v1.17.4

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to 1.30.4-patch4.

Helm Changes

• Ensure that gateway-proxy deployments respect the gatewayProxy.NAME.kind.deployment.priorityClassName field. This API allows you to set the PriorityClassName for gateway-proxy Pods. This is already supported on all other Gloo deployments. (solo-io#8677)
• Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (solo-io#9855)

Fixes

• gateway2/route-options: merge extensionRef based attachments

Enables merging of multiple ExtensionRef based RouteOption
attachments for a rule within an HTTPRoute. (solo-io/solo-projects#6675)

• Only update the K8s Gateway resource statuses on change to improve HTTPRoute translation time. (solo-io/solo-projects#6638)
• Support defining the PriorityClassName on a GatewayProxy deployment. This allows users to attach pods to PriorityClasses (https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) (solo-io#9010)
• gateway2: merge multiple targetRef based Route & VirtualHost options

Implements merging of targetRef based RouteOptions and
VirtualHostOptions in a specific order of precedence from
oldest to newest created resource.

The merging uses shallow merging such that for an option
A that is higher priority than option B, merge(A,B) merges
the top-level options of B that have not already been set on A.
This allows options later in the precedence chain to augment
the existing options during a merge but not overwrite them. (solo-io/solo-projects#6313)

• Update Envoy to enable thread-local slots to be deallocated on worker threads. This provides greater stability in Envoy when the main thread is under heavy load. This behaviour can be disabled by toggling the runtime flag envoy_restart_features_allow_slot_destroy_on_worker_threads. (solo-io/solo-projects#6713)

v1.16.19

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to v1.27.7-patch2.

Helm Changes

• Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (solo-io#9855)

Fixes

• Update Envoy to enable thread-local slots to be deallocated on worker threads. This provides greater stability in Envoy when the main thread is under heavy load. This behaviour can be disabled by toggling the runtime flag envoy_restart_features_allow_slot_destroy_on_worker_threads. (solo-io/solo-projects#6713)
• Fix a bug where the service and function names of a discovered gRPC service are not printed in JSON and YAML
  output when running glooctl get upstreams (solo-io#9743)

v1.18.0-beta15

Helm Changes

• Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (solo-io#9855)

New Features

• Expose CorsPolicyMergeSettings on VirtualHostOptions which allows users to specify how to reconcile CORS settings when configured on both Route and VirtualHost. Specifically it is now possible to define a UNION merge strategy for the ExposeHeaders field, resulting in the union of the headers set at Route and VirtualHost level being applied to traffic for the Route. (solo-io#7689)

Fixes

• Only update the K8s Gateway resource statuses on change to improve HTTPRoute translation time. (solo-io/solo-projects#6638)

v1.17.3

Helm Changes

• Add a new field global.securitySettings.floatingUserId to the Gloo Helm chart that when set to true has the same effect as setting floatingUserId=true for all deployment-specific floatingUserIds, as well as setting discovery.deployment.enablePodSecurityContext=false and gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false`to allow for easy OpenShift deployment. The global value will override any local settings. (solo-io#5034)

Fixes

• Provide a Helm field global.securitySettings.floatingUserId to apply floatingUserId logic, which unsets runAsUser for security contexts, for all deployments in the Gloo Helm chart. The global field will also cause templates to be rendered as if deployments with "enablePodSecurityContextfields have their value set tofalseto allow for easy OpenShift deployment. This functionality has also been added to Gloo Gateway via the GatewayParameters resource. IffloatingUserId` is set in GatewayParameters, it will be applied to all deployments in the Gloo Gateway Helm chart, unless a deployment-specific value is set. (solo-io#5034)

v1.18.0-beta14

Helm Changes

• Add a new field global.securitySettings.floatingUserId to the Gloo Helm chart that when set to true has the same effect as setting floatingUserId=true for all deployment-specific floatingUserIds, as well as setting discovery.deployment.enablePodSecurityContext=false and gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false`to allow for easy OpenShift deployment. The global value will override any local settings. (solo-io#5034)
• Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless). (solo-io#9860)

New Features

• Provide a Helm field global.securitySettings.floatingUserId to apply floatingUserId logic, which unsets runAsUser for security contexts, for all deployments in the Gloo Helm chart. The global field will also cause templates to be rendered as if deployments with "enablePodSecurityContextfields have their value set tofalseto allow for easy OpenShift deployment. This functionality has also been added to Gloo Gateway via the GatewayParameters resource. IffloatingUserId` is set in GatewayParameters, it will be applied to all deployments in the Gloo Gateway Helm chart, unless a deployment-specific value is set. (solo-io#5034)
• Check the validity of Gloo Gateway License using glooctl license validate --license-key <key>. (solo-io#3520)

Fixes

• Fix a bug that causes edge to try to list endpoints across all namespaces when no upstreams exist. (solo-io#5885)

v1.17.2

Helm Changes

• Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless). (solo-io#9860)

Fixes

• Set the 'message' field on various HTTPRoute conditions to enable easier troubleshooting (solo-io#9859)
• gateway2/delegation: fix extraneous route arising from invalid child rule

There's a bug where if a child route contains an invalid rule (rule
not matching the parent matcher), then even though the matcher is
discarded, the rule with an empty matcher but valid backendRef
is returned by GetDelegatedRoutes(). The result is that a /
route is programmed for such an invalid route rule. A more
precise fix is to also prune the rules that do not have a valid
matcher so that we do not rely on the translator to interpret
a route without a valid matcher as '/', which could be an alternative
fix though fragile.

The essence of this fix is to prune both the rules and matches
field on the child route when we process it in the context of the
parent matcher, so that:

1. invalid matchers on the child route are discarded
2. invalid rules (no valid child matchers) are also discarded

Previously, 2. was missing so a child route with a rule without
a matcher was configured, which results in a / route being exposed
for the corresponding backendRef. (solo-io/solo-projects#6621)

• Fix a bug that causes edge to try to list endpoints across all namespaces when no upstreams exist. (solo-io#5885)

v1.18.0-beta13

New Features

• Introduce API for oneWayTls in UpstreamSslConfig, which enables the capability for an upstream to be configured for one way TLS even if root CA data exists in the secret referenced by the UpstreamSslConfig. This feature does nothing when SDS is configured. (solo-io#9826)

v1.18.0-beta12

Dependency Bumps

• solo-io/envoy-gloo has been upgraded to v1.30.4-patch2.

New Features

• gateway2/route-options: merge extensionRef based attachments

Enables merging of multiple ExtensionRef based RouteOption
attachments for a rule within an HTTPRoute. (solo-io/solo-projects#6675)

v1.18.0-beta11

Fixes

• gateway2/delegation: resolve comments from 739b0e9 (solo-io/solo-projects#6621)
• gateway2/delegation: fix extraneous route arising from invalid child rule

There's a bug where if a child route contains an invalid rule (rule
not matching the parent matcher), then even though the matcher is
discarded, the rule with an empty matcher but valid backendRef
is returned by GetDelegatedRoutes(). The result is that a /
route is programmed for such an invalid route rule. A more
precise fix is to also prune the rules that do not have a valid
matcher so that we do not rely on the translator to interpret
a route without a valid matcher as '/', which could be an alternative
fix though fragile.

The essence of this fix is to prune both the rules and matches
field on the child route when we process it in the context of the
parent matcher, so that:

1. invalid matchers on the child route are discarded
2. invalid rules (no valid child matchers) are also discarded

Previously, 2. was missing so a child route with a rule without
a matcher was configured, which results in a / route being exposed
for the corresponding backendRef. (solo-io/solo-projects#6621)

v1.17.1

Fixes

• Fix a bug where the service and function names of a discovered gRPC service are not printed in JSON and YAML
  output when running glooctl get upstreams (solo-io#9743)