Emissary Ingress 3.5.0
🎉 Emissary Ingress 3.5.0 🎉
Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.
Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html
View changelog - https://github.com/emissary-ingress/emissary/blob/v3.5.0/CHANGELOG.md
Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started
-
Security: Upgrading to the latest release of Golang as part of our general dependency upgrade
process. This includes security fixes for CVE-2022-41725, CVE-2022-41723. -
Feature: In Envoy 1.24, experimental support for a native OpenTelemetry tracing driver was
introduced that allows exporting spans in the otlp format. Many Observability platforms accept
that format and is the recommend replacement for the LightStep driver. Emissary-ingress now
supports setting theTracingService.spec.driver=opentelemetry
to export spans in otlp
format.
Thanks to Paul for helping us
get this tested and implemented! -
Bugfix: When wanting to expose traffic to clients on ports other than 80/443, users will set a
port in the Host.hostname (eg.Host.hostname=example.com:8500
. The config generated allowed
matching on the :authority header. This worked in v1.Y series due to the way emissary was
generating Envoy configuration under a single wild-card virtual_host and matching on
:authority.In v2.Y/v3.Y+, the way emissary generates Envoy configuration changed to address
memory pressure and improve route lookup speed in Envoy. However, when including a port in the
hostname, an incorrect configuration was generated with an sni match including the port. This has
been fixed and the correct envoy configuration is being generated. (fix: hostname port issue) -
Change: Previously, specifying backend ports by name in Ingress was not supported and would result
in defaulting to port 80. This allows emissary-ingress to now resolve port names for backend
services. If the port number cannot be resolved by the name (e.g named port in the Service doesn't
exist) then it defaults back to the original behavior. (Thanks to Anton Ustyuzhanin!). (#4809) -
Change: The
emissary-apiext
server is a Kubernetes Conversion Webhook that converts between the
Emissary-ingress CRD versions. On startup, it ensures that a self-signed cert is available so that
K8s API Server can talk to the conversion webhook (TLS is required by K8s). We have introduced
a startupProbe to ensure that emissary-apiext server has enough time to configure the webhooks
before running liveness and readiness probes. This is to ensure slow startup doesn't cause K8s to
needlessly restart the pod.