From e8ca65046a853e5aeed32fa125748387c0039813 Mon Sep 17 00:00:00 2001 From: Sekar Saravanan Date: Wed, 3 Jul 2024 09:41:51 +0530 Subject: [PATCH 1/3] issue-5714 - incorrect _cache_key generation fixed Signed-off-by: Sekar Saravanan --- CHANGELOG.md | 6 ++++++ python/ambassador/ir/irhttpmapping.py | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9be426e008..2144c53fd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -135,6 +135,12 @@ it will be removed; but as it won't be user-visible this isn't considered a brea starting. This will help address some of the intermittent issues seen during install and upgrades. +- Bugfix: _cache_key is getting generated incorrectly for mappings in ir.json, when using header + with regex in mapping. Always, It should be in the format of {kind}-{version}-{name}-{namespace}. + But header name is getting updated in the place of mapping name, if we created mapping with regex + header. + + ## [3.8.0] August 29, 2023 [3.8.0]: https://github.com/emissary-ingress/emissary/compare/v3.7.2...v3.8.0 diff --git a/python/ambassador/ir/irhttpmapping.py b/python/ambassador/ir/irhttpmapping.py index 700fe071ae..7eea649cc5 100644 --- a/python/ambassador/ir/irhttpmapping.py +++ b/python/ambassador/ir/irhttpmapping.py @@ -241,8 +241,8 @@ def __init__( if "regex_headers" in kwargs: # DON'T do anything special with a regex :authority match: we can't # do host-based filtering within the IR for it anyway. - for name, value in kwargs.get("regex_headers", {}).items(): - hdrs.append(KeyValueDecorator(name, value, regex=True)) + for hdr_name, hdr_value in kwargs.get("regex_headers", {}).items(): + hdrs.append(KeyValueDecorator(hdr_name, hdr_value, regex=True)) if "host" in kwargs: # It's deliberate that we'll allow kwargs['host'] to silently override an exact :authority From d04280e3a8da03e4a28f3756c361097c2dc2555e Mon Sep 17 00:00:00 2001 
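Review bot: The rename in the `regex_headers` loop is the whole fix, yet nothing in the hunk records why `name` must not be reused as a loop variable, and this patch's diffstat lists no test file, so the shadowing could come back unnoticed. I would add a comment above the loop, `# Loop variables must not be called "name": that would clobber the Mapping name used for _cache_key.`, and a regression test that builds a Mapping with `regex_headers` and asserts the key keeps the `{kind}-{version}-{name}-{namespace}` form quoted in the changelog entry. The later use of `name` for the key is not visible here (`__init__` starts and ends outside the hunk), so that part is inferred from the commit subject. Separately, the `"regex_headers" in kwargs` guard means the `{}` default in `kwargs.get("regex_headers", {})` never applies, and an explicit null value would reach `.items()` unless it is rejected earlier; `(kwargs.get("regex_headers") or {}).items()` would tolerate it.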
From: Flynn Date: Fri, 5 Jul 2024 14:52:09 -0400 Subject: [PATCH 2/3] Move the changelog comment into `releaseNotes.yml` as required by the build process. Signed-off-by: Flynn --- CHANGELOG.md | 6 ++++++ docs/releaseNotes.yml | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2144c53fd4..06b6c2c975 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -103,6 +103,12 @@ it will be removed; but as it won't be user-visible this isn't considered a brea - Change: Upgraded Emissary-ingress to the latest release of Golang as part of our general dependency upgrade process. +- Bugfix: Emissary-ingress was incorrectly caching Mappings with regex headers using the header name + instead of the Mapping name, which could reduce the cache's effectiveness. This has been fixed so + that the correct key is used. ([Incorrect Cache Key for Mapping]) + +[Incorrect Cache Key for Mapping]: https://github.com/emissary-ingress/emissary/issues/5714 + ## [3.9.0] November 13, 2023 [3.9.0]: https://github.com/emissary-ingress/emissary/compare/v3.8.0...v3.9.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 9967263079..692343b68a 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -58,6 +58,16 @@ items: Upgraded $productName$ to the latest release of Golang as part of our general dependency upgrade process. + - title: Fix internal keying for regex Mappings + type: bugfix + body: >- + $productName$ was incorrectly caching Mappings with regex headers + using the header name instead of the Mapping name, which could + reduce the cache's effectiveness. This has been fixed so that the + correct key is used. + github: + - title: "Incorrect Cache Key for Mapping" + link: https://github.com/emissary-ingress/emissary/issues/5714 - version: 3.9.0 prevVersion: 3.8.0 From 642c78428c53b9502063cb878f5982b522ad483f Mon Sep 17 00:00:00 2001 
From: Flynn Date: Fri, 5 Jul 2024 14:52:37 -0400 Subject: [PATCH 3/3] Whitespace changes from my editor cleaning up YAML files... Signed-off-by: Flynn --- CHANGELOG.md | 31 ++++++++++++------------------- docs/releaseNotes.yml | 37 ++++++++++++++++++------------------- 2 files changed, 30 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 06b6c2c975..3b5388391d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -91,7 +91,7 @@ it will be removed; but as it won't be user-visible this isn't considered a brea ### Emissary-ingress and Ambassador Edge Stack - Feature: This upgrades Emissary-ingress to be built on Envoy v1.28.0 which provides security, - performance and feature enhancements. You can read more about them here: Envoy Proxy 1.28.0 Release Notes 
@@ -115,37 +115,30 @@ it will be removed; but as it won't be user-visible this isn't considered a brea ### Emissary-ingress and Ambassador Edge Stack - Feature: This upgrades Emissary-ingress to be built on Envoy v1.27.2 which provides security, - performance and feature enhancements. You can read more about them here: Envoy Proxy 1.27.2 Release Notes -- Feature: By default, Emissary-ingress will return an `UNAVAILABLE` code when a request using gRPC +- Feature: By default, Emissary-ingress will return an `UNAVAILABLE` code when a request using gRPC is rate limited. The `RateLimitService` resource now exposes a new - `grpc.use_resource_exhausted_code` field that when set to `true`, Emissary-ingress will return a - `RESOURCE_EXHAUSTED` gRPC code instead. Thanks to Jerome + `grpc.use_resource_exhausted_code` field that when set to `true`, Emissary-ingress will return a + `RESOURCE_EXHAUSTED` gRPC code instead. Thanks to Jerome Froelich for contributing this feature! - Feature: Envoy runtime fields that were provided to mitigate the recent HTTP/2 rapid reset - vulnerability can now be configured via the Module resource so the configuration will persist - between restarts. This configuration is added to the Envoy bootstrap config, so restarting - Emissary is necessary after changing these fields for the configuration to take effect. + vulnerability can now be configured via the Module resource so the configuration will persist + between restarts. This configuration is added to the Envoy bootstrap config, so restarting + Emissary is necessary after changing these fields for the configuration to take effect. - Change: APIExt would previously allow for TLS 1.0 connections. We have updated it to now only use - a minimum TLS version of 1.3 to resolve security concerns. + a minimum TLS version of 1.3 to resolve security concerns. - Change: - Update default image to Emissary-ingress v3.9.0.
- Bugfix: The APIExt server provides CRD conversion between the stored version v2 and the version - watched for by Emissary-ingress v3alpha1. Since this component is required to operate - Emissary-ingress, we have introduced an init container that will ensure it is available before - starting. This will help address some of the intermittent issues seen during install and - upgrades. - -- Bugfix: _cache_key is getting generated incorrectly for mappings in ir.json, when using header - with regex in mapping. Always, It should be in the format of {kind}-{version}-{name}-{namespace}. - But header name is getting updated in the place of mapping name, if we created mapping with regex - header. - + watched for by Emissary-ingress v3alpha1. Since this component is required to operate + Emissary-ingress, we have introduced an init container that will ensure it is available before + starting. This will help address some of the intermittent issues seen during install and upgrades. ## [3.8.0] August 29, 2023 [3.8.0]: https://github.com/emissary-ingress/emissary/compare/v3.7.2...v3.8.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 692343b68a..98172ee72f 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -35,15 +35,15 @@ items: - version: 3.10.0-dev prevVersion: 3.9.0 date: 'TBD' - notes: + notes: - title: Upgrade to Envoy 1.30.2 type: feature body: >- - This upgrades $productName$ to be built on Envoy v1.28.0 which provides security, performance - and feature enhancements. You can read more about them here: + This upgrades $productName$ to be built on Envoy v1.28.0 which provides security, performance + and feature enhancements. You can read more about them here: Envoy Proxy 1.28.0 Release Notes docs: https://www.envoyproxy.io/docs/envoy/v1.28.0/version_history/version_history - + - title: Remove Ambassador Agent from published YAML Manifest type: change body: >- 
@@ -51,12 +51,11 @@ items: This is an optional component that provides additional features on top of $productName$ and we recommend installing it using the instructions found in the Ambassador Agent Repo. docs: https://github.com/datawire/ambassador-agent - + - title: Update to golang 1.22.4 type: change body: >- Upgraded $productName$ to the latest release of Golang as part of our general dependency upgrade process. - - title: Fix internal keying for regex Mappings type: bugfix 
@@ -76,34 +75,34 @@ items: - title: Upgrade to Envoy 1.27.2 type: feature body: >- - This upgrades $productName$ to be built on Envoy v1.27.2 which provides security, performance - and feature enhancements. You can read more about them here: + This upgrades $productName$ to be built on Envoy v1.27.2 which provides security, performance + and feature enhancements. You can read more about them here: Envoy Proxy 1.27.2 Release Notes docs: https://www.envoyproxy.io/docs/envoy/v1.27.2/version_history/version_history - title: Added support for RESOURCE_EXHAUSTED responses to grpc clients when rate limited type: feature body: >- - By default, $productName$ will return an UNAVAILABLE code when a request using gRPC - is rate limited. The RateLimitService resource now exposes a new grpc.use_resource_exhausted_code - field that when set to true, $productName$ will return a RESOURCE_EXHAUSTED gRPC code instead. + By default, $productName$ will return an UNAVAILABLE code when a request using gRPC + is rate limited. The RateLimitService resource now exposes a new grpc.use_resource_exhausted_code + field that when set to true, $productName$ will return a RESOURCE_EXHAUSTED gRPC code instead. Thanks to Jerome Froelich for contributing this feature! - title: Added support for setting specific Envoy runtime flags in the Module type: feature body: >- - Envoy runtime fields that were provided to mitigate the recent HTTP/2 rapid reset vulnerability - can now be configured via the Module resource so the configuration will persist between restarts. - This configuration is added to the Envoy bootstrap config, so restarting Emissary is necessary after + Envoy runtime fields that were provided to mitigate the recent HTTP/2 rapid reset vulnerability + can now be configured via the Module resource so the configuration will persist between restarts. 
+ This configuration is added to the Envoy bootstrap config, so restarting Emissary is necessary after changing these fields for the configuration to take effect. - title: Update APIExt minimum TLS version type: change body: >- - APIExt would previously allow for TLS 1.0 connections. We have updated it to now only use a minimum + APIExt would previously allow for TLS 1.0 connections. We have updated it to now only use a minimum TLS version of 1.3 to resolve security concerns. docs: https://www.tenable.com/plugins/nessus/104743 - + - title: Shipped Helm chart v8.9.0 type: change body: >- @@ -113,9 +112,9 @@ items: - title: Ensure APIExt server is available before starting Emissary-ingress type: bugfix body: >- - The APIExt server provides CRD conversion between the stored version v2 and the version watched for - by $productName$ v3alpha1. Since this component is required to operate $productName$, we have - introduced an init container that will ensure it is available before starting. This will help address + The APIExt server provides CRD conversion between the stored version v2 and the version watched for + by $productName$ v3alpha1. Since this component is required to operate $productName$, we have + introduced an init container that will ensure it is available before starting. This will help address some of the intermittent issues seen during install and upgrades. docs: https://artifacthub.io/packages/helm/datawire/edge-stack/$emissaryChartVersion$