auth filter. ext_authz speaks the same protocol, and your existing external auth services should work, however: ext_authz does not send all the request headers to the external auth service (see above in Limitations ).

Circuit breakers and outlier detection are not supported. They will be reintroduced in a later Ambassador release.

Ambassador now requires a TLS Module to enable TLS termination, where previous versions would automatically enable termination if the ambassador-certs secret was present. A minimal Module for the same behavior is:

    ---
    kind: Module
    name: tls
    config:
      server:
        secret: ambassador-certs
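A pre-upgrade check for the breaking changes listed above, as an added example that is not part of this changelog or of the Ambassador project. It walks the documents of a getambassador.io/config annotation and reports the constructs 0.50.0 removes or reinterprets, together with the %CLIENT_IP% removal and the use_remote_address default change recorded elsewhere on this page. Assumptions: the documents are already parsed (PyYAML parsing is omitted and the sample documents are constructed inline as dicts), secrets_present stands in for the Secret names in Ambassador's namespace, and the finding codes are the example's own.

```python
"""Pre-upgrade check for the 0.50.0 breaking changes.

Added example, not Ambassador code. Input documents are the parsed YAML
documents of a getambassador.io/config annotation (parsing omitted);
finding codes are this example's own invention.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

Doc = Dict[str, Any]          # one parsed YAML document from the annotation
Finding = Tuple[str, str]     # (code, human-readable message)

# Dynamic header value dropped with Envoy 1.7.0, and its replacement.
REMOVED_HEADER_VAR = "%CLIENT_IP%"
REPLACEMENT_HEADER_VAR = "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"


def _strings_in(value: Any) -> Iterable[str]:
    """Yield every string nested anywhere inside a parsed YAML value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings_in(item)


def check_upgrade(docs: List[Doc], secrets_present: Iterable[str]) -> List[Finding]:
    """Report constructs in an 0.40-era config that 0.50.0 removes or reinterprets."""
    findings: List[Finding] = []
    secrets = set(secrets_present)
    tls_module: Optional[Doc] = None
    ambassador_module: Optional[Doc] = None

    for doc in docs:
        kind = doc.get("kind")
        name = doc.get("name", "<unnamed>")

        if kind == "Module" and name == "authentication":
            # Breaking change: the authentication Module is gone.
            findings.append(("AUTH_MODULE_REMOVED",
                             "the authentication Module is no longer supported; "
                             "define an AuthService instead"))
        elif kind == "Module" and name == "tls":
            tls_module = doc
        elif kind == "Module" and name == "ambassador":
            ambassador_module = doc

        # Any header value still using %CLIENT_IP% will no longer be expanded.
        if any(REMOVED_HEADER_VAR in text for text in _strings_in(doc)):
            findings.append(("CLIENT_IP_VAR_REMOVED",
                             f"{kind} {name} uses {REMOVED_HEADER_VAR}; "
                             f"use {REPLACEMENT_HEADER_VAR} instead"))

    # Breaking change: TLS termination no longer switches on by itself when the
    # ambassador-certs secret exists; without a tls Module the listener stays HTTP.
    if "ambassador-certs" in secrets and tls_module is None:
        findings.append(("TLS_MODULE_REQUIRED",
                         "ambassador-certs is present but no tls Module is defined; "
                         "add one with config.server.secret: ambassador-certs"))

    # 0.50.0-ea5 flipped the use_remote_address default to true, so a config
    # that never set it explicitly changes behaviour on upgrade.
    config = (ambassador_module or {}).get("config") or {}
    if "use_remote_address" not in config:
        findings.append(("USE_REMOTE_ADDRESS_DEFAULT_CHANGED",
                         "the ambassador Module does not set use_remote_address; "
                         "the default is now true (set false to keep the old behaviour)"))
    return findings


# Constructed sample: an annotation that still uses the removed constructs.
SAMPLE_DOCS: List[Doc] = [
    {"apiVersion": "ambassador/v0", "kind": "Module", "name": "authentication",
     "config": {"auth_service": "example-auth:3000"}},
    {"apiVersion": "ambassador/v0", "kind": "Mapping", "name": "qotm_mapping",
     "prefix": "/qotm/", "service": "qotm",
     "add_request_headers": {"x-client-ip": REMOVED_HEADER_VAR}},
    {"apiVersion": "ambassador/v0", "kind": "Module", "name": "ambassador",
     "config": {"use_proxy_proto": False}},
]

if __name__ == "__main__":
    for code, message in check_upgrade(SAMPLE_DOCS, ["ambassador-certs"]):
        print(f"{code}: {message}")
```

The TLS check is the one worth running before anything else: the ea2 note above records that a missing or invalid TLS setup produced no error in the diagnostics service, so a listener quietly falling back to cleartext is exactly the failure an upgrade can introduce.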

Minor changes:

Feature: Support using environment variables to modify the configuration directory (thanks @n1koo!)

Feature: In Helmfile, support volumeMounts (thanks @kyschouv!)

Bugfix: In Helmfile, correctly quote .Values.namespace.single (thanks @bobby!)

Bugfix: In Helmfile, correctly support NodePort in HTTP and HTTPS (thanks @n1koo!)

Minor changes:

Feature: Support running Ambassador as a Daemonset via Helm (thanks @DipeshMitthalal!)

Feature: Switch to Envoy commit 5f795fe2 to fix a crash if attempting to add headers after using an AuthService (#647, #680)

Minor changes:

Feature: Allow users to override the STATSD_HOST value (#810). Thanks to @rsyvarth.

Feature: Support LightStep distributed tracing (#796). Thanks to @alexgervais.

Feature: Add service label in Helm chart (#778). Thanks to @sarce.

Feature: Add support for load balancer IP in Helm chart (#765). Thanks to @larsha.

Feature: Support prometheus mapping configurations (#746). Thanks to @bcatcho.

Feature: Add support for loadBalancerSourceRanges to Helm chart (#764). Thanks to @mtbdeano.

Feature: Support for namespaces and Ambassador ID in Helm chart (#588, #643). Thanks to @MichielDeMey and @jstol.

Bugfix: Add AMBASSADOR_VERIFY_SSL_FALSE flag (#782, #807). Thanks to @sonrier.

Bugfix: Fix Ambassador single namespace in Helm chart (#827). Thanks to @sarce.

Bugfix: Fix Helm templates and default values (#826).

Bugfix: Add stats-sink back to Helm chart (#763).

Bugfix: Allow setting timeout_ms to 0 for gRPC streaming services (#545). Thanks to @lovers36.

Bugfix: Update Flask to 0.12.3.

Major Changes:

BugFix: The statsd container has been removed by default in order to avoid DoSing Kubernetes DNS. The functionality can be re-enabled by setting the STATSD_ENABLED environment variable to true in the Ambassador deployment YAML (#568).

Docs: Added detailed Ambassador + Istio Integration Documentation on monitoring and distributed tracing. - @feitnomore

Minor Changes:

Docs: Added instructions for running Ambassador with Docker Compose. - @bcatcho

BugFix: Fix Ambassador to more aggressively reconnect to Kubernetes (#554). - @nmatsui

Feature: Diagnostic view displays AuthService, RateLimitService, and TracingService (#730). - @alexgervais

Feature: Enable Ambassador to tag tracing spans with request headers via tag_headers. - @alexgervais

Major changes:

Feature: Default CORS configuration can now be set - @KowalczykBartek

BugFix: Ambassador does not crash with empty YAML config anymore - @rohan47

Minor changes:

DevEx: master is now latest, stable tracks the latest released version

DevEx: release-prep target added to Makefile to facilitate releasing process

DevEx: all tests now run in parallel, taking less time

BugFix: Ambassador SIGCHLD messages are less scary looking now

Major changes:

Feature: Added support for request tracing (by Alex Gervais)

Major changes:

Fix: HEAD requests no longer cause segfaults

Feature: TLS can now be configured with arbitrary secret names, instead of predefined secrets

Change: The Envoy dynamic header value %CLIENT_IP% is no longer supported. Use %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% instead. (This is due to a change in Envoy 1.7.0.)

0.35.3 July 18, 2018: READ THE WARNING ABOVE

Changed

Major changes:

Ambassador is now based on Envoy v1.7.0

Support for X-Forwarded-Proto-based redirection, generally used with Layer 7 load balancers

Support for port-based redirection using redirect_cleartext_from, generally used with Layer 4 load balancers

Specifying HTTP and HTTPS target ports in Helm chart

Other changes:

End-to-end tests can now be run with make e2e command

Helm release automation has been fixed

Multiple end-to-end tests are now executed in parallel, taking less time

Huge revamp to documentation around unit tests

Documentation changes

0.35.2 July 5, 2018: READ THE WARNING ABOVE

Changed

0.35.2 is almost entirely about updates to Datawire testing infrastructure.

The only user-visible change is that Ambassador will do a better job of showing which Kubernetes objects define Ambassador configuration objects when using AMBASSADOR_ID to run multiple Ambassadors in the same cluster.

0.35.1 June 25, 2018: READ THE WARNING ABOVE

Changed

Properly support supplying additional TLS configuration (such as redirect_cleartext_from) when using certificates from a Kubernetes Secret

Update Helm chart to allow customizing annotations on the deployed ambassador Kubernetes Service (thanks @psychopenguin!)

0.35.0 June 25, 2018: READ THE WARNING ABOVE

Changed

0.35.0 re-supports websockets, but see the BREAKING NEWS for an important caveat.

0.35.0 supports running as non-root. See the BREAKING NEWS above for more information.

Make sure regex matches properly handle backslashes, and properly display in the diagnostics service (thanks @alexgervais!).

Prevent kubewatch from falling into an endless spinloop (thanks @mechpen!).

Support YAML array syntax for CORS array elements.

0.34.3 June 13, 2018: READ THE WARNING ABOVE

Changed

0.34.3 cannot support websockets: see the WARNING above.

Fix a possible crash if no annotations are found at all (#519).

Improve logging around service watching and such.

0.34.2 June 11, 2018: READ THE WARNING ABOVE

Changed

0.34.2 cannot support websockets: see the WARNING above.

Ambassador is now based on Envoy 1.6.0!

Ambassador external auth services can now modify existing headers in place, as well as adding new headers.

Re-support the ambassador-cacert secret for configuring TLS client-certificate authentication. Note well that a couple of things have changed in setting this up: you'll use the key tls.crt, not fullchain.pem. See https://www.getambassador.io/reference/auth-tls-certs for more.

Bugfixes

Unbuffer log output for better diagnostics.

Switch to gunicorn instead of Werkzeug for the diag service.

Use the YAML we release as the basis for end-to-end testing.

Changed

When originating TLS, use the host_rewrite value to set outgoing SNI. If no host_rewrite is set, do not use SNI.

Allow disabling external access to the diagnostics service (with thanks to @alexgervais and @dougwilson).

Changed

Fix YAML error on statsd pod.

Changed

Fix support for host_redirect in a Mapping. See the Mapping documentation for more details: the definition of the host_redirect attribute has changed.

(Note that 0.32.1 was an internal release.)

Changed

Fix a bad bootstrap CSS inclusion that would cause the diagnostic service to render incorrectly.

Changed

Traffic shadowing is supported using the shadow attribute in a Mapping

Multiple Ambassadors can now run more happily in a single cluster

The diagnostic service will now show you what AuthService configuration is active

The tls keyword now works for AuthService just like it does for Mapping (thanks @dvavili!)

Changed

Rate limiting is now supported (thanks, @alexgervais!) See the docs for more detail here.

The statsd container has been quieted down yet more (thanks again, @alexgervais!).

Changed

drop the JavaScript statsd for a simple socat -based forwarder

ship an Ambassador Helm chart (thanks @stefanprodan!) Interested in testing Helm? See below!

disable Istio automatic sidecar injection (thanks @majelbstoat!)

clean up some doc issues (thanks @lavoiedn and @endrec!)

To test Helm, make sure you have helm installed and that you have tiller properly set up for your RBAC configuration. Then:

    helm repo add datawire https://www.getambassador.io
    helm upgrade --install --wait my-release datawire/ambassador

You can also use adminService.type=LoadBalancer.

Fixed

The tls module is now able to override TLS settings probed from the ambassador-certs secret

Changed

Support regex matching for prefix (thanks @radu-c!)

Fix docs around AuthService usage

Changed

Default restart timings have been increased. This will cause Ambassador to respond to service changes less quickly; by default, you'll see changes appear within 15 seconds.

Liveness and readiness checks are now enabled after 30 seconds, rather than 3 seconds, if you use our published YAML.

The statsd container is now based on mhart/alpine-node:9 rather than :7.

envoy_override has been reenabled in Mappings.

0.28.1 March 5, 2018 (and 0.28.0 on March 2, 2018)

(Note that 0.28.1 is identical to 0.28.0, and 0.27.0 was an internal release. These are related to the way CI generates tags, which we'll be revamping soon.)

Changed

Support tuning Envoy restart parameters

Support host_regex, method_regex, and regex_headers to allow regular expression matches in Mappings

Support use_proxy_proto and use_remote_address in the ambassador module

Fine-tune the way we sort a Mapping based on its constraints

Support manually setting the precedence of a Mapping, so that there's an escape hatch when the automagic sorting gets it wrong

Expose alpn_protocols in the tls module (thanks @technicianted!)

Make logs a lot quieter

Reorganize and update documentation

Make sure that ambassador dump --k8s will work correctly

Remove a dependency on a ConfigMap for upgrade checks

Changed

The authentication module is deprecated in favor of the AuthService resource type.

Support redirecting cleartext connections on port 80 to HTTPS on port 443

Streamline end-to-end tests and, hopefully, allow them to work well without Kubernaut

Clean up some documentation (thanks @lavoiedn!)

(Note that 0.24.0 was an internal release.)

Changed

CORS support (thanks @alexgervais!)

Updated docs for GKE, Ambassador + Istio, Ordering of Mappings, and Prometheus with Ambassador

Support multiple external authentication service instances, so that canarying extauth services is possible

Correctly support timeout_ms in a Mapping

Various build tweaks and end-to-end test speedups

Changed

Clean up build docs (thanks @alexgervais!)

Support add_request_headers for, uh, adding request headers (thanks @alexgervais!)

Make end-to-end tests and Travis build process a bit more robust

Pin to Kubernaut 0.1.39

Document the use of the develop branch

Don't default to imagePullAlways

Switch to Alpine base with a stripped Envoy image

Changed

Switched to using quay.io rather than DockerHub. If you are not using Datawire's published Kubernetes manifests, you will have to update your manifests!

Switched to building over Alpine rather than Ubuntu. (We're still using an unstripped Envoy; that'll change soon.)

Switched to a proper production configuration for the statsd pod, so that it hopefully chews up less memory.

Make sure that Ambassador won't generate cluster names that are too long for Envoy.

Fix a bug where Ambassador could crash if there were too many egregious errors in its configuration.

Changed

Ambassador will no longer generate cluster names that exceed Envoy's 60-character limit.

Changed

If AMBASSADOR_SINGLE_NAMESPACE is present in the environment, Ambassador will only look for services in its own namespace.

Ambassador Mapping objects now correctly support host_redirect, path_redirect, host_rewrite, auto_host_rewrite, case_sensitive, use_websocket, timeout_ms, and priority.

Changed

If Ambassador finds an empty YAML document, it will now ignore it rather than raising an exception.

Includes the namespace of a service from an annotation in the name of its generated YAML file.

Always process inputs in the same order from run to run.

Changed

Switch to Envoy 1.5 under the hood.

Refocus the diagnostic service to better reflect what's actually visible when you're working at Ambassador's level.

Allow the diagnostic service to display, and change, the Envoy log level.

Changed

Arrange for logs from the subsystem that watches for Kubernetes service changes (kubewatch) to have timestamps and such.

Only do new-version checks every four hours.

Changed

Allow the diag service to look good (well, OK, not too horrible anyway) when Ambassador is running with TLS termination.

Show clusters on the overview page again.

The diag service now shows you the "health" of a cluster by computing it from the number of requests to a given service that didn't involve a 5xx status code, rather than just forwarding Envoy's stat, since we don't configure Envoy's stat in a meaningful way yet.

Make sure that the tests correctly reported failures (sigh).

Allow updating out-of-date diagnostic reports without requiring multiple test runs.

Changed

Ambassador can now use HTTPS upstream services: just use a service that starts with https:// to enable it. By default, Ambassador will not offer a certificate when using HTTPS to connect to a service, but it is possible to configure certificates. Please contact us on Slack if you need to do this.

HTTP access logs appear in the normal Kubernetes logs for Ambassador.

It’s now possible to tell ambassador config to read Kubernetes manifests from the filesystem and build a configuration from the annotations in them (use the --k8s switch).

Documentation on using Ambassador with Istio now reflects Ambassador 0.19.0 and Istio 0.2.12.

Changed

The diagnostics service will now tell you when updates are available.

Changed

The Host header is no longer overwritten when Ambassador talks to an external auth service. It will now retain whatever value the client passes there.

Fixed

Checks for updates weren’t working, and they have been restored. At present you’ll only see them in the Kubernetes logs if you’re using annotations to configure Ambassador — they’ll start showing up in the diagnostics service in the next release or so.

Changed

Allow Mappings to require matches on HTTP headers and Host

Update tests, docs, and diagnostic service for header matching

Fixed

Published YAML resource files will no longer overwrite annotations on the Ambassador service when creating the Ambassador deployment

Changed

Support configuring Ambassador via annotations on Kubernetes services

No need for volume mounts! Ambassador can read configuration and TLS-certificate information directly from Kubernetes to simplify your Kubernetes YAML

Expose more configuration elements for Envoy routes: host_redirect, path_redirect, host_rewrite, auto_host_rewrite, case_sensitive, use_websocket, timeout_ms, and priority get transparently copied

Fixed

Reenable support for gRPC

Changed

Allow docker run to start Ambassador with a simple default configuration for testing

Support host_rewrite in mappings to force the HTTP Host header value for services that need it

Support envoy_override in mappings for odd situations

Allow asking the diagnostic service for JSON output rather than HTML

Changed

Allow the diagnostic service to show configuration errors.

Changed

Have a diagnostic service!

Support cert_required in TLS config

Changed

Support using IP addresses for services.

Check for collisions, so that trying to e.g. map the same prefix twice will report an error.

Enable liveness and readiness probes, and have Kubernetes perform them by default.

Document the presence of the template-override escape hatch.

Changed

Notify (in the logs) if a new version of Ambassador is available.

Changed

Support for non-default Kubernetes namespaces.

Infrastructure for checking if a new version of Ambassador is available.

Changed

Better schema verification.

Changed

Do schema verification of input YAML files.

Changed

Declarative Ambassador! Configuration is now via YAML files rather than REST calls

The ambassador-store service is no longer needed.

Fixed

Update demo-qotm.yaml with the correct image tag.

Changed

Properly support proxying all methods to an external authentication service, with headers intact, rather than moving request headers into the body of an HTTP POST.

Changed

Make TLS work with standard K8s TLS secrets, and completely ditch push-cert and push-cacert.

Fixed

Move Ambassador out from behind Envoy, so that you can use Ambassador to fix things if you completely botch your Envoy config.

Let Ambassador keep running if Envoy totally chokes and dies, but make sure the pod dies if Ambassador loses access to its storage.

Fixed

Fix broken doc paths and simplify building as a developer. 0.10.8, 0.10.9, and 0.10.10 were all stops along the way to getting this done; hopefully we'll be able to reduce version churn from here on out.

Changed

More CI-build tweaks.

Changed

Fix automagic master build tagging

Changed

Many changes to the build process and versioning. In particular, CI no longer has to commit files.

Added

Changelog

Added

Ambassador supports GRPC services (and other HTTP/2-only services) using the GRPC module

Fixed

Minor typo in Ambassador's Dockerfile that breaks some versions of Docker

Changed

Made development a little easier by automating dev version numbers so that modified Docker images update in Kubernetes

Updated BUILDING.md

Added

Ambassador supports HTTP Basic Auth

Ambassador now has the concept of modules to enable and configure optional features such as auth

Ambassador now has the concept of consumers to represent end-users of mapped services

Ambassador supports auth via an external auth server

Basic auth is covered in Getting Started. Learn about modules and consumers and see an example of external auth in About Mappings, Modules, and Consumers.

Changed

State management (via Ambassador store) has been refactored

Switched to Ambassador-Envoy for the base Docker image

Added

Mappings can now be updated

Added

Ambassador interoperates with Istio -- see Ambassador and Istio

There is additional documentation for statistics and monitoring

Fixed

Bug in mapping change detection

Release machinery issues

Added

Ambassador releases are now performed by Travis CI

Changed

Documentation updates

Added

Ambassador has a website!

Ambassador supports auth via TLS client certificates

There are some additional helper scripts in the scripts directory

Changed

Ambassador's admin interface is now on local port 8888 while mappings are available on port 80/443 depending on whether TLS is enabled

Multiple instances of Ambassador talking to the same Ambassador Store pod will pick up each other's changes automatically

Added

Ambassador can rewrite the request URL path prefix before forwarding the request to your service (covered in Getting Started)

Ambassador supports additional stats aggregators: Datadog, Grafana

Changed

Services are now known as mappings

Minikube is supported again

Removed

The Ambassador SDS has been removed; Ambassador routes to service names

Added

Ambassador includes a local statsd so that full stats from Envoy can be collected and pushed to a stats aggregator (Prometheus is supported)

Changed

It's easier to develop Ambassador thanks to improved build documentation and Makefile fixes

Added

Ambassador supports inbound TLS

YAML for a demo user service is now included

Changed

The geturl script supports Minikube and handles AWS better

Documentation and code cleanup

Changed

Ambassador now reconfigures Envoy automatically once changes have settled for five seconds

Envoy stats and Ambassador stats are separate

Mappings no longer require specifying the port as it is not needed

Fixed

SDS does the right thing with unnamed ports

Added

Envoy stats accessible through Ambassador

Basic interpretation of cluster stats

Changed

Split up ambassador.py into multiple files

Switch to a debug build of Envoy

Changed

Ambassador configuration on /ambassador-config/ prefix rather than exposed on port 8001

Updated to current Envoy and pinned the Envoy version

Use Bumpversion for version management

Conditionalized Docker push

Fixed

Ambassador keeps running with an empty services list (part 2)

Fixed

Ambassador SDS correctly handles ports

Changed

Ambassador keeps running with an empty services list

Easier to run with Telepresence

Added

Initial Ambassador

Ambassador service discovery service

Documentation

Based on Keep a Changelog. Ambassador follows Semantic Versioning.