Emissary-Ingress - v3.5.0

Security

:tada: Emissary Ingress 3.5.0 :tada:

Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.5.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

  • Security: Upgraded to the latest release of Golang as part of our general dependency upgrade
    process. This includes security fixes for CVE-2022-41725 and CVE-2022-41723.

  • Feature: Envoy 1.24 introduced experimental support for a native OpenTelemetry tracing driver
    that allows exporting spans in the otlp format. Many observability platforms accept that
    format, and it is the recommended replacement for the LightStep driver. Emissary-ingress now
    supports setting TracingService.spec.driver=opentelemetry to export spans in otlp format.

    Thanks to Paul for helping us get this tested and implemented!

  • Bugfix: To expose traffic to clients on ports other than 80/443, users set a port in
    Host.hostname (e.g. Host.hostname=example.com:8500). The generated config allowed matching on
    the :authority header. This worked in the v1.Y series because of the way emissary generated
    Envoy configuration under a single wildcard virtual_host and matched on :authority.

    In v2.Y/v3.Y+, the way emissary generates Envoy configuration changed to address memory
    pressure and improve route lookup speed in Envoy. However, when a port was included in the
    hostname, an incorrect configuration was generated with an SNI match that included the port.
    This has been fixed and the correct Envoy configuration is now generated. (fix: hostname port
    issue)
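
A check for the faulty pattern described in the bugfix above, as an added example that is not part of the Emissary-ingress release notes or code base. It walks listener definitions shaped like Envoy's Listener message (filter_chains, filter_chain_match.server_names) and reports SNI entries that carry a port; the sample input and the function names are constructed for illustration.

```python
"""Added example: flag SNI matches that carry a port in Envoy listener config."""
import json
import re

# Constructed sample shaped like Envoy's Listener message; not captured from Emissary.
SAMPLE_LISTENERS = json.loads("""
[
  {"name": "listener-8500",
   "filter_chains": [
     {"filter_chain_match": {"server_names": ["example.com:8500"]}},
     {"filter_chain_match": {"server_names": ["api.example.com", "*.example.org"]}},
     {"filter_chain_match": {}}
   ]}
]
""")

# A trailing ":<digits>" means a port was copied into the SNI match.
PORT_SUFFIX = re.compile(r":(\d{1,5})$")


def split_host_port(hostname):
    """Split a Host.hostname style value into (host, port or None)."""
    # Assumption: values are DNS names or globs; a bare IPv6 literal is left alone.
    if hostname.count(":") > 1 and not hostname.startswith("["):
        return hostname, None
    m = PORT_SUFFIX.search(hostname)
    if not m:
        return hostname, None
    return hostname[: m.start()], int(m.group(1))


def find_sni_with_port(listeners):
    """Return (listener, server_name, host_only) for each SNI entry with a port."""
    findings = []
    for listener in listeners:
        for chain in listener.get("filter_chains", []):
            match = chain.get("filter_chain_match") or {}
            for name in match.get("server_names", []):
                host, port = split_host_port(name)
                if port is not None:
                    findings.append((listener.get("name", "?"), name, host))
    return findings


if __name__ == "__main__":
    # TLS SNI carries a host name only, so an entry with a port cannot equal it.
    for lname, bad, host in find_sni_with_port(SAMPLE_LISTENERS):
        print(f"{lname}: SNI match {bad!r} includes a port; client sends {host!r}")
```
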

  • Change: Previously, specifying backend ports by name in Ingress was not supported and would result
    in defaulting to port 80. Emissary-ingress now resolves port names for backend services. If the
    port number cannot be resolved by the name (e.g. the named port in the Service doesn't exist),
    it falls back to the original behavior. (Thanks to Anton Ustyuzhanin!) (#4809)

  • Change: The emissary-apiext server is a Kubernetes Conversion Webhook that converts between the
    Emissary-ingress CRD versions. On startup, it ensures that a self-signed cert is available so that
    K8s API Server can talk to the conversion webhook (TLS is required by K8s). We have introduced
    a startupProbe to ensure that emissary-apiext server has enough time to configure the webhooks
    before running liveness and readiness probes. This is to ensure slow startup doesn't cause K8s to
    needlessly restart the pod.


Details

date: Feb. 15, 2023, 3:27 p.m.
name: Emissary Ingress 3.5.0
type: Minor