Releases: solo-io/gloo

v1.17.5

08 Nov 14:08
e46a61b

Helm Changes

  • New field gateway.validation.warnMissingTlsSecret controls whether missing TLS secrets referenced in SslConfig and UpstreamSslConfig will be treated as a warning instead of an error during validation. Defaults to false. This field has no effect if allowWarnings is false or acceptAllResources is true. (#6957)

Fixes

  • Fix for issue where a missing TLS secret was treated by validation as an error, potentially bringing down the entire HTTPS gateway if the gloo pod restarts while in this bad state. This is a breaking change in the default behavior of validation.
    To enable this behavior, use the helm setting gateway.validation.warnMissingTlsSecret=true or the same field on the Settings CR. This field has no effect if allowWarnings is false or acceptAllResources is true. (#6957)

v1.18.0-beta16

08 Nov 14:15
27af5ff

Breaking Changes

  • Fix for issue where a missing TLS secret was treated by validation as an error, potentially bringing down the entire HTTPS gateway if the gloo pod restarts while in this bad state. This is a breaking change in the default behavior of validation.
    To disable this behavior, use the helm setting gateway.validation.warnMissingTlsSecret=false or the same field on the Settings CR. This field has no effect if allowWarnings is false or acceptAllResources is true. (#6957)

Helm Changes

  • Ensure that gateway-proxy deployments respect the gatewayProxy.NAME.kind.deployment.priorityClassName field. This API allows you to set the PriorityClassName for gateway-proxy Pods. This is already supported on all other Gloo deployments. (#8677)
  • New field gateway.validation.warnMissingTlsSecret controls whether missing TLS secrets referenced in SslConfig and UpstreamSslConfig will be treated as a warning instead of an error during validation. Defaults to true. This field has no effect if allowWarnings is false or acceptAllResources is true. (#6957)

Fixes

v1.17.4

08 Nov 14:20
edc84c4

Dependency Bumps

  • solo-io/envoy-gloo has been upgraded to 1.30.4-patch4.

Helm Changes

  • Ensure that gateway-proxy deployments respect the gatewayProxy.NAME.kind.deployment.priorityClassName field. This API allows you to set the PriorityClassName for gateway-proxy Pods. This is already supported on all other Gloo deployments. (#8677)
  • Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (#9855)

Fixes

  • gateway2/route-options: merge extensionRef based attachments

Enables merging of multiple ExtensionRef based RouteOption
attachments for a rule within an HTTPRoute. (solo-io/solo-projects#6675)

Implements merging of targetRef based RouteOptions and
VirtualHostOptions in a specific order of precedence from
oldest to newest created resource.

The merging uses shallow merging such that for an option
A that is higher priority than option B, merge(A,B) merges
the top-level options of B that have not already been set on A.
This allows options later in the precedence chain to augment
the existing options during a merge but not overwrite them. (solo-io/solo-projects#6313)

  • Update Envoy to enable thread-local slots to be deallocated on worker threads. This provides greater stability in Envoy when the main thread is under heavy load. This behaviour can be disabled by toggling the runtime flag envoy_restart_features_allow_slot_destroy_on_worker_threads. (solo-io/solo-projects#6713)
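
The shallow, oldest-first merge described in the route-options note above can be sketched as follows. This is an added example, not code from the Gloo repository; the `RouteOptions` and `Cors` types, their fields and the `Created` timestamp are hypothetical simplifications.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical stand-ins for the real option types; nil means "not set".
type Cors struct{ AllowOrigins []string }

type RouteOptions struct {
	Created int64 // creation time of the owning resource (unix seconds)
	Timeout *string
	Cors    *Cors
}

// shallowMerge returns a with every unset top-level option taken from b.
// Options already set on a are kept whole; nested fields are never combined.
func shallowMerge(a, b RouteOptions) RouteOptions {
	if a.Timeout == nil {
		a.Timeout = b.Timeout
	}
	if a.Cors == nil {
		a.Cors = b.Cors
	}
	return a
}

// MergeOldestFirst orders attachments oldest to newest and folds them so the
// oldest resource has the highest priority.
func MergeOldestFirst(opts []RouteOptions) RouteOptions {
	sorted := append([]RouteOptions(nil), opts...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Created < sorted[j].Created })
	var merged RouteOptions
	for _, o := range sorted {
		merged = shallowMerge(merged, o)
	}
	return merged
}

func str(s string) *string { return &s }

func main() {
	// Constructed sample: the newer attachment tries to widen CORS to "*".
	newer := RouteOptions{Created: 200, Timeout: str("60s"), Cors: &Cors{AllowOrigins: []string{"*"}}}
	older := RouteOptions{Created: 100, Cors: &Cors{AllowOrigins: []string{"https://app.example.com"}}}
	m := MergeOldestFirst([]RouteOptions{newer, older})
	fmt.Println(*m.Timeout, m.Cors.AllowOrigins) // 60s [https://app.example.com]
}
```

The newer attachment contributes its timeout because the older one left it unset, but its CORS block is ignored as a whole rather than merged field by field.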

v1.16.19

08 Nov 14:25
3995b9c

Dependency Bumps

  • solo-io/envoy-gloo has been upgraded to v1.27.7-patch2.

Helm Changes

  • Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (#9855)

Fixes

  • Update Envoy to enable thread-local slots to be deallocated on worker threads. This provides greater stability in Envoy when the main thread is under heavy load. This behaviour can be disabled by toggling the runtime flag envoy_restart_features_allow_slot_destroy_on_worker_threads. (solo-io/solo-projects#6713)
  • Fix a bug where the service and function names of a discovered gRPC service are not printed in JSON and YAML
    output when running glooctl get upstreams (#9743)

v1.18.0-beta15

08 Nov 14:30
bc8efcb

Helm Changes

  • Introduce gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddress which overrides the Istio SPIFFE certificate provider (CA_ADDR env variable). It defaults to gatewayProxies.gatewayProxy.discoveryAddress. (#9855)

New Features

  • Expose CorsPolicyMergeSettings on VirtualHostOptions which allows users to specify how to reconcile CORS settings when configured on both Route and VirtualHost. Specifically it is now possible to define a UNION merge strategy for the ExposeHeaders field, resulting in the union of the headers set at Route and VirtualHost level being applied to traffic for the Route. (#7689)

Fixes

v1.17.3

08 Nov 14:35
5e16aa5

Helm Changes

  • Add a new field global.securitySettings.floatingUserId to the Gloo Helm chart that, when set to true, has the same effect as setting floatingUserId=true for all deployment-specific floatingUserIds, as well as setting discovery.deployment.enablePodSecurityContext=false and gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false to allow for easy OpenShift deployment. The global value will override any local settings. (#5034)

Fixes

  • Provide a Helm field global.securitySettings.floatingUserId to apply floatingUserId logic, which unsets runAsUser for security contexts, for all deployments in the Gloo Helm chart. The global field will also cause templates to be rendered as if deployments with enablePodSecurityContext fields have their value set to false to allow for easy OpenShift deployment. This functionality has also been added to Gloo Gateway via the GatewayParameters resource. If floatingUserId is set in GatewayParameters, it will be applied to all deployments in the Gloo Gateway Helm chart, unless a deployment-specific value is set. (#5034)

v1.18.0-beta14

08 Nov 14:40
e8ea626

Helm Changes

  • Add a new field global.securitySettings.floatingUserId to the Gloo Helm chart that, when set to true, has the same effect as setting floatingUserId=true for all deployment-specific floatingUserIds, as well as setting discovery.deployment.enablePodSecurityContext=false and gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false to allow for easy OpenShift deployment. The global value will override any local settings. (#5034)
  • Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless). (#9860)

New Features

  • Provide a Helm field global.securitySettings.floatingUserId to apply floatingUserId logic, which unsets runAsUser for security contexts, for all deployments in the Gloo Helm chart. The global field will also cause templates to be rendered as if deployments with enablePodSecurityContext fields have their value set to false to allow for easy OpenShift deployment. This functionality has also been added to Gloo Gateway via the GatewayParameters resource. If floatingUserId is set in GatewayParameters, it will be applied to all deployments in the Gloo Gateway Helm chart, unless a deployment-specific value is set. (#5034)
  • Check the validity of Gloo Gateway License using glooctl license validate --license-key <key>. (#3520)

Fixes

  • Fix a bug that causes edge to try to list endpoints across all namespaces when no upstreams exist. (#5885)

v1.17.2

08 Nov 14:44
6d1b50c

Helm Changes

  • Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless). (#9860)

Fixes

  • Set the 'message' field on various HTTPRoute conditions to enable easier troubleshooting (#9859)
  • gateway2/delegation: fix extraneous route arising from invalid child rule

There's a bug where if a child route contains an invalid rule (rule
not matching the parent matcher), then even though the matcher is
discarded, the rule with an empty matcher but valid backendRef
is returned by GetDelegatedRoutes(). The result is that a /
route is programmed for such an invalid route rule. A more
precise fix is to also prune the rules that do not have a valid
matcher so that we do not rely on the translator to interpret
a route without a valid matcher as '/', which could be an alternative
fix though fragile.

The essence of this fix is to prune both the rules and matches
field on the child route when we process it in the context of the
parent matcher, so that:

  1. invalid matchers on the child route are discarded
  2. invalid rules (no valid child matchers) are also discarded

Previously, 2. was missing so a child route with a rule without
a matcher was configured, which results in a / route being exposed
for the corresponding backendRef. (solo-io/solo-projects#6621)

  • Fix a bug that causes edge to try to list endpoints across all namespaces when no upstreams exist. (#5885)
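
The two pruning steps from the gateway2/delegation fix above, as an added example that is not the project's own code. The `Rule` type and the path-prefix-only validity check are hypothetical simplifications of the real matcher comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a hypothetical, simplified HTTPRoute rule: path-prefix matches plus
// one backend. The real types also carry headers, methods and more.
type Rule struct {
	Matches []string
	Backend string
}

// underParent reports whether a child path prefix falls inside the parent's
// path prefix on a segment boundary (simplified stand-in for matcher checks).
func underParent(parent, child string) bool {
	p := strings.TrimSuffix(parent, "/")
	return child == p || strings.HasPrefix(child, p+"/")
}

// PruneChildRules keeps only matches valid for the parent, and drops any rule
// left with no matches, so an empty match list is never read as "/".
func PruneChildRules(parent string, rules []Rule) []Rule {
	var kept []Rule
	for _, r := range rules {
		var valid []string
		for _, m := range r.Matches {
			if underParent(parent, m) {
				valid = append(valid, m) // step 1: invalid matchers are discarded
			}
		}
		if len(valid) == 0 {
			continue // step 2: a rule with no valid matchers is discarded too
		}
		kept = append(kept, Rule{Matches: valid, Backend: r.Backend})
	}
	return kept
}

func main() {
	// Constructed child route delegated under the parent prefix /api.
	child := []Rule{
		{Matches: []string{"/api/orders", "/admin"}, Backend: "orders"},
		{Matches: []string{"/internal"}, Backend: "internal-svc"},
	}
	for _, r := range PruneChildRules("/api", child) {
		fmt.Println(r.Backend, r.Matches) // orders [/api/orders]
	}
}
```

Without step 2, the second rule would survive with an empty match list and its backend would be exposed on `/`, which is the behaviour the fix removes.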

v1.18.0-beta13

08 Nov 14:49
77b72e6

New Features

  • Introduce API for oneWayTls in UpstreamSslConfig, which enables the capability for an upstream to be configured for one way TLS even if root CA data exists in the secret referenced by the UpstreamSslConfig. This feature does nothing when SDS is configured. (#9826)

v1.18.0-beta12

08 Nov 14:54
cc31de1

Dependency Bumps

  • solo-io/envoy-gloo has been upgraded to v1.30.4-patch2.

New Features

  • gateway2/route-options: merge extensionRef based attachments

Enables merging of multiple ExtensionRef based RouteOption
attachments for a rule within an HTTPRoute. (solo-io/solo-projects#6675)