FEATURE RELEASE
The Ambassador Edge Stack & Ambassador API Gateway 1.5 Now Available
Flexible URL Rewrite, Envoy 1.14, RBAC Flexibility, Redis Encryption, Community Improvements to Service Mesh Integration, Knative Integration, and X-Request-ID Preservation
Ambassador API Gateway and Ambassador Edge Stack 1.5 are now generally available. This release includes major enhancements to Service Preview, an update to Envoy Proxy 1.14, improved Knative support, and much more. Special thanks to our many community members who have contributed to this release.
Flexible URL Rewrite
A commonly requested feature is the ability to have more flexibility around URL rewrites and how requests are passed upstream. This feature is useful for keeping business logic when migrating to Ambassador or for having the option to store information in URLs rather than in headers.
Once Ambassador uses a prefix to identify the service to which a given request should be passed, it can rewrite the URL before handing it off to the service.
With Ambassador 1.5, here are two approaches for rewriting: rewrite for simpler scenarios and regex_rewrite for more advanced rewriting.
Please note that only one of these two can be configured for a mapping at the same time. As a result, Ambassador Edge Stack ignores rewrite when regex_rewrite is provided.
See examples and get instructions in the documentation here.
Envoy Proxy 1.14 Support
In Ambassador 1.5, we’ve updated to Envoy Proxy 1.14 and started transitioning to Envoy’s v3 API format.
Support for Istio Sidecar Injection
Ambassador 1.5 now supports setting the Envoy shared memory base ID. This feature allows multiple Envoy Proxy instances to be deployed on the same pod, which is necessary to enable sidecar injection from service meshes such as Istio. Thanks to Phil Peble from ActiveCampaign for the patch!
If you find yourself on the Ambassador Open Source Slack and asking about Ambassador and Istio, you may hear from Phil Peble at ActiveCampaign. Phil is one of our many community members deploying Ambassador with Istio, and he’s been an active contributor to Ambassador.
Knative Integration Improvements
Knative is a popular serverless framework for Kubernetes. In this release, we added support for the path and timeout options of the Knative ingress, as well as improved performance. Thanks to Noah Fontes from Puppet for the patches!
Noah is another active community member that has contributed greatly to Ambassador, with a specific focus on Knative. We hope to showcase Noah’s work on our blog very soon.
Preserving X-Request-IDs with Multiple Envoys
In Ambassador API Gateway 1.5, you can now preserve X-Request-ID on requests from external clients. This feature is helpful when you have multiple tiers of Ambassadors or Envoys, and you don’t want your X-Request-ID to be overwritten by following Envoys after it was set at the first Envoy. This is thanks to a contribution by Prakhar Joshi from Disney+ Hotstar.
Redis Support and Security Improvements
Last month, Redis 6 was released with several new features, including new encryption support. To enable Ambassador users to allow users to take advantage of this new feature, the Ambassador Edge Stack can now use encryption and authentication when talking to Redis. We are committed to ensuring the continued security of Ambassador and believe in providing defense in depth against attackers.
Additional security improvements in the Ambassador Edge Stack 1.5 include:
- Add click-jacking protection to Edge Console
- Ensure Edge Console cookies are secure
- Do not expose internal sockets outside the pod
Cluster-wide RBAC No Longer Required
Another common request was for the Ambassador Edge Stack to have more flexibility in how you secure your cluster. The Ambassador Edge Stack no longer requires cluster-wide RBAC for AMBASSADOR_SINGLE_NAMESPACE. With this change, Ambassador users can give Ambassador access to a namespace rather than to the entire cluster.
Docker Hub and Quay
We’ve experienced several Quay outages, so we’ve switched to Docker Hub as our primary distribution mechanism. We’ll continue to publish images to Quay, but recommend you update your manifests to point to Docker Hub instead. Our Helm charts and YAML have already been updated.
Additional Bug Fixes and Enhancements
This is a major release, with many additional bug fixes and enhancements driven by requests from our community and commercial customers.
The following additional fixes and enhancements apply to both the Ambassador API Gateway and the Ambassador Edge Stack 1.5:
Features
- Switch to Envoy 1.14.1
- Allow defaults for
add_request_header,remove_request_header,add_response_header, andremove_response_header - Inform Knative of the route to the Ambassador service if available (thanks, Noah Fontes!)
- Support the path and timeout options of the Knative ingress path rules (thanks, Noah Fontes!)
- Allow preserving
X-Request-IDon requests from external clients (thanks, Prakhar Joshi!) - Mappings now support query parameters (thanks, Phil Peble!)
- Allow setting the Envoy shared-memory base ID (thanks, Phil Peble!)
- Additional security configurations not set on default YAMLs
- Let Ambassador configure
regex_rewritefor advanced forwarding
Bugfixes
- Only update Knative ingress CRDs when the generation changes (thanks, Noah Fontes!)
- Now behaves properly when
AMBASSADOR_SINGLE_NAMESPACEis set to an empty string; rather than getting into a weird in-between state - The websocket library used by the test suite has been upgraded to incorporate security fixes (thanks, Andrew Allbright!)
- Fixed evaluation of label selectors causing the wrong IP to be put in to Ingress resource statuses
- The
watt(port 8002) andambex(port 8003) components now bind to localhost instead of 0.0.0.0, so they are no longer erroneously available from outside the Pod
The following additional fixes and enhancements apply to just the Ambassador Edge Stack 1.5:
Features
edgectl upgradeallows upgrading API Gateway installations to AES- Rate-limited 429 responses now include the
Retry-Afterheader - The
JWTFilter now makeshasKeyanddoNotSetfunctions available to header field templates; in order to facilitate only conditionally setting a header field. - The
OAuth2Filter now has anexpirationSafetyMarginsetting that will cause an access token to be treated as expired sooner, in order to have a safety margin of time to send it to the upstream Resource Server that grants insufficient leeway. - The
JWTFilter now hasleewayFor{ExpiresAt,IssuedAt,NotBefore}settings for configuring leeway when validating the timestamps of a token. - The environment variables
REDIS{,_PERSECOND}_{USERNAME,PASSWORD,TLS_ENABLED,TLS_INSECURE}may now be used to further configure how the Ambassador Edge Stack communicates with Redis. edgectl interceptcan generatepreview-urlsfor Host resources that enabled the featureedgectl installwill now automatically install the Service Preview components (ambassador-injector,telepresence-proxy) and scoped RBAC
Bugfixes
- Don’t start the dev portal running if
POLL_EVERY_SECSis 0 - Now no longer needs cluster-wide RBAC when running with
AMBASSADOR_SINGLE_NAMESPACE. - The
OAuth2Filter now validates the reported-to-Client scope of an Access Token even if a separateaccessTokenJWTFilteris configured. - The
OAuth2Filter now sends the user back to the identity provider to upgrade the scope if they request an endpoint that requires broader scope than initially requested; instead of mirroring. - The
OAuth2Filter will no longer send RFC 7235 challenges back to the user agent if it would not accept RFC 7235 credentials (previously it only avoided sending HTTP 401 challenges, but still sent 400 or 403 challenges). - The
amb-sidecar(port 8500) component now binds to localhost instead of 0.0.0.0, so it is no longer erroneously available from outside the Pod
Get Started Today
The Ambassador Edge Stack is a complete superset of the open-source Ambassador API Gateway, with integrated support for rate limiting, authentication, filter management, and more. You can install the Ambassador Edge Stack in three simple steps. To get started, follow the quick start.
Installing and Upgrading to 1.5
Given the mission-critical nature of Ambassador for our customers, we decided to switch our container registry from Quay to Docker Hub.
The latest versions of Ambassador are now available here:
You can also install with Helm
# Add repository and create namespace
helm repo add datawire https://www.getambassador.io
kubectl create namespace ambassador#Using Helm 3
helm install ambassador --namespace ambassador datawire/ambassador#Using Helm 2
helm install --name ambassador --namespace ambassador datawire/ambassador
To install the Ambassador Edge Stack, follow the quick start.
To upgrade from your current version of the Ambassador Edge Stack to 1.5, please follow the instructions here.
Join the Community
The Ambassador community is vibrant and growing rapidly. Feedback and discussions for this group of developers and DevOps professionals have been instrumental in helping us continually improve Ambassador.
Interested in getting more involved with the Ambassador community? Here’s how:
- Join discussions, get help, and help others on our Slack community
- View case studies and presentations
- Suggest improvements to the Ambassador Docs
- Find us @ambassadorlabs on Twitter.
We’d love to hear about how the Ambassador Edge Stack is working for you.
