forked from envoyproxy/gateway
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add release docs for v1.2.0 (envoyproxy#4570)
* add release note for v1.2.0 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> update release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> update release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * manually create release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * manually create release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * manually create release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comment Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
- Loading branch information
Showing
5 changed files
with
229 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,140 @@ | ||
| date: November 6, 2024 | ||
|
|
||
| # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs or updating default values. | ||
| breaking changes: | | ||
| Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed | ||
| Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information | ||
| Removed default CPU limit of the Envoy Gateway deployment, to eliminate CPU throttling | ||
| Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively | ||
| Set ignore_health_on_host_removal to true for clusters with static endpoints This was done to speed up removal of static endpoints by the control plane when active health check is configured | ||
| Xds and Infra IR logs are logged at Debug level instead of Info level. They will now not be seen by default in Envoy Gateway logs. You can change the logging level to default: debug to view them | ||
| # New features or capabilities added in this release. | ||
| new features: | | ||
| Added support for Gateway-API v1.2.0 | ||
| Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources | ||
| Added experimental support for EG standalone(host deployment) mode | ||
| Added support for JWT claims based Authorization in SecurityPolicy CRD | ||
| Added support for Response Override in BackendTrafficPolicy CRD | ||
| Added support for RequestTimeout in BackendTrafficPolicy CRD | ||
| Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD | ||
| Added support for client TLS session resumption in ClientTrafficPolicy CRD | ||
| Added support for HTTPRouteFilter and path regex rewrite | ||
| Added support for host header rewrite in HTTPRouteFilter CRD | ||
| Added support for Listener Access Log in EnvoyProxy CRD | ||
| Added support for Datadog tracing support in EnvoyProxy CRD | ||
| Added support for request response sizes stats in EnvoyProxy CRD | ||
| Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm | ||
| Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD | ||
| Added support for match conditions for access log in EnvoyProxy CRD | ||
| Added support for using BackendCluster to represent OIDCProvider | ||
| Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD | ||
| Added support for sharing token cookies between multiple domains in SecurityPolicy CRD | ||
| Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD | ||
| Added support for Active Passive Failover Backends | ||
| Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD | ||
| Added support for early request header mutation in the ClientTrafficPolicy CRD | ||
| Added support for JsonPath in the EnvoyPatchPolicy CRD | ||
| Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD | ||
| Added support for cluster settings for non xRoute-generated backend refs | ||
| Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD | ||
| Added support for http2 upstream settings in BackendTrafficPolicy CRD | ||
| Added support for DNS resolution settings in BackendTrafficPolicy CRD | ||
| Added support for configuring service annotations in the Envoy Gateway helm chart | ||
| Added support for configuring priorityClassName to Envoy Gateway helm chart | ||
| Added support for ratelimit metrics monitoring in grafana in the addons helm chart | ||
| Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart | ||
| Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart | ||
| Added support for configuring NodeSelector in the Envoy Gateway helm chart | ||
| Added support for nonce in the OIDC auth flow | ||
| Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host | ||
| Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails | ||
| Added support for returning 500 when SecurityPolicy translation fails | ||
| Added support for multiple backendRefs for ExtAuth and ExtProc | ||
| Added support for session persistence in HTTPRoute rules | ||
| Added support for the Backend resource for ExtAuth | ||
| Added support for target selectors on Envoy Gateway Extension Server policies | ||
| Added support for non-Kubernetes Backends for TLSRoute | ||
| Added support for fallback to the Backend API | ||
| Added support for reloadable EnvoyGateway configuration | ||
| Added support for adding Labels to the Envoy Service | ||
| Added support for custom name for ratelimit deployment | ||
| Added default SecurityContext for EG components | ||
| Added startupProbe to all provisioned containers | ||
| Added support for local validations for egctl translate and file provider | ||
| Added support for egctl x collect to collect information from the cluster for debugging | ||
| Added support for a native prometheus metrics endpoint in the ratelimit server | ||
| # Fixes for bugs identified in previous versions. | ||
| bug fixes: | | ||
| Fixed xDS translation failing when the WASM HTTP code source was configured without an SHA | ||
| Fixed unsupported listener protocol types causing errors while updating Gateway status | ||
| Fixed unsupported listener protocol types causing errors while updating Gateway status | ||
| Fixed invalid sectionName in BackendTLSPolicy for Backend | ||
| Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors | ||
| Fixed JSONPath not being correctly translated to JSONPatch paths | ||
| Fixed allowing an empty slowStart value when using LeastRequest | ||
| Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid | ||
| Fixed timeout settings originating from the route being lost when translating the backend traffic policy | ||
| Fixed Backend resources not receiving status updates | ||
| Fixed active health checks requiring the expectedStatuses field to function correctly | ||
| Fixed HTTPHeaderFilter processing not correctly supporting multiple header values | ||
| Fixed reconciling multiple ReferenceGrants within the same namespace | ||
| Fixed unwanted / appearing in the Path when using Prefix Rewrites | ||
| Fixed incorrect gateway being selected as the HTTPRoute parent | ||
| Fixed override issues for EnvoyExtensionPolicy | ||
| Fixed nil pointer error when translating hash load balancing | ||
| Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not | ||
| Fixed empty connection limits causing xDS rejection | ||
| Fixed rate limiting not working with both headers and CIDR matches | ||
| Fixed EDS not updating when deployments were created after services | ||
| Fixed RBAC issue for deleting infrastructure resources | ||
| Fixed gateways never reaching ready/programmed status when running Envoy as a Daemonset | ||
| Fixed rate limit deployment ignoring pod labels and annotation merges | ||
| Fixed the API Server receives unnecessary requests | ||
| Fixed egctl experimental translate using an incorrect namespace | ||
| Fixed reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy | ||
| Fixed xDS translation failure when WASM HTTP code source was configured without an SHA | ||
| Fixed HTTPRoute status displaying only one parent when targeting multiple gateways from different GatewayClasses | ||
| Fixed Route with multiple parents having an incorrect namespace in the parentRef status | ||
| Fixed BackendTlsPolicy specifying multiple targetRefs for the same service, to work | ||
| # Enhancements that improve performance. | ||
| performance improvements: | | ||
| Optimize memory usage by only storing distinct resources | ||
| # Other notable changes not covered by the above sections. | ||
| Other changes: | | ||
| Upgraded Envoy Proxy to v1.32.1 | ||
| Reduced the amount of configuration logging, and make it line-delimited friendly | ||
| Made watching alpha CRDs optional, so that Envoy Gateway can run with older Gateway Api versions | ||
| Removed grafana test framework from the addons helm chart | ||
| Disabled ALPN for non-HTTP routes | ||
| Added statPrefix for HCM and TCPProxy | ||
| Enabled GatewayHTTPListenerIsolation conformance test | ||
| Enabled GRPC conformance profile | ||
| Enabled HTTPRouteBackendRequestHeaderModifier conformance test | ||
| Added e2e test for Daemonset mode | ||
| Fixed OVS scanner wrong license warnings | ||
| Added e2e test for Gateway with EnvoyProxy | ||
| Added e2e test for TLS session resumption | ||
| Added heap profile into benchmark report | ||
| Added e2e test for RecomputeRoute in ExtAuth | ||
| Added benchmark memory profiles into report | ||
| Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test | ||
| Fixed flaky Zipkin Tracing e2e test | ||
| Added e2e test for cookie based consistent hash load balancing | ||
| Added e2e test for load balancing | ||
| Fixed flaky authorization tests | ||
| Enabled upgrade test | ||
| Fixed flaky basic auth e2e test | ||
| Enabled use-client-protocol e2e test | ||
| Added performance benchmarking test for 1000 HTTPRoutes | ||
| Added e2e test for Datadog tracing | ||
| Added e2e tests for ratelimit invert matching headers | ||
| Reduced readinessProbe failureThreshold and periodSeconds | ||
| Bumped go-control-plane to v0.13.1 | ||
| Enabled e2e tests for dual stack | ||
| Use grafana alloy instead of fluent-bit for e2e tests | ||
| Push tags without the v prefix for helm charts to support Flux HelmReleases | ||
| Use a stable label selector when creating Envoy Proxy fleet pods |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| --- | ||
| title: "v1.2.0" | ||
| publishdate: 2024-11-06 | ||
| --- | ||
|
|
||
| # Envoy Gateway v1.2.0 Release Notes | ||
|
|
||
| **Release Date:** November 6, 2024 | ||
|
|
||
| The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below. | ||
|
|
||
| --- | ||
|
|
||
| ## 🚨 Breaking Changes | ||
|
|
||
| - **Gateway API Updates**: Removed `GRPCRoute` and `ReferenceGrant` v1alpha2. [See the Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) for details. | ||
| - **CPU Limits**: Removed default CPU limit for Envoy Gateway deployment to avoid throttling. | ||
| - **Envoy Shutdown Settings**: Drain strategy set to immediate, with default values as follows: | ||
| - `minDrainDuration`: 10s | ||
| - `drainTimeout`: 60s | ||
| - `terminationGracePeriodSeconds`: 360s | ||
| - **Endpoint Health Removal**: Enabled `ignore_health_on_host_removal` for clusters with static endpoints to improve removal speed. | ||
| - **Logging Level Adjustment**: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. Change logging level to `debug` to view them. | ||
|
|
||
| --- | ||
|
|
||
| ## ✨ New Features | ||
|
|
||
| ### API & Traffic Management Enhancements | ||
| - **Gateway-API v1.2.0 Support**: Fully compatible with the latest Gateway-API standards. | ||
| - **IPv4/IPv6 Dual Stack**: Now available for EnvoyProxy fleet and `BackendRef` resources. | ||
| - **Standalone Mode**: Experimental support for Envoy Gateway standalone (host deployment) mode. | ||
| - **JWT Authorization**: Added JWT claims-based authorization in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy) CRD. | ||
| - **Response Override**: Added support for `Response Override` and `RequestTimeout` in [`BackendTrafficPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy). | ||
| - **Active Passive Failover**: Supported with the new `fallback` field in the [Backend](https://gateway.envoyproxy.io/latest/api/extension_types/#backend) API. | ||
| - **Session Persistence in HTTPRoute**: Session persistence is supported in [`HTTPRoute`](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) rules for stateful traffic management. | ||
| - **HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [`HTTPRouteFilter`](https://gateway.envoyproxy.io/latest/api/extension_types/#httproutefilter) | ||
|
|
||
| ### Security Enhancements | ||
| - **JWT Claims-Based Authorization**: Advanced security control with claims-based policies in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy). | ||
| - **CORS Wildcard Matching**: Wildcard matching for `AllowMethods` and `AllowHeaders` settings. | ||
| - **OIDC Flow Support**: Added nonce support for OIDC authorization. | ||
|
|
||
| ### Observability & Tracing | ||
| - **Datadog Tracing Integration**: Improved support for Datadog tracing in [`EnvoyProxy`](https://gateway.envoyproxy.io/latest/api/extension_types/#envoyproxy) CRD. | ||
| - **Access Log Matching**: Filter logs based on custom criteria using `match conditions` in EnvoyProxy. | ||
| - **Native Prometheus Metrics**: Introduced a Prometheus metrics endpoint for rate limit monitoring. | ||
|
|
||
| ### Helm Customization | ||
| - **SecurityContext Options**: Customizable security context for improved deployment. | ||
| - **NodeSelector and PriorityClassName**: Added for more granular deployment configuration. | ||
|
|
||
| --- | ||
|
|
||
| ## 🐞 Bug Fixes | ||
|
|
||
| - Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA. | ||
| - Resolved unsupported listener protocol types causing errors in Gateway status updates. | ||
| - Fixed `BackendTLSPolicy` causing crashes due to invalid `sectionName` in `Backend` configurations. | ||
| - Fixed propagation delays in `SecurityPolicy` updates for `HTTPRoute` when using `targetSelectors`. | ||
| - Improved `JSONPath` to `JSONPatch` translation accuracy. | ||
| - Fixed unwanted `/` appearing in paths when using prefix rewrites. | ||
| - Corrected nil pointer errors when configuring hash load balancing. | ||
| - Fixed active health check issues where `expectedStatuses` was not functioning properly. | ||
| - Ensured correct status updates for `Backend` resources and `HTTPRoute`. | ||
|
|
||
| --- | ||
|
|
||
| ## 🚀 Performance Improvements | ||
|
|
||
| - **Memory Optimization**: Enhanced memory usage by eliminating redundant resource storage. | ||
|
|
||
| --- | ||
|
|
||
| ## ⚙️ Other Notable Changes | ||
|
|
||
| - **Envoy Upgrade**: Now using Envoy [v1.32.1](https://www.envoyproxy.io/docs/envoy/v1.32.1/version_history/v1.32/v1.32.1) for added stability and performance. | ||
| - **Optional Alpha CRD Watching**: Allows Envoy Gateway to run with older Gateway API versions. | ||
|
|
||
|
|
||
| For more information and full API documentation, please visit the [Envoy Gateway Documentation](https://gateway.envoyproxy.io/docs/). | ||
|
|
||
| --- | ||
|
|
||
| This release strengthens Envoy Gateway with enhanced API support, security policies, and observability features to better serve high-demand environments. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters