Merge branch 'main' into issue_10414_issue_7309

.github/workflows/push-docs.yaml

@@ -48,6 +48,9 @@ jobs:
         if [[ "${{ steps.lts-version.outputs.lts }}" == "main" ]]; then
           minor="1.18"
           directory="main"
+        elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.18.x" ]]; then
+          minor="1.18"
+          directory="main"
         elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.17.x" ]]; then
           minor="1.17"
           directory="latest"

changelog/v1.19.0-beta1/docs-deprecation.yaml

@@ -0,0 +1,7 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/docs/issues/702
+    resolvesIssue: true
+    description: >-
+      Add a not-recommended notice for Aerospike.
+      skipCI-kube-tests:true

docs/content/guides/security/rate_limiting/enterprise/_index.md

@@ -29,42 +29,9 @@ By default, the rate limit server is backed by a Redis instance that Gloo Gatewa
 * Using a database that is external to the cluster, such as for data privacy concerns
 
 Gloo Gateway supports the following external databases for the rate limit server:
-* [Aerospike](#aerospike)
 * [DynamoDB](#dynamodb)
 * [Redis](#redis)
 
-### Aerospike-backed rate limit server {#aerospike}
-
-You can use [Aerospike](https://docs.aerospike.com/database) as the backing storage database for the Gloo Gateway rate limit server. Aerospike is a real-time data platform with support for helpful features such as in-memory storage and streaming.
-
-{{% notice note %}}
-You can use Aerospike with **Gloo Gateway Enterprise** version 1.13.0 or later.<br><br>
-If you use also use Aerospike to store your Gloo Portal API keys, your Aerospike configurations must match. For example, use the same Aerospike IP address, port, and namespace in your Gloo Portal Storage custom resoure configuration and the rate limit server.
-{{% /notice %}}
-
-1. Create an Aerospike database instance to use as the backing storage for the rate limit server. For setup steps, see the [Gloo Portal documentation](https://docs.solo.io/gloo-portal/main/guides/portal_features/apikey_storage/). 
-2. To rate limit APIs that you manage with Gloo Portal, make sure that your configuration matches the configuration that you used with your [Gloo Portal Storage custom resource](https://docs.solo.io/gloo-portal/main/guides/portal_features/apikey_storage/).
-3. [Install]({{< versioned_link_path fromRoot="/installation/enterprise/">}}) or [upgrade]({{< versioned_link_path fromRoot="/operations/upgrading/">}}) your Gloo Gateway Enterprise Helm installation by completing the following steps:
-   1. Disable the default Redis server backing storage by setting `rateLimit.enabled` to `false`.
-   2. Provide the rate limiting Aerospike Helm chart configuration options, as shown in the following table. These values match what you configured in your Aerospike database setup. 
-
-| Option | Type | Description |
-| --- | --- | --- |
-|rateLimit.deployment.aerospike.address|string|The IP address or hostname of the Aerospike database. The address must be reachable from Gloo Gateway, such as in a virtual machine with a public IP address or in a pod in the cluster. By setting this value, you also enable Aerospike database as the backing storage for the rate limit service.|
-|rateLimit.deployment.aerospike.namespace|string|The Aerospike namespace of the database. The default value is `solo-namespace`.|
-|rateLimit.deployment.aerospike.set|string|The Aerospike name of the database set. The default value is `ratelimiter`.|
-|rateLimit.deployment.aerospike.port|int|The port of the `rateLimit.deployment.aerospike.address`. The default port is `3000`.|
-|rateLimit.deployment.aerospike.batchSize|int|The size of the batch, which is the number of keys sent in the request. The default value is `5000`.|
-|rateLimit.deployment.aerospike.commitLevel|int|The level of guaranteed consistency for transaction commits on the Aerospike server. For possible values, see the [Aerospike commit policy](https://github.com/aerospike/aerospike-client-go/blob/master/commit_policy.go). The default value is `1`.|
-|rateLimit.deployment.aerospike.readModeSC|int|The read mode for strong consistency (SC) options. For possible values, see the [Aerospike read mode SC](https://github.com/aerospike/aerospike-client-go/blob/master/read_mode_sc.go). The default value is `0`.|
-|rateLimit.deployment.aerospike.readModeAP|int|The read mode for availability (AP). For possible values, see the [Aerospike read mode AP](https://github.com/aerospike/aerospike-client-go/blob/master/read_mode_ap.go). The default value is `0`.|
-|rateLimit.deployment.aerospike.tls.name|string|The subject name of the TLS authority. For more information, see the [Aerospike docs](https://docs.aerospike.com/reference/configuration#tls-name).|
-|rateLimit.deployment.aerospike.tls.version|string|The TLS version. Versions 1.0, 1.1, 1.2, and 1.3 are supported. The default value is `1.3`.|
-|rateLimit.deployment.aerospike.tls.insecure|bool|The TLS insecure setting. If set to `true`, the authority of the certificate on the client's end is not authenticated. You might use insecure mode in non-production environments when the certificate is not known. The default value is `false`.|
-|rateLimit.deployment.aerospike.tls.certSecretName|string| The name of the `kubernetes.io/tls` secret that has the `tls.crt` and `tls.key` data.|
-|rateLimit.deployment.aerospike.tls.rootCASecretName|string|The secret name for the Opaque root CA that sets the key as `tls.crt`.|
-|rateLimit.deployment.aerospike.tls.curveGroups[]|string|The TLS identifier for an elliptic curve. For more information, see [TLS supported groups](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8).|
-
 ### DynamoDB-backed rate limit server {#dynamodb}
 
 You can use DynamoDB as the backing storage database for the Gloo Gateway rate limit server. DynamoDB is built for single-millisecond latencies. It includes features such as built-in replication ([DynamoDB Global Tables](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GlobalTables.html)) that can help you set up global rate limiting across multiple instances or multiple data centers.

docs/content/static/content/version_gee_latest.md

@@ -1 +1 @@
-1.18.0-beta2
+1.18.0-rc3

docs/content/static/content/version_gee_n+1.md

@@ -1 +1 @@
-1.18.0-beta2
+1.18.0-rc3

docs/content/static/content/version_geoss_latest.md

@@ -1 +1 @@
-1.18.0-beta33
+1.18.0-rc3

docs/content/static/content/version_geoss_n+1.md

@@ -1 +1 @@
-1.18.0-beta33
+1.18.0-rc3

projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto

@@ -580,6 +580,8 @@ message ExtAuthConfig {
 
         oneof storage_backend {
             K8sSecretApiKeyStorage k8s_secret_apikey_storage = 4;
+            // <b>Deprecated</b>: Support for Aerospike is deprecated and will be removed in a future release.
+            // Use of this feature is not recommended.
             AerospikeApiKeyStorage aerospike_apikey_storage = 5;
             ServerDefaultApiKeyStorage server_default_apikey_storage = 7;
         }

projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto

@@ -493,8 +493,12 @@ message UserSession {
             // Cookies are not sent on normal cross-site subrequests, but are sent when
             // navigating to the origin site.
             LaxMode = 1;
-            // Only be sent in a first-party context and not be sent along with requests
-            // initiated by third party websites.
+            // Cookies are sent only in first-party contexts and are not sent along with requests
+            // initiated by third-party websites.
+            //
+            // **Warning**: Do not use this mode if the app and the IdP have different domains.
+            // In this case, some browsers incorrectly detect the redirect from `/callback` to `/login`
+            // as a cross-site request.
             StrictMode = 2;
             // Cookies are sent in all contexts. Cookie NotSecure must be unset.
             NoneMode = 3;
@@ -1154,6 +1158,8 @@ message ApiKeyAuth {
 
     oneof storage_backend {
         K8sSecretApiKeyStorage k8s_secret_apikey_storage = 6;
+        // <b>Deprecated</b>: Support for Aerospike is deprecated and will be removed in a future release.
+        // Use of this feature is not recommended.
         AerospikeApiKeyStorage aerospike_apikey_storage = 7;
     }
 
@@ -1195,6 +1201,8 @@ message K8sSecretApiKeyStorage {
     repeated core.solo.io.ResourceRef api_key_secret_refs = 2;
 }
 
+// <b>Deprecated</b>: Support for Aerospike is deprecated and will be removed in a future release.
+// Use of this feature is not recommended.
 message AerospikeApiKeyStorage {
     // The IP address or hostname of one of the cluster members of your Aerospike database. The address must be reachable from Gloo Edge, such as in a virtual machine with a public IP address or in a pod in the cluster.
     // The client automatically discovers other members of the cluster after establishing a connection.