CHANGELOG.old-pro.md

Ambassador Pro CHANGELOG

DO NOT EDIT THIS FILE FOR ANY NEW DEVELOPMENT.

This is the CHANGELOG for the old "Ambassador Pro" product that was an add-on to the Ambassador API Gateway. In 1.0.0, Ambassador Pro and the Ambassador API Gateway were merged in to a combined "Ambassador Edge Stack" product.

1.0.0 (2020-01-15)

Behavior:

• Developer portal no longer requires the /openapi Mapping
• Renamed environment variable APRO_DEVPORTAL_CONTENT_URL to DEVPORTAL_CONTENT_URL
• Feature: Developer portal can check out a non-default branch. Control with DEVPORTAL_CONTENT_BRANCH env var
• Feature: Developer portal can use a subdir of a checkout. Control with DEVPORTAL_CONTENT_DIR env var
• apictl traffic initialize no longer waits for the traffic-proxy to become ready before exiting.
• Feature: Developer portal will show swagger documentation for up to five services (or more with appropriate license)
• Feature: local-devportal is now a standalone go binary with no external dependencies
• v1 license keys were not being used so augment them to include emails
• The OAuth2 redirection endpoint has moved from /callback to /.ambassador/oauth2/redirection-endpoint. Migrating Pro users will need to notify thier IDP of the change.

Other:

• amb-core and amb-sidecar have been merged in to a combined aes which is based on Ambassador OSS [version TBD].
• login-gate-jscontent has been updated for a clearer first time experience.

0.11.0 (2019-12-10)

Configuration:

• JWT Filter now has a realm setting to configure the realm mentioned in WWW-Authenticate of error responses.
• Feature: JWT Filter now has a FilterPolicy argument scope to preform draft-ietf-oauth-token-exchange-compatible Scope validation.
• Feature: OAuth2 Filter now has a .insteadOfRedirect.filters FilterPolicy argument that lets you provide a list of filters to run; as if you were listing them directly in a FilterPolicy.
• Feature: OAuth2 Filter now has a extraAuthorizationParameters setting to manually pass extra parameters to the IDP's authorization endpoint.
• Feature: OAuth2 Filter now has a accessTokenJWTFilter setting to use a JWT filter for access token validation when accessTokenValidation: jwt or accessTokenValidation: auto.

Behavior:

• Feature: JWT Filter now generates RFC 6750-compliant responses with the WWW-Authenticate header set.

Other:

• Update Ambassador Core from Ambassador 0.85.0 (Envoy 1.11+half-way-to-1.12) to 0.86.0 (Envoy 1.12.2)

0.10.0 (2019-11-11)

Configuration:

• Feature: FilterPolicy may now set ifRequestHeader to only apply a Filter to requests with appropriate headers.
• Feature: FilterPolicy may now set onDeny and onAllow to modify how Filters chain together.
• Feature: JWT Filter injectRequestHeaderse templates can now read the incoming HTTP request headers.
• Feature: JWT Filter errorResponse can now set HTTP headers of the error response.
• Beta feature: OAuth2 Filter can now be configured to receive OAuth client credentials in the HTTP request header, and use them to obtain a client credentials grant. This is only currently tested with Okta.

Behavior:

• The OAuth2 filter's XSRF protection now works differently. You should use the ambassador_xsrf.{name}.{namespace} cookie instead of the ambassador_session.{name}.{namespace} cookie for XSRF-protection purposes.

0.9.1 (2019-10-22)

Configuration:

• The JWT and OAuth2 Filter types support renegotiateTLS
• The JWT Filter now has an errorResponse argument that allows templating the filter's error response.

Other:

• Update Ambassador Core from Ambassador 0.83.0 to 0.85.0

0.9.0 (2019-10-08)

Configuration

• The OAuth2 filter now has a FilterPolicy argument insteadOfRedirect that can specify a different action to perform than redirecting to the IDP.

Behavior:

• Feature: Developer portal URL can be changed by the user. Adjust the ambassador-pro-devportal Mapping CRD (or annotation) by changing the prefix to desired prefix and changing the rewrite to /docs/. The ambassador-pro-devportal-api can not be adjusted yet.
• Feature: The OAuth2 filter can now perform OIDC-session RP-initiated logout when used with an identity provider that supports it.
• Bugfix: Properly return a 404 for unknown paths in the amb-sidecar; instead of serving the index page; this could happen if the devportal Mapping is misconfigured.
• Bugfix: Fix the "loaded filter" log info message.
• Bugfix: Don't publish the "dev-portal-server" Docker image; it was obviated by "amb-sidecar" in 0.8.0.
• Bugfix: The JWT Filter is no longer case-sensitive with the auth-scheme (Bearer vs bearer)
• Bugfix: The JWT Filter no longer accepts authorizations that are missing an auth-scheme

Other:

• Update Ambassador Core from Ambassador 0.75.0 to 0.83.0
• Incorporate the Envoy 1.11.2 security patches in Ambassador Core
• Fast iteration on Developer Portal styling and content using a docker image inside a local checkout of Developer Portal content repo (see reference doc for usage guide)

0.8.0 (2019-09-16)

Configuration:

• amb-sidecar now takes additional configuration related to the developer portal.

Behavior:

• Feature: The developer portal is now in "beta", and incorporated into amb-sidecar.
• Bugfix: The External Filter no longer erroneously follows redirects.
• Bugfix: Fixed a case-folding bug causing the JWT Filter to be inoperable.
• Enhancement: Errors in Filter resource definitions are now recorded and included in error messages.

0.7.0 (2019-08-29)

Configuration:

• amb-sidecar: The default value of USE_STATSD has changed from true to false.
• Bump license key schema v0 → v1. The developer portal requires a v1 license with the "devportal" feature enabled. Some future version of the other functionality will drop support for v0 license keys.
• The JWT Filter can now inject HTTP request headers; configured with the injectRequestHeaders field.

Behavior:

• Fixed a resource leak in dev-portal-server

Other:

• There is now a build of Ambassador with Certified Envoy named "amb-core".

0.6.0 (2019-08-05)

Configuration:

• The CRD field ambassador_id may now be a single string instead of a list of strings (this should have always been the case, but there was a bug in the parser).
• Everything is now on one port: APRO_HTTP_PORT, which defaults to 8500.
• LOG_LEVEL no longer exists; everything obeys APP_LOG_LEVEL.
• The meaning of REDIS_POOL_SIZE has changed slightly; there are no longer separate connection pools for ratelimit and filtering; the maximum number of connections is now REDIS_POOL_SIZE instead of 2×REDIS_POOL_SIZE.
• The amb-sidecar RateLimitService can now report to statsd, and attempts to do so by default (USE_STATSD, STATSD_HOST, STATSD_PORT, GOSTATS_FLUSH_INTERVAL_SECONDS).

Behavior:

• Now also handles gRPC requests for envoy.service.auth.v2, in addition to envoy.service.auth.v2alpha.
• Log a stacktrace at log-level "debug" whenever the HTTP client encounters an error.
• Fix bug where the wrong key was selected from a JWKS.
• Everything in amb-sidecar now runs as a single process.

0.5.0 (2019-06-21)

Configuration:

• Redis is now always required to be configured.
• The amb-sidecar environment variables $APRO_PRIVATE_KEY_PATH and $APRO_PUBLIC_KEY_PATH are replaced by a Kubernetes secret and the $APRO_KEYPAIR_SECRET_NAME and $APRO_KEYPAIR_SECRET_NAMESPACE environment variables.
• If the $APRO_KEYPAIR_SECRET_NAME Kubernetes secret (above) does not exist, amb-sidecar now needs the "create" permission for secrets in its ClusterRole.
• The OAuth2 Filter now ignores the audience field setting. I expect it to make a come-back in 0.5.1 though.
• The OAuth2 Filter now acts as if the openid scope value is always included in the FilterPolicy's scopes argument.
• The OAuth2 Filter can verify Access Tokens with several different methods; configured with the accessTokenValidation field.

Behavior:

• The OAuth2 Filter is now strictly compliant with OAuth 2.0. It is verified to work properly with:
  • Auth0
  • Azure AD
  • Google
  • Keycloak
  • Okta
  • UAA
• The OAuth2 Filter browser cookie has changed:
  • It is now named ambassador_session.{{filter_name}}.{{filter_namespace}} instead of access_token.
  • It is now an opaque string instead of a JWT Access Token. The Access Token is still available in the injected Authorization header.
• The OAuth2 Filter will no longer consider a user-agent-provided Authorization header, it will only consider the cookie.
• The OAuth2 Filter now supports Refresh Tokens; they must be requested by listing offline_access in the scopes argument in the FilterPolicy.
• The OAuth2 Filter's /callback endpoint is no longer vulnerable to XSRF attacks
• The Developer Portal file descriptor leak is fixed.

Other:

• Open Source dependency license compliance is now automated as part of the release machinery. Source releases for the Docker images are now present in the images themselves at /*.opensource.tar.gz.

0.4.3 (2019-05-15)

• Add the Developer Portal (experimental; no documentation available yet)
• apictl traffic initialize: Correctly handle non-default namespaces
• app-sidecar: Respect the APP_LOG_LEVEL environment variable, same as amb-sidecar

0.4.2 (2019-05-03)

• Turn down liveness and readiness probe logging from "info" to "debug"

0.4.1 (2019-04-23)

• Add liveness and readiness probes

0.4.0 (2019-04-18)

• Moved all of the default sidecar ports around; YAML will need to be adjusted (hence 0.4.0 instead of 0.3.2). Additionally, all of the ports are now configurable via environment variables

  Purpose	Variable	Old	New
  Auth gRPC	APRO_AUTH_PORT	8082	8500
  RLS gRPC	GRPC_PORT	8081	8501
  RLS debug (HTTP)	DEBUG_PORT	6070	8502
  RLS HTTP ???	PORT	7000	8503

• apictl no longer sets an imagePullSecret when deploying Pro things to the cluster (since the repo is now public)

0.3.1 (2019-04-05)

• Support running the Ambassador sidecar as a non-root user

0.3.0 (2019-04-03)

• New Filter type External
• Request IDs in the Pro logs are the same as the Request IDs in the Ambassador logs
• OAuth2 Filter type supports secretName and secretNamespace
• Switch to using Ambassador OSS gRPC API
• No longer necessary to set allowed_request_headers or allowed_authorization_headers for Plugin Filters
• RLS logs requests as info instead of warn
• Officially support Okta as an IDP

0.2.5 (2019-04-02)

(0.3.0 was initially tagged as 0.2.5)

0.2.4 (2019-03-19)

• JWT and OAuth2 Filter types support insecureTLS
• OAuth2 now handles JWTs with a scope claim that is a JSON list of scope values, instead of a JSON string containing a whitespace-separated list of scope values (such as those generated by UAA)

0.2.3 (2019-03-13)

• Consul Connect integration no longer requires a license key

0.2.2 (2019-03-11)

• Fix Consul certificate rotation

0.2.1 (2019-03-08)

• Move the AuthService from port 8080 to 8082, and make it configurable with APRO_AUTH_PORT

0.2.0 (2019-03-04)

• Have everything require license keys
• Differentiate between components when phoning-home to Scout
• Phone-home to kubernaut.io/scout, not metriton.datawire.io/scout
• Fix bug where apictl traffic inject wiped existing imagePullSecrets
• Support AMBASSADOR_ID, AMBASSADOR_SINGLE_NAMESPACE, and AMBASSADOR_NAMESPACE
• Log format changed
• OIDC support
• Replace Tenant and Policy CRDs with Filter and FilterPolicy CRDs
• Add JWT validation filter
• Add apro-plugin-runner (previously was in a separate OSS git repo)

0.1.2 (2019-01-24)

• More readable logs in the event of a crash
• apictl traffic sets imagePullSecret
• Have apictl also look for the license key in ~/.config/ as a fallback on macOS. The paths it now looks in, from highest to lowest precedence, are:
  • $HOME/Library/Application Support/ambassador/license-key (macOS only)
  • ${XDG_CONFIG_HOME:-$HOME/.config}/ambassador/license-key
  • $HOME/.ambassador.key

0.1.1 (2019-01-23)

• First release with combined rate-limiting and authentication.