Releases: kgateway-dev/kgateway
v1.2.1
Fixes
- The template for the settings resource needs to be a Helm pre-install hook to prevent races during install. The hook annotation was accidentally removed with the `1.2.0` release; this change adds it back. (solo-io#1838)
v1.2.0
Dependency Bumps
- envoyproxy/go-control-plane has been upgraded to v0.9.0.
- knative/serving has been upgraded to v0.10.0.
- solo-io/go-utils has been upgraded to v0.11.0.
- solo-io/reporting-client has been upgraded to v0.1.2.
- k8s.io/api has been upgraded to kubernetes-1.16.2.
- k8s.io/client-go has been upgraded to kubernetes-1.16.2.
- k8s.io/kubectl has been upgraded to kubernetes-1.16.2.
- k8s.io/apimachinery has been upgraded to kubernetes-1.16.2.
- k8s.io/apiextensions-apiserver has been upgraded to kubernetes-1.16.2.
- k8s.io/apiserver has been upgraded to kubernetes-1.16.2.
Helm Changes
- Move `gatewayProxies.NAME.kind.deployment.antiAffinity` Helm value out into `gatewayProxies.NAME.antiAffinity`, since it can be applied to both DaemonSets and Deployments. (solo-io#1775)
- Added `hook-delete-policy` to clean up the validation webhook certificate generation job after it has successfully completed. (solo-io#1732)
New Features
- Gloo Validation now always rejects resources which fail to unmarshal, even when strict validation is disabled. (solo-io#1795)
- The Gloo Helm chart is now compatible with Helm 3. (solo-io#1732)
- Refactor `glooctl` to make it compatible with the new Helm 3 chart format. `glooctl` now uses the new Helm 3 libraries and delegates the `install` and `uninstall` operations to the corresponding Helm functions to provide consistent behavior across different installation flows; for example, it is now possible to install Gloo using `glooctl` and uninstall it using Helm, or vice-versa (solo-io#1732)
- Deprecated the `installConfig.installationId` Helm value to track the resources that belong to a Gloo installation. Helm keeps track of resources by storing release information in a Kubernetes Secret in the namespace Gloo was installed in (this is the default with Helm 3 and can be changed via the `HELM_DRIVER` environment variable). `glooctl install` and `glooctl uninstall` now take the same approach (under the hood the two commands now delegate to their counterparts in the Helm 3 libraries). (solo-io#1635)
- Helm users can now easily install Gloo in `ingress` or `knative` mode by using value overrides. The Gloo Helm chart now packages a single values file instead of creating variants for `ingress` and `knative`. The values specific to those two installation modes have been merged into the default `values.yaml`, where they will be ignored when those two features are disabled (which is the default). To produce the manifests specific to the `ingress` and `knative` installations, users can now just disable the gateway and enable the desired component via Helm value overrides. (solo-io#1732)
- Add advanced rule priority options to Gloo Enterprise rate limit API, which will be supported in the next 1.x Gloo Enterprise release. (solo-io#1724)
- Add `virtual_service_namespaces` configuration to the `HttpGateway`, which allows `HttpGateway`s to reference `VirtualService`s outside of their own namespace using the label selector. The default behavior, which remains unchanged, is to restrict gateways to referencing virtual services in their own namespace. (solo-io#1695)
Fixes
- Fix a crash in Gloo that occurs when no kubeconfig is present (which is expected in non-Kubernetes environments). (solo-io#1777)
v1.1.0
Helm Changes
- Add the Helm field `extraEnvoyArgs` to .Values.gatewayProxies.gatewayProxy so users can add additional envoy command line arguments (e.g. --component-log-level "upstream:trace,misc:error", to set log levels for individual envoy components). See the full list of Envoy command line args here - https://www.envoyproxy.io/docs/envoy/latest/operations/cli (solo-io#1737)
New Features
- Bump default version of Knative Serving installed via glooctl install to 0.10.0 (solo-io#1761)
- Add the Helm field `.Values.gatewayProxies.gatewayProxy.extraEnvoyArgs` so users can add additional envoy command line arguments (e.g. --set component-log-level="...", to set log levels for individual envoy components). See the full list of Envoy command line args here - https://www.envoyproxy.io/docs/envoy/latest/operations/cli (solo-io#1737)
- Allow multiple value files to be passed in during installation (e.g. `glooctl install gateway --dry-run --values file1.yaml,file2.yaml --values file3.yaml`). (solo-io#1731)
v0.21.3
New Features
- The default version of GlooE installed by the CLI is now 0.21.0. (solo-io#1725)
v0.21.2
Helm Changes
- Add `enabled` to `.Values.gateway.validation` and `.Values.gateway.certGenJob` so users can disable the features without setting the root resource to nil. (solo-io#1561)
- Added Helm `settings.linkerd` chart value (solo-io#1651)
New Features
- Glooctl will now print a warning if the version of the binary differs by either major or minor version from the Gloo server components. In the same message, it will also suggest a command to run to bring glooctl's version in line with the server version. (solo-io#1513)
v1.0.0
Breaking Changes
- Rename the Gateway field tcpGateway.destinations to tcpGateway.tcpHosts in order to eliminate the duplicated field names (i.e., tcpGateway.destinations[].destination) (solo-io#1171)
- Remove deprecated v1 `Gateway` in favor of v2 `Gateway`; rename v2 gateway resources to v1. (solo-io#1171)
- When a Gateway has an empty httpGateway.virtualServices ref list, include all virtual services in the same namespace as the gateway. Previously the behavior was to include all virtual services in the cluster, which is unfriendly to multi-tenant setups. (solo-io#1142)
- Move the Helm values field "installConfig.installationId" to "global.glooInstallationId" in order to better facilitate usage of the Gloo sub-chart in Gloo Enterprise (solo-io#1635)
- Remove some deprecated APIs:
  - Remove `CorsPolicy` from Gateway and Gloo `VirtualHost`, prefer setting `CorsPolicy` on `VirtualHostPlugins`.
  - Remove `name` from gateway `VirtualHost`, was previously ignored.
  - Remove `bind_addr` and `circuit_breakers` from `Settings`, prefer `gloo.xdsBindAddr` and `gloo.circuitBreakers` on same message. (solo-io#1171)
- Rename all instances of `plugins` to `options` in Gloo's API. This prevents confusion as Gloo "plugins" is really an implementation detail for devs, and Gloo does not currently support dynamically-loaded plugins (aside from ExtAuth plugins).
  Proto messages have been updated as such:
  `VirtualHostPlugins` -> `VirtualHostOptions`
  `RoutePlugins` -> `RouteOptions`
  `WeightedDestinationPlugins` -> `WeightedDestinationOptions`
  `ListenerPlugins` -> `ListenerOptions`
  `HttpListenerPlugins` -> `HttpListenerOptions`
  `TcpListenerPlugins` -> `TcpListenerOptions`
  When referenced in yaml, each property is referenced as `options` under the appropriate containing resource. (solo-io#1171)
- Update ExtAuth secret API to use strongly-typed configuration. OAuth and ApiKey secrets are no longer configured in the opaque `extensions` block, the same configuration lives at the top level in the `api_key` and `oauth` blocks. (solo-io#1171)
- Refactor the Upstream API to remove the `upstreamSpec` field, bringing all the fields contained in `upstreamSpec` up one level to the top-level Upstream. (solo-io#1171)
Helm Changes
- Add `enabled` to `.Values.gateway.validation` and `.Values.gateway.certGenJob` so users can disable the features without setting the root resource to nil. (solo-io#1561)
- Allow the gateway certgen job to have a ttlSecondsAfterFinished set on it, defaulting to 60 seconds. A new Helm value "gateway.certGenJob.ttlSecondsAfterFinished" is provided to configure the value. This setting is currently in k8s Alpha (https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#ttl-mechanism-for-finished-jobs) so you may disable it entirely by setting "gateway.certGenJob.setTtlAfterFinished" to false. See https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates for information on the k8s feature flag corresponding to this setting ("TTLAfterFinished"). (solo-io#1631)
- Add a Helm values field `gateway.readGatewaysFromAllNamespaces`. This new field defaults to false to preserve the old Gateway controller behavior, which is to read Gateway CRDs only from the namespace in which the controller is running. When the field is set to `true`, it will read Gateway CRDs from any of the watch namespaces. (solo-io#1489)
- Move the Helm values field "installConfig.installationId" to "global.glooInstallationId" in order to better facilitate usage of the Gloo sub-chart in Gloo Enterprise (solo-io#1635)
- knative helm charts use compareSemver (solo-io#1623)
New Features
- The Gateway controller can now optionally process Gateway CRDs from anywhere in the watch namespaces, not just the namespace where the controller is running. The new setting controlling that can be found in the Gloo Settings object, at `gateway.readGatewaysFromAllNamespaces`. The value of this field can be configured at install time by setting the new Helm field `gateway.readGatewaysFromAllNamespaces` to your desired value; it defaults to false to preserve the old behavior. (solo-io#1489)
- Adds the glooctl command "glooctl debug yaml". This command dumps a YAML manifest representing the current state of the Gloo installation running in the specified namespace. This is mainly used as a debug tool, and is not yet suitable for use as a Gloo backup tool; the dumped manifest contains resourceVersions, so you may be unable to do, for example, "glooctl debug yaml | kubectl apply -f -" if a resource has changed between the dump and the "kubectl apply". (solo-io#1650)
- Glooctl will now print a warning if the version of the binary differs by either major or minor version from the Gloo server components. In the same message, it will also suggest a command to run to bring glooctl's version in line with the server version. (solo-io#1513)
- Implement a utility to print snapshot content with the Secret content redacted (solo-io#1679)
- Undeprecate `Extension`s (as configured on Gloo resources such as `Listener`s, `VirtualHost`s, `Route`s, etc.) and update documentation to explain its new purpose.
  Extensions are now used for:
  - controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. Extensions will be passed along from Gateways, VirtualServices, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml.
  - gRPC-based plugins which communicate with the Gloo translator out-of-process. Having extensions available enables development of out-of-process plugins without requiring recompiling & redeploying Gloo's API (solo-io#1205)
Fixes
- Fix potential race where plugins may be called across translates invoked by the Validation server at the same time as the Translation sync. (solo-io#1616)
- Use the installation ID set by Helm to ensure that glooctl uninstalls only resources created for the instance of Gloo being uninstalled. It does this by attempting to read the "installationId" label from the gloo pod. If the label is not found, the uninstall will fail. You can choose to proceed by passing the new --force flag to "glooctl uninstall", which will attempt to perform an uninstall that may inadvertently delete cluster-scoped resources belonging to some other installation of Gloo. (solo-io#1593)
- Downgrade the log level from Error to Warn when gloo fails to report statistics (solo-io#1633)
- Security Fix: Fix a bug where, when Gloo's logging level is set to Debug, we may inadvertently write the content of Secrets into the pod logs. We now print the same content into the logs, but with the Secret data redacted. (solo-io#1679)
v0.21.1
Helm Changes
- Allow the gateway certgen job to have a ttlSecondsAfterFinished set on it, defaulting to 60 seconds. A new Helm value "gateway.certGenJob.ttlSecondsAfterFinished" is provided to configure the value. This setting is currently in k8s Alpha (https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#ttl-mechanism-for-finished-jobs) so you may disable it entirely by setting "gateway.certGenJob.setTtlAfterFinished" to false. See https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates for information on the k8s feature flag corresponding to this setting ("TTLAfterFinished"). (solo-io#1631)
New Features
- Adds the glooctl command "glooctl debug yaml". This command dumps a YAML manifest representing the current state of the Gloo installation running in the specified namespace. This is mainly used as a debug tool, and is not yet suitable for use as a Gloo backup tool; the dumped manifest contains resourceVersions, so you may be unable to do, for example, "glooctl debug yaml | kubectl apply -f -" if a resource has changed between the dump and the "kubectl apply". (solo-io#1650)
- Implement a utility to print snapshot content with the Secret content redacted (solo-io#1679)
Fixes
- Downgrade the log level from Error to Warn when gloo fails to report statistics (solo-io#1633)
- Security Fix: Fix a bug where, when Gloo's logging level is set to Debug, we may inadvertently write the content of Secrets into the pod logs. We now print the same content into the logs, but with the Secret data redacted. (solo-io#1679)
v0.21.0
Dependency Bumps
- solo-io/go-utils has been upgraded to v0.10.25.
Breaking Changes
- This release changes the names of Gloo's ClusterRoles. By default, cluster-scoped roles will have the namespace of the associated Gloo installation appended to their name (i.e., the cluster-scoped role "gloo-resource-reader" created along with a Gloo installation to the gloo-system namespace will now become "gloo-resource-reader-gloo-system"). This may cause a problem during upgrades from Gloo <0.21.0 to Gloo >=0.21.0 for both open-source and enterprise Gloo, as the role ref in a ClusterRoleBinding is immutable. To resolve this, you can delete the existing ClusterRoleBindings with "kubectl delete clusterrolebinding -l app=gloo" and they will be recreated correctly by the rest of the upgrade process. (solo-io#1459)
Helm Changes
- At install time, set an installation ID on all resources. This ID is determined by using the value of the new Helm setting "installConfig.installationId", or selecting an ID at random if that setting is not provided. If providing your own installation ID, the value you provide must be a valid kubernetes label (refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set). (solo-io#1589)
- Allow RBAC resource names to receive custom suffixes through the introduction of the new Helm setting "global.glooRbac.nameSuffix". This enables, for example, blue/green deployments of Gloo to different namespaces within the same cluster when using cluster-scoped RBAC resources. This change is backwards compatible. However, if you are performing an upgrade of Gloo from a version prior to this change and plan to use the new Helm value, then you may end up with duplicate RBAC resources in your cluster (e.g. Roles/RoleBindings with and without the suffix). If this is the case, the old resources (without the suffix) can be safely cleaned up. (solo-io#1459)
New Features
- The default version of GlooE installed by the CLI is now 0.20.8. (solo-io#1596)
- Support for Envoy's `forward_client_cert_details` and `set_current_client_cert_details` HTTP connection manager options (solo-io#1577)
Fixes
- Use the installation ID set by Helm to ensure that glooctl uninstalls only resources created for the instance of Gloo being uninstalled. It does this by attempting to read the "installationId" label from the gloo pod. If the label is not found, the uninstall will fail. You can choose to proceed by passing the new --force flag to "glooctl uninstall", which will attempt to perform an uninstall that may inadvertently delete cluster-scoped resources belonging to some other installation of Gloo. (solo-io#1593)
- Currently Gloo logs a warning each time it replaces an illegal character in the name of a Virtual Host. Change it to a debug level message to not flood the logs. (solo-io#1604)
v1.0.0-rc2
Dependency Bumps
- solo-io/go-utils has been upgraded to v0.10.22.
- solo-io/go-utils has been upgraded to v0.10.25.
- solo-io/envoy-gloo has been upgraded to v0.1.18.
- solo-io/solo-kit has been upgraded to v0.11.7.
Breaking Changes
- Remove some deprecated APIs:
  - `weighed_destination_plugins` on `WeightedDestination`s, prefer `weighted_destination_plugins`
  - `gateway_proxy_name` on `Gateway`, prefer `proxy_names`
  - `role_arns` on `UpstreamSpec`, prefer `role_arn`
  - Extauth's `VhostExtension` and `RouteExtension`, among other minor removals. Prefer configuring Gloo Enterprise ExtAuth using `AuthConfig` Custom Resources, and configure Virtual Services via `ExtAuthExtension` to either reference these `AuthConfig`s or reference your own custom auth implementation using `CustomAuth`. (solo-io#1171)
- This release changes the names of Gloo's ClusterRoles. By default, cluster-scoped roles will have the namespace of the associated Gloo installation appended to their name (i.e., the cluster-scoped role gloo-resource-reader created along with a Gloo installation to the gloo-system namespace will now become gloo-resource-reader-gloo-system). This may cause a problem during upgrades from Gloo <0.21.0 to Gloo >=0.21.0 for both open-source and enterprise Gloo, as the role ref in a ClusterRoleBinding is immutable. To resolve this, you can delete the existing ClusterRoleBindings with kubectl
Helm Changes
- At install time, set an installation ID on all resources. This ID is determined by using the value of the new Helm setting "installConfig.installationId", or selecting an ID at random if that setting is not provided. If providing your own installation ID, the value you provide must be a valid kubernetes label (refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set). (solo-io#1589)
- Fix casing of helm value global.glooRbac.namespaced in the generated docs. The value global.glooRbac.namespaced has always been supported but we had been generating docs that have the value capitalized (global.glooRbac.Namespaced), incorrectly. (solo-io#1569)
- Allow RBAC resource names to receive custom suffixes through the introduction of the new Helm setting "global.glooRbac.nameSuffix". This enables, for example, blue/green deployments of Gloo to different namespaces within the same cluster when using cluster-scoped RBAC resources. This change is backwards compatible. However, if you are performing an upgrade of Gloo from a version prior to this change and plan to use the new Helm value, then you may end up with duplicate RBAC resources in your cluster (e.g. Roles/RoleBindings with and without the suffix). If this is the case, the old resources (without the suffix) can be safely cleaned up. (solo-io#1459)
New Features
- Add API for data loss prevention filter. (solo-io#1500)
- Allow the gateway-proxy pod to optionally receive both init containers to run and extra volumes to define through helm (solo-io#1537)
- Support for Envoy's `forward_client_cert_details` and `set_current_client_cert_details` HTTP connection manager options (solo-io#1577)
- Add native generated Kubernetes types for Gloo config resources (solo-io#1520)
- This change adds new features to the transformation API. It is now possible to define `Extractor`s which target the request/response body and use the resulting data in templates. You can decide whether to parse the body as JSON or as raw text; in the latter case extraction happens via regular expressions, in the former you will also be able to use all the templating capabilities. These have been augmented with three new template functions: `body()` will return the whole request body, `context()` will return the base JSON context (allowing for example to `range` on a JSON body that is an array), and `env(NAME)` will return the value of an environment variable with the given name. Finally, it is now possible to set Dynamic Metadata using all the available extraction and templating features. You can now use this metadata to include any request/response property you like in the access logs (see the `DYNAMIC_METADATA` command operator here). (solo-io#1546)
- Add `glooctl` commands to create and get `AuthConfig`s, and update `glooctl create vs` command to allow providing `AuthConfig` refs to configure extauth. (solo-io#1171)
Fixes
- Update docs as part of fix to standard DLP SSN and credit card regexes to ignore boundary characters during regex match. This fixes potential issues where DLP masks characters outside the interesting part of the match, for example, the opening quote if the SSN/Credit Card is part of a JSON response. Before this fix, DLP would incorrectly transform this response into invalid JSON by masking the opening parenthesis. (solo-io#1591)
- Make sure glooctl reports the same signature across multiple invocations (solo-io#1559)
- Mute logging of kubernetes health check in gateway (solo-io#1435)
- Currently Gloo logs a warning each time it replaces an illegal character in the name of a Virtual Host. Change it to a debug level message to not flood the logs. (solo-io#1604)
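The DLP fix in this list is about masking that spills onto the boundary characters a regex has to consume. The following is an added example, not Gloo's code: the SSN pattern, the function names and the response body are constructed for illustration. It shows a boundary-consuming pattern turning a JSON response into invalid JSON when the whole match is masked, and the same pattern staying safe when only the capture group is masked.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed SSN pattern for illustration; this is not the regex Gloo ships.
// Go's RE2 engine has no lookaround, so "not preceded or followed by a digit"
// has to be expressed by consuming the neighbouring character.
var ssnWithBoundary = regexp.MustCompile(`(?:^|\D)(\d{3}-\d{2}-\d{4})(?:\D|$)`)

// maskWholeMatch masks everything the regex consumed, boundary characters
// included. This reproduces the failure mode described in the release note.
func maskWholeMatch(re *regexp.Regexp, s string) string {
	return re.ReplaceAllStringFunc(s, func(m string) string {
		return strings.Repeat("X", len(m))
	})
}

// maskCaptureGroup masks only capture group 1 (the sensitive value) and
// copies the boundary characters through unchanged.
func maskCaptureGroup(re *regexp.Regexp, s string) string {
	var b strings.Builder
	last := 0
	for _, loc := range re.FindAllStringSubmatchIndex(s, -1) {
		start, end := loc[2], loc[3] // byte offsets of group 1
		b.WriteString(s[last:start])
		b.WriteString(strings.Repeat("X", end-start))
		last = end
	}
	b.WriteString(s[last:])
	return b.String()
}

// isValidJSON reports whether the masked body would still parse downstream.
func isValidJSON(s string) bool { return json.Valid([]byte(s)) }

func main() {
	// Constructed response body containing an SSN inside a JSON string.
	body := `{"ssn":"123-45-6789","note":"ok"}`

	bad := maskWholeMatch(ssnWithBoundary, body)
	good := maskCaptureGroup(ssnWithBoundary, body)

	fmt.Printf("whole match:   %s valid=%v\n", bad, isValidJSON(bad))
	fmt.Printf("capture group: %s valid=%v\n", good, isValidJSON(good))
}
```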
v0.20.13
Fixes
- Avoid panicking on routes without matchers when running `glooctl get vs`. (solo-io#1563)
- Handle the `rate_limit_before_auth` setting in its deprecated location. We currently correctly handle the flag in its new location (`spec.ratelimit_server.rate_limit_before_auth`) but ignore it in the deprecated one (`spec.extensions.configs.rate-limit.rate_limit_before_auth`). (solo-io#1572)