From 486e37b28e6c5caf3c051b34acf50b440da99806 Mon Sep 17 00:00:00 2001
From: Rachael Graham
Date: Wed, 4 Dec 2024 14:30:28 -0600
Subject: [PATCH] Docs - Deprecate aerospike (#10422)

Co-authored-by: Sam Heilbron
---
 .github/workflows/push-docs.yaml | 3 ++
 changelog/v1.19.0-beta1/docs-deprecation.yaml | 7 ++++
 .../rate_limiting/enterprise/_index.md | 33 -------------------
 .../extauth/v1/extauth-internal.proto.sk.md | 2 +-
 .../options/extauth/v1/extauth.proto.sk.md | 8 +++--
 .../static/content/version_gee_latest.md | 2 +-
 .../content/static/content/version_gee_n+1.md | 2 +-
 .../static/content/version_geoss_latest.md | 2 +-
 .../static/content/version_geoss_n+1.md | 2 +-
 .../options/extauth/v1/extauth-internal.proto | 2 ++
 .../options/extauth/v1/extauth.proto | 12 +++++--
 .../options/extauth/v1/extauth-internal.pb.go | 2 ++
 .../options/extauth/v1/extauth.pb.go | 12 +++++--
 13 files changed, 44 insertions(+), 45 deletions(-)
 create mode 100644 changelog/v1.19.0-beta1/docs-deprecation.yaml

diff --git a/.github/workflows/push-docs.yaml b/.github/workflows/push-docs.yaml
index bacc176f521..35e7eec7b37 100644
--- a/.github/workflows/push-docs.yaml
+++ b/.github/workflows/push-docs.yaml
@@ -48,6 +48,9 @@ jobs:
 if [[ "${{ steps.lts-version.outputs.lts }}" == "main" ]]; then
 minor="1.18"
 directory="main"
+ elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.18.x" ]]; then
+ minor="1.18"
+ directory="main"
 elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.17.x" ]]; then
 minor="1.17"
 directory="latest"
diff --git a/changelog/v1.19.0-beta1/docs-deprecation.yaml b/changelog/v1.19.0-beta1/docs-deprecation.yaml
new file mode 100644
index 00000000000..f079a330fd6
--- /dev/null
+++ b/changelog/v1.19.0-beta1/docs-deprecation.yaml
@@ -0,0 +1,7 @@
+changelog:
+ - type: NON_USER_FACING
+ issueLink: https://github.com/solo-io/docs/issues/702
+ resolvesIssue: true
+ description: >-
+ Add a not-recommended notice for Aerospike.
+ skipCI-kube-tests:true
\ No newline at end of file
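Review bot: The `v1.18.x` arm added to the `if`/`elif` chain sets exactly what the `main` arm above it sets (`minor="1.18"`, `directory="main"`), so the chain now has two conditions with one body; folding them into the first test, `if [[ "${{ steps.lts-version.outputs.lts }}" == "main" || "${{ steps.lts-version.outputs.lts }}" == "v1.18.x" ]]; then`, keeps the LTS-to-docs-directory mapping in one place and makes the next rollover a one-line edit. If publishing `v1.18.x` under the `main` directory rather than `latest` is a deliberate transition step, a comment on the arm such as `# v1.18.x is published to the "main" docs directory on purpose` would stop a later reader from "fixing" it. Every arm also interpolates `${{ steps.lts-version.outputs.lts }}` straight into the shell script; that is harmless while the step output comes only from repository data, but if it can ever be derived from a branch name, tag or other externally supplied value, passing it through an `env:` entry and comparing `"$LTS"` in the script avoids the script-injection path that inline `${{ }}` expansion opens. The `if` chain continues past both ends of the hunk.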
diff --git a/docs/content/guides/security/rate_limiting/enterprise/_index.md b/docs/content/guides/security/rate_limiting/enterprise/_index.md index 9ae448b7d02..3e1242c505c 100644 --- a/docs/content/guides/security/rate_limiting/enterprise/_index.md +++ b/docs/content/guides/security/rate_limiting/enterprise/_index.md @@ -29,42 +29,9 @@ By default, the rate limit server is backed by a Redis instance that Gloo Gatewa * Using a database that is external to the cluster, such as for data privacy concerns Gloo Gateway supports the following external databases for the rate limit server: -* [Aerospike](#aerospike) * [DynamoDB](#dynamodb) * [Redis](#redis) -### Aerospike-backed rate limit server {#aerospike} - -You can use [Aerospike](https://docs.aerospike.com/database) as the backing storage database for the Gloo Gateway rate limit server. Aerospike is a real-time data platform with support for helpful features such as in-memory storage and streaming. - -{{% notice note %}} -You can use Aerospike with **Gloo Gateway Enterprise** version 1.13.0 or later.

-If you use also use Aerospike to store your Gloo Portal API keys, your Aerospike configurations must match. For example, use the same Aerospike IP address, port, and namespace in your Gloo Portal Storage custom resoure configuration and the rate limit server. -{{% /notice %}} - -1. Create an Aerospike database instance to use as the backing storage for the rate limit server. For setup steps, see the [Gloo Portal documentation](https://docs.solo.io/gloo-portal/main/guides/portal_features/apikey_storage/). -2. To rate limit APIs that you manage with Gloo Portal, make sure that your configuration matches the configuration that you used with your [Gloo Portal Storage custom resource](https://docs.solo.io/gloo-portal/main/guides/portal_features/apikey_storage/). -3. [Install]({{< versioned_link_path fromRoot="/installation/enterprise/">}}) or [upgrade]({{< versioned_link_path fromRoot="/operations/upgrading/">}}) your Gloo Gateway Enterprise Helm installation by completing the following steps: - 1. Disable the default Redis server backing storage by setting `rateLimit.enabled` to `false`. - 2. Provide the rate limiting Aerospike Helm chart configuration options, as shown in the following table. These values match what you configured in your Aerospike database setup. - -| Option | Type | Description | -| --- | --- | --- | -|rateLimit.deployment.aerospike.address|string|The IP address or hostname of the Aerospike database. The address must be reachable from Gloo Gateway, such as in a virtual machine with a public IP address or in a pod in the cluster. By setting this value, you also enable Aerospike database as the backing storage for the rate limit service.| -|rateLimit.deployment.aerospike.namespace|string|The Aerospike namespace of the database. The default value is `solo-namespace`.| -|rateLimit.deployment.aerospike.set|string|The Aerospike name of the database set. 
The default value is `ratelimiter`.| -|rateLimit.deployment.aerospike.port|int|The port of the `rateLimit.deployment.aerospike.address`. The default port is `3000`.| -|rateLimit.deployment.aerospike.batchSize|int|The size of the batch, which is the number of keys sent in the request. The default value is `5000`.| -|rateLimit.deployment.aerospike.commitLevel|int|The level of guaranteed consistency for transaction commits on the Aerospike server. For possible values, see the [Aerospike commit policy](https://github.com/aerospike/aerospike-client-go/blob/master/commit_policy.go). The default value is `1`.| -|rateLimit.deployment.aerospike.readModeSC|int|The read mode for strong consistency (SC) options. For possible values, see the [Aerospike read mode SC](https://github.com/aerospike/aerospike-client-go/blob/master/read_mode_sc.go). The default value is `0`.| -|rateLimit.deployment.aerospike.readModeAP|int|The read mode for availability (AP). For possible values, see the [Aerospike read mode AP](https://github.com/aerospike/aerospike-client-go/blob/master/read_mode_ap.go). The default value is `0`.| -|rateLimit.deployment.aerospike.tls.name|string|The subject name of the TLS authority. For more information, see the [Aerospike docs](https://docs.aerospike.com/reference/configuration#tls-name).| -|rateLimit.deployment.aerospike.tls.version|string|The TLS version. Versions 1.0, 1.1, 1.2, and 1.3 are supported. The default value is `1.3`.| -|rateLimit.deployment.aerospike.tls.insecure|bool|The TLS insecure setting. If set to `true`, the authority of the certificate on the client's end is not authenticated. You might use insecure mode in non-production environments when the certificate is not known. 
The default value is `false`.| -|rateLimit.deployment.aerospike.tls.certSecretName|string| The name of the `kubernetes.io/tls` secret that has the `tls.crt` and `tls.key` data.| -|rateLimit.deployment.aerospike.tls.rootCASecretName|string|The secret name for the Opaque root CA that sets the key as `tls.crt`.| -|rateLimit.deployment.aerospike.tls.curveGroups[]|string|The TLS identifier for an elliptic curve. For more information, see [TLS supported groups](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8).| - ### DynamoDB-backed rate limit server {#dynamodb} You can use DynamoDB as the backing storage database for the Gloo Gateway rate limit server. DynamoDB is built for single-millisecond latencies. It includes features such as built-in replication ([DynamoDB Global Tables](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GlobalTables.html)) that can help you set up global rate limiting across multiple instances or multiple data centers. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md index ecb9523d4b6..88393324273 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md 
@@ -743,7 +743,7 @@ No-op, represents default OIDC behavior | `headerName` | `string` | (Optional) When receiving a request, the Gloo Edge Enterprise external auth server will look for an API key in a header with this name. This field is optional; if not provided it defaults to `api-key`. | | `headersFromKeyMetadata` | `map` | Determines the key metadata that will be included as headers on the upstream request. Each entry represents a header to add: the key is the name of the header, and the value is the key that will be used to look up the data entry in the key metadata. | | `k8SSecretApikeyStorage` | [.enterprise.gloo.solo.io.K8sSecretApiKeyStorage](../extauth.proto.sk/#k8ssecretapikeystorage) | Only one of `k8sSecretApikeyStorage`, `aerospikeApikeyStorage`, or `serverDefaultApikeyStorage` can be set. | -| `aerospikeApikeyStorage` | [.enterprise.gloo.solo.io.AerospikeApiKeyStorage](../extauth.proto.sk/#aerospikeapikeystorage) | Only one of `aerospikeApikeyStorage`, `k8sSecretApikeyStorage`, or `serverDefaultApikeyStorage` can be set. | +| `aerospikeApikeyStorage` | [.enterprise.gloo.solo.io.AerospikeApiKeyStorage](../extauth.proto.sk/#aerospikeapikeystorage) | Deprecated: Support for Aerospike is deprecated and will be removed in a future release. Use of this feature is not recommended. Only one of `aerospikeApikeyStorage`, `k8sSecretApikeyStorage`, or `serverDefaultApikeyStorage` can be set. | | `serverDefaultApikeyStorage` | [.enterprise.gloo.solo.io.ServerDefaultApiKeyStorage](../extauth.proto.sk/#serverdefaultapikeystorage) | Only one of `serverDefaultApikeyStorage`, `k8sSecretApikeyStorage`, or `aerospikeApikeyStorage` can be set. | | `skipMetadataValidation` | `bool` | API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. 
This validation comes with a performance cost, and can be disabled by setting this field to `true`. | diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md index 0a50a87c22e..ced7c9b350d 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md @@ -807,7 +807,7 @@ The SameSite options. The default value is LaxMode. | ----- | ----------- | | `DefaultMode` | Default Mode is the same as LaxMode but will not show up in the Cookie Header. This value is ignored. | | `LaxMode` | Cookies are not sent on normal cross-site subrequests, but are sent when navigating to the origin site. | -| `StrictMode` | Only be sent in a first-party context and not be sent along with requests initiated by third party websites. | +| `StrictMode` | Cookies are sent only in first-party contexts and are not sent along with requests initiated by third-party websites. **Warning**: Do not use this mode if the app and the IdP have different domains. In this case, some browsers incorrectly detect the redirect from `/callback` to `/login` as a cross-site request. | | `NoneMode` | Cookies are sent in all contexts. Cookie NotSecure must be unset. | 
@@ -1483,7 +1483,7 @@ added to the `AuthorizationRequest` state under the "api_key_value" key name. | `headersFromMetadata` | `map` | DEPRECATED: use headers_from_metadata_entry. | | `headersFromMetadataEntry` | `map>` | API key structures might contain additional data (e.g. the ID of the user that the API key belongs to) in the form of extra fields included in the API key metadata structure. This configuration can be used to add this data to the headers of successfully authenticated requests. Each key in the map represents the name of header to be added; the corresponding value determines the key in the API key metadata structure that will be inspected to determine the value for the header. When the provided API key token has been successfully validated, and this field has been configured, then any extra API key metadata fields that were able to be discovered will be added to the `AuthorizationRequest` state under the key name that was configured. For example, using the `x-user-name` string as the header name, and referencing an existing "user-email" API key metadata entry will result in the value of this "user-email" metadata entry being accessable in other auth modules in the `AuthorizationRequest.State["x-user-name"]` key. This behavior allows other modules (e.g. OPA) to build more powerful rules to further validate the contents of the extra API key metadata than what's possible using the standalone API key module. | | `k8SSecretApikeyStorage` | [.enterprise.gloo.solo.io.K8sSecretApiKeyStorage](../extauth.proto.sk/#k8ssecretapikeystorage) | Only one of `k8sSecretApikeyStorage` or `aerospikeApikeyStorage` can be set. | -| `aerospikeApikeyStorage` | [.enterprise.gloo.solo.io.AerospikeApiKeyStorage](../extauth.proto.sk/#aerospikeapikeystorage) | Only one of `aerospikeApikeyStorage` or `k8sSecretApikeyStorage` can be set. 
| +| `aerospikeApikeyStorage` | [.enterprise.gloo.solo.io.AerospikeApiKeyStorage](../extauth.proto.sk/#aerospikeapikeystorage) | Deprecated: Support for Aerospike is deprecated and will be removed in a future release. Use of this feature is not recommended. Only one of `aerospikeApikeyStorage` or `k8sSecretApikeyStorage` can be set. | | `skipMetadataValidation` | `bool` | API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. This validation comes with a performance cost, and can be disabled by setting this field to `true`. | @@ -1552,7 +1552,9 @@ For the Aerospike backend, this data is stored as bins on the key's record --- ### AerospikeApiKeyStorage - + +Deprecated: Support for Aerospike is deprecated and will be removed in a future release. +Use of this feature is not recommended. ```yaml "hostname": string diff --git a/docs/content/static/content/version_gee_latest.md b/docs/content/static/content/version_gee_latest.md index 0ef51e2e4f9..e4b5c5fd145 100644 --- a/docs/content/static/content/version_gee_latest.md +++ b/docs/content/static/content/version_gee_latest.md @@ -1 +1 @@ -1.18.0-beta2 \ No newline at end of file +1.18.0-rc3 \ No newline at end of file diff --git a/docs/content/static/content/version_gee_n+1.md b/docs/content/static/content/version_gee_n+1.md index 0ef51e2e4f9..e4b5c5fd145 100644 --- a/docs/content/static/content/version_gee_n+1.md +++ b/docs/content/static/content/version_gee_n+1.md @@ -1 +1 @@ -1.18.0-beta2 \ No newline at end of file +1.18.0-rc3 \ No newline at end of file diff --git a/docs/content/static/content/version_geoss_latest.md b/docs/content/static/content/version_geoss_latest.md index 340c8aa8661..e4b5c5fd145 100644 --- a/docs/content/static/content/version_geoss_latest.md +++ b/docs/content/static/content/version_geoss_latest.md 
@@ -1 +1 @@
-1.18.0-beta33
\ No newline at end of file
+1.18.0-rc3
\ No newline at end of file
diff --git a/docs/content/static/content/version_geoss_n+1.md b/docs/content/static/content/version_geoss_n+1.md
index 340c8aa8661..e4b5c5fd145 100644
--- a/docs/content/static/content/version_geoss_n+1.md
+++ b/docs/content/static/content/version_geoss_n+1.md
@@ -1 +1 @@
-1.18.0-beta33
\ No newline at end of file
+1.18.0-rc3
\ No newline at end of file
diff --git a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto
index 55007407cce..27d90434b9a 100644
--- a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto
+++ b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto
@@ -580,6 +580,8 @@ message ExtAuthConfig {
 oneof storage_backend {
 K8sSecretApiKeyStorage k8s_secret_apikey_storage = 4;
+ // Deprecated: Support for Aerospike is deprecated and will be removed in a future release.
+ // Use of this feature is not recommended.
 AerospikeApiKeyStorage aerospike_apikey_storage = 5;
 ServerDefaultApiKeyStorage server_default_apikey_storage = 7;
 }
diff --git a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto
index dc703cdca32..d9904ec28a7 100644
--- a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto
+++ b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto
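Review bot: The deprecation of `aerospike_apikey_storage` lives only in a leading comment, so the descriptor carries no machine-readable mark and the generated getters are not flagged for callers that still use them; protobuf has a field option for this, `AerospikeApiKeyStorage aerospike_apikey_storage = 5 [deprecated = true];`, and protoc-gen-go then emits the `Deprecated:` marker on the field and its getter so `staticcheck` (SA1019) warns at every remaining use. The same applies to the two hunks in extauth.proto that follow: the `aerospike_apikey_storage = 7` field in `ApiKeyAuth` takes the same option, and the `AerospikeApiKeyStorage` message can carry `option deprecated = true;` as its first body line so the message type is marked as well. The prose comment is still worth keeping, since it is what the .sk.md reference and the Go doc comment show, and it already starts with `Deprecated:`, which is the paragraph form Go tooling recognizes. The enclosing message continues outside the hunk.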
@@ -493,8 +493,12 @@ message UserSession {
 // Cookies are not sent on normal cross-site subrequests, but are sent when
 // navigating to the origin site.
 LaxMode = 1;
- // Only be sent in a first-party context and not be sent along with requests
- // initiated by third party websites.
+ // Cookies are sent only in first-party contexts and are not sent along with requests
+ // initiated by third-party websites.
+ //
+ // **Warning**: Do not use this mode if the app and the IdP have different domains.
+ // In this case, some browsers incorrectly detect the redirect from `/callback` to `/login`
+ // as a cross-site request.
 StrictMode = 2;
 // Cookies are sent in all contexts. Cookie NotSecure must be unset.
 NoneMode = 3;
@@ -1154,6 +1158,8 @@ message ApiKeyAuth {
 oneof storage_backend {
 K8sSecretApiKeyStorage k8s_secret_apikey_storage = 6;
+ // Deprecated: Support for Aerospike is deprecated and will be removed in a future release.
+ // Use of this feature is not recommended.
 AerospikeApiKeyStorage aerospike_apikey_storage = 7;
 }
@@ -1195,6 +1201,8 @@ message K8sSecretApiKeyStorage {
 repeated core.solo.io.ResourceRef api_key_secret_refs = 2;
 }
+// Deprecated: Support for Aerospike is deprecated and will be removed in a future release.
+// Use of this feature is not recommended.
 message AerospikeApiKeyStorage {
 // The IP address or hostname of one of the cluster members of your Aerospike database. The address must be reachable from Gloo Edge, such as in a virtual machine with a public IP address or in a pod in the cluster.
 // The client automatically discovers other members of the cluster after establishing a connection.
diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth-internal.pb.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth-internal.pb.go
index 8fb737ecd05..0c215d8386f 100644
--- a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth-internal.pb.go
+++ b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth-internal.pb.go
@@ -1997,6 +1997,8 @@ type ExtAuthConfig_ApiKeyAuthConfig_K8SSecretApikeyStorage struct {
 }
 type ExtAuthConfig_ApiKeyAuthConfig_AerospikeApikeyStorage struct {
+ // Deprecated: Support for Aerospike is deprecated and will be removed in a future release.
+ // Use of this feature is not recommended.
 AerospikeApikeyStorage *AerospikeApiKeyStorage `protobuf:"bytes,5,opt,name=aerospike_apikey_storage,json=aerospikeApikeyStorage,proto3,oneof"`
 }
diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go
index b306139a027..7770f4fb5dc 100644
--- a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go
+++ b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go
@@ -132,8 +132,12 @@ const (
 // Cookies are not sent on normal cross-site subrequests, but are sent when
 // navigating to the origin site.
 UserSession_CookieOptions_LaxMode UserSession_CookieOptions_SameSite = 1
- // Only be sent in a first-party context and not be sent along with requests
- // initiated by third party websites.
+ // Cookies are sent only in first-party contexts and are not sent along with requests
+ // initiated by third-party websites.
+ //
+ // **Warning**: Do not use this mode if the app and the IdP have different domains.
+ // In this case, some browsers incorrectly detect the redirect from `/callback` to `/login`
+ // as a cross-site request.
 UserSession_CookieOptions_StrictMode UserSession_CookieOptions_SameSite = 2
 // Cookies are sent in all contexts. Cookie NotSecure must be unset.
 UserSession_CookieOptions_NoneMode UserSession_CookieOptions_SameSite = 3
@@ -3432,6 +3436,8 @@ type ApiKeyAuth_K8SSecretApikeyStorage struct {
 }
 type ApiKeyAuth_AerospikeApikeyStorage struct {
+ // Deprecated: Support for Aerospike is deprecated and will be removed in a future release.
+ // Use of this feature is not recommended.
 AerospikeApikeyStorage *AerospikeApiKeyStorage `protobuf:"bytes,7,opt,name=aerospike_apikey_storage,json=aerospikeApikeyStorage,proto3,oneof"`
 }
@@ -3496,6 +3502,8 @@ func (x *K8SSecretApiKeyStorage) GetApiKeySecretRefs() []*core.ResourceRef {
 return nil
 }
+// Deprecated: Support for Aerospike is deprecated and will be removed in a future release.
+// Use of this feature is not recommended.
 type AerospikeApiKeyStorage struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache