From 078d606f081afd6455a0e0c5d27dd57d19d8aa20 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 03:47:25 +0000 Subject: [PATCH 01/20] add release note for v1.2.0 Signed-off-by: Huabing Zhao update release note Signed-off-by: Huabing Zhao update release note Signed-off-by: Huabing Zhao --- release-notes/current.yaml | 9 +- release-notes/v1.2.0.yaml | 149 +++++++++++++++++ site/content/en/news/releases/notes/v1.2.0.md | 150 ++++++++++++++++++ 3 files changed, 301 insertions(+), 7 deletions(-) create mode 100644 release-notes/v1.2.0.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.0.md diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 2a028241148..bfc711148bd 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -10,16 +10,11 @@ security updates: | # New features or capabilities added in this release. new features: | - Add support for modifying container securityContext for Envoy Gateway deployment in Helm + Add a new feature here # Fixes for bugs identified in previous versions. bug fixes: | - Only log endpoint configuration in verbose logging mode (`-v 4` or higher) - The xDS translation failed when wasm http code source configured without a sha - HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses - Route with multiple parents has incorrect namespace in parentRef status - BackendTlsPolicy specify multiple targetRefs of the same service, only one will work - Helm chart fails for Flux HelmRelease + Add a bug fix here # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml new file mode 100644 index 00000000000..3db7f3a1a63 --- /dev/null +++ b/release-notes/v1.2.0.yaml 
@@ -0,0 +1,149 @@ +date: November 6, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed. + Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information. + Removed default CPU limit of the Envoy Gateway deployment + Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively + +# New features or capabilities added in this release. +new features: | + Added support for Gateway-API v1.2.0 + Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources + Added support for EG standalone(host deployment) mode (experimental) + Added support for JWT claims based Authorization in SecurityPolicy CRD + Added support for Direct Response in HTTPRouteFilter CRD + Added support for Response Override in BackendTrafficPolicy CRD + Added support for RequestTimeout in BackendTrafficPolicy CRD + Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD + Added support for client TLS session resumption in ClientTrafficPolicy CRD + Added support for HTTPRouteFilter and path regex rewrite + Added support for host header rewrite in HTTPRouteFilter CRD + Added support for Listener Access Log in EnvoyProxy CRD + Added support for Datadog tracing support in EnvoyProxy CRD + Added support for request response sizes stats in EnvoyProxy CRD + Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm + Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD + Added support for match conditions for access log in EnvoyProxy CRD + Added support for using BackendCluster to 
represent OIDCProvider + Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD + Added support for sharing token cookies between multiple domains in SecurityPolicy CRD + Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD + Added support for LB priority for non xRoute endpoints + Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD + Added support for early request header mutation in the ClientTrafficPolicy CRD + Added support for JsonPath in the EnvoyPatchPolicy CRD + Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD + Added support for cluster settings for non xRoute-generated backend refs + Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD + Added support for http2 upstream settings in BackendTrafficPolicy CRD + Added support for DNS resolution settings in BackendTrafficPolicy CRD + Added support for configuring service annotations in the Envoy Gateway helm chart + Added support for configuring priorityClassName to Envoy Gateway helm chart + Added support for ratelimit metrics monitoring in grafana in the addons helm chart + Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart + Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart + Added support for configuring NodeSelector in the Envoy Gateway helm chart + Added support for nonce in the OIDC auth flow + Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host + Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails + Added support for returning 500 when SecurityPolicy translation fails + Added support for multiple backendRefs for ExtAuth and ExtProc + Added support for session persistence in HTTPRoute rules + Added support for the Backend resource for ExtAuth + Added support for target selectors on Envoy 
Gateway Extension Server policies + Added support for non-Kubernetes Backends for TLSRoute + Added support for fallback to the Backend API + Added support for reloadable EnvoyGateway configuration + Added support for adding Labels to the Envoy Service + Added support for custom name for ratelimit deployment + Added default SecurityContext for EG components + Added startupProbe to all provisioned containers + Added support for local validations for egctl translate and file provider + Added support for egctl x collect to collect information from the cluster for debugging + Added support for a native prometheus metrics endpoint in the ratelimit server + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed xDS translation failed when wasm http code source configured without sha + Fixed unsupported listener protocol type causing an error while updating Gateway Status + Fixed some status updates were being discarded by the status updater + Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute + Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors + Fixed JSONPath not correctly translated to JSONPatch paths + Fixed allow empty slowStart when using LeastRequest + Fixed Backends which should be rejected are still used as an HTTPRoute's destination + Fixed losing timeout settings that originate from the route when translating the backend traffic policy + Fixed Backend resources don't get status updates + Fixed Active Health check requires expectedStatuses field to work + Fixed HTTPHeaderFilter processing doesn't correctly support multiple header values + Fixed multiple reference grants in same namespace + Fixed upstream get unwanted /. 
+ Fixed creation of SecurityPolicy with targetSelectors fails + Fixed wrong gateway is chosen as HTTPRoute parent + Fixed override issue for EEP + Fixed nil pointer err translating hash load balancing + Fixed ratelimit does not work across multiple GatewayClasses + Fixed upstream mTLS only works for HTTPS listeners + Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not + Fixed empty connection limit causes xDS rejection + Fixed ratelimit not working with both headers and cidr matches + Fixed EDS didn't update when deployments was created after services + Fixed RBAC issue for deleting infrastructure resources + Fixed customized infrastructure resources not being deleted + Fixed Gateways never become ready/programmed when running Envoy as a Daemonset + Fixed Ratelimit Deployment ignoring pod labels and annotation merge + Fixed the API Server receives unnecessary requests + Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy + Fixed ratelimit statsd not working + Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy + Fixed egctl experimental translate using a wrong ns + Fixed reconcile not triggered for Secret updates referenced by a BackendTLSPolicy + Fixed Route with multiple parents has incorrect namespace in parentRef status + Fixed only log endpoint configuration in verbose logging mode (`-v 4` or higher) + Fixed the xDS translation failed when wasm http code source configured without a sha + Fixed HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses + Fixed Route with multiple parents has incorrect namespace in parentRef status + Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work + Fixed Helm chart fails for Flux HelmRelease + +# Enhancements that improve performance. 
+performance improvements: | + Fixed repeated resources and optimize memory usage + +# Other notable changes not covered by the above sections. +Other changes: | + Upgraded Envoy to v1.32.1 + Reduced the amount of configuration logging, and make it line-delimited friendly + Made watching alpha CRDs optional, so that gateway-api upgrade don't break envoy gateway + Removed grafana test framework from the addons helm chart + Disabled ALPN for non-HTTP routes + Added statPrefix for HCM and TCPProxy + Enabled GatewayHTTPListenerIsolation conformance test + Enabled GRPC conformance profile + Enabled HTTPRouteBackendRequestHeaderModifier conformance test + Added e2e test for Daemonset mode + Updated upgrades tests to use VERSION env variable + Fixed OVS scanner wrong license warnings + Added e2e test for Gateway with EnvoyProxy + Added e2e test for TLS session resumption + Added heap profile into benchmark report + Added e2e test for RecomputeRoute in ExtAuth + Added benchmark memory profiles into report + Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test + Fixed flaky Zipkin Tracing e2e test + Added e2e test for cookie based consistent hash load balancing + Added e2e test for load balancing + Fixed flaky authorization tests + Enabled upgrade test + Fixed flaky basic auth e2e test + Enabled use-client-protocol e2e test + Added performance benchmarking test for 1000 HTTPRoutes + Added e2e test for Datadog tracing + Added e2e tests for ratelimit invert matching headers + Reduced readinessProbe failureThreshold and periodSeconds + Bumped go-control-plane to v0.13.1 + Enabled e2e tests for dual stack + Set ignore_health_on_host_removal to true for clusters with static endpoints + Use grafana alloy instead of fluent-bit in the addons helm chart for log forwarding diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md new file mode 100644 index 00000000000..aee24d04606 --- /dev/null 
+++ b/site/content/en/news/releases/notes/v1.2.0.md 
@@ -0,0 +1,150 @@ +--- +title: "v1.2.0" +publishdate: 2024-11-06 +--- + +Date: November 6, 2024 + +## Breaking changes +- Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed. +- Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information. +- Removed default CPU limit of the Envoy Gateway deployment +- Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively + +## New features +- Added support for Gateway-API v1.2.0 +- Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources +- Added support for EG standalone(host deployment) mode (experimental) +- Added support for JWT claims based Authorization in SecurityPolicy CRD +- Added support for Direct Response in HTTPRouteFilter CRD +- Added support for Response Override in BackendTrafficPolicy CRD +- Added support for RequestTimeout in BackendTrafficPolicy CRD +- Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD +- Added support for client TLS session resumption in ClientTrafficPolicy CRD +- Added support for HTTPRouteFilter and path regex rewrite +- Added support for host header rewrite in HTTPRouteFilter CRD +- Added support for Listener Access Log in EnvoyProxy CRD +- Added support for Datadog tracing support in EnvoyProxy CRD +- Added support for request response sizes stats in EnvoyProxy CRD +- Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm +- Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD +- Added support for match conditions for access log in EnvoyProxy CRD +- Added support for using BackendCluster to represent OIDCProvider +- Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD +- Added support for 
sharing token cookies between multiple domains in SecurityPolicy CRD +- Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD +- Added support for LB priority for non xRoute endpoints +- Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD +- Added support for early request header mutation in the ClientTrafficPolicy CRD +- Added support for JsonPath in the EnvoyPatchPolicy CRD +- Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD +- Added support for cluster settings for non xRoute-generated backend refs +- Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD +- Added support for http2 upstream settings in BackendTrafficPolicy CRD +- Added support for DNS resolution settings in BackendTrafficPolicy CRD +- Added support for configuring service annotations in the Envoy Gateway helm chart +- Added support for configuring priorityClassName to Envoy Gateway helm chart +- Added support for ratelimit metrics monitoring in grafana in the addons helm chart +- Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart +- Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart +- Added support for configuring NodeSelector in the Envoy Gateway helm chart +- Added support for nonce in the OIDC auth flow +- Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host +- Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails +- Added support for returning 500 when SecurityPolicy translation fails +- Added support for multiple backendRefs for ExtAuth and ExtProc +- Added support for session persistence in HTTPRoute rules +- Added support for the Backend resource for ExtAuth +- Added support for target selectors on Envoy Gateway Extension Server policies +- Added support for non-Kubernetes Backends for TLSRoute 
+- Added support for fallback to the Backend API +- Added support for reloadable EnvoyGateway configuration +- Added support for adding Labels to the Envoy Service +- Added support for custom name for ratelimit deployment +- Added default SecurityContext for EG components +- Added startupProbe to all provisioned containers +- Added support for local validations for egctl translate and file provider +- Added support for egctl x collect to collect information from the cluster for debugging +- Added support for a native prometheus metrics endpoint in the ratelimit server + +## Bug fixes +- Fixed xDS translation failed when wasm http code source configured without sha +- Fixed unsupported listener protocol type causing an error while updating Gateway Status +- Fixed some status updates were being discarded by the status updater +- Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute +- Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors +- Fixed JSONPath not correctly translated to JSONPatch paths +- Fixed allow empty slowStart when using LeastRequest +- Fixed Backends which should be rejected are still used as an HTTPRoute's destination +- Fixed losing timeout settings that originate from the route when translating the backend traffic policy +- Fixed Backend resources don't get status updates +- Fixed Active Health check requires expectedStatuses field to work +- Fixed HTTPHeaderFilter processing doesn't correctly support multiple header values +- Fixed multiple reference grants in same namespace +- Fixed upstream get unwanted /. 
+- Fixed creation of SecurityPolicy with targetSelectors fails +- Fixed wrong gateway is chosen as HTTPRoute parent +- Fixed override issue for EEP +- Fixed nil pointer err translating hash load balancing +- Fixed ratelimit does not work across multiple GatewayClasses +- Fixed upstream mTLS only works for HTTPS listeners +- Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not +- Fixed empty connection limit causes xDS rejection +- Fixed ratelimit not working with both headers and cidr matches +- Fixed EDS didn't update when deployments was created after services +- Fixed RBAC issue for deleting infrastructure resources +- Fixed customized infrastructure resources not being deleted +- Fixed Gateways never become ready/programmed when running Envoy as a Daemonset +- Fixed Ratelimit Deployment ignoring pod labels and annotation merge +- Fixed the API Server receives unnecessary requests +- Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy +- Fixed ratelimit statsd not working +- Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy +- Fixed egctl experimental translate using a wrong ns +- Fixed reconcile not triggered for Secret updates referenced by a BackendTLSPolicy +- Fixed Route with multiple parents has incorrect namespace in parentRef status +- Fixed only log endpoint configuration in verbose logging mode (`-v 4` or higher) +- Fixed the xDS translation failed when wasm http code source configured without a sha +- Fixed HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses +- Fixed Route with multiple parents has incorrect namespace in parentRef status +- Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work +- Fixed Helm chart fails for Flux HelmRelease + +## Performance improvements +- Fixed repeated resources 
and optimize memory usage + +## Other changes +- Upgraded Envoy to v1.32.1 +- Reduced the amount of configuration logging, and make it line-delimited friendly +- Made watching alpha CRDs optional, so that gateway-api upgrade don't break envoy gateway +- Removed grafana test framework from the addons helm chart +- Disabled ALPN for non-HTTP routes +- Added statPrefix for HCM and TCPProxy +- Enabled GatewayHTTPListenerIsolation conformance test +- Enabled GRPC conformance profile +- Enabled HTTPRouteBackendRequestHeaderModifier conformance test +- Added e2e test for Daemonset mode +- Updated upgrades tests to use VERSION env variable +- Fixed OVS scanner wrong license warnings +- Added e2e test for Gateway with EnvoyProxy +- Added e2e test for TLS session resumption +- Added heap profile into benchmark report +- Added e2e test for RecomputeRoute in ExtAuth +- Added benchmark memory profiles into report +- Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test +- Fixed flaky Zipkin Tracing e2e test +- Added e2e test for cookie based consistent hash load balancing +- Added e2e test for load balancing +- Fixed flaky authorization tests +- Enabled upgrade test +- Fixed flaky basic auth e2e test +- Enabled use-client-protocol e2e test +- Added performance benchmarking test for 1000 HTTPRoutes +- Added e2e test for Datadog tracing +- Added e2e tests for ratelimit invert matching headers +- Reduced readinessProbe failureThreshold and periodSeconds +- Bumped go-control-plane to v0.13.1 +- Enabled e2e tests for dual stack +- Set ignore_health_on_host_removal to true for clusters with static endpoints +- Use grafana alloy instead of fluent-bit in the addons helm chart for log forwarding + From 33559e8efe01f8a6c0efd87689ef486bc1de90f2 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 04:46:06 +0000 Subject: [PATCH 02/20] manually create release note 
Signed-off-by: Huabing Zhao --- site/content/en/news/releases/notes/v1.2.0.md | 213 ++++++------------ tools/make/docs.mk | 2 +- 2 files changed, 72 insertions(+), 143 deletions(-) diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index aee24d04606..9b296b9c21a 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md 
@@ -5,146 +5,75 @@ publishdate: 2024-11-06 Date: November 6, 2024 -## Breaking changes -- Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed. -- Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information. -- Removed default CPU limit of the Envoy Gateway deployment -- Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively - -## New features -- Added support for Gateway-API v1.2.0 -- Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources -- Added support for EG standalone(host deployment) mode (experimental) -- Added support for JWT claims based Authorization in SecurityPolicy CRD -- Added support for Direct Response in HTTPRouteFilter CRD -- Added support for Response Override in BackendTrafficPolicy CRD -- Added support for RequestTimeout in BackendTrafficPolicy CRD -- Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD -- Added support for client TLS session resumption in ClientTrafficPolicy CRD -- Added support for HTTPRouteFilter and path regex rewrite -- Added support for host header rewrite in HTTPRouteFilter CRD -- Added support for Listener Access Log in EnvoyProxy CRD -- Added support for Datadog tracing support in EnvoyProxy CRD -- Added support for request response sizes stats in EnvoyProxy CRD -- Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm -- Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD -- Added support for match conditions for access log in EnvoyProxy CRD -- Added support for using BackendCluster to represent OIDCProvider -- Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD -- Added support for sharing token cookies between 
multiple domains in SecurityPolicy CRD -- Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD -- Added support for LB priority for non xRoute endpoints -- Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD -- Added support for early request header mutation in the ClientTrafficPolicy CRD -- Added support for JsonPath in the EnvoyPatchPolicy CRD -- Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD -- Added support for cluster settings for non xRoute-generated backend refs -- Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD -- Added support for http2 upstream settings in BackendTrafficPolicy CRD -- Added support for DNS resolution settings in BackendTrafficPolicy CRD -- Added support for configuring service annotations in the Envoy Gateway helm chart -- Added support for configuring priorityClassName to Envoy Gateway helm chart -- Added support for ratelimit metrics monitoring in grafana in the addons helm chart -- Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart -- Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart -- Added support for configuring NodeSelector in the Envoy Gateway helm chart -- Added support for nonce in the OIDC auth flow -- Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host -- Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails -- Added support for returning 500 when SecurityPolicy translation fails -- Added support for multiple backendRefs for ExtAuth and ExtProc -- Added support for session persistence in HTTPRoute rules -- Added support for the Backend resource for ExtAuth -- Added support for target selectors on Envoy Gateway Extension Server policies -- Added support for non-Kubernetes Backends for TLSRoute -- Added support for fallback 
to the Backend API -- Added support for reloadable EnvoyGateway configuration -- Added support for adding Labels to the Envoy Service -- Added support for custom name for ratelimit deployment -- Added default SecurityContext for EG components -- Added startupProbe to all provisioned containers -- Added support for local validations for egctl translate and file provider -- Added support for egctl x collect to collect information from the cluster for debugging -- Added support for a native prometheus metrics endpoint in the ratelimit server - -## Bug fixes -- Fixed xDS translation failed when wasm http code source configured without sha -- Fixed unsupported listener protocol type causing an error while updating Gateway Status -- Fixed some status updates were being discarded by the status updater -- Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute -- Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors -- Fixed JSONPath not correctly translated to JSONPatch paths -- Fixed allow empty slowStart when using LeastRequest -- Fixed Backends which should be rejected are still used as an HTTPRoute's destination -- Fixed losing timeout settings that originate from the route when translating the backend traffic policy -- Fixed Backend resources don't get status updates -- Fixed Active Health check requires expectedStatuses field to work -- Fixed HTTPHeaderFilter processing doesn't correctly support multiple header values -- Fixed multiple reference grants in same namespace -- Fixed upstream get unwanted /. 
-- Fixed creation of SecurityPolicy with targetSelectors fails -- Fixed wrong gateway is chosen as HTTPRoute parent -- Fixed override issue for EEP -- Fixed nil pointer err translating hash load balancing -- Fixed ratelimit does not work across multiple GatewayClasses -- Fixed upstream mTLS only works for HTTPS listeners -- Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not -- Fixed empty connection limit causes xDS rejection -- Fixed ratelimit not working with both headers and cidr matches -- Fixed EDS didn't update when deployments was created after services -- Fixed RBAC issue for deleting infrastructure resources -- Fixed customized infrastructure resources not being deleted -- Fixed Gateways never become ready/programmed when running Envoy as a Daemonset -- Fixed Ratelimit Deployment ignoring pod labels and annotation merge -- Fixed the API Server receives unnecessary requests -- Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy -- Fixed ratelimit statsd not working -- Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy -- Fixed egctl experimental translate using a wrong ns -- Fixed reconcile not triggered for Secret updates referenced by a BackendTLSPolicy -- Fixed Route with multiple parents has incorrect namespace in parentRef status -- Fixed only log endpoint configuration in verbose logging mode (`-v 4` or higher) -- Fixed the xDS translation failed when wasm http code source configured without a sha -- Fixed HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses -- Fixed Route with multiple parents has incorrect namespace in parentRef status -- Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work -- Fixed Helm chart fails for Flux HelmRelease - -## Performance improvements -- Fixed repeated resources 
and optimize memory usage - -## Other changes -- Upgraded Envoy to v1.32.1 -- Reduced the amount of configuration logging, and make it line-delimited friendly -- Made watching alpha CRDs optional, so that gateway-api upgrade don't break envoy gateway -- Removed grafana test framework from the addons helm chart -- Disabled ALPN for non-HTTP routes -- Added statPrefix for HCM and TCPProxy -- Enabled GatewayHTTPListenerIsolation conformance test -- Enabled GRPC conformance profile -- Enabled HTTPRouteBackendRequestHeaderModifier conformance test -- Added e2e test for Daemonset mode -- Updated upgrades tests to use VERSION env variable -- Fixed OVS scanner wrong license warnings -- Added e2e test for Gateway with EnvoyProxy -- Added e2e test for TLS session resumption -- Added heap profile into benchmark report -- Added e2e test for RecomputeRoute in ExtAuth -- Added benchmark memory profiles into report -- Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test -- Fixed flaky Zipkin Tracing e2e test -- Added e2e test for cookie based consistent hash load balancing -- Added e2e test for load balancing -- Fixed flaky authorization tests -- Enabled upgrade test -- Fixed flaky basic auth e2e test -- Enabled use-client-protocol e2e test -- Added performance benchmarking test for 1000 HTTPRoutes -- Added e2e test for Datadog tracing -- Added e2e tests for ratelimit invert matching headers -- Reduced readinessProbe failureThreshold and periodSeconds -- Bumped go-control-plane to v0.13.1 -- Enabled e2e tests for dual stack -- Set ignore_health_on_host_removal to true for clusters with static endpoints -- Use grafana alloy instead of fluent-bit in the addons helm chart for log forwarding +--- +# Envoy Gateway v1.2.0 Release Notes + +**Release Date:** November 6, 2024 + +The Envoy Gateway v1.2.0 release is packed with new capabilities focused on dual-stack networking, advanced traffic controls, and enhanced security features. 
Dive into the latest changes to see how v1.2.0 can help you manage, secure, and scale your API traffic more effectively. + +--- + +## 🚨 Breaking Changes +- **Removed**: `Gateway API GRPCRoute` and `ReferenceGrant v1alpha2` are no longer supported. [More details in the Gateway API documentation](https://github.com/kubernetes-sigs/gateway-api/releases). +- **Default CPU Limit**: Removed for the Envoy Gateway deployment. +- **Envoy Shutdown Settings Updated**: + - **Drain Strategy**: Now set to "immediate." + - **Default Times**: + - `minDrainDuration`: 10s + - `drainTimeout`: 60s + - `terminationGracePeriodSeconds`: 360s + +--- + +## ✨ New Features +### Gateway API Enhancements +- **Support for Gateway-API v1.2.0**: Aligns with the latest API standards. + +### Networking & Traffic Management +- **IPv4/IPv6 Dual Stack Support**: Now available for Envoy listeners and BackendRef resources. +- **Direct Response in HTTPRouteFilter**: Supports direct responses for custom traffic routing. +- **RequestTimeout in BackendTrafficPolicy**: Fine-tune request timeouts for backends. +- **Rate Limit Header Matching**: Adds flexibility with inverted header matches. +- **Session Persistence in HTTPRoute Rules**: Essential for Gen AI and other stateful applications. + +### Security & Authorization +- **JWT Claims-Based Authorization**: Control access more precisely with claims-based policies. +- **CORS Configuration**: Wildcard matching for `AllowMethods` and `AllowHeaders`. +- **Cross-Domain Cookie Sharing**: Enable token cookies across multiple domains for improved SSO support. + +### Observability & Tracing +- **Datadog Tracing**: Native support to enhance distributed tracing insights. +- **Enhanced Access Logs**: Match conditions now supported for selective logging. +- **Prometheus Metrics**: Native endpoint added to the rate limit server for detailed monitoring. 
+ +### Helm Customization +- **Container SecurityContext**: Customizable security context for improved deployment security. +- **NodeSelector and PriorityClassName**: Fine-grained configuration for PodDisruptionBudget, service annotations, and custom pod labeling. + +--- + +## 🐞 Bug Fixes +- Fixed issues with **xDS translation** for WASM code without SHA. +- **SecurityPolicy Propagation**: Addressed delays when using targetSelectors. +- Resolved various **HTTPRoute and BackendTrafficPolicy** inconsistencies, such as handling empty timeout settings, unsupported destinations, and improved multi-backend support. + +--- + +## 🚀 Performance & Improvements +- **Memory Optimization**: Streamlined resource usage for reduced memory footprint. +- **Envoy Upgrade**: Updated to Envoy v1.32.1 for added stability. +- **Improved Logging**: Reduced verbosity and optimized configuration log outputs. + +--- + +## ⚙️ Other Changes +- Enhanced e2e testing, including performance benchmarks and multi-route scenarios. +- Added support for **dual-stack conformance testing**. +- **Optional CRD Watching**: Reduces breakages on Gateway API upgrades. + +For a full breakdown of this release, visit the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases). + +--- +This release takes Envoy Gateway to the next level with robust support for high-demand traffic and enhanced security, observability, and configuration options! \ No newline at end of file diff --git a/tools/make/docs.mk b/tools/make/docs.mk index f1ee2844f4b..761fb183d75 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk 
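Review bot: The closing paragraph of the new site/content/en/news/releases/notes/v1.2.0.md sends readers to the Gateway API releases page (`For a full breakdown of this release, visit the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases)`) although the sentence is about the Envoy Gateway release; point it at Envoy Gateway's own notes and keep the Gateway API link only in the Breaking Changes bullet where it belongs. Two smaller points in the same hunk: the file is committed without a trailing newline (`\ No newline at end of file`), and the markdown condenses the yaml's thirty-odd `Other changes` entries into three summary bullets, so items such as `Set ignore_health_on_host_removal to true for clusters with static endpoints` cannot be found from the rendered page even though they change runtime behaviour.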
@@ -26,7 +26,7 @@ copy-current-release-docs: ## Copy the current release docs to the docs folder cp -r $(ROOT_DIR)/site/content/en/$$CURRENT_RELEASE/** $(ROOT_DIR)/site/content/en/docs .PHONY: docs-release -docs-release: docs-release-prepare release-notes-docs docs-release-gen docs ## Generate Envoy Gateway Release Docs +docs-release: docs-release-prepare docs-release-gen docs ## Generate Envoy Gateway Release Docs .PHONY: docs-serve docs-serve: copy-current-release-docs ## Start Envoy Gateway Site Locally From afbac9e744babc8151b5b184fc21c747ea2b6c9c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 04:48:26 +0000 Subject: [PATCH 03/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index 3db7f3a1a63..d97972ce8a8 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -146,4 +146,4 @@ Other changes: | Bumped go-control-plane to v0.13.1 Enabled e2e tests for dual stack Set ignore_health_on_host_removal to true for clusters with static endpoints - Use grafana alloy instead of fluent-bit in the addons helm chart for log forwarding + Use grafana alloy instead of fluent-bit for e2e tests From b967a618c315d875a6b7c3b52cb11ea1cc9e1f08 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 12:49:19 +0800 Subject: [PATCH 04/20] Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index d97972ce8a8..dc2d4224562 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml 
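Review bot: Dropping `release-notes-docs` from the `docs-release` prerequisites in tools/make/docs.mk (`-docs-release: docs-release-prepare release-notes-docs docs-release-gen docs`) turns the markdown release notes into a hand-maintained copy of release-notes/v1.2.0.yaml, but neither the commit message ("add release note for v1.2.0") nor a Makefile comment says so; state the intent in the commit message and consider a CI check that the two files list the same entries, since this very series shows them diverging. For the PATCH 03/20 hunk, the reworded entry `+ Use grafana alloy instead of fluent-bit for e2e tests` describes a test-infrastructure change and should say it does not affect the shipped addons chart, otherwise users who read the previous wording ("in the addons helm chart for log forwarding") may still expect fluent-bit to have been replaced in their deployment.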
@@ -10,7 +10,7 @@ breaking changes: | # New features or capabilities added in this release. new features: | Added support for Gateway-API v1.2.0 - Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources + Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources Added support for EG standalone(host deployment) mode (experimental) Added support for JWT claims based Authorization in SecurityPolicy CRD Added support for Direct Response in HTTPRouteFilter CRD From 3b3b1e3c8f4a26bbc79a28ddeda3c9b910f5df63 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 12:49:37 +0800 Subject: [PATCH 05/20] Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index dc2d4224562..da0831623ae 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -11,7 +11,7 @@ breaking changes: | new features: | Added support for Gateway-API v1.2.0 Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources - Added support for EG standalone(host deployment) mode (experimental) + Added experimental support for EG standalone(host deployment) mode. Added support for JWT claims based Authorization in SecurityPolicy CRD Added support for Direct Response in HTTPRouteFilter CRD Added support for Response Override in BackendTrafficPolicy CRD From 4ee8f76963d327e74b8abd65566e1391d9bcbafc Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 12:49:45 +0800 Subject: [PATCH 06/20] Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index da0831623ae..123b14d9aab 100644 --- a/release-notes/v1.2.0.yaml 
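Review bot: The PATCH 05/20 hunk adds a trailing period (`+ Added experimental support for EG standalone(host deployment) mode.`) while every neighbouring `new features:` entry ends without one; drop the period and, while touching the line, add the missing space in `standalone(host deployment)` and expand `EG` to `Envoy Gateway` as the rest of the file does. In the PATCH 04/20 hunk, replacing `Envoy listeners` with `EnvoyProxy fleet` widens the claimed scope rather than rewording it; confirm that dual stack really covers the fleet's pods and services and not only listener addresses, and update the markdown notes created in PATCH 01/20, which still read "Now available for Envoy listeners and BackendRef resources".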
+++ b/release-notes/v1.2.0.yaml @@ -16,7 +16,7 @@ new features: | Added support for Direct Response in HTTPRouteFilter CRD Added support for Response Override in BackendTrafficPolicy CRD Added support for RequestTimeout in BackendTrafficPolicy CRD - Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD + Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD Added support for client TLS session resumption in ClientTrafficPolicy CRD Added support for HTTPRouteFilter and path regex rewrite Added support for host header rewrite in HTTPRouteFilter CRD From 2ec7559f89710e58bb938d898ac9bb397d385f10 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:13:56 +0000 Subject: [PATCH 07/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 71 +++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 37 deletions(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index 123b14d9aab..ee0f7a4a44f 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml 
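Review bot: Capitalising `Rate Limit` in `+ Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD` introduces a third spelling next to `ratelimit` and `rate limit`, both of which appear in the bug-fix entries of the same file (`Fixed ratelimit does not work across multiple GatewayClasses`, `Fixed rate limit deployment ignoring pod labels and annotation merges`); pick one form and apply it across the file in this commit instead of changing a single line.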
@@ -2,18 +2,19 @@ date: November 6, 2024 # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. breaking changes: | - Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed. - Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information. + Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed + Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information Removed default CPU limit of the Envoy Gateway deployment Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively + Set ignore_health_on_host_removal to true for clusters with static endpoints This was done to speed up removal of static endpoints by the control plane when active health check is configured + Xds and Infra IR logs are logged at Debug level instead of Info level. They will now not be seen by default in Envoy Gateway logs. You can change the logging level to default: debug to view them # New features or capabilities added in this release. new features: | Added support for Gateway-API v1.2.0 Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources - Added experimental support for EG standalone(host deployment) mode. + Added experimental support for EG standalone(host deployment) mode Added support for JWT claims based Authorization in SecurityPolicy CRD - Added support for Direct Response in HTTPRouteFilter CRD Added support for Response Override in BackendTrafficPolicy CRD Added support for RequestTimeout in BackendTrafficPolicy CRD Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD 
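Review bot: The deletion `- Added support for Direct Response in HTTPRouteFilter CRD` leaves no `new features:` entry that mentions direct responses at all; the surviving line `Added support for HTTPRouteFilter and path regex rewrite` only names regex rewrite, so either keep the deleted line or reword the surviving one to "Added support for Direct Response and path regex rewrite in HTTPRouteFilter CRD". The two new breaking-change entries in this hunk also need attention: `+ Set ignore_health_on_host_removal to true for clusters with static endpoints This was done to speed up ...` runs two sentences together without punctuation, and the xDS/Infra IR logging entry should render the setting it refers to as code (`default: debug`) and say which configuration field it lives in, since the whole point of the entry is to tell operators how to get those logs back.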
@@ -30,7 +31,7 @@ new features: | Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD Added support for sharing token cookies between multiple domains in SecurityPolicy CRD Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD - Added support for LB priority for non xRoute endpoints + Added support for Active Passive Failover Backends Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD Added support for early request header mutation in the ClientTrafficPolicy CRD Added support for JsonPath in the EnvoyPatchPolicy CRD 
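Review bot: `+ Added support for Active Passive Failover Backends` is the only entry in this block that does not say which CRD or field carries the feature, whereas its neighbours all end in "... in the X CRD"; name where it is configured, and write "active/passive failover" (or hyphenate "Active-Passive") so the term is not read as a list of three adjectives. The line it replaces, `- Added support for LB priority for non xRoute endpoints`, is a different description of the same mechanism; if the priority knob is still user-visible, keep a mention of it so users searching for "priority" find the entry.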
@@ -66,51 +67,47 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Fixed xDS translation failed when wasm http code source configured without sha - Fixed unsupported listener protocol type causing an error while updating Gateway Status - Fixed some status updates were being discarded by the status updater - Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute + Fixed xDS translation failing when the WASM HTTP code source was configured without an SHA + Fixed unsupported listener protocol types causing errors while updating Gateway status + Fixed unsupported listener protocol types causing errors while updating Gateway status + Fixed invalid sectionName in BackendTLSPolicy for Backend Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors - Fixed JSONPath not correctly translated to JSONPatch paths - Fixed allow empty slowStart when using LeastRequest + Fixed JSONPath not being correctly translated to JSONPatch paths + Fixed allowing an empty slowStart value when using LeastRequest Fixed Backends which should be rejected are still used as an HTTPRoute's destination - Fixed losing timeout settings that originate from the route when translating the backend traffic policy - Fixed Backend resources don't get status updates - Fixed Active Health check requires expectedStatuses field to work - Fixed HTTPHeaderFilter processing doesn't correctly support multiple header values - Fixed multiple reference grants in same namespace - Fixed upstream get unwanted /. 
+ Fixed timeout settings originating from the route being lost when translating the backend traffic policy + Fixed Backend resources not receiving status updates + Fixed active health checks requiring the expectedStatuses field to function correctly + Fixed HTTPHeaderFilter processing not correctly supporting multiple header values + Fixed reconciling multiple ReferenceGrants within the same namespace + Fixed unwanted / appearing in the Path when using Prefix Rewrites Fixed creation of SecurityPolicy with targetSelectors fails - Fixed wrong gateway is chosen as HTTPRoute parent - Fixed override issue for EEP - Fixed nil pointer err translating hash load balancing + Fixed incorrect gateway being selected as the HTTPRoute parent + Fixed override issues for EnvoyExtensionPolicy + Fixed nil pointer error when translating hash load balancing Fixed ratelimit does not work across multiple GatewayClasses Fixed upstream mTLS only works for HTTPS listeners Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not - Fixed empty connection limit causes xDS rejection - Fixed ratelimit not working with both headers and cidr matches - Fixed EDS didn't update when deployments was created after services + Fixed empty connection limits causing xDS rejection + Fixed rate limiting not working with both headers and CIDR matches + Fixed EDS not updating when deployments were created after services Fixed RBAC issue for deleting infrastructure resources - Fixed customized infrastructure resources not being deleted - Fixed Gateways never become ready/programmed when running Envoy as a Daemonset - Fixed Ratelimit Deployment ignoring pod labels and annotation merge + Fixed gateways never reaching ready/programmed status when running Envoy as a Daemonset + Fixed rate limit deployment ignoring pod labels and annotation merges Fixed the API Server receives unnecessary requests Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on 
shutdown, switch to an immediate drain strategy Fixed ratelimit statsd not working Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy - Fixed egctl experimental translate using a wrong ns - Fixed reconcile not triggered for Secret updates referenced by a BackendTLSPolicy - Fixed Route with multiple parents has incorrect namespace in parentRef status - Fixed only log endpoint configuration in verbose logging mode (`-v 4` or higher) - Fixed the xDS translation failed when wasm http code source configured without a sha - Fixed HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses - Fixed Route with multiple parents has incorrect namespace in parentRef status - Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work - Fixed Helm chart fails for Flux HelmRelease + Fixed egctl experimental translate using an incorrect namespace + Fixed reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy + Fixed xDS translation failure when WASM HTTP code source was configured without an SHA + Fixed HTTPRoute status displaying only one parent when targeting multiple gateways from different GatewayClasses + Fixed Route with multiple parents having an incorrect namespace in the parentRef status + Fixed BackendTlsPolicy specifying multiple targetRefs for the same service, to work # Enhancements that improve performance. performance improvements: | - Fixed repeated resources and optimize memory usage + Optimize memory usage by only storing distinct resources # Other notable changes not covered by the above sections. Other changes: | 
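Review bot: `+ Fixed unsupported listener protocol types causing errors while updating Gateway status` is added twice in a row in this hunk; delete one copy. The same hunk also drops two fixes instead of rewording them: `- Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute` is replaced by the unrelated `+ Fixed invalid sectionName in BackendTLSPolicy for Backend`, and `- Fixed customized infrastructure resources not being deleted` has no replacement at all; if those fixes did not ship in v1.2.0 say so in the commit message, otherwise keep them, because a crash fix and a resource-cleanup fix are exactly what operators scan the bug-fix list for. Smaller points: `+ Fixed BackendTlsPolicy specifying multiple targetRefs for the same service, to work` is ungrammatical (suggest "Fixed BackendTLSPolicy honouring only one of several targetRefs that point to the same Service"), and `+ Optimize memory usage by only storing distinct resources` breaks the past-tense convention of every other entry ("Optimized").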
@@ -145,5 +142,5 @@ Other changes: | Reduced readinessProbe failureThreshold and periodSeconds Bumped go-control-plane to v0.13.1 Enabled e2e tests for dual stack - Set ignore_health_on_host_removal to true for clusters with static endpoints Use grafana alloy instead of fluent-bit for e2e tests + Push tags without the v prefix for helm charts to support Flux HelmReleases From 34aaec4a578c295b5141802e9e20db259fd07365 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:15:19 +0000 Subject: [PATCH 08/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index ee0f7a4a44f..c9e4ce278bd 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -4,7 +4,7 @@ date: November 6, 2024 breaking changes: | Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information - Removed default CPU limit of the Envoy Gateway deployment + Removed default CPU limit of the Envoy Gateway deployment, to eliminate CPU throttling Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively Set ignore_health_on_host_removal to true for clusters with static endpoints This was done to speed up removal of static endpoints by the control plane when active health check is configured Xds and Infra IR logs are logged at Debug level instead of Info level. They will now not be seen by default in Envoy Gateway logs. You can change the logging level to default: debug to view them From 04895e67c4203f065d904d7f5777cccc2aa05b0e Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:21:40 +0000 Subject: [PATCH 09/20] address comment 
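Review bot: `+ Push tags without the v prefix for helm charts to support Flux HelmReleases` in the `Other changes:` hunk is the user-visible resolution of the `Helm chart fails for Flux HelmRelease` bug that the preceding hunk removed from `bug fixes:`; keep it under bug fixes, or cross-reference it from there, because a user hit by the Flux failure will look in the bug-fix list and not under other changes. In the PATCH 08/20 hunk, `+ Removed default CPU limit of the Envoy Gateway deployment, to eliminate CPU throttling` reads better without the comma, and since it is filed as a breaking change it should also tell operators how to restore a limit (Helm values or EnvoyProxy resources) where a cluster policy such as a LimitRange or admission control requires one.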
Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index c9e4ce278bd..bd75ff23b43 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -96,7 +96,6 @@ bug fixes: | Fixed rate limit deployment ignoring pod labels and annotation merges Fixed the API Server receives unnecessary requests Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy - Fixed ratelimit statsd not working Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy Fixed egctl experimental translate using an incorrect namespace Fixed reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy @@ -111,9 +110,9 @@ performance improvements: | # Other notable changes not covered by the above sections. Other changes: | - Upgraded Envoy to v1.32.1 + Upgraded Envoy Proxy to v1.32.1 Reduced the amount of configuration logging, and make it line-delimited friendly - Made watching alpha CRDs optional, so that gateway-api upgrade don't break envoy gateway + Made watching alpha CRDs optional, so that Envoy Gateway can run with older Gateway Api versions Removed grafana test framework from the addons helm chart Disabled ALPN for non-HTTP routes Added statPrefix for HCM and TCPProxy @@ -121,7 +120,6 @@ Other changes: | Enabled GRPC conformance profile Enabled HTTPRouteBackendRequestHeaderModifier conformance test Added e2e test for Daemonset mode - Updated upgrades tests to use VERSION env variable Fixed OVS scanner wrong license warnings Added e2e test for Gateway with EnvoyProxy Added e2e test for TLS session resumption From 2d90edfd9ca3b07002ef7f3d09acd5700621c7cc Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:33:18 +0000 Subject: [PATCH 10/20] address comment 
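Review bot: `+ Made watching alpha CRDs optional, so that Envoy Gateway can run with older Gateway Api versions` changes the stated rationale from the original line (`so that gateway-api upgrade don't break envoy gateway`, i.e. newer Gateway API versions) to the opposite direction (older versions); if the option helps in both directions say so explicitly, and spell the project name `Gateway API` as the rest of the file does. The deletion `- Fixed ratelimit statsd not working` in the first hunk has no explanation in the commit message ("address comment"); if the fix is still in the release the entry should stay, since a silently dropped fix is indistinguishable from a regression to anyone diffing rc.1 against final notes.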
Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index bd75ff23b43..cc745310af8 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -85,8 +85,6 @@ bug fixes: | Fixed incorrect gateway being selected as the HTTPRoute parent Fixed override issues for EnvoyExtensionPolicy Fixed nil pointer error when translating hash load balancing - Fixed ratelimit does not work across multiple GatewayClasses - Fixed upstream mTLS only works for HTTPS listeners Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not Fixed empty connection limits causing xDS rejection Fixed rate limiting not working with both headers and CIDR matches From d9ffcf898d547ca91b1d180ca812c0558209cec3 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:37:30 +0000 Subject: [PATCH 11/20] manually create release note Signed-off-by: Huabing Zhao --- tools/make/common.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/make/common.mk b/tools/make/common.mk index 4eca7ce06ec..c2e0d380f2b 100644 --- a/tools/make/common.mk +++ b/tools/make/common.mk @@ -120,7 +120,7 @@ export USAGE_OPTIONS .PHONY: generate generate: ## Generate go code from templates and tags -generate: kube-generate docs-api helm-generate go.generate release-notes-docs copy-current-release-docs +generate: kube-generate docs-api helm-generate go.generate copy-current-release-docs ## help: Show this help info. .PHONY: help From f28715942bb99c9b1fc770fbc2306b048c95b068 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:39:27 +0000 Subject: [PATCH 12/20] manually create release note Signed-off-by: Huabing Zhao --- site/content/en/news/releases/notes/v1.2.0.md | 1 - 1 file changed, 1 deletion(-) 
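Review bot: Removing `release-notes-docs` from the `generate` target in tools/make/common.mk (PATCH 11/20) completes the change begun in tools/make/docs.mk, but nothing in this series shows the `release-notes-docs` target itself being removed or documented as the manual regeneration path; either delete it in the same series or document it, so the hand-edited site/content/en/news/releases/notes/v1.2.0.md and release-notes/v1.2.0.yaml cannot drift unnoticed. In PATCH 10/20, the two dropped entries `- Fixed ratelimit does not work across multiple GatewayClasses` and `- Fixed upstream mTLS only works for HTTPS listeners` describe security-relevant behaviour (rate limiting and upstream mTLS coverage); the commit message should state whether they were removed as duplicates, as not shipped in this release, or as incorrectly described, because users assessing whether to upgrade for those fixes need to know which it is.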
diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index 9b296b9c21a..1a8a91e2249 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md @@ -3,7 +3,6 @@ title: "v1.2.0" publishdate: 2024-11-06 --- -Date: November 6, 2024 --- # Envoy Gateway v1.2.0 Release Notes From d3659c747fd5fb4d69969e00b1cc556c7048c200 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:46:33 +0000 Subject: [PATCH 13/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index cc745310af8..c7ecd098b65 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -81,7 +81,6 @@ bug fixes: | Fixed HTTPHeaderFilter processing not correctly supporting multiple header values Fixed reconciling multiple ReferenceGrants within the same namespace Fixed unwanted / appearing in the Path when using Prefix Rewrites - Fixed creation of SecurityPolicy with targetSelectors fails Fixed incorrect gateway being selected as the HTTPRoute parent Fixed override issues for EnvoyExtensionPolicy Fixed nil pointer error when translating hash load balancing @@ -94,7 +93,6 @@ bug fixes: | Fixed rate limit deployment ignoring pod labels and annotation merges Fixed the API Server receives unnecessary requests Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy - Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy Fixed egctl experimental translate using an incorrect namespace Fixed reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy Fixed xDS translation failure when WASM HTTP code source was configured without an SHA 
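Review bot: After `-Date: November 6, 2024` is removed from site/content/en/news/releases/notes/v1.2.0.md, the front matter's closing `---` is immediately followed by the separator `---` that used to sit under the date line, which the site generator will render as a stray horizontal rule above the heading (PATCH 19/20 removes it later; fold that into this commit so every commit in the series renders cleanly). In the PATCH 13/20 hunks, `- Fixed creation of SecurityPolicy with targetSelectors fails` is dropped while the adjacent `Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors` stays; if the creation failure was a duplicate of the propagation fix say so in the commit message, otherwise keep it, since a policy that fails to be created is a fail-open condition from the user's point of view.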
@@ -140,3 +138,4 @@ Other changes: | Enabled e2e tests for dual stack Use grafana alloy instead of fluent-bit for e2e tests Push tags without the v prefix for helm charts to support Flux HelmReleases + Use a stable label selector when creating Envoy Proxy fleet pods From 14af238bab35a6d61b63da28799c29a9c7564517 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:53:57 +0000 Subject: [PATCH 14/20] address comment Signed-off-by: Huabing Zhao --- site/content/en/news/releases/notes/v1.2.0-rc.1.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/content/en/news/releases/notes/v1.2.0-rc.1.md b/site/content/en/news/releases/notes/v1.2.0-rc.1.md index cfdfe12d27f..223428d7fc1 100644 --- a/site/content/en/news/releases/notes/v1.2.0-rc.1.md +++ b/site/content/en/news/releases/notes/v1.2.0-rc.1.md @@ -95,7 +95,6 @@ Date: October 25, 2024 - Fixed Gateways never become ready/programmed when running Envoy as a Daemonset - Fixed Ratelimit Deployment ignoring pod labels and annotation merge - Fixed the API Server receives unnecessary requests -- Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy - Fixed ratelimit statsd not working - Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy - Fixed egctl experimental translate using a wrong ns From 43699306b6c8d0e7fc049d720574532508e555ce Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 13:55:00 +0800 Subject: [PATCH 15/20] Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index c7ecd098b65..3a2a45ad6d4 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml 
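Review bot: `+ Use a stable label selector when creating Envoy Proxy fleet pods` is filed under `Other changes:`, but the bug-fix line it replaces (`Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy`, removed in the previous hunk) implies the selector of the generated Deployment/DaemonSet changes; `spec.selector` is immutable on apps/v1 Deployments and DaemonSets, so if existing fleets are affected the upgrade needs the workload recreated and this belongs under breaking changes with an upgrade note, not under other changes. The PATCH 14/20 hunk edits the already published v1.2.0-rc.1.md and is reverted verbatim by PATCH 17/20 later in the series; drop both from the series rather than churning the rc.1 notes.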
@@ -1,6 +1,6 @@ date: November 6, 2024 -# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs or updating default values. breaking changes: | Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information From 32004796fa39a4092876419fea206207498579e6 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 05:58:28 +0000 Subject: [PATCH 16/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index 3a2a45ad6d4..02aedbfc26f 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml @@ -92,7 +92,6 @@ bug fixes: | Fixed gateways never reaching ready/programmed status when running Envoy as a Daemonset Fixed rate limit deployment ignoring pod labels and annotation merges Fixed the API Server receives unnecessary requests - Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy Fixed egctl experimental translate using an incorrect namespace Fixed reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy Fixed xDS translation failure when WASM HTTP code source was configured without an SHA From 4732965f2bea9ce7882a782d01a2f5a240a8c2aa Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 06:00:42 +0000 Subject: [PATCH 17/20] address comment Signed-off-by: Huabing Zhao --- site/content/en/news/releases/notes/v1.2.0-rc.1.md | 1 + 1 file changed, 1 insertion(+) 
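Review bot: PATCH 16/20 deletes `- Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy` from bug fixes, so the only surviving mention of the drain-strategy switch is the breaking-changes entry, which lists the new defaults (10s, 60s, 360s) but not why they changed; carry the reason (pods were not signalling connection close or GOAWAY during shutdown, so clients kept reusing connections to terminating pods) into that entry so operators can judge whether the new defaults suit their clients. PATCH 15/20's comment edit should read "or updated default values" to parallel "deletions or modifications"; the expanded definition is otherwise welcome, since the CPU-limit and drain-timeout entries are only breaking under that reading.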
diff --git a/site/content/en/news/releases/notes/v1.2.0-rc.1.md b/site/content/en/news/releases/notes/v1.2.0-rc.1.md index 223428d7fc1..cfdfe12d27f 100644 --- a/site/content/en/news/releases/notes/v1.2.0-rc.1.md +++ b/site/content/en/news/releases/notes/v1.2.0-rc.1.md @@ -95,6 +95,7 @@ Date: October 25, 2024 - Fixed Gateways never become ready/programmed when running Envoy as a Daemonset - Fixed Ratelimit Deployment ignoring pod labels and annotation merge - Fixed the API Server receives unnecessary requests +- Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy - Fixed ratelimit statsd not working - Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy - Fixed egctl experimental translate using a wrong ns From 5b4fceeb36f6c77fe50460853e1afd7b93a6e380 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 06:02:11 +0000 Subject: [PATCH 18/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0-rc.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/v1.2.0-rc.1.yaml b/release-notes/v1.2.0-rc.1.yaml index 0ff64d9325f..9705c899aed 100644 --- a/release-notes/v1.2.0-rc.1.yaml +++ b/release-notes/v1.2.0-rc.1.yaml @@ -71,7 +71,7 @@ bug fixes: | Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors Fixed JSONPath not correctly translated to JSONPatch paths Fixed allow empty slowStart when using LeastRequest - Fixed Backends which should be rejected are still used as an HTTPRoute's destination + Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid Fixed losing timeout settings that originate from the route when translating the backend traffic policy Fixed Backend resources don't get status updates Fixed Active Health check requires expectedStatuses field to work 
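Review bot: PATCH 17/20 is an exact revert of PATCH 14/20 (the same `Fixed terminating envoy pods ...` line removed from and then re-added to site/content/en/news/releases/notes/v1.2.0-rc.1.md), and PATCH 19/20 likewise reverts PATCH 18/20's rewording in release-notes/v1.2.0-rc.1.yaml (`Fixed Backends which should be rejected are still used as an HTTPRoute's destination` swapped out and back); squash both pairs out before merge so the history of the published rc.1 notes is not churned by no-op commits. Corrections to what a shipped release candidate did or did not fix belong in the v1.2.0 notes, not in retroactive edits to the rc.1 files.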
From e9681d66a0981aa60fd511cb000621a452a780e3 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 06:42:11 +0000 Subject: [PATCH 19/20] address comment Signed-off-by: Huabing Zhao --- release-notes/v1.2.0-rc.1.yaml | 2 +- release-notes/v1.2.0.yaml | 2 +- site/content/en/news/releases/notes/v1.2.0.md | 91 ++++++++++--------- 3 files changed, 51 insertions(+), 44 deletions(-) diff --git a/release-notes/v1.2.0-rc.1.yaml b/release-notes/v1.2.0-rc.1.yaml index 9705c899aed..0ff64d9325f 100644 --- a/release-notes/v1.2.0-rc.1.yaml +++ b/release-notes/v1.2.0-rc.1.yaml @@ -71,7 +71,7 @@ bug fixes: | Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors Fixed JSONPath not correctly translated to JSONPatch paths Fixed allow empty slowStart when using LeastRequest - Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid + Fixed Backends which should be rejected are still used as an HTTPRoute's destination Fixed losing timeout settings that originate from the route when translating the backend traffic policy Fixed Backend resources don't get status updates Fixed Active Health check requires expectedStatuses field to work diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml index 02aedbfc26f..c87a1d2c1d5 100644 --- a/release-notes/v1.2.0.yaml +++ b/release-notes/v1.2.0.yaml 
@@ -74,7 +74,7 @@ bug fixes: | Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors Fixed JSONPath not being correctly translated to JSONPatch paths Fixed allowing an empty slowStart value when using LeastRequest - Fixed Backends which should be rejected are still used as an HTTPRoute's destination + Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid Fixed timeout settings originating from the route being lost when translating the backend traffic policy Fixed Backend resources not receiving status updates Fixed active health checks requiring the expectedStatuses field to function correctly diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index 1a8a91e2249..c19cde4cc98 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md 
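Review bot: `+ Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid` describes a status-reporting fix, whereas the line it replaces (`- Fixed Backends which should be rejected are still used as an HTTPRoute's destination`) describes a routing fix with security impact: traffic was being forwarded to a Backend that should have been rejected. If invalid Backends were in fact still receiving traffic, keep that fact in the entry, because a user assessing exposure needs to know traffic reached a rejected destination, not only that the status condition was wrong; if only the status was wrong, the commit message should say so. The new wording is also ungrammatical ("Fixed updating ... correctly"); suggest "Fixed HTTPRoute status not being updated when the referenced Backend is invalid".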
@@ -3,76 +3,83 @@ title: "v1.2.0" publishdate: 2024-11-06 --- - ---- # Envoy Gateway v1.2.0 Release Notes **Release Date:** November 6, 2024 -The Envoy Gateway v1.2.0 release is packed with new capabilities focused on dual-stack networking, advanced traffic controls, and enhanced security features. Dive into the latest changes to see how v1.2.0 can help you manage, secure, and scale your API traffic more effectively. +The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below. --- ## 🚨 Breaking Changes -- **Removed**: `Gateway API GRPCRoute` and `ReferenceGrant v1alpha2` are no longer supported. [More details in the Gateway API documentation](https://github.com/kubernetes-sigs/gateway-api/releases). -- **Default CPU Limit**: Removed for the Envoy Gateway deployment. -- **Envoy Shutdown Settings Updated**: - - **Drain Strategy**: Now set to "immediate." - - **Default Times**: - - `minDrainDuration`: 10s - - `drainTimeout`: 60s - - `terminationGracePeriodSeconds`: 360s + +- **Gateway API Updates**: Removed `GRPCRoute` and `ReferenceGrant` v1alpha2. [See the Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) for details. +- **CPU Limits**: Removed default CPU limit for Envoy Gateway deployment to avoid throttling. +- **Envoy Shutdown Settings**: Drain strategy set to immediate, with default values as follows: + - `minDrainDuration`: 10s + - `drainTimeout`: 60s + - `terminationGracePeriodSeconds`: 360s +- **Endpoint Health Removal**: Enabled `ignore_health_on_host_removal` for clusters with static endpoints to improve removal speed. +- **Logging Level Adjustment**: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. Change logging level to `debug` to view them. 
--- ## ✨ New Features -### Gateway API Enhancements -- **Support for Gateway-API v1.2.0**: Aligns with the latest API standards. - -### Networking & Traffic Management -- **IPv4/IPv6 Dual Stack Support**: Now available for Envoy listeners and BackendRef resources. -- **Direct Response in HTTPRouteFilter**: Supports direct responses for custom traffic routing. -- **RequestTimeout in BackendTrafficPolicy**: Fine-tune request timeouts for backends. -- **Rate Limit Header Matching**: Adds flexibility with inverted header matches. -- **Session Persistence in HTTPRoute Rules**: Essential for Gen AI and other stateful applications. -### Security & Authorization -- **JWT Claims-Based Authorization**: Control access more precisely with claims-based policies. -- **CORS Configuration**: Wildcard matching for `AllowMethods` and `AllowHeaders`. -- **Cross-Domain Cookie Sharing**: Enable token cookies across multiple domains for improved SSO support. +### API & Traffic Management Enhancements +- **Gateway-API v1.2.0 Support**: Fully compatible with the latest Gateway-API standards. +- **IPv4/IPv6 Dual Stack**: Now available for EnvoyProxy fleet and `BackendRef` resources. +- **Standalone Mode**: Experimental support for Envoy Gateway standalone (host deployment) mode. +- **JWT Authorization**: Added JWT claims-based authorization in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy) CRD. +- **Response Override**: Added support for `Response Override` and `RequestTimeout` in [`BackendTrafficPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy). +- **Active Passive Failover**: Supported with the new `fallback` field in the [Backend](https://gateway.envoyproxy.io/latest/api/extension_types/#backend) API. 
+- **Session Persistence in HTTPRoute**: Session persistence is supported in [`HTTPRoute`](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) rules for stateful traffic management. +- ** HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [`HTTPRouteFilter`](https://gateway.envoyproxy.io/latest/api/extension_types/#httproutefilter) + +### Security Enhancements +- **JWT Claims-Based Authorization**: Advanced security control with claims-based policies in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy). +- **CORS Wildcard Matching**: Wildcard matching for `AllowMethods` and `AllowHeaders` settings. +- **OIDC Flow Support**: Added nonce support for OIDC authorization. ### Observability & Tracing -- **Datadog Tracing**: Native support to enhance distributed tracing insights. -- **Enhanced Access Logs**: Match conditions now supported for selective logging. -- **Prometheus Metrics**: Native endpoint added to the rate limit server for detailed monitoring. +- **Datadog Tracing Integration**: Improved support for Datadog tracing in [`EnvoyProxy`](https://gateway.envoyproxy.io/latest/api/extension_types/#envoyproxy) CRD. +- **Access Log Matching**: Filter logs based on custom criteria using `match conditions` in EnvoyProxy. +- **Native Prometheus Metrics**: Introduced a Prometheus metrics endpoint for rate limit monitoring. ### Helm Customization -- **Container SecurityContext**: Customizable security context for improved deployment security. -- **NodeSelector and PriorityClassName**: Fine-grained configuration for PodDisruptionBudget, service annotations, and custom pod labeling. +- **SecurityContext Options**: Customizable security context for improved deployment. +- **NodeSelector and PriorityClassName**: Added for more granular deployment configuration. --- ## 🐞 Bug Fixes -- Fixed issues with **xDS translation** for WASM code without SHA. 
-- **SecurityPolicy Propagation**: Addressed delays when using targetSelectors. -- Resolved various **HTTPRoute and BackendTrafficPolicy** inconsistencies, such as handling empty timeout settings, unsupported destinations, and improved multi-backend support. + +- Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA. +- Resolved unsupported listener protocol types causing errors in Gateway status updates. +- Fixed `BackendTLSPolicy` causing crashes due to invalid `sectionName` in `Backend` configurations. +- Fixed propagation delays in `SecurityPolicy` updates for `HTTPRoute` when using `targetSelectors`. +- Improved `JSONPath` to `JSONPatch` translation accuracy. +- Fixed unwanted `/` appearing in paths when using prefix rewrites. +- Corrected nil pointer errors when configuring hash load balancing. +- Fixed active health check issues where `expectedStatuses` was not functioning properly. +- Ensured correct status updates for `Backend` resources and `HTTPRoute`. --- -## 🚀 Performance & Improvements -- **Memory Optimization**: Streamlined resource usage for reduced memory footprint. -- **Envoy Upgrade**: Updated to Envoy v1.32.1 for added stability. -- **Improved Logging**: Reduced verbosity and optimized configuration log outputs. +## 🚀 Performance Improvements + +- **Memory Optimization**: Enhanced memory usage by eliminating redundant resource storage. --- -## ⚙️ Other Changes -- Enhanced e2e testing, including performance benchmarks and multi-route scenarios. -- Added support for **dual-stack conformance testing**. -- **Optional CRD Watching**: Reduces breakages on Gateway API upgrades. +## ⚙️ Other Notable Changes + +- **Envoy Upgrade**: Now using Envoy [v1.32.1](https://www.envoyproxy.io/docs/envoy/v1.32.1/version_history/v1.32/v1.32.1) for added stability and performance. +- **Optional Alpha CRD Watching**: Allows Envoy Gateway to run with older Gateway API versions. 
+ -For a full breakdown of this release, visit the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases). +For more information and full API documentation, please visit the [Envoy Gateway Documentation](https://gateway.envoyproxy.io/docs/). --- -This release takes Envoy Gateway to the next level with robust support for high-demand traffic and enhanced security, observability, and configuration options! \ No newline at end of file +This release strengthens Envoy Gateway with enhanced API support, security policies, and observability features to better serve high-demand environments. \ No newline at end of file From 039e977718738364b3e1629d941a8082ac588510 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 06:47:26 +0000 Subject: [PATCH 20/20] fix lint Signed-off-by: Huabing Zhao --- site/content/en/news/releases/notes/v1.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index c19cde4cc98..de9eb3a0bff 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md 
@@ -34,7 +34,7 @@ The Envoy Gateway v1.2.0 release brings a host of new features, performance impr - **Response Override**: Added support for `Response Override` and `RequestTimeout` in [`BackendTrafficPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy). - **Active Passive Failover**: Supported with the new `fallback` field in the [Backend](https://gateway.envoyproxy.io/latest/api/extension_types/#backend) API. - **Session Persistence in HTTPRoute**: Session persistence is supported in [`HTTPRoute`](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) rules for stateful traffic management. -- ** HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [`HTTPRouteFilter`](https://gateway.envoyproxy.io/latest/api/extension_types/#httproutefilter) +- **HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [`HTTPRouteFilter`](https://gateway.envoyproxy.io/latest/api/extension_types/#httproutefilter) ### Security Enhancements - **JWT Claims-Based Authorization**: Advanced security control with claims-based policies in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy).
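Review bot: the rewritten bug-fix line in release-notes/v1.2.0.yaml (`+ Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid`) drops the user-visible consequence that the removed line stated, namely that a Backend which should have been rejected was still used as the HTTPRoute's destination; that is the part an operator needs when judging the impact of the fix, and the status update is only the symptom they would have noticed. Suggest keeping both halves, e.g. `Fixed an invalid Backend still being used as an HTTPRoute destination, and the HTTPRoute status not reflecting the invalid Backend`. As written, `Fixed updating ... correctly` also reads as if the update itself were the defect; `Fixed HTTPRoute status not being updated correctly when ...` is the clearer form.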
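Review bot: the Bug Fixes list in site/content/en/news/releases/notes/v1.2.0.md is out of sync with release-notes/v1.2.0.yaml in this same patch: the yaml hunk carries `Fixed allowing an empty slowStart value when using LeastRequest` and `Fixed timeout settings originating from the route being lost when translating the backend traffic policy`, neither of which appears in the Markdown list, while the Markdown adds entries (listener protocol types, `BackendTLSPolicy` `sectionName` crashes, hash load balancing nil pointers) that are not visible in the yaml hunk; generate one from the other or cross-check both before merging. JWT claims-based authorization is also listed twice, under "API & Traffic Management Enhancements" and again under "Security Enhancements"; keep the Security entry only. The new breaking-change bullet for `ignore_health_on_host_removal` states the benefit ("improve removal speed") but not the behaviour change an operator has to plan for: with it enabled, an endpoint removed from a static Backend is dropped from the cluster immediately rather than only after active health checks mark it unhealthy, so say that explicitly. Likewise the "CPU Limits" bullet should say how to reinstate a limit through the Helm values for clusters whose admission policy requires one. The old "Cross-Domain Cookie Sharing" bullet disappears without a replacement; confirm that is deliberate. Finally, both sides of the last line end with `\ No newline at end of file`; add the trailing newline while this file is being rewritten.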
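Review bot: squash this lint fix into PATCH 01/20, which is the commit in this series that introduced the stray space in `** HTTPRouteFilter**`, so the series does not carry an intermediate commit with a known rendering defect. While touching this file, the missing trailing newline reported by `\ No newline at end of file` in the earlier hunk of the same file is the other lint item still open and can be fixed in the same commit.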