Gloo Edge Enterprise


Changelog

v1.7

v1.7.0-beta11 (Uses Gloo Edge OSS v1.7.0-beta18)

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.10.1.

  • solo-io/rate-limiter has been upgraded to v0.2.5.

  • solo-io/solo-apis has been upgraded to gloo-v1.7.0-beta18.

v1.7.0-beta10 (Uses Gloo Edge OSS v1.7.0-beta18)

New Features

  • Provides an enterprise-only option to use the leftmost IP address from the x-forwarded-for header and set it as the downstream address. This is useful if the network topology (load balancers, etc.) prior to gloo is unknown or dynamic. If using this option, be sure to sanitize this header from downstream requests to prevent security risks. (https://github.com/solo-io/gloo/issues/4014)

  • (From OSS v1.7.0-beta18) Provides an option to define global SslParameters that will be applied to all upstreams by default. An individual upstream can override these properties by specifying SslParameters. (https://github.com/solo-io/gloo/issues/4285)

  • (From OSS v1.7.0-beta17) Provides an enterprise-only option to use the leftmost IP address from the x-forwarded-for header and set it as the downstream address. This is useful if the network topology (load balancers, etc.) prior to gloo is unknown or dynamic. If using this option, be sure to sanitize this header from downstream requests to prevent security risks. (https://github.com/solo-io/gloo/issues/4014)

  • (From OSS v1.7.0-beta17) Add new regexRewrite option to routes. This new field can be used to substitute matched regex patterns for alternate text in request paths, optionally including capture groups from the regex. (https://github.com/solo-io/gloo/issues/3321)
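The header-sanitization caveat on the x-forwarded-for option above, as an added example (not Gloo Edge code or configuration): a Go model of which address a leftmost-entry policy selects with and without the first trusted hop overwriting the client-supplied header. The function names and the documentation-range addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

const xff = "X-Forwarded-For"

// leftmostXFF returns the leftmost X-Forwarded-For entry, the value a
// "use leftmost address" policy would treat as the downstream address.
// It reports false when the entry is missing or is not a valid IP.
func leftmostXFF(h http.Header) (string, bool) {
	joined := strings.Join(h.Values(xff), ",")
	first := strings.TrimSpace(strings.SplitN(joined, ",", 2)[0])
	if ip := net.ParseIP(first); ip != nil {
		return ip.String(), true
	}
	return "", false
}

// appendHop models a proxy that appends the address of its directly
// connected peer to whatever X-Forwarded-For value it received.
func appendHop(h http.Header, peer string) {
	if prev := strings.Join(h.Values(xff), ", "); prev != "" {
		h.Set(xff, prev+", "+peer)
		return
	}
	h.Set(xff, peer)
}

// sanitizeAtEdge models the first hop under your control (hypothetical
// helper): it discards the client-supplied header and records only the
// socket peer address it observed itself.
func sanitizeAtEdge(h http.Header, peer string) {
	h.Del(xff)
	h.Set(xff, peer)
}

// downstreamAddress passes a request through the edge hop and any inner
// hops, then returns what the leftmost-entry policy would select.
func downstreamAddress(clientHeaders http.Header, clientPeer string, innerHops []string, sanitize bool) (string, bool) {
	h := clientHeaders.Clone() // leave the caller's headers untouched
	if sanitize {
		sanitizeAtEdge(h, clientPeer)
	} else {
		appendHop(h, clientPeer)
	}
	for _, hop := range innerHops {
		appendHop(h, hop)
	}
	return leftmostXFF(h)
}

func main() {
	// Constructed sample: the request arrives from 203.0.113.7 but already
	// carries an X-Forwarded-For value chosen by the sender.
	req := http.Header{}
	req.Set(xff, "10.0.0.1")
	inner := []string{"192.0.2.10"} // constructed internal load balancer address

	for _, sanitize := range []bool{false, true} {
		addr, ok := downstreamAddress(req, "203.0.113.7", inner, sanitize)
		fmt.Printf("sanitize=%-5v downstream=%s valid=%v\n", sanitize, addr, ok)
	}
}
```

Without sanitization the selected address is whatever the sender wrote, so IP-based rate limits, allow lists and access logs downstream of the proxy would key on an untrusted value.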

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.7.0-beta18.

  • solo-io/go-list-licenses has been upgraded to v0.1.3.

Helm Changes

v1.7.0-beta9 (Uses Gloo Edge OSS v1.7.0-beta16)

New Features

  • Added glooctl fed CLI extension to make it easier to interact with federated Gloo Edge resources (e.g. federated upstreams, virtualservices, gateways). (https://github.com/solo-io/gloo/issues/4209)

  • The Gloo Enterprise external auth server can now easily be configured to validate OAuth2.0 access tokens that conform to the JSON Web Token (JWT) specification via the AccessTokenValidation API. Tokens are validated using a JSON Web Key Set (as defined in Section 5 of RFC7517), which can be either inlined in the configuration or fetched from a remote location via HTTP. The server will validate both the JWT signature and the standard claims it contains. If the JWT has been successfully validated, its set of claims will be added to the AuthorizationRequest state under the “jwtAccessToken” key. Additionally, if the server has been configured accordingly, the identifier of the authenticated user will be added to the request streams as dynamic metadata and/or a header. For more information see the external auth API reference. (https://github.com/solo-io/gloo/issues/4224)

Fixes

Dependency Bumps

  • solo-io/k8s-utils has been upgraded to v0.0.6.

  • solo-io/gloo has been upgraded to v1.7.0-beta16.

  • solo-io/ext-auth-service has been upgraded to v0.10.0.

  • solo-io/skv2 has been upgraded to v0.17.3.

Helm Changes

v1.7.0-beta8 (Uses Gloo Edge OSS v1.7.0-beta15)

Fixes

Helm Changes

Upgrade Notes

v1.7.0-beta7 (Uses Gloo Edge OSS v1.7.0-beta13)

New Features

  • Added glooctl wasm CLI extension to make it easier to manage wasm filters deployed on Gloo Edge Gateway Proxies. (https://github.com/solo-io/solo-projects/issues/2051)

  • Add ability for the Gloo Edge Enterprise external auth server to validate OAuth 2.0 access tokens based on access token scopes. The new match_all field of AccessTokenValidation can be used to specify a list of required scopes for a token. (https://github.com/solo-io/gloo/issues/4224)

  • (From OSS v1.7.0-beta13) Add ability for the Gloo Edge Enterprise external auth server to validate OAuth 2.0 access tokens based on access token scopes. The new requiredScopes field of AccessTokenValidation can be used to specify a list of required scopes for a token. Omitting the field means that scope validation is skipped. (https://github.com/solo-io/gloo/issues/4224)

Fixes

Dependency Bumps

  • solo-io/protoc-gen-ext has been upgraded to v0.0.15.

  • solo-io/skv2 has been upgraded to v0.17.2.

  • solo-io/solo-apis has been upgraded to gloo-v1.7.0-beta11.

  • solo-io/gloo has been upgraded to v1.7.0-beta13.

  • solo-io/solo-apis has been upgraded to gloo-v1.7.0-beta13.

  • solo-io/ext-auth-server has been upgraded to v0.7.11.

  • (From OSS v1.7.0-beta13) solo-io/skv2 has been upgraded to v0.17.2.

  • (From OSS v1.7.0-beta12) solo-io/protoc-gen-ext has been upgraded to v0.0.15.

  • (From OSS v1.7.0-beta12) solo-io/go-utils has been upgraded to v0.20.2.

v1.7.0-beta6 (Uses Gloo Edge OSS v1.7.0-beta11)

New Features

  • (From OSS v1.7.0-beta11) Allow for the configuration of socket options on the envoy listener. This is useful, for example, to set TCP keep alive for downstream connections to envoy (e.g., NLB in front of envoy). (https://github.com/solo-io/gloo/issues/3758)

  • (From OSS v1.7.0-beta10) Added the new transport_api_version field to the extauth settings. The field determines the API version for the ext_authz transport protocol that will be used by Envoy to communicate with the auth server. The currently allowed values are V2 and V3, with the former being the default; this was done to maintain compatibility with existing custom auth servers. Note that in order for the external auth server to be able to emit dynamic metadata the field needs to be set to V3. For more info, see the transport_api_version field here. (https://github.com/solo-io/gloo/issues/4160)

  • (From OSS v1.7.0-beta9) Added the new envoy_metadata route option. This field can be used to provide additional information which can be consumed by the Envoy filters that process requests that match the route. For more info about metadata, see here. (https://github.com/solo-io/gloo/issues/4160)

  • (From OSS v1.7.0-beta9) Add support for metadata actions to the rate limit API. The new metadata action type can now be used to generate rate limit descriptors based on both static and dynamic Envoy metadata. (https://github.com/solo-io/gloo/issues/4160)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.7.0-beta11.

  • solo-io/ext-auth-service has been upgraded to v0.7.10.

  • solo-io/gloo has been upgraded to v1.7.0-beta10.

  • solo-io/solo-apis has been upgraded to gloo-v1.7.0-beta10.

  • solo-io/skv2 has been upgraded to v0.7.0.

  • solo-io/skv2-enterprise has been upgraded to v0.7.0.

  • solo-io/rate-limiter has been upgraded to v0.7.0.

  • solo-io/solo-apis has been upgraded to v0.0.0-20210122142844-ac0df2dce136.

  • helm/helm has been upgraded to v3.4.2.

  • containerd/containerd has been upgraded to v1.4.3.

  • k8s.io/kube-openapi has been upgraded to v0.0.0-20200805222855-6aeccd4b50c6.

  • k8s.io/utils has been upgraded to v0.0.0-20201110183641-67b214c5f920.

  • k8s.io/controller-runtime has been upgraded to v0.7.0.

  • k8s.io/kubernetes has been upgraded to v1.19.6.

  • (From OSS v1.7.0-beta9) solo-io/skv1 has been upgraded to v0.7.0.

  • (From OSS v1.7.0-beta9) solo-io/solo-apis has been upgraded to v0.0.0-20210122142844-ac0df2dce136.

  • (From OSS v1.7.0-beta9) helm/helm has been upgraded to v3.4.2.

  • (From OSS v1.7.0-beta9) containerd/containerd has been upgraded to v1.4.3.

  • (From OSS v1.7.0-beta9) k8s.io/kube-openapi has been upgraded to v0.0.0-20200805222855-6aeccd4b50c6.

  • (From OSS v1.7.0-beta9) k8s.io/utils has been upgraded to v0.0.0-20201110183641-67b214c5f920.

  • (From OSS v1.7.0-beta9) k8s.io/controller-runtime has been upgraded to v0.7.0.

  • (From OSS v1.7.0-beta9) k8s.io/kubernetes has been upgraded to v1.19.6.

Helm Changes

  • Allow setting the API version of the ext_authz transport protocol via the new global.extensions.extAuth.transportApiVersion Helm value. The allowed values are V2 and V3, with the latter being the default. Users who are running a custom external auth server should make sure that the server supports V3 of the API. If it does not, transportApiVersion should be set to V2 to maintain backwards compatibility. This does not apply to the default Gloo Edge Enterprise external auth server, which supports both protocol versions. Note that transportApiVersion needs to be V3 in order for the external auth server to be able to emit dynamic metadata. (https://github.com/solo-io/gloo/issues/4160)

v1.7.0-beta5 (Uses Gloo Edge OSS v1.7.0-beta8)

New Features

Fixes

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.7.9.

  • solo-io/gloo has been upgraded to v1.7.0-beta7.

  • solo-io/skv2 has been upgraded to v0.16.1.

v1.7.0-beta4 (Uses Gloo Edge OSS v1.7.0-beta8)

New Features

Fixes

v1.7.0-beta3 (Uses Gloo Edge OSS v1.7.0-beta5)

Fixes

  • (From OSS v1.7.0-beta5) CPU profile of Gloo at scale (5000+ upstreams) indicated that the generateXDSSnapshot function was taking upwards of 5 seconds of CPU on a ~50 second sample. This change optimizes the code by creating hashes for the XDS snapshot using deterministic proto marshalling and fnv hashing rather than the reflection-based mitchellh/hashstructure, which was benchmarked to be several orders of magnitude slower. (https://github.com/solo-io/gloo/issues/4084)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.7.0-beta5.

v1.7.0-beta2 (Uses Gloo Edge OSS v1.7.0-beta4)

New Features

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.7.0-beta4.

  • (From OSS v1.7.0-beta2) solo-io/protoc-gen-ext has been upgraded to v0.0.14.

Helm Changes

  • Have Gloo-EE’s helm config make use of Gloo-OS’s new Istio integration config and blacklist pods from Istio discovery. (https://github.com/solo-io/gloo/issues/3924)

  • (From OSS v1.7.0-beta3) Add 3 configuration values under global.istioIntegration to control automatic discovery and sidecar injection for Gloo pods by Istio. LabelInstallNamespace adds a label to mark the namespace for Istio discovery if the namespace is designated to be created in the chart. WhitelistDiscovery explicitly annotates Gloo’s discovery pod for Istio sidecar injection. DisableAutoinjection annotates all pods that aren’t more specifically noted elsewhere so that they never receive Istio sidecar injection. (https://github.com/solo-io/gloo/issues/3924)

v1.7.0-beta1

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.7.0-beta1.

v1.6

v1.6.15 (Uses Gloo Edge OSS v1.6.10)

New Features

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.10.

v1.6.14 (Uses Gloo Edge OSS v1.6.8)

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.7.15.

v1.6.13 (Uses Gloo Edge OSS v1.6.8)

Fixes

v1.6.12 (Uses Gloo Edge OSS v1.6.8)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.8.

v1.6.11 (Uses Gloo Edge OSS v1.6.7)

Fixes

v1.6.10 (Uses Gloo Edge OSS v1.6.7)

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.7.14.

v1.6.9 (Uses Gloo Edge OSS v1.6.7)

Fixes

  • Fix per value rate-limits in the set-style API. (i.e., when omitting the optional value from a simple descriptor, create a rate limit for each unique value instead of having the unique values share the same limit). (https://github.com/solo-io/gloo/issues/4257)

v1.6.8 (Uses Gloo Edge OSS v1.6.7)

Fixes

Dependency Bumps

  • solo-io/protoc-gen-ext has been upgraded to v0.0.15.

  • solo-io/gloo has been upgraded to v1.6.7.

  • solo-io/k8s-utils has been upgraded to v0.0.5.

  • (From OSS v1.6.7) solo-io/protoc-gen-ext has been upgraded to v0.0.15.

Helm Changes

v1.6.7 (Uses Gloo Edge OSS v1.6.6)

Fixes

v1.6.6 (Uses Gloo Edge OSS v1.6.6)

Fixes

  • Fixes an issue where gloo would repeatedly send unchanged configs to the extauth service, triggering excessive logging and user confusion. This was caused by an inconsistent ordering of configurations when hashing them to determine if anything had changed. (https://github.com/solo-io/gloo/issues/3631)

  • (From OSS v1.6.6) Allow for the configuration of socket options on the envoy listener. This is useful, for example, to set TCP keep alive for downstream connections to envoy (e.g., NLB in front of envoy). (https://github.com/solo-io/gloo/issues/3758)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.6.

v1.6.5 (Uses Gloo Edge OSS v1.6.5)

Fixes

v1.6.4 (Uses Gloo Edge OSS v1.6.4)

Fixes

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.7.9.

v1.6.3 (Uses Gloo Edge OSS v1.6.4)

New Features

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.4.

v1.6.2 (Uses Gloo Edge OSS v1.6.3)

New Features

Fixes

  • Fix the proxy memory leak in the Gloo pod. It was being caused by a map of resources with status updates never being cleared. Rather than have this map created and passed in at setup time, it will instead be an argument to the various functions. (https://github.com/solo-io/gloo/issues/4078)

  • (From OSS v1.6.3) CPU profile of Gloo at scale (5000+ upstreams) indicated that the generateXDSSnapshot function was taking upwards of 5 seconds of CPU on a ~50 second sample. This change optimizes the code by creating hashes for the XDS snapshot using deterministic proto marshalling and fnv hashing rather than the reflection-based mitchellh/hashstructure, which was benchmarked to be several orders of magnitude slower. (https://github.com/solo-io/gloo/issues/4084)

  • (From OSS v1.6.3) CPU profile of Gloo at scale (5000+ upstreams) indicated that the endpointsForUpstream function was taking upwards of 5 seconds of CPU on a ~50 second sample. This change optimizes the code by using a map instead of looping over all endpoints for each upstream. (https://github.com/solo-io/gloo/issues/4084)

  • (From OSS v1.6.3) Gloo Edge now proactively reports warnings on virtual services that have matchers that are short-circuited.

  • (From OSS v1.6.3) Fix a race condition in the gateway-validation-webhook, where resources applied concurrently can avoid validation. (https://github.com/solo-io/gloo/issues/4136)

  • (From OSS v1.6.2) Gloo Edge now proactively reports warnings on virtual services that have matchers that are short-circuited.

  • (From OSS v1.6.2) Switching CSRF mode from enabled to shadow mode does not apply default enabled value to filter. (https://github.com/solo-io/gloo/issues/4053)

Dependency Bumps

  • (From OSS v1.6.2) solo-io/protoc-gen-ext has been upgraded to v0.0.14.

v1.6.1 (Uses Gloo Edge OSS v1.6.1)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.1.

v1.6.0 (Uses Gloo Edge OSS v1.6.0)

New Features

  • Observability deployment uses upstreams’ dashboardFolderId values to place corresponding grafana dashboards in specified folders. (https://github.com/solo-io/gloo/issues/3920)

  • Allows wasm filters to be loaded from a filepath. This allows for pre-loading wasm filters on pod startup, removing the need to make network requests at runtime to retrieve filters. (https://github.com/solo-io/gloo/issues/4025)

  • (From OSS v1.6.0) Gloo Edge can now more proactively report warnings on virtual services that are likely misconfigured.

  • (From OSS v1.6.0-beta24) Adds a new headers_to_append field to the HTTP request transformation API. This allows users to specify headers which can contain multiple values and to specify transformations for each of the values. (https://github.com/solo-io/gloo/issues/3901)

Fixes

Dependency Bumps

  • gloo/solo-io has been upgraded to v1.6.0.

  • solo-io/gloo has been upgraded to v1.6.0-beta25.

  • (From OSS v1.6.0) solo-io/envoy-gloo has been upgraded to v1.17.0-rc4.

  • (From OSS v1.6.0-beta24) solo-io/envoy-gloo has been upgraded to v1.17.0-rc3.

Helm Changes

  • (From OSS v1.6.0-beta24) Add the helm value gatewayProxies.gatewayProxy.readConfigMulticluster, set to false by default. Setting this to true will add a gateway-proxy-config-dump-service Service to the gloo installation namespace. This service allows multicluster management planes to access the envoy config dump on port 8082 of the gateway-proxy. (https://github.com/solo-io/gloo/issues/4012)

Upgrade Notes

v1.6.0-beta13 (Uses Gloo Edge OSS v1.6.0-beta23)

New Features

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.0-beta23.

  • solo-io/ext-auth-service has been upgraded to v0.7.8.

  • solo-io/solo-kit has been upgraded to v0.17.0.

  • (From OSS v1.6.0-beta21) solo-io/skv2 has been upgraded to v0.15.2.

Helm Changes

v1.6.0-beta12 (Uses Gloo Edge OSS v1.6.0-beta20)

Fixes

v1.6.0-beta11 (Uses Gloo Edge OSS v1.6.0-beta18)

New Features

Fixes

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.7.4.

  • solo-io/gloo has been upgraded to v1.6.0-beta18.

  • solo-io/ext-auth-service has been upgraded to v0.7.5.

  • (From OSS v1.6.0-beta18) solo-io/go-utils has been upgraded to v0.20.1.

Helm Changes

  • (From OSS v1.6.0-beta18) Add a helm value for setting the extauth field for gloo.solo.io.Settings. This allows configuring a custom external auth server while installing the Helm chart, without needing to post-render or patch the Settings object after the helm chart was installed or upgraded. (https://github.com/solo-io/gloo/issues/1892)

v1.6.0-beta10 (Uses Gloo Edge OSS v1.6.0-beta17)

New Features

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.6.0-beta17.

  • (From OSS v1.6.0-beta16) solo-io/go-utils has been upgraded to v0.20.0.

  • (From OSS v1.6.0-beta13) linux/alpine has been upgraded to v3.12.1.

Helm Changes

v1.6.0-beta9 (Uses Gloo Edge OSS v1.6.0-beta12)

New Features

Fixes

Dependency Bumps

  • solo-io/rate-limiter has been upgraded to v0.1.2.

  • solo-io/gloo has been upgraded to v1.6.0-beta12.

  • solo-io/solo-apis has been upgraded to actual-rate-limiter-v0.1.2.

  • linux/alpine has been upgraded to v3.12.1.

v1.6.0-beta8 (Uses Gloo Edge OSS v1.6.0-beta10)

New Features

Fixes

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.7.0.

  • gloo/solo-io has been upgraded to v1.6.0-beta10.

  • (From OSS v1.6.0-beta8) solo-io/solo-apis has been upgraded to rate-limiter-v0.1.2.

Helm Changes

v1.6.0-beta7 (Uses Gloo Edge OSS v1.6.0-beta7)

New Features

Fixes

Dependency Bumps

Helm Changes

v1.6.0-beta6 (Uses Gloo Edge OSS v1.6.0-beta5)

New Features

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.6.19.

Helm Changes

v1.6.0-beta5 (Uses Gloo Edge OSS v1.6.0-beta5)

New Features

Fixes

Dependency Bumps

  • envoy-gloo-ee/solo-io has been upgraded to v1.17.0-rc1.

  • gloo/solo-io has been upgraded to v1.16.0-beta3.

  • (From OSS v1.6.0-beta3) envoy-gloo/solo-io has been upgraded to v1.17.0-rc1.

Helm Changes

v1.6.0-beta4 (Uses Gloo Edge OSS v1.6.0-beta2)
  • This release contained no user-facing changes.

v1.6.0-beta3
  • This release build failed.

  • This release contained no user-facing changes.

v1.6.0-beta2
  • This release build failed.

  • This release contained no user-facing changes.

v1.6.0-beta1
  • This release build failed.

New Features

  • Expose apiserver over HTTPS using self-signed certs when running in glooMtls mode. (https://github.com/solo-io/gloo/issues/3384)

  • With each release, we will additionally be publishing an alternate set of docker containers (tagged as usual but with the “-extended” suffix) that have some additional dependencies built in (e.g., curl for debugging). You can deploy these images by setting the helm value global.image.extended=true. (https://github.com/solo-io/gloo/issues/3399)

  • Implement new AuthConfig API that allows users to specify a boolean expression to determine how to evaluate auth configs within an auth chain. Previously, each config on an auth config must be authorized for the entire request to be authorized. This remains the default, but now users can additionally specify a boolean expression (the booleanExpr field on an auth config) to reference the auth configs and AND/OR/NOT them together to achieve the desired access policy. (https://github.com/solo-io/gloo/issues/3207)

Fixes

Helm Changes

v1.5

v1.5.16 (Uses Gloo Edge OSS v1.5.16)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.16.

v1.5.15 (Uses Gloo Edge OSS v1.5.15)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.15.

v1.5.14 (Uses Gloo Edge OSS v1.5.14)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.14.

v1.5.13 (Uses Gloo Edge OSS v1.5.13)

Helm Changes

v1.5.12 (Uses Gloo Edge OSS v1.5.13)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.13.

  • (From OSS v1.5.13) solo-io/envoy-gloo has been upgraded to v1.16.1-patch1.

v1.5.11 (Uses Gloo Edge OSS v1.5.12)

Fixes

Dependency Bumps

  • gloo/solo-io has been upgraded to v1.5.12.

Helm Changes

v1.5.10 (Uses Gloo Edge OSS v1.5.10)

Fixes

Dependency Bumps

  • gloo/solo-io has been upgraded to v1.5.10.

v1.5.9 (Uses Gloo Edge OSS v1.5.9)

Fixes

Dependency Bumps

  • gloo/solo-io has been upgraded to v1.5.9.

Helm Changes

v1.5.8 (Uses Gloo Edge OSS v1.5.8)

Fixes

v1.5.7 (Uses Gloo Edge OSS v1.5.7)

Helm Changes

v1.5.6 (Uses Gloo Edge OSS v1.5.6)

Fixes

Dependency Bumps

  • solo-kit/gloo has been upgraded to v1.5.6.

  • (From OSS v1.5.6) solo-kit/solo-io has been upgraded to v0.13.14.

Helm Changes

v1.5.5 (Uses Gloo Edge OSS v1.5.5)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.5.

Helm Changes

v1.5.4 (Uses Gloo Edge OSS v1.5.3)

Fixes

  • (From OSS v1.5.3) Fix an issue where ssl configurations across different virtual services may be incorrectly cached if the ssl configurations only differ by ssl-parameters (e.g., min tls version). After this change, ssl configurations that are only different by ssl parameters must have different sni domains. Prior to this change, such a configuration would not error but could result in one ssl configuration being selected over another; now an explicit error is recorded on the virtual service. (https://github.com/solo-io/gloo/issues/3776)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.3.

v1.5.3 (Uses Gloo Edge OSS v1.5.2)

Fixes

v1.5.2 (Uses Gloo Edge OSS v1.5.2)

Fixes

  • No longer let the api-server create a default settings CRD when none is provided. (https://github.com/solo-io/gloo/issues/3677)

  • Fix the grpc service names in health checks. This fixes a regression that was introduced in Gloo enterprise v1.5.0-beta8 and v1.4.7. Without this fix, the rate-limit and ext-auth grpc services will fail health checks and go into panic mode (which by default, ignores health checks, so requests still work). (https://github.com/solo-io/gloo/issues/3745)

  • (From OSS v1.5.2) Fix the validation API to only return proxies that would be generated by proposed resources if requested. This change means the default behavior matches the kubernetes validation webhook API. By including the top-level value returnProxies=true in the json/yaml request to the API, you can signal the endpoint to return the proxies that would be generated (previously, always returning by default). (https://github.com/solo-io/gloo/issues/3613)

  • (From OSS v1.5.2) Fix the validation API to return all errors encountered while validating a list of resources, rather than immediately returning on the first unmarshal error encountered for a resource in a list resource. (https://github.com/solo-io/gloo/issues/3610)

  • (From OSS v1.5.2) Fix the validation API error reporting to include the resource associated with the error returned. (https://github.com/solo-io/gloo/issues/3610)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.2.

v1.5.1 (Uses Gloo Edge OSS v1.5.1)

Fixes

Helm Changes

v1.5.0 (Uses Gloo Edge OSS v1.5.0)

New Features

  • (From OSS v1.5.0-beta27) Add API to AuthConfig that allows users to specify a boolean expression to determine how to evaluate auth configs within an auth chain. Previously, each config on an auth config must be authorized for the entire request to be authorized. This remains the default, but now users can additionally specify a boolean expression (the booleanExpr field on an auth config) to reference the auth configs and AND/OR/NOT them together to achieve the desired access policy. (https://github.com/solo-io/gloo/issues/3207)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0.

  • solo-io/envoy-gloo-ee has been upgraded to v1.16.0-rc6.

  • (From OSS v1.5.0) solo-io/envoy-gloo has been upgraded to 1.16.0-rc4.

  • (From OSS v1.5.0-beta28) solo-io/envoy-gloo has been upgraded to 1.16.0-rc3.

v1.5.0-beta12 (Uses Gloo Edge OSS v1.5.0-beta26)
  • marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

New Features

Fixes

Dependency Bumps

  • solo-io/envoy-gloo-ee has been upgraded to 1.16.0-rc5.

  • solo-io/gloo has been upgraded to v1.5.0-beta26.

v1.5.0-beta11 (Uses Gloo Edge OSS v1.5.0-beta25)
  • marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

New Features

  • (From OSS v1.5.0-beta25) Add new inheritableMatchers boolean field (default false) to virtual services and route tables that, when true, changes how route delegation handles header, method, and query parameter matchers from the parent resource. By default, route tables must have matchers that are a superset of those from the parent, as this improves readability. By setting inheritableMatchers to true, any header, method, and query parameter matchers from the parent that are absent from the child will be automatically included on the generated route. (https://github.com/solo-io/gloo/issues/3327)

  • (From OSS v1.5.0-beta25) Generate standard Kubernetes go types and clients for AuthConfig custom resources so users can programmatically manage these objects without having to use our solo-kit based clients. (https://github.com/solo-io/gloo/issues/3643)

  • (From OSS v1.5.0-beta23) Added improvements to the user experience for using gloo with Istio. Added helper commands for glooctl, so that users can simply perform glooctl istio inject and glooctl istio enable-mtls --upstream foo in order to have Gloo and Istio up and running and communicating together over mTLS. (https://github.com/solo-io/gloo/issues/3532)

  • (From OSS v1.5.0-beta23) Allow secrets to be added to request headers by referencing a k8s secret resource via its namespace and name. (https://github.com/solo-io/gloo/issues/2751)

  • (From OSS v1.5.0-beta23) Change the glooctl cluster unregister command to glooctl cluster deregister. The deregister command now deletes the service account, cluster role, and cluster role binding created on the remote cluster during the cluster registration process. Example usage is glooctl cluster deregister --cluster-name kind-remote --remote-context kind-remote. (https://github.com/solo-io/gloo/issues/3369)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta25.

  • (From OSS v1.5.0-beta23) envoyproxy/envoy has been upgraded to v1.16-rc2.

  • (From OSS v1.5.0-beta23) solo-io/skv2 has been upgraded to v0.8.1.

v1.5.0-beta10 (Uses Gloo Edge OSS v1.5.0-beta22)
  • This release contained no user-facing changes.

New Features

Fixes

Helm Changes

v1.5.0-beta9 (Uses Gloo Edge OSS v1.5.0-beta20)

New Features

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta20.

Helm Changes

v1.5.0-beta8 (Uses Gloo Edge OSS v1.5.0-beta19)

New Features

  • Allow adding arbitrary API key secret data to the headers of successfully authorized requests. (https://github.com/solo-io/gloo/issues/3385)

  • Allow users to change the name of the header that the Gloo Enterprise external auth server inspects for API keys. (https://github.com/solo-io/gloo/issues/3390)

  • The API keys can now be provided as simple Kubernetes secrets. Instead of being nested in a YAML document inside the secret data, the key is now simply the value of the api-key data key. This change is backwards compatible, i.e. Gloo will still support existing secrets with the old format. glooctl create secret apikey will now generate secrets with the new format. (https://github.com/solo-io/gloo/issues/3472)

  • (From OSS v1.5.0-beta19) Expose the raw envoy configuration for the gRPC to JSON transcoding filter, which can be leveraged to expose a gRPC service both as a gRPC service and as a REST API. Exposing the underlying envoy configuration allows users more granular control over the gRPC to JSON mappings than the current Gloo API for gRPC to JSON (that doesn’t require explicit protobuf descriptors to be provided since they will be discovered). One example where users may want more granular control of their gRPC to JSON mappings may be to leverage query parameter transcoding. (https://github.com/solo-io/gloo/issues/2188)

  • (From OSS v1.5.0-beta19) Allow users to specify extra headers for health check requests as secrets. New gloo secret type “header”, containing header name-value pairs, can now be created (details here). Health checks can reference header secrets for additional headers to add in addition to specifying them explicitly. (https://github.com/solo-io/gloo/issues/2914)

  • (From OSS v1.5.0-beta18) Support a flag “-x” for excluding certain checks with glooctl. (https://github.com/solo-io/gloo/issues/3492)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta19.

  • solo-io/ext-auth-service has been upgraded to v0.6.15.

  • serialize-javascript/gloo-ui has been upgraded to 3.1.0.

  • dot-prop/gloo-ui has been upgraded to 4.2.1.

  • (From OSS v1.5.0-beta18) solo-io/solo-apis has been upgraded to gloo-fed-v0.0.19.

Helm Changes

  • The bootstrap configuration for the Envoy sidecar that handles traffic between the Gloo Enterprise Admin Dashboard and the API server is now exposed as a ConfigMap named default-apiserver-envoy-config. This ConfigMap is installed by default by the Gloo Enterprise Helm chart. Users can provide their own custom bootstrap configuration for the sidecar via the new apiServer.deployment.envoy.bootstrapConfig.configMapName Helm value. The value must contain the name of a ConfigMap that is present in the same namespace as the api-server deployment. This ConfigMap must contain the Envoy bootstrap configuration in YAML format under a data entry named config.yaml. (https://github.com/solo-io/gloo/issues/3477)

  • Add the new helm value global.extensions.dataplanePerProxy (default false). When true, Gloo will deploy a set of dataplane resources for each proxy deployment (i.e., gateway/ingress). These resources include the extauth server and rate limit server, as well as their dependent resources. Note that if dataplanePerProxy is enabled, each Gateway resource will need to be updated to point to its respective dataplane, via the gatewayProxies.NAME.gatewaySettings.customHttpGateway and/or the gatewayProxies.NAME.gatewaySettings.customHttpsGateway helm values. (https://github.com/solo-io/gloo/issues/3236)

  • Add helm value for rate limit descriptors in settings. (https://github.com/solo-io/gloo/issues/3422)

  • (From OSS v1.5.0-beta19) Add ability to supply arbitrary labels to gloo pods via helm configuration (https://github.com/solo-io/gloo/issues/3441)

v1.5.0-beta7 (Uses Gloo Edge OSS v1.5.0-beta16)

Fixes

Dependency Bumps

  • elliptic/elliptic has been upgraded to 4.11.9.

  • solo-io/gloo has been upgraded to v1.5.0-beta16.

  • solo-io/gloo has been upgraded to v1.5.0-beta14.

Helm Changes

  • In v1.4.0-beta8 the api-server service was changed from a NodePort service to a ClusterIP service, so that it is not available outside of the cluster. Now the service type is configurable in case users still want to make the service accessible outside the cluster. (https://github.com/solo-io/gloo/issues/3318)

v1.5.0-beta6 (Uses Gloo Edge OSS v1.5.0-beta12)

Fixes

Dependency Bumps

  • solo-io/envoy-gloo-ee has been upgraded to v1.15.0-patch1.

  • solo-io/gloo has been upgraded to v1.5.0-beta12.

v1.5.0-beta5

  • This release build failed. Some images weren’t built and pushed properly; do not attempt to use this release.

New Features

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta11.

v1.5.0-beta4 (Uses Gloo Edge OSS v1.5.0-beta10)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta10.

v1.5.0-beta3 (Uses Gloo Edge OSS v1.5.0-beta8)

New Features

  • Gloo Enterprise now supports enforcing rate limit policies using RateLimitConfig resources. Users can apply a set of policies to VirtualHosts and Routes by referencing a set of RateLimitConfig resources. Each resource represents a rate limit policy that will be independently enforced. Please see the docs for a detailed explanation of the new API. (https://github.com/solo-io/gloo/issues/3335)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta8.

  • lodash/lodash has been upgraded to 4.7.19.

  • solo-io/dev-portal has been upgraded to v0.1.12.

  • solo-io/go-utils has been upgraded to v0.16.5.

  • solo-io/rate-limiter has been upgraded to v0.1.0.

  • solo-io/solo-kit has been upgraded to v0.13.9.

v1.5.0-beta2 (Uses Gloo Edge OSS v1.5.0-beta7)

New Features

  • Add support for OAuth2 access token validation via token introspection (i.e., opaque access tokens) to the extauth service. Also add support for configuring the userinfo OIDC endpoint to the new access token validation API, which allows users to leverage the userinfo response in extauth plugins. (https://github.com/solo-io/gloo/issues/3055)

Fixes

  • Correctly append custom headers added from extauth plugins when a UserID is also being set in the extauth plugin (or from any other extauth plugin in a chain of AuthConfigs). Previously, headers added from extauth plugins were ignored (i.e. not available to the upstream service) when a UserID was set. (https://github.com/solo-io/gloo/issues/3208)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.5.0-beta7.

v1.5.0-beta1

Fixes

  • A single invalid AuthConfig can no longer halt processing of other valid AuthConfigs. (https://github.com/solo-io/gloo/issues/3097)

  • Fix issue where gateway-level extauth could not be overridden by lower-level virtualhost, route, and weighted destination extauth config. Also fix issue where extauth config at listener level wouldn’t override the global setting for userIdHeader. Also fix issue where ratelimit config for rateLimitBeforeAuth at listener level wouldn’t override the global default, similarly true for the “basic” ratelimit API. (https://github.com/solo-io/gloo/issues/3270)

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.6.12.

  • envoy-gloo-ee/solo-io has been upgraded to v1.15.0-rc1.

  • solo-io/gloo has been upgraded to v1.5.0-beta6.

v1.4

v1.4.16 (Uses Gloo Edge OSS v1.4.13)

Fixes

Dependency Bumps

  • solo-io/envoy-gloo-ee has been upgraded to 1.15.1-patch2.

v1.4.15 (Uses Gloo Edge OSS v1.4.13)

  • marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.6.12-patch1.

v1.4.14 (Uses Gloo Edge OSS v1.4.13)

  • marked as a pre-release due to a regression that will crash Gloo if it has an AWS upstream

Fixes

v1.4.13 (Uses Gloo Edge OSS v1.4.12)

Fixes

v1.4.12 (Uses Gloo Edge OSS v1.4.12)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.12.

v1.4.11 (Uses Gloo Edge OSS v1.4.11)

Fixes

  • Removes crd permissions from the apiserver-ui Role so namespaced glooE can be installed by a namespaced user. (https://github.com/solo-io/gloo/issues/3424)

  • The extauth service now supports tls connections to the extauth service itself using a kubernetes secret rather than using cert and key files. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service by setting the helm value global.extensions.extAuth.tlsEnabled to true. To pull the cert and key from a kubernetes secret, set the helm value global.extensions.extAuth.secretName to the name of the tls secret containing the tls.crt and tls.key data. Note that the secret must be in the same namespace as the extauth deployment. (https://github.com/solo-io/gloo/issues/3430)

Helm Changes

  • Fix the multi dataplane per proxy helm functionality (global.extensions.dataplanePerProxy, default false) that was introduced in Gloo v1.4.7. Since Gloo v1.4.7, if users provided multiple proxies (not a default install) and dataplanePerProxy was false, then the Gloo Enterprise chart would also try to install duplicates of some extauth, ratelimit, and redis resources; this would fail those installations/upgrades. (https://github.com/solo-io/gloo/issues/3516)

v1.4.10 (Uses Gloo Edge OSS v1.4.11)

New Features

  • (From OSS v1.4.11) Allow users to specify extra headers for health check requests as secrets. New gloo secret type “header”, containing header name-value pairs, can now be created (details here). Health checks can reference header secrets for additional headers to add in addition to specifying them explicitly. (https://github.com/solo-io/gloo/issues/2914)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.11.

v1.4.9 (Uses Gloo Edge OSS v1.4.10)

Fixes

Helm Changes

  • The bootstrap configuration for the Envoy sidecar that handles traffic between the Gloo Enterprise Admin Dashboard and the API server is now exposed as a ConfigMap named default-apiserver-envoy-config. This ConfigMap is installed by default by the Gloo Enterprise Helm chart. Users can provide their own custom bootstrap configuration for the sidecar via the new apiServer.deployment.envoy.bootstrapConfig.configMapName Helm value. The value must contain the name of a ConfigMap that is present in the same namespace as the api-server deployment. This ConfigMap must contain the Envoy bootstrap configuration in YAML format under a data entry named config.yaml. (https://github.com/solo-io/gloo/issues/3477)

v1.4.8 (Uses Gloo Edge OSS v1.4.10)

Fixes

v1.4.7 (Uses Gloo Edge OSS v1.4.9)

Fixes

  • Update the version of golang Gloo was built with from 1.14.0 to 1.14.6, to pick up patch fixes to Go; most notably, a workaround in Go for a bug in affected Linux kernels (5.2.x, 5.3.0-5.3.14, 5.4.0-5.4.1) that could result in a corrupted AVX register and crash Gloo. (https://github.com/solo-io/gloo/issues/3493)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.9.

Helm Changes

  • Add the new helm value global.extensions.dataplanePerProxy (default false). When true, Gloo will deploy a set of dataplane resources for each proxy deployment (i.e., gateway/ingress). These resources include the extauth server and rate limit server, as well as their dependent resources. Note that if dataplanePerProxy is enabled, each Gateway resource will need to be updated to point to its respective dataplane, via the gatewayProxies.NAME.gatewaySettings.customHttpGateway and/or the gatewayProxies.NAME.gatewaySettings.customHttpsGateway helm values. (https://github.com/solo-io/gloo/issues/3236)

  • Add helm value for rate limit descriptors in settings. (https://github.com/solo-io/gloo/issues/3422)

v1.4.6 (Uses Gloo Edge OSS v1.4.8)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.8.

Helm Changes

  • In v1.4.0-beta8 the api-server service was changed from a NodePort service to a ClusterIP service, so that it is not available outside of the cluster. Now the service type is configurable in case users still want to make the service accessible outside the cluster. (https://github.com/solo-io/gloo/issues/3318)

v1.4.6-patch2 (Uses Gloo Edge OSS v1.4.8-patch1)

  • This release contained no user-facing changes.

v1.4.6-patch1 (Uses Gloo Edge OSS v1.4.8-patch1)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.8-patch1.

v1.4.5 (Uses Gloo Edge OSS v1.4.6)

Fixes

Dependency Bumps

  • solo-io/envoy-gloo-ee has been upgraded to v1.15.0-patch1.

  • solo-io/gloo has been upgraded to v1.4.6.

v1.4.4 (Uses Gloo Edge OSS v1.4.5)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.5.

v1.4.3 (Uses Gloo Edge OSS v1.4.4)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.4.

v1.4.2 (Uses Gloo Edge OSS v1.4.3)

Fixes

  • Fix issue where gateway-level extauth could not be overridden by lower-level virtualhost, route, and weighted destination extauth config. Also fix issue where extauth config at listener level wouldn’t override the global setting for userIdHeader. Also fix issue where ratelimit config for rateLimitBeforeAuth at listener level wouldn’t override the global default, similarly true for the “basic” ratelimit API. (https://github.com/solo-io/gloo/issues/3270)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.3.

v1.4.1 (Uses Gloo Edge OSS v1.4.2)

Fixes

Dependency Bumps

  • envoy-gloo-ee/solo-io has been upgraded to v1.15.0-rc1.

  • solo-io/gloo has been upgraded to v1.4.2.

CVEs

  • Updated envoy-gloo-ee to one based on envoy master (1.15.0), which includes security fixes in envoy. For more details on the CVEs, see the envoy release notes here.

  • Note that one of the CVEs requires setting the global_downstream_max_connections, which may affect traffic if you perform a rolling upgrade from a version vulnerable to the CVE. The max connections is configurable and defaults to 250,000.

v1.4.0 (Uses Gloo Edge OSS v1.4.1)

New Features

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.0.

v1.4.0-beta7 (Uses Gloo Edge OSS v1.4.0-beta13)

Fixes

  • This fixes the queries used in the default Grafana charts. Previously, they were picking up stats from both kubernetes pods and Envoy, so that several charts displayed double the correct value. (https://github.com/solo-io/gloo/issues/2919)

  • This fixes the open source installation of Gloo with the read-only UI. Previously, the gateway pod was in an error state with the logs stating that “no validation configuration was provided”. (https://github.com/solo-io/gloo/issues/2127)

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.6.11.

  • solo-io/gloo has been upgraded to v1.4.0-beta13.

  • solo-io/envoy-gloo-ee has been upgraded to v1.4.6.

v1.4.0-beta6

New Features

  • The extauth service now supports tls connections to the extauth service itself rather than through an envoy sidecar that handles tls termination. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service. This can be configured by setting the helm value global.extensions.extAuth.tlsEnabled to true. When enabled, the extauth service looks for tls cert files at /etc/envoy/ssl/tls.crt and tls key files at /etc/envoy/ssl/tls.key, which are configurable by the CERT_PATH and KEY_PATH environment variables, respectively. (https://github.com/solo-io/gloo/issues/2929)

  • We now support emitting ModSecurity WAF Audit Log in Envoy’s access log. (https://github.com/solo-io/gloo/issues/1525)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.4.0-beta8.

  • SpiderLabs/owasp-modsecurity-crs has been upgraded to v3.2.0.

v1.3

v1.3.14 (Uses Gloo Edge OSS v1.3.32)

Fixes

Dependency Bumps

  • solo-io/envoy-gloo-ee has been upgraded to 1.14.5-patch1.

v1.3.13 (Uses Gloo Edge OSS v1.3.32)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.3.32.

  • solo-io/solo-kit has been upgraded to v0.13.8.

  • (From OSS v1.3.32) solo-io/solo-kit has been upgraded to v0.13.8.

v1.3.12 (Uses Gloo Edge OSS v1.3.31)

Fixes

Dependency Bumps

  • envoy-gloo-ee/solo-io has been upgraded to v1.14.3-patch1.

  • solo-io/gloo has been upgraded to v1.3.31.

v1.3.11 (Uses Gloo Edge OSS v1.3.30)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.3.30.

v1.3.10 (Uses Gloo Edge OSS v1.3.29)

Fixes

v1.3.9 (Uses Gloo Edge OSS v1.3.28)

Fixes

  • This fixes the open source installation of Gloo with the read-only UI. Previously, the gateway pod was in an error state with the logs stating that “no validation configuration was provided”. (https://github.com/solo-io/gloo/issues/2127)

  • Enterprise Gloo now publishes a stat glooe_rate_limit_connected_state, which is 1 if there is valid rate limit config, and 0 if there is an error. (https://github.com/solo-io/gloo/issues/2832)

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.3.28.

v1.3.8 (Uses Gloo Edge OSS v1.3.27)

New Features

  • Gloo’s validation webhook now validates inja compilation syntax before accepting/rejecting virtual services that use transformations. Note that strict validation is still disabled by default, and must be enabled in the Gloo settings (set gateway.validation.alwaysAccept=true). Users can now rely more on kubectl apply --server-dry-run against live clusters to properly validate whether config is valid before attempting to apply them to their cluster. (https://github.com/solo-io/gloo/issues/2114)

Fixes

  • This fixes the queries used in the default Grafana charts. Previously, they were picking up stats from both kubernetes pods and Envoy, so that several charts displayed double the correct value. (https://github.com/solo-io/gloo/issues/2919)

Dependency Bumps

  • solo-io/ext-auth-service has been upgraded to v0.6.11.

  • solo-io/gloo has been upgraded to v1.3.27.

v1.3.7 (Uses Gloo Edge OSS v1.3.26)

Fixes

v1.3.6

New Features

  • The extauth service now supports tls connections to the extauth service itself rather than through an envoy sidecar that handles tls termination. To enable extauth tls mode, set TLS_ENABLED to true in the extauth service. This can be configured by setting the helm value global.extensions.extAuth.tlsEnabled to true. When enabled, the extauth service looks for tls cert files at /etc/envoy/ssl/tls.crt and tls key files at /etc/envoy/ssl/tls.key, which are configurable by the CERT_PATH and KEY_PATH environment variables, respectively. (https://github.com/solo-io/gloo/issues/2929)

Fixes

Dependency Bumps

  • solo-io/gloo has been upgraded to v1.3.25.

v1.2

v1.2.13

Dependency Bumps

  • envoy-gloo-ee/solo-io has been upgraded to v1.14.3-patch1.

  • solo-io/gloo has been upgraded to v1.2.25.