Ambassador Labs

Code, ship, and run apps for Kubernetes faster and easier than ever — powered by Ambassador’s industry-leading developer experience.


FEATURE RELEASE

The Ambassador Edge Stack & Ambassador API Gateway 1.7 Now Available

Separate Host Security Policies, SPDY support, Envoy 1.15 Support, Control Plane Metrics and Monitoring, Configurable Rate-Limit Headers

Richard Li
Published in Ambassador Labs, Aug 28, 2020

We’re excited to announce the release of the Ambassador API Gateway and the Ambassador Edge Stack 1.7. This release extends Ambassador’s capabilities as a self-service Edge Stack for cloud-native applications and contains additional enhancements for resilience and scalability.

Enhanced Multi-Domain Management

Organizations frequently have multiple domains (hosts), with different applications for each domain. With 1.7, Ambassador API Gateway and Edge Stack users can now independently configure domain-level security policies. This enables Ambassador to serve as the centralized, self-service API Gateway for all your applications — even if there are multiple teams that need to manage different applications behind Ambassador. For example, a team could define a policy for a host to serve HTTP-only traffic, while another team could manage a separate host to serve HTTP/2 traffic over TLS.
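As an added illustration (not part of the original announcement), the two-team scenario above could be expressed with per-Host `requestPolicy` settings as follows. The hostnames, namespaces, resource names and Secret name are hypothetical, and the TLS certificate is assumed to already exist as a Kubernetes Secret.

```yaml
# Added example; all names below are hypothetical.
---
# Team A: HTTP-only host. No certificate is requested and cleartext
# requests are routed to the upstream services as-is.
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: team-a-http
  namespace: team-a
spec:
  hostname: legacy.example.com
  acmeProvider:
    authority: none          # do not obtain a certificate via ACME
  requestPolicy:
    insecure:
      action: Route          # serve cleartext HTTP on this host only
---
# Team B: TLS host. Cleartext requests are redirected to HTTPS.
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: team-b-tls
  namespace: team-b
spec:
  hostname: api.example.com
  acmeProvider:
    authority: none          # certificate is supplied in the Secret below
  tlsSecret:
    name: team-b-cert
  requestPolicy:
    insecure:
      action: Redirect       # Reject is the stricter alternative
---
# TLSContext offering HTTP/2 via ALPN for Team B's host. It references
# the same Secret as the Host so the two stay compatible.
apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: team-b-tls-context
  namespace: team-b
spec:
  hosts:
    - api.example.com
  secret: team-b-cert
  alpn_protocols: h2,http/1.1
```

After applying both Hosts, confirm that a plain-HTTP request to the TLS host is redirected while the HTTP-only host still answers in cleartext; each Host's insecure action should apply to that Host alone.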

Kubectl exec and SPDY support

The kubectl exec command relies on the SPDY protocol. Now with 1.7, Ambassador supports SPDY so users can proxy kubectl exec through Ambassador. This enables administrators to better secure kubectl access to Kubernetes clusters, as kubectl commands can be authenticated with per-user authentication prior to execution.

Envoy 1.15 Upgrade

In Ambassador API Gateway and Ambassador Edge Stack 1.7, we upgraded the version of Envoy used to 1.15. This version of Envoy includes fixes for Prometheus stats and tracing.

Control Plane Metrics and Monitoring

Ambassador has always exposed extensive metrics on traffic thanks to its use of Envoy. With the 1.7 release, Ambassador now adds a number of additional metrics for monitoring the Ambassador control plane itself. These metrics have been refined thanks to many interactions with community members. The metrics are exposed on the same standard metrics endpoint and are aggregated with the Envoy metrics.

Configurable Rate-Limit Headers

With 1.7, Ambassador users can have more flexibility in how they set up rate-limit headers. Now, they can set up their headers so that:

  • Response headers are sent to the end-client
  • Request headers are sent to the upstream service

Additional Bug Fixes and Enhancements

The following is the full list of fixes and enhancements that are part of the 1.7 release.

Ambassador API Gateway + Ambassador Edge Stack

  • Feature: Upgrade from Envoy 1.14.4 to 1.15.0.
  • Bugfix: Correctly handle a Host object with incompatible manually-specified TLSContext
  • Feature: The Ambassador control-plane now publishes Prometheus metrics alongside the existing Envoy data-plane metrics under the /metrics endpoint on port 8877.
  • Default-off early access: Experimental changes to allow Ambassador to more quickly process configuration changes (especially with larger configurations) have been added. The AMBASSADOR_FAST_RECONFIGURE env var must be set to enable this. AMBASSADOR_FAST_VALIDATION should also be set for maximum benefit.

Ambassador API Gateway only

  • Bugfix: Fixes regression in 1.5.1 that caused it to not correctly know its own version number, leading to notifications about an available upgrade despite being on the most recent version.

Ambassador Edge Stack only

  • Feature: DevPortal can now discover OpenAPI documentation from Mappings that set host and headers
  • Feature: edgectl install will automatically enable Service Preview with a Preview URL on the Host resource it creates.
  • Feature: Service Preview will inject an x-service-preview-path header in filtered requests with the original request prefix to allow for context propagation.
  • Feature: Service Preview can intercept gRPC requests using the --grpc flag on the edgectl intercept add command and the getambassador.io/inject-traffic-agent-grpc: "true" annotation when using automatic Traffic-Agent injection.
  • Feature: The TracingService Zipkin config now supports setting collector_endpoint_version to tell Envoy to use Zipkin v2.
  • Feature: You can now inject request and/or response headers from a RateLimit.
  • Bugfix: Don’t crash during startup if Redis is down.
  • Bugfix: Service Preview correctly uses the Host default Path value for the spec.previewUrl.type field.
  • Bugfix: The JWT, OAuth2, and other Filters are now better about reusing connections for outgoing HTTP requests.
  • Bugfix: Fixed a potential deadlock in the HTTP cache used for fetching JWKS and such for Filters.
  • Bugfix: Fixed insecure route action behavior. Host security policies no longer affect other Hosts.
  • Bugfix: Internal Ambassador data is no longer exposed to the /.ambassador-internal/ endpoints used by the DevPortal.
  • Bugfix: Problems with license key limits will no longer trigger spurious HTTP 429 errors. Using the RateLimit resource beyond 5rps without any form of license key will still trigger 429 responses, but now with an X-Ambassador-Message header indicating that's what happened.
  • Bugfix: When multiple RateLimits overlap, it is supposed to enforce the strictest limit; but the strictness comparison didn't correctly handle comparing limits with different units.

Get Started Today

The Ambassador Edge Stack is a complete superset of the open-source Ambassador API Gateway, with integrated support for rate limiting, authentication, filter management, and more. You can install the Ambassador Edge Stack in a few steps with the quick start.

Installing and Upgrading to 1.7

The latest versions of Ambassador are now available here:

You can also install it with Helm.

# Add repository and create namespace
helm repo add datawire https://www.getambassador.io
# Helm 3
kubectl create namespace ambassador && helm install ambassador --namespace ambassador datawire/ambassador
# Helm 2
kubectl create namespace ambassador && helm install --name ambassador --namespace ambassador datawire/ambassador

To install the Ambassador Edge Stack, follow the quick start.

Upgrading

If you are upgrading your existing Ambassador API Gateway or Ambassador Edge Stack installation, you should apply our updated CRD configuration. This is true whether you use YAML or Helm installation — Helm will not upgrade existing CRDs. Type:

kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml

Then, upgrade normally by changing the version in your image to 1.7.


Written by Richard Li

CEO, Amorphous Data. Formerly: Ambassador Labs, Duo Security, Rapid7, Red Hat.
