Gloo Enterprise

Gloo Enterprise

v1.5.10

Dependency Bumps

• gloo/solo-io has been upgraded to v1.5.10.

v1.5.9

Dependency Bumps

• gloo/solo-io has been upgraded to v1.5.9.

Helm Changes

• Setting resource limits for the api server deployment no longer requires apiServer.Enterprise to be true. (https://github.com/solo-io/gloo/issues/3793)
• Fixes bug where rate limit gateway proxy pod is still being created even when gateway proxy is disabled (https://github.com/solo-io/gloo/issues/3751)

v1.6.0-beta8

Dependency Bumps

• solo-io/ext-auth-service has been upgraded to v0.7.0.
• gloo/solo-io has been upgraded to v1.6.0-beta10.

Helm Changes

• Setting resource limits for the api server deployment no longer requires apiServer.Enterprise to be true. (https://github.com/solo-io/gloo/issues/3793)
• Fixes bug where rate limit gateway proxy pod is still being created even when gateway proxy is disabled (https://github.com/solo-io/gloo/issues/3751)
• Add a new helm value, license_secret_name, which defines the name of the license key kubernetes secret. This enables users to run a full gitops workflow where they manage their own kubernetes license key secrets. (https://github.com/solo-io/gloo/issues/3789)
• refactoring comments so that the comments don’t appear in the rendered helm template. (https://github.com/solo-io/solo-projects/issues/1954)

Fixes

• Modals in Gloo UI are able to be closed by hitting escape. Modal borders have been debugged. (https://github.com/solo-io/solo-projects/issues/1955)

v1.5.8

Fixes

• Add logout url support to OIDC. (https://github.com/solo-io/gloo/issues/3328)
• URLs with query params will redirect correctly with OIDC. (https://github.com/solo-io/gloo/issues/3765)
• Allow forwarding ID token as upstream header (https://github.com/solo-io/gloo/issues/3816)
• Allow storing session data in redis session when using OIDC. (https://github.com/solo-io/gloo/issues/3656)

v1.5.7

Helm Changes

• This change stops Upstream, Service, ConfigMap, and Deployment objects from being created for gateway proxies if “disabled = true” under the helm chart values override. (https://github.com/solo-io/gloo/issues/3751)
• added image pull secrets check to all deployments and refactored existing image pull secrets checks (https://github.com/solo-io/gloo/issues/3269)

v1.6.0-beta7

Helm Changes

• This change stops Upstream, Service, ConfigMap, and Deployment objects from being created for gateway proxies if “disabled = true” under the helm chart values override. (https://github.com/solo-io/gloo/issues/3751)
• added image pull secrets check to all deployments and refactored existing image pull secrets checks (https://github.com/solo-io/gloo/issues/3269)

New Features

• Allow forwarding ID token as upstream header (https://github.com/solo-io/gloo/issues/3816)

v1.5.6

Dependency Bumps

• solo-kit/gloo has been upgraded to v1.5.6.

Helm Changes

• Add resource limits to helm config for all deployments. (https://github.com/solo-io/gloo/issues/2979)

v1.6.0-beta6

Dependency Bumps

• solo-io/ext-auth-service has been upgraded to v0.6.19.

Helm Changes

• Added the ability to enable client-side sharding for scaling Redis replicas. (https://github.com/solo-io/gloo/issues/3269)

New Features

• Make the token introspection response available in the request state for use by extauth plugins on the chain. (https://github.com/solo-io/gloo/issues/3767)

v1.5.5

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.5.

Fixes

• Expose apiserver over HTTPS using custom certs. (https://github.com/solo-io/gloo/issues/3384)

v1.6.0-beta5

Dependency Bumps

• envoy-gloo-ee/solo-io has been upgraded to v1.17.0-rc1.
• gloo/solo-io has been upgraded to v1.16.0-beta3.

Helm Changes

• Add resource limits to helm config for all deployments. (https://github.com/solo-io/gloo/issues/2979)
• Removed the global.wasm.enabled HELM value for toggling experimental wasm support. Wasm is now enabled by default. This flag is no longer required as there is no more need for a separate gateway-proxy image since wasm support was merged into upstream envoy. (https://github.com/solo-io/gloo/issues/3753)

New Features

• Use official wasm support from upstream envoy, rather than envoy-wasm fork. (https://github.com/solo-io/gloo/issues/3753)
• Expose apiserver over HTTPS using custom certs. (https://github.com/solo-io/gloo/issues/3384)

Fixes

• Fix the grpc service names in health checks. This fixes a regression that was introduced in Gloo enterprise v1.5.0-beta8 and v1.4.7. Without this fix, the rate-limit and ext-auth grpc services will fail health checks and go into panic mode (which by default, ignores health checks, so requests still work). (https://github.com/solo-io/gloo/issues/3745)
• Add logout url support to OIDC. (https://github.com/solo-io/gloo/issues/3328)
• URLs with query params will redirect correctly with OIDC. (https://github.com/solo-io/gloo/issues/3765)
• Correct observability watch namespace behavior to default to all namespaces if none are provided. (https://github.com/solo-io/gloo/issues/3060)
• Allow storing session data in redis session when using OIDC. (https://github.com/solo-io/gloo/issues/3656)
• No longer let the api-server create a default settings CRD when none is provided. (https://github.com/solo-io/gloo/issues/3677)
• When Proxies are viewed in the Gloo admin UI, render the entire Proxy spec, even if it is compressed. Compression is determined by the presence of the gloo.solo.io/compress annotation on the Proxy. (https://github.com/solo-io/gloo/issues/3718)

v1.5.4

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.3.

v1.5.3

Fixes

• Correct observability pod to watch all namespaces if none are provided. V1.5 backport. (https://github.com/solo-io/gloo/issues/3060)
• When Proxies are viewed in the Gloo admin UI, render the entire Proxy spec, even if it is compressed. Compression is determined by the presence of the gloo.solo.io/compress annotation on the Proxy. (https://github.com/solo-io/gloo/issues/3718)

v1.5.2

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.2.

Fixes

• No longer let the api-server create a default settings CRD when none is provided. (https://github.com/solo-io/gloo/issues/3677)
• Fix the grpc service names in health checks. This fixes a regression that was introduced in Gloo enterprise v1.5.0-beta8 and v1.4.7. Without this fix, the rate-limit and ext-auth grpc services will fail health checks and go into panic mode (which by default, ignores health checks, so requests still work). (https://github.com/solo-io/gloo/issues/3745)

v1.5.1

Helm Changes

• Fix helm chart to honor .Values.settings.replaceInvalidRoutes value. (https://github.com/solo-io/gloo/issues/3619)
• Add the ability to specify a number of replicas for the redis, rate-limit, apiserver, and observability deployments via helm values. Note: Extra redis replicas still won’t scale properly until https://github.com/solo-io/gloo/issues/3269 is addressed. (https://github.com/solo-io/gloo/issues/3262)
• Add the ability to NOT specify a number of replicas for the redis, rate-limit, apiserver, observability and extAuth deployments explicitly in deployments. This prevents issues when using flux and horizontal autoscaling. See https://docs.fluxcd.io/en/1.18.0/faq.html#how-can-i-prevent-flux-overriding-the-replicas-when-using-hpa for more details. (https://github.com/solo-io/gloo/issues/2650)

Fixes

• Expose apiserver over HTTPS using self-signed certs when running in glooMtls mode. (https://github.com/solo-io/gloo/issues/3384)
• Ensure the rest of our docker containers run with user 10101 rather than root (https://github.com/solo-io/gloo/issues/3346)
• With each release, we will additionally be publishing an alternate set of docker containers (tagged as usual but with the “-extended” suffix) that have some additional dependencies built in (e.g., curl for debugging). You can deploy these images by setting the helm value global.image.extended=true. (https://github.com/solo-io/gloo/issues/3399)
• Implement AuthConfig API that allows users to specify a boolean expression to determine how to evaluate auth configs within an auth chain. Previously, each config on an auth config must be authorized for the entire request to be authorized. This remains the default, but now users can additionally specify a boolean expression (the booleanExpr field on an auth config) to reference the auth configs and AND/OR/NOT them together to achieve the desired access policy. (https://github.com/solo-io/gloo/issues/3207)
• Prohibit duplicate route names for routes with Basic rate limits configured. (https://github.com/solo-io/gloo/issues/3674)
• Upgrade base image for grpcserver-enovy image (https://github.com/solo-io/gloo/issues/3617)
• Upgrade base image for grpcserver-ui image (https://github.com/solo-io/gloo/issues/3616)

v1.6.0-beta4

This release contained no user-facing changes.

v1.6.0-beta3

This release build failed.

This release contained no user-facing changes.

v1.6.0-beta2

This release build failed.

This release contained no user-facing changes.

v1.6.0-beta1

This release build failed.

Helm Changes

• Fix helm chart to honor .Values.settings.replaceInvalidRoutes value. (https://github.com/solo-io/gloo/issues/3619)
• Add the ability to specify a number of replicas for the redis, rate-limit, apiserver, and observability deployments via helm values. Note: Extra redis replicas still won’t scale properly until https://github.com/solo-io/gloo/issues/3269 is addressed. (https://github.com/solo-io/gloo/issues/3262)
• Add the ability to NOT specify a number of replicas for the redis, rate-limit, apiserver, observability and extAuth deployments explicitly in deployments. This prevents issues when using flux and horizontal autoscaling. See https://docs.fluxcd.io/en/1.18.0/faq.html#how-can-i-prevent-flux-overriding-the-replicas-when-using-hpa for more details. (https://github.com/solo-io/gloo/issues/2650)

New Features

• Expose apiserver over HTTPS using self-signed certs when running in glooMtls mode. (https://github.com/solo-io/gloo/issues/3384)
• With each release, we will additionally be publishing an alternate set of docker containers (tagged as usual but with the “-extended” suffix) that have some additional dependencies built in (e.g., curl for debugging). You can deploy these images by setting the helm value global.image.extended=true. (https://github.com/solo-io/gloo/issues/3399)
• Implement new AuthConfig API that allows users to specify a boolean expression to determine how to evaluate auth configs within an auth chain. Previously, each config on an auth config must be authorized for the entire request to be authorized. This remains the default, but now users can additionally specify a boolean expression (the booleanExpr field on an auth config) to reference the auth configs and AND/OR/NOT them together to achieve the desired access policy. (https://github.com/solo-io/gloo/issues/3207)

Fixes

• Ensure the rest of our docker containers run with user 10101 rather than root (https://github.com/solo-io/gloo/issues/3346)
• Fix NPE when secret ref is missing. (https://github.com/solo-io/solo-projects/issues/1908)
• Prohibit duplicate route names for routes with Basic rate limits configured. (https://github.com/solo-io/gloo/issues/3674)
• Upgrade base image for grpcserver-enovy image (https://github.com/solo-io/gloo/issues/3617)
• Upgrade base image for grpcserver-ui image (https://github.com/solo-io/gloo/issues/3616)

v1.4.6-patch2

This release contained no user-facing changes.

v1.4.6-patch1

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.8-patch1.

v1.5.0

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0.
• solo-io/envoy-gloo-ee has been upgraded to v1.16.0-rc6.

v1.4.16

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.15.1-patch2.

Fixes

• Upgrade envoy-gloo version to fix seg fault in aws lambda filter (https://github.com/solo-io/gloo/issues/3684)
• Upgrade envoy-gloo-ee version to handle CVE-2020-25017 and CVE-2020-25018 (https://github.com/solo-io/gloo/issues/3687)

v1.3.14

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.14.5-patch1.

Fixes

• Upgrade envoy-gloo version to fix seg fault in aws lambda filter (https://github.com/solo-io/gloo/issues/3684)
• Upgrade envoy-gloo-ee version to handle CVE-2020-25017 and CVE-2020-25018 (https://github.com/solo-io/gloo/issues/3687)

v1.5.0-beta12

marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.16.0-rc5.
• solo-io/gloo has been upgraded to v1.5.0-beta26.

New Features

• Allow users to specify rate limits at the route level using the Gloo basic rate limit API. (https://github.com/solo-io/gloo/issues/2517)

Fixes

• Upgrade envoy-gloo-ee version to handle CVE-2020-25017 and CVE-2020-25018 (https://github.com/solo-io/gloo/issues/3687)

v1.4.15

marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

Dependency Bumps

• solo-io/ext-auth-service has been upgraded to v0.6.12-patch1.

v1.5.0-beta11

marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta25.

Fixes

• Allow skipping the body processing in the WAF filter. (https://github.com/solo-io/gloo/issues/3540)

v1.4.14

marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

Fixes

• Allow skipping the body processing in the WAF filter. (https://github.com/solo-io/gloo/issues/3540)

v1.4.13

Fixes

• The virtual services list page’s table view crashed when there was an error with the virtual service. (https://github.com/solo-io/gloo/issues/3521)

v1.5.0-beta10

This release contained no user-facing changes.

v1.4.12

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.12.

v1.5.0-beta9

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta20.

Helm Changes

• Can now add custom labels to the deployments added by gloo-E (that aren’t from subcharts) (https://github.com/solo-io/gloo/issues/3441)

Fixes

• The extauth service now supports tls connections to the extauth service itself using a kubernetes secret rather than using cert and key files. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service by setting the helm value global.extensions.extAuth.tlsEnabled to true. To pull the cert and key from a kubernetes secret, set the helm value global.extensions.extAuth.secretName to the name of the tls secret containing the tls.crt and tls.key data. Note that the secret must be in the same namespace as the extauth deployment. (https://github.com/solo-io/gloo/issues/3430)
• Add DNS resolution to Failover Endpoints (https://github.com/solo-io/gloo/issues/3565)
• Allow user to create resources even when running a namespaced version of glooE. (https://github.com/solo-io/solo-projects/issues/1847)
• Fix opentracing causing envoy failure. Adds type-checking for all envoy go-control-plane data structures. (https://github.com/solo-io/gloo/issues/3496)
• Remove the unused Rate Limit feature from the gloo UI. (https://github.com/solo-io/gloo/issues/3484)
• The virtual services list page’s table view crashed when there was an error with the virtual service. (https://github.com/solo-io/gloo/issues/3521)

v1.4.11

Helm Changes

• Fix the multi dataplane per proxy helm functionality (global.extensions.dataplanePerProxy, default false) that was introduced in Gloo v1.4.7. Since Gloo v1.4.7, if users provided multiple proxies (not a default install) and dataplanePerProxy was false, then the Gloo Enterprise chart would also try to install duplicates of some extauth, ratelimit, and redis resources; this would fail those installations/upgrades. (https://github.com/solo-io/gloo/issues/3516)

Fixes

• Removes crd permissions from the apiserver-ui Role so namespaced glooE can be installed by a namespaced user. (https://github.com/solo-io/gloo/issues/3424)
• The extauth service now supports tls connections to the extauth service itself using a kubernetes secret rather than using cert and key files. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service by setting the helm value global.extensions.extAuth.tlsEnabled to true. To pull the cert and key from a kubernetes secret, set the helm value global.extensions.extAuth.secretName to the name of the tls secret containing the tls.crt and tls.key data. Note that the secret must be in the same namespace as the extauth deployment. (https://github.com/solo-io/gloo/issues/3430)

v1.5.0-beta8

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta19.
• solo-io/ext-auth-service has been upgraded to v0.6.15.
• serialize-javascript/gloo-ui has been upgraded to 3.1.0.
• dot-prop/gloo-ui has been upgraded to 4.2.1.

Helm Changes

• The bootstrap configuration for the Envoy sidecar that handles traffic between the Gloo Enterprise Admin Dashboard and the API server is now exposed as a ConfigMap named default-apiserver-envoy-config. This ConfigMap is installed by default by the Gloo Enterprise Helm chart. Users can provide their own custom bootstrap configuration for the sidecar via the new apiServer.deployment.envoy.bootstrapConfig.configMapName Helm value. The value must contain the name of a ConfigMap that is present in the same namespace as the api-server deployment. This ConfigMap must contain the Envoy bootstrap configuration in YAMl format under a data entry named config.yaml. (https://github.com/solo-io/gloo/issues/3477)
• Add the new helm value global.extensions.dataplanePerProxy (default false). When true, Gloo will deploy a set of dataplane resources for each proxy deployment (i.e., gateway/ingress). These resources include the extauth server and rate limit server, as well as their dependent resources. Note that if dataplanePerProxy is enabled, that each Gateway resource will need to be updated to point to their respective dataplane, via the gatewayProxies.NAME.gatewaySettings.customHttpGateway and/or the gatewayProxies.NAME.gatewaySettings.customHttpsGateway helm values. (https://github.com/solo-io/gloo/issues/3236)
• Add helm value for rate limit descriptors in settings. (https://github.com/solo-io/gloo/issues/3422)

New Features

• Allow adding arbitrary API key secret data to the headers of successfully authorized requests. (https://github.com/solo-io/gloo/issues/3385)
• Allow users to change the name of the header that the Gloo Enterprise external auth server inspects for API keys. (https://github.com/solo-io/gloo/issues/3390)
• The API keys can now be provided as simple Kubernetes secrets. Instead of being nested in a YAML document inside the secret data, the key is now simply the value of the api-key data key. This change is backwards compatible, i.e. Gloo will still support existing secrets with the old format. glooctl create secret apikey will now generate secrets with the new format. (https://github.com/solo-io/gloo/issues/3472)

Fixes

• Removes crd permissions from the apiserver-ui Role so namespaced glooE can be installed by a namespaced user. (https://github.com/solo-io/gloo/issues/3424)
• Update the version of golang Gloo was built with from 1.14.0 to 1.14.6, to pickup patch fixes to go; most notably, a workaround in go for a bug in affected Linux kernels (5.2.x, 5.3.0-5.3.14, 5.4.0-5.4.1) that could result in a corrupted AVX register and crash Gloo. (https://github.com/solo-io/gloo/issues/3493)
• Display error messages when there is an unexpected error with the ListEnvoyDetails API call. (https://github.com/solo-io/gloo/issues/3512)
• Resolve helm warnings during installation regarding customReadinessProbe (https://github.com/solo-io/gloo/issues/3467)
• Allow path overrides in http health checks on a per-host basis. (https://github.com/solo-io/gloo/issues/2821)

v1.3.13

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.32.
• solo-io/solo-kit has been upgraded to v0.13.8.

v1.4.10

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.11.

v1.4.9

Helm Changes

• The bootstrap configuration for the Envoy sidecar that handles traffic between the Gloo Enterprise Admin Dashboard and the API server is now exposed as a ConfigMap named default-apiserver-envoy-config. This ConfigMap is installed by default by the Gloo Enterprise Helm chart. Users can provide their own custom bootstrap configuration for the sidecar via the new apiServer.deployment.envoy.bootstrapConfig.configMapName Helm value. The value must contain the name of a ConfigMap that is present in the same namespace as the api-server deployment. This ConfigMap must contain the Envoy bootstrap configuration in YAMl format under a data entry named config.yaml. (https://github.com/solo-io/gloo/issues/3477)

Fixes

• Display error messages when there is an unexpected error with the ListEnvoyDetails API call. (https://github.com/solo-io/gloo/issues/3512)

v1.4.8

Fixes

• Allow path overrides in http health checks on a per-host basis. (https://github.com/solo-io/gloo/issues/2821)

v1.4.7

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.9.

Helm Changes

• Add the new helm value global.extensions.dataplanePerProxy (default false). When true, Gloo will deploy a set of dataplane resources for each proxy deployment (i.e., gateway/ingress). These resources include the extauth server and rate limit server, as well as their dependent resources. Note that if dataplanePerProxy is enabled, that each Gateway resource will need to be updated to point to their respective dataplane, via the gatewayProxies.NAME.gatewaySettings.customHttpGateway and/or the gatewayProxies.NAME.gatewaySettings.customHttpsGateway helm values. (https://github.com/solo-io/gloo/issues/3236)
• Add helm value for rate limit descriptors in settings. (https://github.com/solo-io/gloo/issues/3422)

Fixes

• Update the version of golang Gloo was built with from 1.14.0 to 1.14.6, to pickup patch fixes to go; most notably, a workaround in go for a bug in affected Linux kernels (5.2.x, 5.3.0-5.3.14, 5.4.0-5.4.1) that could result in a corrupted AVX register and crash Gloo. (https://github.com/solo-io/gloo/issues/3493)

v1.5.0-beta7

Dependency Bumps

• elliptic/elliptic has been upgraded to 4.11.9.
• solo-io/gloo has been upgraded to v1.5.0-beta16.
• solo-io/gloo has been upgraded to v1.5.0-beta14.

Helm Changes

• In v1.4.0-beta8 the api-server service was changed from a NodePort service to a ClusterIP service, so that it is not available outside of the cluster. Now the service type is configurable in case users still want to make the service accessible outside the cluster. (https://github.com/solo-io/gloo/issues/3318)

Fixes

• Correct the upstream name on auto-generated Observability dashboards for manually-added Kubernetes upstreams. (https://github.com/solo-io/gloo/issues/3061)
• An authconfig missing a clientSecretRef will no longer segfault (https://github.com/solo-io/gloo/issues/3358)

v1.4.6

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.8.

Helm Changes

• In v1.4.0-beta8 the api-server service was changed from a NodePort service to a ClusterIP service, so that it is not available outside of the cluster. Now the service type is configurable in case users still want to make the service accessible outside the cluster. (https://github.com/solo-io/gloo/issues/3318)

Fixes

• Correct the upstream name on auto-generated Observability dashboards for manually-added Kubernetes upstreams. (https://github.com/solo-io/gloo/issues/3061)
• An authconfig missing a clientSecretRef will no longer segfault (https://github.com/solo-io/gloo/issues/3358)

v1.4.5

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to v1.15.0-patch1.
• solo-io/gloo has been upgraded to v1.4.6.

Fixes

• Update envoy to support emitting proxy latency timings to access log via dynamic metadata. (https://github.com/solo-io/gloo/issues/3392)

v1.5.0-beta6

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to v1.15.0-patch1.
• solo-io/gloo has been upgraded to v1.5.0-beta12.

Fixes

• Update envoy to support emitting proxy latency timings to access log via dynamic metadata. (https://github.com/solo-io/gloo/issues/3392)

v1.5.0-beta5

This release build failed. Some images weren’t built and pushed properly, do not attempt to use this release.

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta11.

New Features

• Add support for wasm-enabled gloo-ee (https://github.com/solo-io/gloo/issues/3035)

v1.5.0-beta4

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta10.

v1.5.0-beta3

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta8.
• lodash/lodash has been upgraded to 4.7.19.
• solo-io/dev-portal has been upgraded to v0.1.12.
• solo-io/go-utils has been upgraded to v0.16.5.
• solo-io/rate-limiter has been upgraded to v0.1.0.
• solo-io/solo-kit has been upgraded to v0.13.9.

New Features

• Gloo Enterprise now supports enforcing rate limit policies using RateLimitConfig resources. Users can apply a set of policies to VirtualHosts and Routes by referencing a set of RateLimitConfig resources. Each resource represents a rate limit policy that will be independently enforced. Please see the docs for a detailed explanation of the new API. (https://github.com/solo-io/gloo/issues/3335)

v1.4.4

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.5.

v1.5.0-beta2

Dependency Bumps

• solo-io/gloo has been upgraded to v1.5.0-beta7.

New Features

• Add support for OAuth2 access token validation via token introspection (i.e., opaque access tokens) to the extauth service. Also add support for configuring the userinfo OIDC endpoint to the new access token validation API, which allows users to leverage the userinfo response in extauth plugins. (https://github.com/solo-io/gloo/issues/3055)

Fixes

• Correctly append custom headers added from extauth plugins when a UserID is also being set in the extauth plugin (or from any other extauth plugin in a chain of AuthConfigs). Previously, headers added from extauth plugins were ignored (i.e. not available to the upstream service) when a UserID was set. (https://github.com/solo-io/gloo/issues/3208)

v1.4.3

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.4.

v1.4.2

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.3.

Fixes

• Fix issue where gateway-level extauth could not be overriden by lower-level virtualhost, route, and weighted destination extauth config. Also fix issue where extauth config at listener level wouldn’t override the global setting for userIdHeader. Also fix issue where ratelimit config for rateLimitBeforeAuth at listener level wouldn’t override the global default, similarly true for the “basic” ratelimit API. (https://github.com/solo-io/gloo/issues/3270)

v1.5.0-beta1

Dependency Bumps

• solo-io/ext-auth-service has been upgraded to v0.6.12.
• envoy-gloo-ee/solo-io has been upgraded to v1.15.0-rc1.
• solo-io/gloo has been upgraded to v1.5.0-beta6.

Fixes

• A single invalid AuthConfig can no longer halt processing of other valid AuthConfigs. (https://github.com/solo-io/gloo/issues/3097)
• Fix issue where gateway-level extauth could not be overriden by lower-level virtualhost, route, and weighted destination extauth config. Also fix issue where extauth config at listener level wouldn’t override the global setting for userIdHeader. Also fix issue where ratelimit config for rateLimitBeforeAuth at listener level wouldn’t override the global default, similarly true for the “basic” ratelimit API. (https://github.com/solo-io/gloo/issues/3270)

v1.2.13

Dependency Bumps

• envoy-gloo-ee/solo-io has been upgraded to v1.14.3-patch1.
• solo-io/gloo has been upgraded to v1.2.25.

v1.3.12

Dependency Bumps

• envoy-gloo-ee/solo-io has been upgraded to v1.14.3-patch1.
• solo-io/gloo has been upgraded to v1.3.31.

Fixes

• Secure the api-server service by converting it into a ClusterIP service, rather than NodePort, so that it is not available outside of the cluster. (https://github.com/solo-io/gloo/issues/3120)

v1.4.1

CVEs

Updated envoy-gloo-ee to one based on envoy master (1.15.0), which includes security fixes in envoy. For more details on the CVEs, see the envoy release notes here.

Note that one of the CVEs requires setting the global_downstream_max_connections, which may affect traffic if you perform a rolling upgrade from a version vulnerable to the CVE. The max connections is configurable and defaults to 250,000.

Dependency Bumps

• envoy-gloo-ee/solo-io has been upgraded to v1.15.0-rc1.
• solo-io/gloo has been upgraded to v1.4.2.

Fixes

• A single invalid AuthConfig can no longer halt processing of other valid AuthConfigs. (https://github.com/solo-io/gloo/issues/3097)

v1.4.0

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.0.

New Features

• Enable gloo and glooe to run in a fully restricted kubernetes environment. Gloo pods and jobs now all start as a non-root user. Most pods can be run as a custom user by specifying a deployment.runAsUser value. Service accounts have been created for extauth and ratelimit. Grafana, Redis and Nginx are all now initialized as non-root users also. (https://github.com/solo-io/gloo/issues/3084)
• Implement prioritized failover in Gloo. This Implements the API created in https://github.com/solo-io/gloo/pull/3138. (https://github.com/solo-io/gloo/issues/3141)

Fixes

• Secure the api-server service by converting it into a ClusterIP service, rather than NodePort, so that it is not available outside of the cluster. (https://github.com/solo-io/gloo/issues/3120)
• Redact secret ext auth config data, like OAuth client secrets, from the ext auth server logs (https://github.com/solo-io/gloo/issues/3105)
• The issuerUrl needs a trailing slash to find .well-known. Have Gloo append a trailing slash if it is missing. (https://github.com/solo-io/gloo/issues/3071)
• Prevent virtual services details page in the admin console from crashing when there is a nonexistent destination. (https://github.com/solo-io/gloo/issues/3048)
• Address DoS UI vulnerability disclosed in https://nvd.nist.gov/vuln/detail/CVE-2020-7662 (https://github.com/solo-io/gloo/issues/3159)

v1.3.11

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.30.

Fixes

• Address DoS UI vulnerability disclosed in https://nvd.nist.gov/vuln/detail/CVE-2020-7662 (https://github.com/solo-io/gloo/issues/3159)

v1.3.10

Fixes

• Redact secret ext auth config data, like OAuth client secrets, from the ext auth server logs (https://github.com/solo-io/gloo/issues/3105)
• The issuerUrl needs a trailing slash to find .well-known. Have Gloo append a trailing slash if it is missing. (https://github.com/solo-io/gloo/issues/3071)
• Prevent virtual service details page from crashing when a route is invalid. (https://github.com/solo-io/gloo/issues/3048)

v1.4.0-beta7

Dependency Bumps

• solo-io/ext-auth-service has been upgraded to v0.6.11.
• solo-io/gloo has been upgraded to v1.4.0-beta13.
• solo-io/envoy-gloo-ee has been upgraded to v1.4.6.

Fixes

• This fixes the queries used in the default Grafana charts. Previously, they were picking up stats from both kubernetes pods and Envoy, so that several charts displayed double the correct value. (https://github.com/solo-io/gloo/issues/2919)
• This fixes the open source installation of Gloo with the read-only UI. Previously, the gateway pod was in an error state with the logs stating that “no validation configuration was provided”. (https://github.com/solo-io/gloo/issues/2127)

v1.3.9

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.28.

Fixes

• This fixes the open source installation of Gloo with the read-only UI. Previously, the gateway pod was in an error state with the logs stating that “no validation configuration was provided”. (https://github.com/solo-io/gloo/issues/2127)
• Enterprise Gloo now publishes a stat glooe_rate_limit_connected_state, which is 1 if there is valid rate limit config, and 0 if there is an error. (https://github.com/solo-io/gloo/issues/2832)

v1.3.8

Dependency Bumps

• solo-io/ext-auth-service has been upgraded to v0.6.11.
• solo-io/gloo has been upgraded to v1.3.27.

New Features

• Gloo’s validation webhook now validates inja compilation syntax before accepting/rejecting virtual services that use transformations. Note that strict validation is still disabled by default, and must be enabled in the Gloo settings (set gateway.validation.alwaysAccept=true). Users can now rely more on kubectl apply --server-dry-run against live clusters to properly validate whether config is valid before attempting to apply them to their cluster. (https://github.com/solo-io/gloo/issues/2114)

Fixes

• This fixes the queries used in the default Grafana charts. Previously, they were picking up stats from both kubernetes pods and Envoy, so that several charts displayed double the correct value. (https://github.com/solo-io/gloo/issues/2919)

v1.3.7

Fixes

• We now support emitting ModSecurity WAF Audit Log in Envoy’s access log. (https://github.com/solo-io/gloo/issues/1525)

v1.4.0-beta6

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.0-beta8.
• SpiderLabs/owasp-modsecurity-crs has been upgraded to v3.2.0.

New Features

• The extauth service now supports tls connections to the extauth service itself rather than through an envoy sidecar that handles tls termination. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service. This can be configured by setting the helm value global.extensions.extAuth.tlsEnabled to true. When enabled, the extauth service looks for tls cert files at /etc/envoy/ssl/tls.crt and tls key files at /etc/envoy/ssl/tls.key, which are configurable by the CERT_PATH and KEY_PATH environment variables, respectively. (https://github.com/solo-io/gloo/issues/2929)
• We now support emitting ModSecurity WAF Audit Log in Envoy’s access log. (https://github.com/solo-io/gloo/issues/1525)

Fixes

• Fix extauth healthcheck flake by waiting for the extauth server to start before doing the first healthcheck. (https://github.com/solo-io/solo-projects/issues/1715)
• Enterprise Gloo now publishes a stat glooe_rate_limit_connected_state, which is 1 if there is valid rate limit config, and 0 if there is an error. (https://github.com/solo-io/gloo/issues/2832)

v1.3.6

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.25.

New Features

• The extauth service now supports tls connections to the extauth service itself rather than through an envoy sidecar that handles tls termination. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service. This can be configured by setting the helm value global.extensions.extAuth.tlsEnabled to true. When enabled, the extauth service looks for tls cert files at /etc/envoy/ssl/tls.crt and tls key files at /etc/envoy/ssl/tls.key, which are configurable by the CERT_PATH and KEY_PATH environment variables, respectively. (https://github.com/solo-io/gloo/issues/2929)

Fixes

• Fix extauth healthcheck flake by waiting for the extauth server to start before doing the first healthcheck. (https://github.com/solo-io/solo-projects/issues/1715)

v1.4.0-beta5

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.0-beta7.

New Features

• Allow adjusting proxy latency measurement to happen before a connection to the upstream is established. This allows measuring the latency of the filter chain alone. (https://github.com/solo-io/solo-projects/issues/1660)

Fixes

• When zoomed in, the create route button was not accessbile in the create route modal in the UI. (https://github.com/solo-io/solo-projects/issues/1968)
• Update copyright to 2020. (https://github.com/solo-io/solo-projects/issues/1708)

v1.3.5

Fixes

• When zoomed in, the create route button was not accessbile in the create route modal in the UI. (https://github.com/solo-io/solo-projects/issues/1968)
• Allow adjusting proxy latency measurement to happen before a connection to the upstream is established. This allows measuring the latency of the filter chain alone. (https://github.com/solo-io/solo-projects/issues/1660)
• Expose proxy latency as a metric. This can metric can help you get an idea on how much time is spent processing inside the proxy itself. Using features in the data path usually has a cost of increased latency. This metric can help you understand that cost more accurately. (https://github.com/solo-io/solo-projects/issues/1660)

v1.4.0-beta4

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.0-beta6.

v1.4.0-beta3

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.0-beta5.
• helm/helm has been upgraded to v3.1.2.
• solo-io/dev-portal has been upgraded to v0.1.11.
• https-proxy-agent/gloo-ui has been upgraded to 2.2.3.

New Features

• Add “gloo” tags to Envoy and Kubernetes static dashboards that come with Enterprise Gloo. (https://github.com/solo-io/gloo/issues/2812)
• Gloo’s validation webhook now validates inja compilation syntax before accepting/rejecting virtual services that use transformations. Note that strict validation is still disabled by default, and must be enabled in the Gloo settings. Users can now rely more on kubectl apply --server-dry-run against live clusters to properly validate whether config is valid before attempting to apply them to their cluster. (https://github.com/solo-io/gloo/issues/2114)

Fixes

• We have been building all of the Gloo Enterprise binaries in module-aware mode (run go help modules for more info on build modes), except for the extauth server and the extauth plugin verification script, which were built in GOPATH mode. This exception has caused issues with our extauth plugin development toolkit. The root cause of these issues was related to package import paths, which the go tool considers part of the identity of a package; when building in GOPATH mode, the actual import paths of some packages were different than the ones expected by our toolkit, which could lead to the infamous plugin was built with a different version of package xyz error (check out this repository for a detailed explanation of the problem). We now build both the extauth server and the verify-plugins-linux-amd64 script in module-aware mode, which causes all packages to be loaded from the modules cache located at /go/pkg/mod, thus providing for predictable package paths that our toolkit (and yours) can rely on. (https://github.com/solo-io/solo-projects/issues/1668)
• The destination dropdown in the Create Route Form now has correct width. (https://github.com/solo-io/solo-projects/issues/1694)
• The “Add Group” form in the API details page of the developer portal UI showed incorrect header. (https://github.com/solo-io/solo-projects/issues/1689)
• Developer portal overview page showed incorrect data for the number of published api docs. (https://github.com/solo-io/solo-projects/issues/1682)

v1.3.4

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.23.
• solo-io/dev-portal has been upgraded to v0.1.11.
• https-proxy-agent/gloo-ui has been upgraded to 2.2.3.

Fixes

• We have been building all of the Gloo Enterprise binaries in module-aware mode (run go help modules for more info on build modes), except for the extauth server and the extauth plugin verification script, which were built in GOPATH mode. This exception has caused issues with our extauth plugin development toolkit. The root cause of these issues was related to package import paths, which the go tool considers part of the identity of a package; when building in GOPATH mode, the actual import paths of some packages were different than the ones expected by our toolkit, which could lead to the infamous plugin was built with a different version of package xyz error (check out this repository for a detailed explanation of the problem). We now build both the extauth server and the verify-plugins-linux-amd64 script in module-aware mode, which causes all packages to be loaded from the modules cache located at /go/pkg/mod, thus providing for predictable package paths that our toolkit (and yours) can rely on. (https://github.com/solo-io/solo-projects/issues/1668)
• The destination dropdown in the Create Route Form now has correct width. (https://github.com/solo-io/solo-projects/issues/1694)
• The “Add Group” form in the API details page of the developer portal UI showed incorrect header. (https://github.com/solo-io/solo-projects/issues/1689)

v1.3.3

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.22.

Fixes

• Developer portal overview page showed incorrect data for the number of published api docs. (https://github.com/solo-io/solo-projects/issues/1682)

v1.3.2

Dependency Bumps

• acorn/gloo-ui has been upgraded to 7.1.1.
• minimist/gloo-ui has been upgraded to 0.2.1.
• solo-io/dev-portal has been upgraded to v0.1.8.
• solo-io/gloo has been upgraded to v1.3.21.

Fixes

• Added the gloo.solo.io/h2_service: "true" annotation to the apiserver Kubernetes service, so discovery will set useHttp2 to true on the corresponding upstream. This will allow Gloo to correctly proxy the apiserver, which serves as a backend for the Gloo Admin UI. See the linked issue for more details. (https://github.com/solo-io/gloo/issues/2788)
• Fix alignments in upstream listing. (https://github.com/solo-io/solo-projects/issues/1662)
• Swagger Editor should show errors, better styling. (https://github.com/solo-io/solo-projects/issues/1664)
• Fix alignment in overview pages for Safari. (https://github.com/solo-io/solo-projects/issues/1653)
• Allows editing and adding domain names for a Portal when the domain set is initially empty. (https://github.com/solo-io/solo-projects/issues/1674)
• Only validate auth configs that are referenced in virtual services. (https://github.com/solo-io/gloo/issues/2773)
• With disableProxyGarbageCollection enabled (the default), Gloo used to clear the extauth and ratelimit snapshots from the XDS cache, resulting in null configurations temporarily in the extauth and ratelimit services. This caused blips of invalid 403/429 responses. To fix this, Gloo now returns any Envoy Node ID keys set by its TranslatorSyncerExtension Sync() functions, so Gloo doesn’t garbage collect these snapshots anymore. (https://github.com/solo-io/gloo/issues/2721)

v1.4.0-beta2

Dependency Bumps

• solo-io/gloo has been upgraded to v1.4.0-beta4.
• solo-io/dev-portal has been upgraded to v0.1.8.

New Features

• Expose proxy latency as a metric. This can metric can help you get an idea on how much time is spent processing inside the proxy itself. Using features in the data path usually has a cost of increased latency. This metric can help you understand that cost more accurately. (https://github.com/solo-io/solo-projects/issues/1660)

Fixes

• Added the gloo.solo.io/h2_service: "true" annotation to the apiserver Kubernetes service, so discovery will set useHttp2 to true on the corresponding upstream. This will allow Gloo to correctly proxy the apiserver, which serves as a backend for the Gloo Admin UI. See the linked issue for more details. (https://github.com/solo-io/gloo/issues/2788)
• Fix alignments in upstream listing. (https://github.com/solo-io/solo-projects/issues/1662)
• Swagger Editor should show errors, better styling. (https://github.com/solo-io/solo-projects/issues/1664)
• Allows editing and adding domain names for a Portal when the domain set is initially empty. (https://github.com/solo-io/solo-projects/issues/1674)
• Only validate auth configs that are referenced in virtual services. (https://github.com/solo-io/gloo/issues/2773)
• With disableProxyGarbageCollection enabled (the default), Gloo used to clear the extauth and ratelimit snapshots from the XDS cache, resulting in null configurations temporarily in the extauth and ratelimit services. This caused blips of invalid 403/429 responses. To fix this, Gloo now returns any Envoy Node ID keys set by its TranslatorSyncerExtension Sync() functions, so Gloo doesn’t garbage collect these snapshots anymore. (https://github.com/solo-io/gloo/issues/2721)

v1.3.1

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.4.3.
• solo-io/gloo has been upgraded to v1.3.19.

Fixes

• Write error status to Auth Config CRs if there is an error in the configuration. (https://github.com/solo-io/gloo/issues/2623)

v1.4.0-beta1

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.4.3.
• acorn/gloo-ui has been upgraded to 7.1.1.
• minimist/gloo-ui has been upgraded to 0.2.1.
• solo-io/gloo has been upgraded to v1.4.0-beta1.

Fixes

• Fix alignment in overview pages for Safari. (https://github.com/solo-io/solo-projects/issues/1653)
• Write error status to Auth Config CRs if there is an error in the configuration. (https://github.com/solo-io/gloo/issues/2623)

v1.3.0

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.17.

New Features

• Add Developer Portal to Gloo Enterprise. The developer portal can be enabled by passing the devPortal.enabled=true Helm value when installing Gloo Enterprise. See the Developer Portal documentation for more information. (https://github.com/solo-io/gloo/issues/2722)

v1.3.0-beta7

Dependency Bumps

• kubernetes-sigs/controller-runtime has been upgraded to v0.5.0.
• open-policy-agent/opa has been upgraded to v0.18.0.
• solo-io/gloo has been upgraded to v1.3.16.
• grafana/https://kubernetes-charts.storage.googleapis.com/ has been upgraded to 5.0.8.
• solo-io/solo-kit has been upgraded to v0.13.3.
• solo-io/gloo has been upgraded to v1.3.15.

Helm Changes

• The timeout for Envoy when checking authorization with the extauth server is now exposed as global.extensions.extAuth.requestTimeout in the helm chart. For instance, setting global.extensions.extAuth.requestTimeout=1s would set the timeout to one second. (https://github.com/solo-io/gloo/issues/2531)

New Features

• Key scopes are now listed and CRUD-interactable within the UI. !Not connected to backend! (https://github.com/solo-io/solo-projects/issues/1528)
• The OPA debug-level logging now includes data about the OPA input, eval traces, and result set. The following command can be used to stream a clean OPA trace with those three things from the extauth service: kubectl logs -n gloo-system deploy/extauth -f | jq -r -j "select(.trace != null) | .trace" (https://github.com/solo-io/solo-projects/issues/1536)
• Settings are now as an overview page that links to either the Secrets view or the Settings Details view where users can configure the namespaces watched by Gloo and edit the Settings YAML file directly. (https://github.com/solo-io/solo-projects/issues/1469)

Fixes

• Fix helm upgrade for Gloo Enterprise chart due to bug with PersistentVolumeClaims in grafana subchart. (https://github.com/solo-io/gloo/issues/2566)
• Show Gateway status errors in the Gloo UI in the Envoy status. (https://github.com/solo-io/gloo/issues/2594)
• With disableProxyCollection: false (the default), extauth had a race condition where it could recevie nil config. This could result in 403s that shouldn’t happen. This change pulls in a fix from gloo where an empty snapshot was being set with an empty version. Fixing this issue means that this nil config should no longer occur. (https://github.com/solo-io/gloo/issues/2645)
• Propagate the JWT remote cache duration to envoy. (https://github.com/solo-io/gloo/issues/2677)
• Envoy details view now shows correct Helm values needed to surface the Envoy config in the UI. (https://github.com/solo-io/solo-projects/issues/1470)
• The word ‘Enterprise’ should not show up in the overview page when in read-only (non-enterprise) mode. (https://github.com/solo-io/solo-projects/issues/1123)

v1.3.0-beta6

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.14.

New Features

• Add support for OPA tracing in debug logs for ext auth service. (https://github.com/solo-io/gloo/issues/2625)

Fixes

• Fix extauth initialization so stats server can be used for setting the log level. (https://github.com/solo-io/gloo/issues/2630)

v1.2.12

Dependency Bumps

• solo-io/gloo has been upgraded to 1.2.24.

v1.3.0-beta5

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.12.
• golang/go has been upgraded to go1.14.

Helm Changes

• Add a new Helm value .Values.observability.customGrafana.caBundle to enable https connections with 1-way TLS to a custom Grafana instance. (https://github.com/solo-io/gloo/issues/2344)

New Features

• Add the optional GRAFANA_CA_BUNDLE env variable to the observability deployment in order to enable https connections with 1-way TLS to a custom Grafana instance. (https://github.com/solo-io/gloo/issues/2344)

Fixes

• The extauth server was getting alternating nil and correct configs from Gloo. This was because the snapshot hash was being generated from auth configs that showed up in proxy objects in the snapshot. However, a new snapshot was being created once after the auth config was added, and once after the gateway pod created the proxy object. The first would generate a nil config, and the second would create the correct config. This changes the implementation such that we only look at the auth configs to create the hash, and only change whenever an auth config is added or removed. (https://github.com/solo-io/gloo/issues/2512)
• Use safe-regex in grpcserver envoy cors configuration. (https://github.com/solo-io/solo-projects/issues/1505)
• When terminating the extauth server (e.g. k8s rolling update), we send a “x-envoy-immediate-health-check-fail” header to envoy. In MTLS mode, if the sds and envoy sidecars shut down before the extauth server does, we can’t send this header. This change adds a lifecycle pre-stop check to the sds and envoy sidecars to wait for the main extauth container to shut down first. (https://github.com/solo-io/gloo/issues/2489)
• Add a readinessProbe to the extauth standalone deployment. This waits for the extauth server to start up before marking it as ready. During extauth upgrades, this will reduce downtime. (https://github.com/solo-io/gloo/issues/2489)
• Fix the helm chart rendering in the extauth deployment when there are multiple plugins. (https://github.com/solo-io/gloo/issues/2355)

v1.2.11

Fixes

• Use safe-regex in grpcserver envoy cors configuration, since allow_origin is deprecated. (https://github.com/solo-io/solo-projects/issues/1505)
• The extauth server was getting alternating nil and correct configs from Gloo. This was because the snapshot hash was being generated from auth configs that showed up in proxy objects in the snapshot. However, a new snapshot was being created once after the auth config was added, and once after the gateway pod created the proxy object. The first would generate a nil config, and the second would create the correct config. This changes the implementation such that we only look at the auth configs to create the hash, and only change whenever an auth config is added or removed. (https://github.com/solo-io/gloo/issues/2512)
• Fix the helm chart rendering in the extauth deployment when there are multiple plugins. (https://github.com/solo-io/gloo/issues/2355)
• Remove unnecessary solo-io-readerbot-pull-secret pull secret from default Helm values file. (https://github.com/solo-io/gloo/issues/2556)

v1.3.0-beta4

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.3.0.
• solo-io/go-utils has been upgraded to v0.14.2.
• solo-io/gloo has been upgraded to v1.3.12.

Helm Changes

• Add a new helm value, create_license_secret, which when set to false, disables the license key kubernetes secret from being installed with Gloo Enterprise. This enables users to run a full gitops workflow where they manage their own kubernetes license key secrets. (https://github.com/solo-io/gloo/issues/2433)

New Features

• Support TLS between gateway-proxy and extauth if global.glooMtls.enabled is set to true. (https://github.com/solo-io/gloo/issues/2483)

Fixes

• Upgrade envoy-gloo version to handle CVE https://groups.google.com/forum/#!topic/envoy-announce/sVqmxy0un2s (https://github.com/solo-io/gloo/issues/2555)
• When terminating the extauth server (e.g. k8s rolling update) envoy continues to route to the old extauth server endpoints in addition to the new ones (load-balancing between the two 50-50) until the old one’s health check completely fails five minutes later. This PR adds a health check interceptor that sends a “x-envoy-immediate-health-check-fail” header to envoy when the extauth server shuts down. This tells envoy to exclusively route to the new (healthy) server. (https://github.com/solo-io/gloo/issues/2489)
• Remove unnecessary solo-io-readerbot-pull-secret pull secret from default Helm values file. (https://github.com/solo-io/gloo/issues/2556)

v1.2.10

Dependency Bumps

• solo-io/envoy-gloo-ee has been upgraded to 1.2.0.

Fixes

• Upgrade envoy-gloo version to handle CVE https://groups.google.com/forum/#!topic/envoy-announce/sVqmxy0un2s (https://github.com/solo-io/gloo/issues/2555)

v1.2.9

Fixes

• When the extauth server is shutting down, it should notify Envoy by sending back the x-envoy-immediate-health-check-fail header; this forces Envoy to stop sending traffic to the terminating server. One caveat of this approach is that this header can’t be sent unless during shutdown the server responds to 1) a health check request or 2) an authorization request. This fix decreases the extauth upstream healthcheck interval from 60s to 10s. Additionally, the healthy and unhealthy thresholds are decreased from 5 to 3. This guarantees that the header is sent back during the 30 second shutdown grace period. (https://github.com/solo-io/gloo/issues/2489)

v1.2.8

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.22.
• solo-io/gloo has been upgraded to v1.2.21.

Helm Changes

• Add a new helm value, create_license_secret, which when set to false, disables the license key kubernetes secret from being installed with Gloo Enterprise. This enables users to run a full gitops workflow where they manage their own kubernetes license key secrets. (https://github.com/solo-io/gloo/issues/2433)

Fixes

• Fix reconciler and resource status reporter to retry more than once on resource version conflict errors. (https://github.com/solo-io/gloo/issues/2498)
• Make sure gateway and discovery stats are enabled by default, as documented in the Gloo docs. (https://github.com/solo-io/gloo/issues/2508)
• When terminating the extauth server (e.g., k8s rolling update) envoy continues to route to the old extauth server endpoints in addition to the new ones (load-balancing between the two 50-50) until the old one’s health check completely fails five minutes later. This PR adds a health check interceptor that sends a “x-envoy-immediate-health-check-fail” header to envoy when the extauth server shuts down. This tells envoy to exclusively route to the new (healthy) server. (https://github.com/solo-io/gloo/issues/2489)

v1.3.0-beta3

Dependency Bumps

• solo-io/gloo has been upgraded to v1.3.6.
• solo-io/gloo has been upgraded to v1.3.9.

Helm Changes

• Allow setting compute resources for apiserver containers. (https://github.com/solo-io/gloo/issues/2454)
• Add a new Helm value to allow setting the number of replicas for the external auth deployment. (https://github.com/solo-io/gloo/issues/2432)

New Features

• Enable mTLS authentication in between Gloo and our default Extauth and Rate Limiting server. When the environment variable GLOO_MTLS is set to enabled in the rate-limit or extauth deployments, those processes will look for keys, certs, and trusted CAs in the following file locations:
• /etc/envoy/ssl/tls.key
• /etc/envoy/ssl/tls.crt
• /etc/envoy/ssl/ca.crt Then, they will connect to Gloo using TLS instead of an insecure gRPC connection. This is all done by default if Gloo Enterprise is installed through Helm with the helm setting global.glooMtls.enabled is set to true. (https://github.com/solo-io/gloo/issues/2382)

Fixes

• Fixes listener config sent to envoy to be idempotent, so that config no longer reloads as “different” when there are no changes. This resolves the issue of the “Average Request Time” graph in grafana showing gaps in the downstream data, among other potential issues. (https://github.com/solo-io/gloo/issues/2185)
• Read-only UI now displays a modal with a helpful error message, rather than hanging and logging an error in the browser console. (https://github.com/solo-io/gloo/issues/2378)

v1.2.7

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.20.

Fixes

• When a Gateway has an empty httpGateway.virtualServiceNamespaces list, it will now search for virtual services in all the namespaces watched by Gloo. Previously the behavior was to include only virtual services in the same namespace as the gateway, which has proven unintuitive to users. (https://github.com/solo-io/gloo/issues/2156)

v1.2.6

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.19.

Fixes

• Fixes listener config sent to envoy to be idempotent, so that config no longer reloads as “different” when there are no changes. This resolves the issue of the “Average Request Time” graph in grafana showing gaps in the downstream data, among other potential issues. (https://github.com/solo-io/gloo/issues/2185)
• AWS Upstreams status updates automatically without refreshing. (https://github.com/solo-io/solo-projects/issues/1451)
• Only show AWS Secrets in the dropdown in the Create Upstream Form. (https://github.com/solo-io/solo-projects/issues/1449)
• Read-only UI now displays a modal with a helpful error message, rather than hanging and logging an error in the browser console. (https://github.com/solo-io/gloo/issues/2378)

v1.2.5

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.18.

Fixes

• Expose the disableKubernetesDestinations settings field as a Helm chart value, which if enabled in a Gloo deployment monitoring a large number of kubernetes services, can drastically reduce Gloo memory usage. (https://github.com/solo-io/gloo/issues/2299)

v1.3.0-beta2

Dependency Bumps

• solo-io/ext-auth-plugins has been upgraded to v0.1.2.
• solo-io/ext-auth-service has been upgraded to v0.6.6.
• solo-io/go-utils has been upgraded to v0.13.3.
• solo-io/gloo has been upgraded to v1.3.5.
• solo-io/go-utils has been upgraded to v0.13.1.
• solo-io/ext-auth-service has been upgraded to v0.6.5.
• solo-io/go-utils has been upgraded to v0.12.0.
• solo-io/envoy-gloo-ee has been upgraded to v0.1.28.
• serialize-javascript/gloo-ui has been upgraded to 2.1.1.
• serialize-javascript/gloo-ui has been upgraded to 2.1.1.

Helm Changes

• The Helm template for the Settings resource was defined as a pre-install Helm hook until now. This was done to avoid races with the Gloo pods, which used to create a default Settings resource if none was present. Since we removed this feature, the Settings template does not need to be a hook anymore. This change promotes it to a regular Helm release resource. (https://github.com/solo-io/gloo/issues/2317)

New Features

• On the VirtualService and RouteTable details views, the admin UI now displays the number of route tables that match a delegated route which uses a RouteTable selector. By hovering over the text, you display details about the selector and navigate to any of the matching RouteTables. (https://github.com/solo-io/gloo/issues/2054)
• Modify getSettings API call to return YAML file, and allow for updating that YAML. (https://github.com/solo-io/solo-projects/issues/1458)
• Add Upstream Details, create Upstream Group, Upstream Group Details views to UI. (https://github.com/solo-io/solo-projects/issues/1455)
• Add Upstream Details, create Upstream Group, Upstream Group Details views to UI. (https://github.com/solo-io/solo-projects/issues/1455)

Fixes

• Fixes an issue where specifying multiple HTTP methods in an RBAC role would restrict traffic to that role. (https://github.com/solo-io/gloo/issues/2371)
• Add puppeteer tests for basic workflows, fix Upstream creation issues in UI. (https://github.com/solo-io/solo-projects/issues/1282)
• AWS Upstreams status updates automatically without refreshing. (https://github.com/solo-io/solo-projects/issues/1451)
• Only show AWS Secrets in the dropdown in the Create Upstream Form. (https://github.com/solo-io/solo-projects/issues/1449)
• Add puppeteer tests for basic workflows, fix Upstream creation issues in UI. (https://github.com/solo-io/solo-projects/issues/1282)
• Add default weights to upstream group creation and fix bug that prevented creation from completing. (https://github.com/solo-io/solo-projects/issues/1456)

v1.2.4

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.17.

Fixes

• Fixes an issue where specifying multiple HTTP methods in an RBAC role would restrict traffic to that role. (https://github.com/solo-io/gloo/issues/2371)

v1.2.3

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.16.

v1.2.2

Dependency Bumps

• solo-io/ext-auth-plugins has been upgraded to v0.1.2.
• solo-io/gloo has been upgraded to v1.2.15.

New Features

• On the VirtualService and RouteTable details views, the admin UI now displays the number of route tables that match a delegated route which uses a RouteTable selector. By hovering over the text, you display details about the selector and navigate to any of the matching RouteTables. (https://github.com/solo-io/gloo/issues/2054)

Fixes

• Update the Delegation API to support delegating routing decisions to multiple RouteTables. RouteTables to delegate to can be selected by either namespaces, labels, or both, using the new RouteTableSelector field. The routes of all matching RouteTables will be merged and the resulting route set will be sorted by descending specificity of the matchers on each route, e.g. matchers with longer prefixes will appear first. This change is marked as a fix because it is meant to replace the virtual service merging feature that we deprecated with the stable v1 release of Gloo. Virtual service merging allowed users to define multiple VirtualServices for the same domain, which Gloo would then merge into a single VirtualHost on the Proxy resource. Although useful to many users, this feature could lead to confusion: the API is not self-documenting with respect to the merging behavior and multiple users could inadvertently step on each other’s toes when defining routes for the same domain. As of this release, virtual service merging is not supported anymore; defining two virtual services with overlapping domain sets will result in an error. To be able to define the routes for a given domain on different resources, users can now use the Delegation API. With the new RouteTableSelector attribute, the Delegation API now enables the same use cases as virtual service merging and has the advantage of surfacing the fact that multiple resources define routes for the same domains to the API. To give a simple example, a Gloo administrator can define a VirtualService with a single route that delegates all requests for a domain to any RouteTables that have the domain: example.com label (namespaces to search can be configured as well); this will allow users to add routes for that domain by creating their own RouteTables (with a domain: example.com label) without having to request updates to the parent VirtualService. (https://github.com/solo-io/gloo/issues/2054)
• Docs say that all pods have metrics enabled by default; fix rate-limit, observability, and api-server deployments to match. (https://github.com/solo-io/solo-projects/issues/1431)

v1.3.0-beta1

Dependency Bumps

• solo-io/handlebars has been upgraded to v4.3.0.
• solo-io/solo-kit has been upgraded to v0.12.1.
• solo-io/go-utils has been upgraded to v0.11.5.
• solo-io/rate-limiter has been upgraded to v0.0.3.

New Features

• Make Gloo fully compatible with go.mod, so that it can be run outside of the GOPATH. As a result of this all of the proto import paths needed to be stripped of the github.com/solo-io prefix, as that is no longer assured outside of the GOPATH. (https://github.com/solo-io/gloo/issues/835)
• Add a new auth_endpoint_query_params field to the AuthConfig CRD. When using the Gloo Enterprise OAuth feature, this allows you to append additional query parameters to the request that Gloo sends to the OIDC authorization endpoint to initiate the authorization code flow. This can be useful to integrate Gloo with some identity providers that require custom parameters to be sent to the authorization endpoint. The new field is a map, where each key-value pair will result in an additional query parameter:

  name: google-oidc
  namespace: gloo-system
spec:
  configs:
  - oauth:
      app_url: http://localhost:8080
      callback_path: /callback
      client_id: $CLIENT_ID
      client_secret_ref:
        name: google
        namespace: gloo-system
      issuer_url: https://accounts.google.com
      auth_endpoint_query_params:
        key1 : value1
        key2 : value2

We also added a new --auth-endpoint-query-params flag to the glooctl create authconfig command; the flag takes in a comma-separated list of key value pairs (e.g. a=b,c=d). (https://github.com/solo-io/solo-projects/issues/1309)

Fixes

• Add version information to each log line in the enterprise pods. (https://github.com/solo-io/solo-projects/issues/1364)

v1.2.1

Dependency Bumps

• solo-io/handlebars has been upgraded to v4.3.0.
• solo-io/go-utils has been upgraded to v0.11.5.
• solo-io/rate-limiter has been upgraded to v0.0.3.

v1.2.0

Breaking Changes

• Gloo Enterprise 1.2.0 is released 🎉. This version is built against Gloo v1.2.12. The Gloo changelog docs show an accurate progression of the changes in the release; for a complete summary of changes from Gloo Enterprise v0.x see our 1.0.0+ upgrade docs. (https://github.com/solo-io/gloo/issues/2033)

v1.0.0-rc10

This release contained no user-facing changes.

v1.0.0-rc9

This release build failed.

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.12.

Fixes

• Update helm values to use enterprise envoy with knative and ingress. Without this, envoy will fail to load some enterprise-only filters, such as io.solo.filters.http.transformation_ee in the DLP plugin. (https://github.com/solo-io/gloo/issues/1992)
• Include the output of go list -m all and go list -m --json all in the dependency information we publish with each release. These files provide a clear and simple summary of all the dependencies (direct and indirect) for the Gloo Enterprise module. (https://github.com/solo-io/gloo/issues/1987)

v1.0.0-rc8

Fixes

• Update settings template to check for whether gateway validation is enabled. (https://github.com/solo-io/gloo/issues/1975)
• Omit ratelimit and extauth config from settings when not enabled via helm values. (https://github.com/solo-io/gloo/issues/1977)
• There is a race condition where the observability pod can become ready before Grafana is ready. This can cause the dynamic dashboards to be missing, as observability tries only a single time to make the Grafana service call. This change introduces a 10-second retry window into the observability sync loop. (https://github.com/solo-io/gloo/issues/1985)
• As part of each Gloo Enterprise release we publish information about all the dependencies that we use. This is needed for external auth plugin developers to be able to create plugins compatible with a particular Gloo Enterprise version. As we have recently started to use Go Modules instead of Dep to build Gloo, this change adds the go.mod/go.sum files to the list of published dependency info. (https://github.com/solo-io/gloo/issues/1987)

v0.21.2

Dependency Bumps

• serialize-javascript/gloo-ui has been upgraded to 2.1.1.
• envoy-gloo-ee/solo-io has been upgraded to v0.1.27.

Fixes

• Add puppeteer tests for basic workflows, fix Upstream creation issues in UI. (https://github.com/solo-io/solo-projects/issues/1282)

v1.0.0-rc7

This release contained no user-facing changes.

v1.0.0-rc6

This release build failed.

Dependency Bumps

• solo-io/gloo has been upgraded to v1.2.10.

Fixes

• Fix regression when deleting aws routes. (https://github.com/solo-io/solo-projects/issues/1380)
• Correctly redirect breadcrumb in route table details view. (https://github.com/solo-io/solo-projects/issues/1353)
• Strip Descriptor field when sending gRPC upstreams to the frontend to reduce response payload. Note that this the upstream YAML downloaded from the UI will not contain those descriptors. (https://github.com/solo-io/solo-projects/issues/1367)
• Correctly preselect values on create route form. (https://github.com/solo-io/solo-projects/issues/1381)
• Route container field in create route form was not being correctly shown when selected. (https://github.com/solo-io/solo-projects/issues/1381)
• Use klog shim so that klog doesn’t attempt to write files. (https://github.com/solo-io/gloo/issues/1039)
• Fix the issue that was causing the observability pod memory footprint to increase over time, eventually resulting in the pod being evicted. (https://github.com/solo-io/gloo/issues/1904)

v1.0.0-rc5

Dependency Bumps

• solo-io/gloo has been upgraded to 1.2.5.
• prometheus/prometheus has been upgraded to v9.5.1.
• envoy-gloo-ee/solo-io has been upgraded to v0.1.27.

New Features

• Allow user to specify domains when creating a virtual service. (https://github.com/solo-io/solo-projects/issues/1358)

Fixes

• Fix malformed JSON in the Envoy Grafana dashboard. (https://github.com/solo-io/gloo/issues/1888)
• Wire up stats to static envoy in apiserver. (https://github.com/solo-io/solo-projects/issues/1346)
• Bump Prometheus to 9.5.1 from 9.3.1 to fix a compatibility issue with k8s 1.13. The root cause is that Prometheus 9.3.1 creates ClusterRoles for unused Prometheus components that have an empty rules: object. Prometheus 9.5.1 creates ClusterRoles for those unused components that have rules: []. (https://github.com/solo-io/gloo/issues/1869)
• Fix observability deployment template by moving the START_STATS_SERVER env variable to the correct place. (https://github.com/solo-io/solo-projects/issues/1370)
• Use the correct links to documentation. (https://github.com/solo-io/solo-projects/issues/1291)
• Add missing breadcrumb link in route table details view. (https://github.com/solo-io/solo-projects/issues/1353)
• Show the correct Helm chart value in the admin section to enable reading the envoy config. (https://github.com/solo-io/solo-projects/issues/1274)
• Fix bug where having a virtual service and a route table with the same name caused problems. (https://github.com/solo-io/solo-projects/issues/1351)
• Fix bug that prevented deleting routes from a virtual service. (https://github.com/solo-io/solo-projects/issues/1349)
• Fix bug that prevented creating routes to AWS upstreams. (https://github.com/solo-io/solo-projects/issues/1345)
• Fix bug that prevented creating routes to AWS upstreams. (https://github.com/solo-io/solo-projects/issues/1298)
• Fix bug that prevented reordering routes in a route table. (https://github.com/solo-io/solo-projects/issues/1320)
• Fix bug where routes with the same path were treated equally. (https://github.com/solo-io/solo-projects/issues/1352)
• Fix bug where new routes were added to the bottom of the list in route tables. (https://github.com/solo-io/solo-projects/issues/1321)