Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[release/v1.3] v1.3.0-rc.1 release note
Signed-off-by: Guy Daich <[email protected]>
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| v1.3.0-rc.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| date: January 23, 2025 | ||
|
|
||
| # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. | ||
| breaking changes: | | ||
| The Container `ports` field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version. | ||
| ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. | ||
| An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension. | ||
| Outlier detection (passive health check) is now disabled by default. | ||
| refer to https://gateway.envoyproxy.io/docs/api/extension_types/#backendtrafficpolicy for working with passive health checks. | ||
| Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an "Internal Server Error" immediate response. The previous behavior can be enabled by setting the `failOpen` field to `true` in the extension service configuration. | ||
| Envoy Gateway now return a 500 response when a ClientTrafficPolicy translation fails for HTTP/GRPC routes, and forwards. | ||
| client traffic to an empty cluster when a ClientTrafficPolicy translation fails for TCP routes. | ||
| Any issues with `EnvoyProxy` reference in a `Gateway` will prevent the Envoy fleet from being created or result in the deletion of an existing Envoy fleet. | ||
| Envoy Gateway now returns a 500 response when a BackendTLSPolicy translation fails for HTTP/GRPC/TLS routes. | ||
| # Updates addressing vulnerabilities, security flaws, or compliance requirements. | ||
| security updates: | | ||
| Fixed vulnerability which exposed the Envoy admin interface through the prometheus stats endpoint. | ||
| # New features or capabilities added in this release. | ||
| new features: | | ||
| Added support for trusted CIDRs in the ClientIPDetectionSettings API. | ||
| Added support for sending attributes to external processor in EnvoyExtensionPolicy API. | ||
| Added support for patching EnvoyProxy.spec.provider.kubernetes.envoyHpa and EnvoyProxy.spec.provider.kubernetes.envoyPDB. | ||
| Added support for defining rateLimitHpa in EnvoyGateway API. | ||
| Added support for preserving the user defined HTTPRoute match order in EnvoyProxy API. | ||
| Added support for response compression in the BackendTrafficPolicy API. | ||
| Added support for cost specifier in the rate limit API. | ||
| Added support for specifying dynamic metadata namespaces that External Processing services can access read from and write to in EnvoyExtensionPolicy API. | ||
| Added support for API Key Authentication in the SecurityPolicy API. | ||
| Continue using and drain endpoints during their graceful termination, as indicated by their respective EndpointConditions. | ||
| Added support for GEP-1731 (HTTPRoute Retries). | ||
| Added support for routing to Backend resources in the GRPCRoute, TCPRoute and UDPRoute APIs. | ||
| Added support for configuring Max GRPC message size for the Extension Manager in EnvoyGateway config. | ||
| Added support for configuring tracing sampling rate with Fraction. | ||
| Added support for dynamic reload of System WellKnownCACertificates in BackendTLSPolicy. | ||
| Added support for overriding status code in response overrides ClientTrafficPolicy. | ||
| Added support for AllowModeOverride for ext-proc in EnvoyExtensionPolicy. | ||
| Added support for configuring remote JWKS settings with BackendCluster in SecurityPolicy. | ||
| Added support for infra deployment in the gateway namespace. | ||
| Added support for sending body to Ext-Auth server in SecurityPolicy. | ||
| Added support for Sending attributes to ext-proc in EnvoyExtensionPolicy. | ||
| Added support for configuring hostEnvKeys for Wasm extensions in EnvoyExtensionPolicy. | ||
| bug fixes: | | ||
| Fixed a panic in the provider goroutine when the body in the direct response configuration was nil. | ||
| Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes. | ||
| Fixed failed to update SecurityPolicy resources with the `backendRef` field specified. | ||
| Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname. | ||
| Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn. | ||
| Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. | ||
| Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs. | ||
| Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected. | ||
| Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined. | ||
| Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration. | ||
| Fixed traffic splitting not working when some backends were invalid. | ||
| Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend. | ||
| Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint. | ||
| Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter. | ||
| Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid. | ||
| Fixed unexpected port number shifting in standalone mode. | ||
| Fixed an issue where the shutdown-manager did not respect the security context of the container spec. | ||
| Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters. | ||
| Fixed IPv6 dual-stack support not working as intended. | ||
| Fixed the ability to overwrite control plane certs with the certgen command by using a new command arg (-o). | ||
| Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap. | ||
| Fixed prometheus format conversion of ratelimit metrics for remote address. | ||
| Fixed limitations that prevented creation of FQDN Endpoints with a single-character subdomain in Backend. | ||
| Fixed issue where SecurityContext of shutdown-manager container was not updated by overriding helm values. | ||
| Fixed issue with incorrect IPFamily detection for backends. | ||
| Gateway API Route rule name is propagated to XDS metadata as sectionName. | ||
| # Other notable changes not covered by the above sections. | ||
| Other changes: | | ||
| Bumped Gateway API to v1.2.1. | ||
| Use `V4_PREFERRED` instead of `V4_ONLY` by default for the cluster's `DnsLookupFamily`. | ||
| EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack. | ||
| Modified the base container image to gcr.io/distroless/base-nossl:nonroot. | ||
| [SecurityPolicy] Modify the JWT Provider Issuer validation constraint. | ||
| Add support for Kubernetes 1.32.x in the test matrix, and remove support for Kubernetes 1.28.x. | ||
| Added metrics and dashboards for Envoy Gateway panics in watchables. | ||
| Bumped go-control-plane to v0.13.4. | ||
| Envoy Gateway now validates all XDS resources are before adding them to the snapshot. | ||
| Increased the maximum amount of endpoints to 64 in Backend. | ||
| Envoy Gateway would recover from panics in the reconciliation flow. | ||
| Bumped Golang to 1.23.3. | ||
| Added e2e test for BackendTLSPolicy with System Truststore. | ||
| Added e2e test for response code override. | ||
| Added e2e test remote JWKS Backend Cluster settings. | ||
| Added e2e test for GRPCRoute, TCPRoute and UDPRoute referencing Backend. | ||
| Added e2e test for ratelimit cost. | ||
| Added e2e test for XFF Trusted CIDRs. | ||
| Added e2e test for Compression. | ||
| Added e2e test for API Key Auth. | ||
| Added e2e test for Ext-Proc Metadata Options. | ||
| Added e2e test for Route order preservation. | ||
| Added e2e test for OIDC provider with TLS. | ||
| Added e2e test for Basic Auth. | ||
| Added e2e tests for IPv6. | ||
| Added e2e test for Ext-Proc Attributes. | ||
| Added docs for using OIDC provider with self-singed certificate. | ||
| Added docs for using dual-stack. | ||
| Fixed docs for Extension Server RBAC requirements. | ||
| Added docs for patching bootstrap config with JSONPatch using EnvoyProxy. | ||
| Added docs for standalone mode. | ||
| Added docs for OIDC cookieDomain. | ||
| Added docs for Response Override. | ||
| Added note on CRD upgrades. | ||
| Added docs for failover. | ||
|
Check failure on line 117 in release-notes/v1.3.0-rc.1.yaml
|
||
Oops, something went wrong.