Configuration:
- Feature: `JWT` Filter now has a `realm` setting to configure the realm mentioned in `WWW-Authenticate` of error responses.
- Feature: `JWT` Filter now has a FilterPolicy argument `scope` to perform draft-ietf-oauth-token-exchange-compatible scope validation.
- Feature: `OAuth2` Filter now has a `.insteadOfRedirect.filters` FilterPolicy argument that lets you provide a list of filters to run, as if you were listing them directly in a FilterPolicy.
- Feature: `OAuth2` Filter now has an `extraAuthorizationParameters` setting to manually pass extra parameters to the IDP's authorization endpoint.
- Feature: `OAuth2` Filter now has an `accessTokenJWTFilter` setting to use a `JWT` Filter for access token validation when `accessTokenValidation: jwt` or `accessTokenValidation: auto`.
Behavior:
- Feature: `JWT` Filter now generates RFC 6750-compliant responses with the `WWW-Authenticate` header set.
Other:
- Update Ambassador Core from Ambassador 0.85.0 (Envoy 1.11+half-way-to-1.12) to 0.86.0 (Envoy 1.12.2)
Configuration:
- Feature: `FilterPolicy` may now set `ifRequestHeader` to only apply a `Filter` to requests with appropriate headers.
- Feature: `FilterPolicy` may now set `onDeny` and `onAllow` to modify how `Filter`s chain together.
- Feature: `JWT` Filter `injectRequestHeaders` templates can now read the incoming HTTP request headers.
- Feature: `JWT` Filter `errorResponse` can now set HTTP headers of the error response.
- Beta feature: `OAuth2` Filter can now be configured to receive OAuth client credentials in the HTTP request header, and use them to obtain a client credentials grant. This is currently only tested with Okta.
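The JWT Filter settings and FilterPolicy fields introduced in this entry and the one above it (`realm`, the `scope` argument, `errorResponse` headers, `injectRequestHeaders` templates that read request headers, `ifRequestHeader`, `onDeny`/`onAllow`) combined into one configuration. This is an example added to this page, not configuration shipped by the Ambassador Pro project: the resource layout (`apiVersion: getambassador.io/v2`, `spec.JWT`, `spec.rules[].filters[]`, `realm` nested under `errorResponse`, the `.token` and `.httpRequestHeader` template variables, the `valueRegex` matcher) is reconstructed from the Ambassador Pro documentation of this release line, and the filter names, hostnames, JWKS URL, audience and header names are placeholders. Verify the field names against the CRD schema of the release you actually run.

```yaml
# Added example, not from the Ambassador Pro project. Names, hosts, the JWKS
# URL and the audience are placeholders; the field layout is reconstructed
# from the Ambassador Pro Filter/FilterPolicy documentation of this release.
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: api-jwt                 # placeholder
  namespace: default
spec:
  JWT:
    jwksURI: "https://idp.example.com/.well-known/jwks.json"   # placeholder
    validAlgorithms: ["RS256"]  # pin the algorithm; never accept "none" or HMAC against a public JWKS
    issuer: "https://idp.example.com/"
    requireIssuer: true
    audience: "api.example.com"
    requireAudience: true
    requireExpiresAt: true      # reject tokens without "exp"
    injectRequestHeaders:
    - name: "X-Token-Subject"
      value: "{{ .token.Claims.sub }}"
    # templates may read the incoming request headers, not only the token
    - name: "X-Original-User-Agent"
      value: "{{ .httpRequestHeader.Get \"User-Agent\" }}"
    errorResponse:
      realm: "api.example.com"  # emitted as: WWW-Authenticate: Bearer realm="api.example.com", ...
      headers:
      - name: "Content-Type"
        value: "application/json"
      - name: "Cache-Control"   # error bodies may echo token details; keep them out of caches
        value: "no-store"
      bodyTemplate: |-
        {"error": {{ .message | json "" }}}
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: api-policy              # placeholder
  namespace: default
spec:
  rules:
  - host: "*"
    path: "/api/*"
    filters:
    - name: api-jwt
      namespace: default
      # Only hand the request to the JWT Filter when a bearer token is presented.
      # The scheme match is case-insensitive, as the filter's own parsing now is.
      ifRequestHeader:
        name: "Authorization"
        valueRegex: "^[Bb]earer .+$"
      onDeny: break      # default: a failed check stops the chain and returns the error response
      onAllow: continue  # default: keep evaluating any further filters listed for this rule
      arguments:
        scope: ["read:orders"]   # every listed value must appear in the token's scope claim
```

Because `onDeny` defaults to `break`, a rejected token ends the chain and the RFC 6750 error response goes back to the client; switching it to `continue` lets a later filter allow the request, so only do that when that later filter is itself an authenticator. The `ifRequestHeader` guard means requests with no bearer token are never given to the JWT Filter, and with no other filter on the rule they pass through unauthenticated, so pair it with a second filter (or a catch-all rule) that handles that case.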
Behavior:
- The `OAuth2` filter's XSRF protection now works differently. You should use the `ambassador_xsrf.{name}.{namespace}` cookie instead of the `ambassador_session.{name}.{namespace}` cookie for XSRF-protection purposes.
Configuration:
- The `JWT` and `OAuth2` Filter types support `renegotiateTLS`
- The `JWT` Filter now has an `errorResponse` argument that allows templating the filter's error response.
Other:
- Update Ambassador Core from Ambassador 0.83.0 to 0.85.0
Configuration:
- The `OAuth2` filter now has a FilterPolicy argument `insteadOfRedirect` that can specify a different action to perform than redirecting to the IDP.
Behavior:
- Feature: Developer portal URL can be changed by the user. Adjust the `ambassador-pro-devportal` `Mapping` CRD (or annotation) by changing the `prefix` to the desired prefix and changing the `rewrite` to `/docs/`. The `ambassador-pro-devportal-api` Mapping cannot be adjusted yet.
- Feature: The `OAuth2` filter can now perform OIDC-session RP-initiated logout when used with an identity provider that supports it.
- Bugfix: Properly return a 404 for unknown paths in the amb-sidecar, instead of serving the index page; this could happen if the devportal Mapping is misconfigured.
- Bugfix: Fix the "loaded filter" log info message.
- Bugfix: Don't publish the "dev-portal-server" Docker image; it was obviated by "amb-sidecar" in 0.8.0.
- Bugfix: The `JWT` Filter is no longer case-sensitive with the auth-scheme (`Bearer` vs `bearer`).
- Bugfix: The `JWT` Filter no longer accepts authorizations that are missing an auth-scheme.
Other:
- Update Ambassador Core from Ambassador 0.75.0 to 0.83.0
- Incorporate the Envoy 1.11.2 security patches in Ambassador Core
- Fast iteration on Developer Portal styling and content using a docker image inside a local checkout of Developer Portal content repo (see reference doc for usage guide)
Configuration:
- `amb-sidecar` now takes additional configuration related to the developer portal.
Behavior:
- Feature: The developer portal is now in "beta", and incorporated into amb-sidecar.
- Bugfix: The `External` Filter no longer erroneously follows redirects.
- Bugfix: Fixed a case-folding bug causing the `JWT` Filter to be inoperable.
- Enhancement: Errors in `Filter` resource definitions are now recorded and included in error messages.
Configuration:
- `amb-sidecar`: The default value of `USE_STATSD` has changed from `true` to `false`.
- Bump license key schema v0 → v1. The developer portal requires a v1 license with the "devportal" feature enabled. Some future version of the other functionality will drop support for v0 license keys.
- The `JWT` Filter can now inject HTTP request headers; configured with the `injectRequestHeaders` field.
Behavior:
- Fixed a resource leak in dev-portal-server
Other:
- There is now a build of Ambassador with Certified Envoy named "amb-core".
Configuration:
- The CRD field `ambassador_id` may now be a single string instead of a list of strings (this should have always been the case, but there was a bug in the parser).
- Everything is now on one port: `APRO_HTTP_PORT`, which defaults to `8500`.
- `LOG_LEVEL` no longer exists; everything obeys `APP_LOG_LEVEL`.
- The meaning of `REDIS_POOL_SIZE` has changed slightly; there are no longer separate connection pools for ratelimit and filtering; the maximum number of connections is now `REDIS_POOL_SIZE` instead of 2×`REDIS_POOL_SIZE`.
- The `amb-sidecar` RateLimitService can now report to statsd, and attempts to do so by default (`USE_STATSD`, `STATSD_HOST`, `STATSD_PORT`, `GOSTATS_FLUSH_INTERVAL_SECONDS`).
Behavior:
- Now also handles gRPC requests for `envoy.service.auth.v2`, in addition to `envoy.service.auth.v2alpha`.
- Log a stacktrace at log-level "debug" whenever the HTTP client encounters an error.
- Fix bug where the wrong key was selected from a JWKS.
- Everything in amb-sidecar now runs as a single process.
Configuration:
- Redis is now always required to be configured.
- The `amb-sidecar` environment variables `$APRO_PRIVATE_KEY_PATH` and `$APRO_PUBLIC_KEY_PATH` are replaced by a Kubernetes secret and the `$APRO_KEYPAIR_SECRET_NAME` and `$APRO_KEYPAIR_SECRET_NAMESPACE` environment variables.
- If the `$APRO_KEYPAIR_SECRET_NAME` Kubernetes secret (above) does not exist, `amb-sidecar` now needs the "create" permission for secrets in its ClusterRole.
- The `OAuth2` Filter now ignores the `audience` field setting. I expect it to make a come-back in 0.5.1 though.
- The `OAuth2` Filter now acts as if the `openid` scope value is always included in the FilterPolicy's `scopes` argument.
- The `OAuth2` Filter can verify Access Tokens with several different methods; configured with the `accessTokenValidation` field.
Behavior:
- The `OAuth2` Filter is now strictly compliant with OAuth 2.0. It is verified to work properly with:
  - Auth0
  - Azure AD
  - Keycloak
  - Okta
  - UAA
- The `OAuth2` Filter browser cookie has changed:
  - It is now named `ambassador_session.{{filter_name}}.{{filter_namespace}}` instead of `access_token`.
  - It is now an opaque string instead of a JWT Access Token. The Access Token is still available in the injected `Authorization` header.
- The `OAuth2` Filter will no longer consider a user-agent-provided `Authorization` header; it will only consider the cookie.
- The `OAuth2` Filter now supports Refresh Tokens; they must be requested by listing `offline_access` in the `scopes` argument in the FilterPolicy.
- The `OAuth2` Filter's `/callback` endpoint is no longer vulnerable to XSRF attacks.
- The Developer Portal file descriptor leak is fixed.
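An OAuth2 Filter and FilterPolicy that use the settings named in this section and in the newer entries at the top of the page together: `accessTokenValidation: jwt` delegating to a `JWT` Filter through `accessTokenJWTFilter`, `extraAuthorizationParameters`, `secretName`/`secretNamespace`, `renegotiateTLS`, a `scopes` argument that requests `offline_access` for a refresh token, and `insteadOfRedirect` running a list of filters for non-browser clients. This is an example added to this page, not configuration from the Ambassador Pro project: the field layout (`spec.OAuth2`, `protectedOrigins`, the `insteadOfRedirect` sub-fields, the `never` value for `renegotiateTLS`) is reconstructed from the Ambassador Pro documentation of the newest release above, and the issuer URL, client ID, secret name, hostnames and audience are placeholders. Confirm the fields against the CRD schema of your release before applying it.

```yaml
# Added example, not from the Ambassador Pro project. Issuer URL, client ID,
# secret name, hosts and audience are placeholders; the field layout is
# reconstructed from the Ambassador Pro OAuth2/JWT Filter documentation.
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: idp-oauth2               # placeholder
  namespace: default
spec:
  OAuth2:
    authorizationURL: "https://idp.example.com/"        # placeholder issuer; OIDC discovery runs against it
    clientID: "ambassador-web"                          # placeholder
    secretName: "idp-oauth2-client-secret"              # client secret lives in a Kubernetes Secret, not in the CRD
    secretNamespace: "default"
    protectedOrigins:
    - origin: "https://app.example.com"
    # Validate the access token as a JWT; the signature, issuer, audience and
    # expiry checks are delegated to the JWT Filter referenced here.
    accessTokenValidation: jwt
    accessTokenJWTFilter:
      name: idp-jwt
      namespace: default
      arguments:
        scope: ["email"]         # the access token must carry this scope
    # Extra query parameters appended to the authorization request sent to the IDP.
    extraAuthorizationParameters:
      prompt: "login"
    renegotiateTLS: never        # default; do not allow TLS renegotiation with the IDP
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: idp-jwt
  namespace: default
spec:
  JWT:
    jwksURI: "https://idp.example.com/.well-known/jwks.json"   # placeholder
    validAlgorithms: ["RS256"]
    issuer: "https://idp.example.com/"
    requireIssuer: true
    audience: "api.example.com"  # placeholder
    requireAudience: true
    requireExpiresAt: true
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: web-policy               # placeholder
  namespace: default
spec:
  rules:
  - host: "app.example.com"
    path: "*"
    filters:
    - name: idp-oauth2
      namespace: default
      arguments:
        # "openid" is always implied; "offline_access" asks the IDP for a refresh token.
        scopes: ["offline_access", "email"]
        insteadOfRedirect:
          # Browsers get the normal redirect to the IDP. Clients asking for JSON
          # are API callers: do not redirect them, run the JWT Filter on the
          # bearer token they sent instead (an alternative is httpStatusCode: 403).
          ifRequestHeader:
            name: "Accept"
            valueRegex: "^application/json"
          filters:
          - name: idp-jwt
            namespace: default
            arguments:
              scope: ["email"]
```

Keeping the client secret in a Secret rather than inline means the Filter CRD can be committed to version control, and the `insteadOfRedirect` branch matters for security as well as usability: an API client that is silently 302'd to the IDP's login page never sees a 401, so token expiry and revocation become invisible to it, whereas running the JWT Filter gives it the RFC 6750 error response to act on.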
Other:
- Open Source dependency license compliance is now automated as part of the release machinery. Source releases for the Docker images are now present in the images themselves at `/*.opensource.tar.gz`.
- Add the Developer Portal (experimental; no documentation available yet)
- `apictl traffic initialize`: Correctly handle non-default namespaces
- `app-sidecar`: Respect the `APP_LOG_LEVEL` environment variable, same as `amb-sidecar`
- Turn down liveness and readiness probe logging from "info" to "debug"
- Add liveness and readiness probes
- Moved all of the default sidecar ports around; YAML will need to be adjusted (hence 0.4.0 instead of 0.3.2). Additionally, all of the ports are now configurable via environment variables:

  | Purpose          | Variable         | Old  | New  |
  |------------------|------------------|------|------|
  | Auth gRPC        | `APRO_AUTH_PORT` | 8082 | 8500 |
  | RLS gRPC         | `GRPC_PORT`      | 8081 | 8501 |
  | RLS debug (HTTP) | `DEBUG_PORT`     | 6070 | 8502 |
  | RLS HTTP ???     | `PORT`           | 7000 | 8503 |

- `apictl` no longer sets an imagePullSecret when deploying Pro things to the cluster (since the repo is now public)
- Support running the Ambassador sidecar as a non-root user
- New Filter type `External`
- Request IDs in the Pro logs are the same as the Request IDs in the Ambassador logs
- `OAuth2` Filter type supports `secretName` and `secretNamespace`
- Switch to using Ambassador OSS gRPC API
- No longer necessary to set `allowed_request_headers` or `allowed_authorization_headers` for `Plugin` Filters
- RLS logs requests as `info` instead of `warn`
- Officially support Okta as an IDP
(0.3.0 was initially tagged as 0.2.5)
- `JWT` and `OAuth2` Filter types support `insecureTLS`
- `OAuth2` now also handles JWTs whose `scope` claim is a JSON list of scopes (such as those generated by UAA), as well as the usual JSON string containing a whitespace-separated list of scopes
- Consul Connect integration no longer requires a license key
- Fix Consul certificate rotation
- Move the AuthService from port 8080 to 8082, and make it configurable with `APRO_AUTH_PORT`
- Have everything require license keys
- Differentiate between components when phoning-home to Scout
- Phone-home to kubernaut.io/scout, not metriton.datawire.io/scout
- Fix bug where `apictl traffic inject` wiped existing `imagePullSecrets`
- Support `AMBASSADOR_ID`, `AMBASSADOR_SINGLE_NAMESPACE`, and `AMBASSADOR_NAMESPACE`
- Log format changed
- OIDC support
- Replace `Tenant` and `Policy` CRDs with `Filter` and `FilterPolicy` CRDs
- Add JWT validation filter
- Add `apro-plugin-runner` (previously was in a separate OSS git repo)
- More readable logs in the event of a crash
- `apictl traffic` sets `imagePullSecret`
- Have `apictl` also look for the license key in `~/.config/` as a fallback on macOS. The paths it now looks in, from highest to lowest precedence, are:
  - `$HOME/Library/Application Support/ambassador/license-key` (macOS only)
  - `${XDG_CONFIG_HOME:-$HOME/.config}/ambassador/license-key`
  - `$HOME/.ambassador.key`
- First release with combined rate-limiting and authentication.