Emissary - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy

Overview

Emissary-ingress

Version Docker Repository Join Slack Core Infrastructure Initiative: Best Practices


Emissary-Ingress is an open-source Kubernetes-native API Gateway + Layer 7 load balancer + Kubernetes Ingress built on Envoy Proxy. Emissary-ingress is an CNCF incubation project (and was formerly known as Ambassador API Gateway.)

Emissary-ingress enables its users to:

See the full list of features here.

Architecture

Emissary is configured via Kubernetes CRDs, or via annotations on Kubernetes Services. Internally, it uses the [Envoy Proxy] to actually handle routing data; externally, it relies on Kubernetes for scaling and resiliency. For more on Emissary's architecture and motivation, read this blog post.

Getting Started

You can get Emissary up and running in just three steps. Follow the instructions here: https://www.getambassador.io/docs/emissary/latest/tutorials/getting-started/

If you are looking for a Kubernetes ingress controller, Emissary provides a superset of the functionality of a typical ingress controller. (It does the traditional routing, and layers on a raft of configuration options.) This blog post covers Kubernetes ingress.

For other common questions, view this FAQ page.

You can also use Helm to install Emissary. For more information, see the instructions in the Helm installation documentation

Community

Emissary-ingress is a CNCF Incubating project, and welcomes any and all contributors. To get started:

If you're interested in contributing, here are some ways:

The Ambassador Edge Stack is a superset of Emissary-ingress that provides additional functionality including OAuth/OpenID Connect, advanced rate limiting, Swagger/OpenAPI support, integrated ACME support for automatic TLS certificate management, and a cloud-based UI. For more information, visit https://www.getambassador.io/editions/.

Comments
  • Ambassador not working on fresh installed kubernetes

    Ambassador not working on fresh installed kubernetes

    Describe the bug The Ambassador container within ambassador pod does not spawn up properly on a local cluster with kubernetes 1.10.2

    To Reproduce Steps to reproduce the behavior: A fresh install of kubernetes 1.10.2 on a local cluster. Follow the guidance to install ambassador-no-rbac.

    Expected behavior expect ambassador to spawn up. but it give error code 137. Both liveness probe and Readiness probe failed with getsockopt: connection refused.

    ambassador-6c7dd7799b-2mjzx   1/2       CrashLoopBackOff   13         37m
    

    Versions (please complete the following information):

    • Ambassador: 0.32.1
    • Kubernetes environment: local cluster installed using kubeadm. Configured with calico.
    • Version 1.10.2
    • Ubuntu 16.04

    Additional context Someone @richarddli suggested this is due to a dns problem, but local dns (/etc/resolve.conf) is configured using 8.8.8.8 and 8.8.4.4, I am sure at least I can access google website. (By deploying a busybox into my cluster, I checked my busybox container can ping google.com, but not sure for others.) Here are some extra log for debugging

    [email protected]:~/my-kubeflow$ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c kubedns
    I0503 10:46:23.833551       1 dns.go:48] version: 1.14.8
    I0503 10:46:23.862220       1 server.go:71] Using configuration read from directory: /kube-dns-config with period 10s
    I0503 10:46:23.862374       1 server.go:119] FLAG: --alsologtostderr="false"
    I0503 10:46:23.862433       1 server.go:119] FLAG: --config-dir="/kube-dns-config"
    I0503 10:46:23.862466       1 server.go:119] FLAG: --config-map=""
    I0503 10:46:23.862485       1 server.go:119] FLAG: --config-map-namespace="kube-system"
    I0503 10:46:23.862504       1 server.go:119] FLAG: --config-period="10s"
    I0503 10:46:23.862532       1 server.go:119] FLAG: --dns-bind-address="0.0.0.0"
    I0503 10:46:23.862551       1 server.go:119] FLAG: --dns-port="10053"
    I0503 10:46:23.862592       1 server.go:119] FLAG: --domain="cluster.local."
    I0503 10:46:23.862621       1 server.go:119] FLAG: --federations=""
    I0503 10:46:23.862648       1 server.go:119] FLAG: --healthz-port="8081"
    I0503 10:46:23.862668       1 server.go:119] FLAG: --initial-sync-timeout="1m0s"
    I0503 10:46:23.862688       1 server.go:119] FLAG: --kube-master-url=""
    I0503 10:46:23.862742       1 server.go:119] FLAG: --kubecfg-file=""
    I0503 10:46:23.862761       1 server.go:119] FLAG: --log-backtrace-at=":0"
    I0503 10:46:23.862794       1 server.go:119] FLAG: --log-dir=""
    I0503 10:46:23.862815       1 server.go:119] FLAG: --log-flush-frequency="5s"
    I0503 10:46:23.862835       1 server.go:119] FLAG: --logtostderr="true"
    I0503 10:46:23.862854       1 server.go:119] FLAG: --nameservers=""
    I0503 10:46:23.862872       1 server.go:119] FLAG: --stderrthreshold="2"
    I0503 10:46:23.862891       1 server.go:119] FLAG: --v="2"
    I0503 10:46:23.862911       1 server.go:119] FLAG: --version="false"
    I0503 10:46:23.862953       1 server.go:119] FLAG: --vmodule=""
    I0503 10:46:23.863269       1 server.go:201] Starting SkyDNS server (0.0.0.0:10053)
    I0503 10:46:23.864231       1 server.go:220] Skydns metrics enabled (/metrics:10055)
    I0503 10:46:23.864282       1 dns.go:146] Starting endpointsController
    I0503 10:46:23.864363       1 dns.go:149] Starting serviceController
    I0503 10:46:23.901849       1 logs.go:41] skydns: ready for queries on cluster.local. for tcp://0.0.0.0:10053 [rcache 0]
    I0503 10:46:23.901936       1 logs.go:41] skydns: ready for queries on cluster.local. for udp://0.0.0.0:10053 [rcache 0]
    I0503 10:46:24.364803       1 dns.go:170] Initialized services and endpoints from apiserver
    I0503 10:46:24.364871       1 server.go:135] Setting up Healthz Handler (/readiness)
    I0503 10:46:24.364935       1 server.go:140] Setting up cache handler (/cache)
    I0503 10:46:24.364962       1 server.go:126] Status HTTP port 8081
    I0504 04:33:43.169511       1 dns.go:555] Could not find endpoints for service "tf-hub-0" in namespace "kubeflow". DNS records will be created once endpoints show up.
    I0515 01:02:23.572540       1 dns.go:555] Could not find endpoints for service "tf-hub-0" in namespace "kubeflow". DNS records will be created once endpoints show up.
    
    [email protected]:~/my-kubeflow$ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c dnsmasq
    I0503 10:46:24.860136       1 main.go:76] opts: {{/usr/sbin/dnsmasq [-k --cache-size=1000 --no-negcache --log-facility=- --server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/127.0.0.1#10053 --server=/ip6.arpa/127.0.0.1#10053] true} /etc/k8s/dns/dnsmasq-nanny 10000000000}
    I0503 10:46:24.870496       1 nanny.go:94] Starting dnsmasq [-k --cache-size=1000 --no-negcache --log-facility=- --server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/127.0.0.1#10053 --server=/ip6.arpa/127.0.0.1#10053]
    I0503 10:46:25.334307       1 nanny.go:116] dnsmasq[12]: started, version 2.78 cachesize 1000
    I0503 10:46:25.334618       1 nanny.go:116] dnsmasq[12]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
    I0503 10:46:25.334632       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain ip6.arpa
    I0503 10:46:25.334638       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain in-addr.arpa
    I0503 10:46:25.334643       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain cluster.local
    I0503 10:46:25.334651       1 nanny.go:116] dnsmasq[12]: reading /etc/resolv.conf
    I0503 10:46:25.334657       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain ip6.arpa
    I0503 10:46:25.334662       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain in-addr.arpa
    I0503 10:46:25.334668       1 nanny.go:116] dnsmasq[12]: using nameserver 127.0.0.1#10053 for domain cluster.local
    I0503 10:46:25.334672       1 nanny.go:116] dnsmasq[12]: using nameserver 8.8.8.8#53
    I0503 10:46:25.334678       1 nanny.go:116] dnsmasq[12]: using nameserver 8.8.4.4#53
    I0503 10:46:25.334716       1 nanny.go:116] dnsmasq[12]: read /etc/hosts - 7 addresses
    I0503 10:46:25.334851       1 nanny.go:119]
    W0503 10:46:25.334861       1 nanny.go:120] Got EOF from stdout
    
    [email protected]:~/my-kubeflow$ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c sidecar
    I0503 10:46:25.240827       1 main.go:51] Version v1.14.8
    I0503 10:46:25.240868       1 server.go:45] Starting server (options {DnsMasqPort:53 DnsMasqAddr:127.0.0.1 DnsMasqPollIntervalMs:5000 Probes:[{Label:kubedns Server:127.0.0.1:10053 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33} {Label:dnsmasq Server:127.0.0.1:53 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33}] PrometheusAddr:0.0.0.0 PrometheusPort:10054 PrometheusPath:/metrics PrometheusNamespace:kubedns})
    I0503 10:46:25.240906       1 dnsprobe.go:75] Starting dnsProbe {Label:kubedns Server:127.0.0.1:10053 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33}
    I0503 10:46:25.240992       1 dnsprobe.go:75] Starting dnsProbe {Label:dnsmasq Server:127.0.0.1:53 Name:kubernetes.default.svc.cluster.local. Interval:5s Type:33}
    W0503 10:46:25.241374       1 server.go:64] Error getting metrics from dnsmasq: read udp 127.0.0.1:58432->127.0.0.1:53: read: connection refused
    

    Can anyone help me have a look? Many thanks in advance!

    opened by jiaanguo 41
  • Regression: Ambassador does not route insecure requests

    Regression: Ambassador does not route insecure requests

    Description

    This bug has already been fixed in the past and it came back when updating the Helm Chart from 6.5.5 to 6.5.6 (or Ambassador 1.7.1 to 1.7.2).

    Even if one follows the documentation for ClearText support, Ambassador categorically refuses to forward non HTTP requests and always forces redirection (HTTP 301).

    ---
    apiVersion: getambassador.io/v2
    kind: Module
    metadata:
      name: ambassador
      namespace: ambassador
    spec:
      config:
        enable_grpc_web: true
        use_proxy_proto: false
        use_remote_address: true
        x_forwarded_proto_redirect: false
    ...
    apiVersion: getambassador.io/v2
    kind: Host
    metadata:
      name: ambassador
      namespace: ambassador
    spec:
      hostname: "*.example.com"
      acmeProvider:
        authority: none
      requestPolicy:
        insecure:
          action: Route
          additionalPort: -1
    ...
    
    t:bug 
    opened by srheaume 37
  • build(deps): bump k8s.io/api from 0.21.9 to 0.24.4

    build(deps): bump k8s.io/api from 0.21.9 to 0.24.4

    Bumps k8s.io/api from 0.21.9 to 0.24.4.

    Commits
    • 44d27eb Update dependencies to v0.24.4 tag
    • 0bf1867 Revert "Introduce APIs to support multiple ClusterCIDRs (#108290)"
    • 2de6996 Merge pull request #109241 from ravisantoshgudimetla/sts-ar-optional
    • 7734d26 [sts] api: Make available replicas optional
    • 38ec09a [sts] Generated: Make available replicas optional
    • ec84bcb Merge pull request #109178 from liggitt/openapi-master
    • e3797f2 Drop enum tag from certificate request condition
    • 02c2207 Merge pull request #109151 from Argh4k/r-101566
    • 1eb735b Revert "Field status.hostIPs added for Pod (#101566)"
    • 290a349 Introduce APIs to support multiple ClusterCIDRs (#108290)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 30
  • build(deps): bump k8s.io/apimachinery from 0.21.9 to 0.24.4

    build(deps): bump k8s.io/apimachinery from 0.21.9 to 0.24.4

    Bumps k8s.io/apimachinery from 0.21.9 to 0.24.4.

    Commits
    • 97e5df2 fix remove implicit copy of a lock
    • 6550efd Merge pull request #109102 from liggitt/darwin-tls
    • 00f0711 Merge pull request #109031 from Jefftree/openapiv3beta
    • 53a85ef Tolerate additional error messages in TLS unit tests
    • 9b5b68c generated: Update kube-openapi and vendor
    • 31e52c9 Merge pull request #108126 from sanposhiho/doc/generatedname
    • 3b8fb46 Merge pull request #108713 from jiahuif-forks/feature/openapi/intstr-any-of
    • dd2f21c fix the doc about generateName conflict
    • 2866f23 oneOf types for IntOrString
    • 7b6c37e oneOf types for Quantity
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 30
  • Host header may include port

    Host header may include port

    Describe the bug If the Host header provided in a request includes the port, Ambassador responds with a 404 where there is an otherwise valid route.

    To Reproduce Steps to reproduce the behavior:

    1. Setup a Host and Mapping
    2. curl https://myhostname.com will work because curl sends Host: myhostname.com
    3. curl https://myhostname.com -H "Host: myhostname.com:443" will return a 404 with an empty body

    Expected behavior Ambassador should ignore the port portion of the Host header, or at least treat the default ports as equivalent to the absence of a port.

    Versions (please complete the following information):

    • Ambassador: AES 1.1.0
    • Kubernetes environment: Digital Ocean Managed Kubernetes
    • Version: 1.16.2-do.3

    Additional context Our client is using Qt's QNetworkAccessManager to send requests, but upon testing Ambassador I have found that requests were failing from our client (but working from browsers, curl, etc.) Initially I assumed this was a bug in Qt, but the RFC states that the Host header may include a port.

    pinned t:bug 
    opened by james-emerton 30
  • 503 and 403 errors when using more than 1 ambassador pod

    503 and 403 errors when using more than 1 ambassador pod

    Describe the bug

    When talking to a service through ambassador that has an auth service, was getting what appeared to be random responses between 200, 503, and 403. Had replica of 3 set for the ambassador deployment. Upon looking at the logs, one pod was always giving 200 responses, another 503, and another 403. Tried restarting the trouble pods with no luck.

    As a workaround I made my deployment to just replica 1 and now only seem to be getting 200 responses. Only saw this bug when I upgraded to 0.53.1. Was previously on version 0.50.3.

    Versions (please complete the following information):

    • Ambassador: 0.53.1
    • Kubernetes environment (bare metal)
    • Version 1.13.1
    stale 
    opened by robertrbruno 29
  • grpc hello world example does not work clean ambassador edge install on kubeadm

    grpc hello world example does not work clean ambassador edge install on kubeadm

    Describe the bug

    We had clean install of ambassador edge on aws instance running kubeadm 1.17.0. Then we deployed grpc hello world example but executing greeter_client.py result in an error. Also, grpc example pod log has some strange error

    sudo docker logs 0a6f7953d987 -f E0129 08:00:33.483639279 9 http_server_filter.cc:299] GET request without QUERY E0129 08:01:33.479603017 9 http_server_filter.cc:299] GET request without QUERY E0129 08:02:33.482634173 9 http_server_filter.cc:299] GET request without QUERY

    and running greeter_client.py with ambassador host and port give and error:

    python greeter_client.py Traceback (most recent call last): File "greeter_client.py", line 38, in run() File "greeter_client.py", line 32, in run response = stub.SayHello(helloworld_pb2.HelloRequest(name='you')) File "/home/ubuntu/.local/lib/python2.7/site-packages/grpc/_channel.py", line 824, in call return _end_unary_response_blocking(state, call, False, None) File "/home/ubuntu/.local/lib/python2.7/site-packages/grpc/_channel.py", line 726, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNIMPLEMENTED details = "unknown service edge_stack_ui/helloworld.Greeter" debug_error_string = "{"created":"@1580285513.750873999","description":"Error received from peer ipv4:172.31.79.169:80","file":"src/core/lib/surface/call.cc","file_line":1056,"grpc_message":"unknown service edge_stack_ui/helloworld.Greeter","grpc_status":12}"

    To Reproduce Steps to reproduce the behavior:

    1. Clean install ambassador edge
    2. configure host and certificate
    3. download and deploy grpc example hello world
    4. lanch greeter_client.py with ambassador host and port

    Expected behavior expected a reply $ python greeter_client.py Greeter client received: Hello, you!

    Versions (please complete the following information):

    • Ambassador Ede stack : [1.0.0]
    • Kubernetes environment: Kubeadm
    • Version [1.17.0]

    Additional context Add any other context about the problem here.

    stale 
    opened by cogmeta 28
  • TLS redirect_cleartext_from doesn't preserve path

    TLS redirect_cleartext_from doesn't preserve path

    Describe the bug url path is not preserved with redirect_cleartext_from set

    To Reproduce

    1. Follow TLS Termination documentation to create cert and store as kubernetes secret

    2. Deploy ambassador with helm chart 2.2.1 with values:

    service:
      annotations:
        getambassador.io/config: |
          ---
          apiVersion: ambassador/v1
          kind: Module
          name: tls
          config:
            server:
              enabled: True
              secret: ambassador-certs
              redirect_cleartext_from: 8080
    
    1. Deploy httpbin service to test redirect
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: httpbin
      annotations:
        getambassador.io/config: |
          ---
          apiVersion: ambassador/v1
          kind:  Mapping
          name:  httpbin_mapping
          prefix: /httpbin/
          service: httpbin.org:80
          host_rewrite: httpbin.org
    spec:
      ports:
      - name: httpbin
        port: 80
    
    1. curl the endpoint using http
    curl -Li http://hostname/httpbin/
    
    1. Result: path is not preserved on redirect
    HTTP/1.1 301 Moved Permanently
    location: https://hostname/
    date: Wed, 24 Apr 2019 20:12:19 GMT
    server: envoy
    content-length: 0
    
    HTTP/2 404 
    date: Wed, 24 Apr 2019 20:12:19 GMT
    server: envoy
    

    Expected behavior Path should be preserved and redirect to https://hostname/httpbin/

    Versions (please complete the following information):

    • Ambassador: [0.60.0] (using Helm chart 2.2.1)
    • Kubernetes environment: [AKS]
    • Version [1.12.7]

    Additional context

    opened by bpehling 27
  • v0.50.1 AuthService drops all but one `set-cookie` response header

    v0.50.1 AuthService drops all but one `set-cookie` response header

    Describe the bug When AuthService returns a non-200 response to Ambassador, only one set-cookie header can be sent back to the client, all other set-cookie headers are stripped. All cookies have the same domain, max_age, etc.

    To Reproduce Steps to reproduce the behavior:

    1. Setup a v1 (0.50.1) AuthService that adds more than one set-cookie header on auth responses
    2. Send a non-200 response (302 in this case so that the request does not continue upstream) from AuthService with >1 set-cookie header on response
    3. Verify all set-cookie headers are present on response from AuthService as the response passes back through Ambassador; there should be >1 set-cookie header on the response from the AuthService and only 1 set-cookie header on the response that Ambassador filters and sends back to the client

    Expected behavior We expect all set-cookie headers to be returned by Ambassador when the AuthService returns a response. Rolling the service back to Ambassador v0.40.2 results in the expected behavior.

    Versions (please complete the following information):

    • Ambassador: [e.g. 0.32.1]
    • Kubernetes environment [e.g. Minikube, bare metal, Google Kubernetes Engine]
    • Version [e.g. 1.8.1]

    Additional context Here is logging we captured of the issue. Notice that x-request-destination is preserved but session is removed in the final response.

    [2019-02-07 20:41:58.736][000059][debug][http] [source/common/http/async_client_impl.cc:96] async http request response headers (end_stream=false):
    ':status', '302'
    'server', 'nginx/1.15.0'
    'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
    'content-type', 'text/html; charset=utf-8'
    'content-length', '941'
    'connection', 'keep-alive'
    'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
    'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
    'vary', 'Cookie'
    'set-cookie', 'session=.eJyrVopPLC3JMACTOZlJ8cmJOTlJicnZ8UpWShklJQXFVvr6iblJicXFiSn5RXopqWV6xZWJBcWpesn5ufogXVX6ZYZghoE-UKggJ7UkVUkH3djiksSSVJCZpWbGkQVeyVnB5ak-nm6V_oEFhWluPoZRZUHBPhWeSrUAJe00QQ.XFyYFg.8BzD07RYRXiRz8Iz2s-9U3S3XUg; Domain=.syapse.com; HttpOnly; Path=/'
    'x-content-type-options', 'nosniff'
    'x-frame-options', 'SAMEORIGIN'
    'x-xss-protection', '1; mode=block'
    'strict-transport-security', 'max-age=15768000; includeSubDomains'
    'x-envoy-upstream-service-time', '27'
    
    [2019-02-07 20:41:58.740][000059][debug][client] [source/common/http/codec_client.cc:95] [C141708] response complete
    [2019-02-07 20:41:58.740][000059][debug][filter] [source/extensions/filters/http/ext_authz/ext_authz.cc:177] [C141707][S17486080943075874799] ext_authz rejected the request
    [2019-02-07 20:41:58.740][000059][debug][http] [source/common/http/conn_manager_impl.cc:1096] [C141707][S17486080943075874799] encoding headers via codec (end_stream=false):
    ':status', '302'
    'content-length', '941'
    'content-type', 'text/plain'
    'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
    'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
    'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
    'server', 'envoy'
    
    [2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:209] [C141708] response complete
    [2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:247] [C141708] moving to ready[2019-02-07 20:41:58.736][000059][debug][http] [source/common/http/async_client_impl.cc:96] async http request response headers (end_stream=false):
    ':status', '302'
    'server', 'nginx/1.15.0'
    'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
    'content-type', 'text/html; charset=utf-8'
    'content-length', '941'
    'connection', 'keep-alive'
    'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
    'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
    'vary', 'Cookie'
    'set-cookie', 'session=.eJyrVopPLC3JMACTOZlJ8cmJOTlJicnZ8UpWShklJQXFVvr6iblJicXFiSn5RXopqWV6xZWJBcWpesn5ufogXVX6ZYZghoE-UKggJ7UkVUkH3djiksSSVJCZpWbGkQVeyVnB5ak-nm6V_oEFhWluPoZRZUHBPhWeSrUAJe00QQ.XFyYFg.8BzD07RYRXiRz8Iz2s-9U3S3XUg; Domain=.syapse.com; HttpOnly; Path=/'
    'x-content-type-options', 'nosniff'
    'x-frame-options', 'SAMEORIGIN'
    'x-xss-protection', '1; mode=block'
    'strict-transport-security', 'max-age=15768000; includeSubDomains'
    'x-envoy-upstream-service-time', '27'
    
    [2019-02-07 20:41:58.740][000059][debug][client] [source/common/http/codec_client.cc:95] [C141708] response complete
    [2019-02-07 20:41:58.740][000059][debug][filter] [source/extensions/filters/http/ext_authz/ext_authz.cc:177] [C141707][S17486080943075874799] ext_authz rejected the request
    [2019-02-07 20:41:58.740][000059][debug][http] [source/common/http/conn_manager_impl.cc:1096] [C141707][S17486080943075874799] encoding headers via codec (end_stream=false):
    ':status', '302'
    'content-length', '941'
    'content-type', 'text/plain'
    'location', 'https://dev-syapse.auth0.com/authorize?response_type=code&client_id=Y4EF4s3mw3IvLKFUUggL9Xgz64g0pH6h&redirect_uri=https%3A%2F%2Fambassador.dev.syapse.com%2Fauthz%2Fv1%2Fauth0%2Fcomplete&scope=openid+profile+email+user_metadata+app_metadata&state=u63YpJcjSweLIFyOQpqfFL1ZvRSLxI&audience=https%3A%2F%2Fdev-syapse.auth0.com%2Fuserinfo&prompt=none'
    'set-cookie', 'x-request-destination=https://oncology-web-2.dev.syapse.com/; Domain=.syapse.com; Path=/'
    'date', 'Thu, 07 Feb 2019 20:41:58 GMT'
    'server', 'envoy'
    
    [2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:209] [C141708] response complete
    [2019-02-07 20:41:58.741][000059][debug][pool] [source/common/http/http1/conn_pool.cc:247] [C141708] moving to ready
    

    Here's the AuthService annotation that we are using:

      annotations:
        getambassador.io/config: |
          ---
          apiVersion: ambassador/v1
          kind: AuthService
          name: authentication
          auth_service: {auth-service-url-and-port}
          path_prefix: "/v1/validate"
          allowed_authorization_headers:
          - "set-cookie"
          - "session"
          ---
          apiVersion: ambassador/v1
          kind: Mapping
          name: authz_mapping
          prefix: /authz/
          service: {auth-service-url-and-port}
          tls: true
    

    We also verified this behavior against normal non-AuthService request/response flows, and did not see Ambassador filtering any response headers.

    opened by mianelson 26
  • Set a capability to allow binding to low ports

    Set a capability to allow binding to low ports

    Description

    The cap_net_bind_service capability allows a process to bind to a low port without root. While Kubernetes lets you allow a capability in the pod spec, the effective capabilities are wiped when the root -> user transition is made.

    This change setcap's the binary so that it can assert that capability. e.g.

     securityContext:                                                                                                                                  |~
       capabilities:                                                                                                                                   |~
         add:                                                                                                                                          |~
           - NET_BIND_SERVICE
    

    (there is no CAP_ at the beginning; K8s seems to add that)

    If you don't want to bind to a low port, don't add the capability and we're back to the previous behavior. If you want to bind to a low port, add the capability and configure Ambassador appropriately.

    Related Issues

    This is a feature addition -- I want to be able to run this as a non root user but still bind to a low port.

    Testing

    Manual testing.

    Todos

    • [ ] Tests
    • [ ] Documentation
    opened by swalberg 25
  • Host CRD does not route insecure requests

    Host CRD does not route insecure requests

    Describe the bug Despite using the Host CRD for http-only in the docs, Ambassador refuses to route non-http requests and always forces 301 redirect.

    To Reproduce Use the following k8s yaml

    apiVersion: getambassador.io/v2
    kind: Host
    metadata:
      name: minimal-host
    spec:
      hostname: host.example.com
      acmeProvider:
        authority: none
    requestPolicy:
      insecure:
        action: route
    ---
    apiVersion: getambassador.io/v2
    kind: Mapping
    metadata:
      name: hello-world-mapping
    spec:
      prefix: /hello-world/
      service: hello-world
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: hello-world
    spec:
      selector:
        app: hello-world
      ports:
      - port: 80
        targetPort: 8080
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello-world
    spec:
      replicas: 1
      strategy:
        type: RollingUpdate
      selector:
        matchLabels:
          app: hello-world
      template:
        metadata:
          labels:
            app: hello-world
        spec:
          containers:
          - name: hello-world
            image: infrastructureascode/hello-world
    

    Curl to curl -v http://host.example.com:30845/hello-world/ See 301 redirect

    *   Trying 192.168.64.5...
    * TCP_NODELAY set
    * Connected to host.example.com (192.168.64.5) port 30845 (#0)
    > GET /hello-world/ HTTP/1.1
    > Host: host.example.com:30845
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < location: https://host.example.com:30845/hello-world/
    < date: Sun, 19 Jan 2020 15:15:13 GMT
    < server: envoy
    < content-length: 0
    <
    * Connection #0 to host host.example.com left intact
    

    Expected behavior Expect Host definition to allow http-only requests, no redirects.

    Versions (please complete the following information):

    • Image: quay.io/datawire/aes:1.0.0
    • Image ID: docker-pullable://quay.io/datawire/[email protected]:4a6577ca83178fbbfd8295d68312b2d92b6820dfd97e6a36e2ec1337ac4cf66b
    • minikube version: v1.6.2

    Additional context I review of the generated envoy.json file shows the vhost host.example.com has an entry for the /hello-world/ path, but it is set to redirect: true. Seems like the insecure-action route is not being recognized.

    t:bug 
    opened by daninthewoods 23
  • build(deps): bump importlib-metadata from 5.0.0 to 6.0.0 in /docker/test-shadow

    build(deps): bump importlib-metadata from 5.0.0 to 6.0.0 in /docker/test-shadow

    Bumps importlib-metadata from 5.0.0 to 6.0.0.

    Changelog

    Sourced from importlib-metadata's changelog.

    v6.0.0

    • #419: Declared Distribution as an abstract class, enforcing definition of abstract methods in instantiated subclasses. It's no longer possible to instantiate a Distribution or any subclasses unless they define the abstract methods.

      Please comment in the issue if this change breaks any projects. This change will likely be rolled back if it causes significant disruption.

    v5.2.0

    • #371: Deprecated expectation that PackageMetadata.__getitem__ will return None for missing keys. In the future, it will raise a KeyError.

    v5.1.0

    • #415: Instrument SimplePath with generic support.
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 0
  • .github: remove x.y.z-dev tags from rc promotion

    .github: remove x.y.z-dev tags from rc promotion

    Description

    Cause more confusion than its worth.

    Checklist

    • [x] Does my change need to be backported to a previous release?

      • release/v3.4 (after GA)
      • release/v2.5
    • [ ] I made sure to update CHANGELOG.md.

      Remember, the CHANGELOG needs to mention:

      • Any new features
      • Any changes to our included version of Envoy
      • Any non-backward-compatible changes
      • Any deprecations
    • [ ] This is unlikely to impact how Ambassador performs at scale.

      Remember, things that might have an impact at scale include:

      • Any significant changes in memory use that might require adjusting the memory limits
      • Any significant changes in CPU use that might require adjusting the CPU limits
      • Anything that might change how many replicas users should use
      • Changes that impact data-plane latency/scalability
    • [ ] My change is adequately tested.

      Remember when considering testing:

      • Your change needs to be specifically covered by tests.
        • Tests need to cover all the states where your change is relevant: for example, if you add a behavior that can be enabled or disabled, you'll need tests that cover the enabled case and tests that cover the disabled case. It's not sufficient just to test with the behavior enabled.
      • You also need to make sure that the entire area being changed has adequate test coverage.
        • If existing tests don't actually cover the entire area being changed, add tests.
        • This applies even for aspects of the area that you're not changing – check the test coverage, and improve it if needed!
      • We should lean on the bulk of code being covered by unit tests, but...
      • ... an end-to-end test should cover the integration points
    • [ ] I updated DEVELOPING.md with any any special dev tricks I had to use to work on this code efficiently.

    • [ ] The changes in this PR have been reviewed for security concerns and adherence to security best practices.

    opened by haq204 0
  • Istio Multicluster Support?

    Istio Multicluster Support?

    Describe the bug We are running an Istio multi-cluster setup with 2 clusters. We are using Istio version 1.14.1 on all workloads, including emissary-ingress, which is injected with the istio-proxy sidecar via the istio.io/rev: 1-14-1 label on the emissary namespace; i.e. standard practice. This is all running on 2 GKE clusters running kubernetes versionv1.21.14-gke.4300

    We installed emissary-ingresss following this documentation - https://www.getambassador.io/docs/emissary/latest/howtos/istio

    If we exec into an emissary-ingress pod, we can communicate with workloads on the same cluster as expected. When we try to communicate with a workload on the remote cluster, we receive 504 Gateway Timeout responses. DNS resolution for remote services is working.

    Another non-emissary pod in the same namespace as the emissary-ingress pods, can communicate with the remote service without issue. This seems to point to emissary-ingress as being the problem is this case.

    Expected behavior To be able to communicate with remote services.

    Versions (please complete the following information):

    • emissary-ingress - 3.3.1
    • helm chart version emissary-ingress-8.3.1
    • Kubernetes environment - GKE
    • Version - v1.21.14
    opened by rixongary 0
  • Move CRDs and apiext to its own helm chart and add it as a dependency

    Move CRDs and apiext to its own helm chart and add it as a dependency

    Please describe your use case / problem. Currently apiext and the CRDs are kind of loosely managed from a helm user perspective. That means that as a helm user I have to manually delete and update the apiext deployment and the CRDs.

    Describe the solution you'd like As a helm user I would expect to maintain only the emissary-ingress helm release, which "ships" its CRDs and the apiext deployment. One solution would be to define the CRDs and apiext in seperate helm charts, which the emissary-ingress helm chart depends on.

    Describe alternatives you've considered Include the CRDs and the apiext deployment directly in the emissary-ingress chart as described here. That would work for the apiext deployment, but upgrading the CRDs would not be supported by it.

    Additional context Part of https://github.com/emissary-ingress/emissary/issues/4531

    opened by kharf 1
  • Introduction of default requests/limits for apiext deployment

    Introduction of default requests/limits for apiext deployment

    Please describe your use case / problem. One of the best practices of Kubernetes is to define resource requests and limits. Requests are what the container is guaranteed to get. If a container requests a resource, Kubernetes will only schedule it on a node that can give it that resource. Limits, on the other hand, make sure a container never goes above a certain value. Currently apiext does not have these requests and limits defined.

    Describe the solution you'd like Add resource requests and limits to the apiext deployment.

    Describe alternatives you've considered Documentation why it is not defined and explain how customers can define their own resource request and limits. (e.g. with Kustomize)

    Additional context Part of: https://github.com/emissary-ingress/emissary/issues/4531

    opened by kharf 2
  • How to use feature on ssl-passthrough in emissary

    How to use feature on ssl-passthrough in emissary

    Describe the bug How to use feature on ssl-passthrough in emissary

    To Reproduce Steps to reproduce the behavior: I am not sure how to use ssl passthrough in emissary? In one the issue I can see that TCPMapping can be used but I dont know how to use it and it didnt worked for me. please help me resolving the issue How to use feature on ssl-passthrough in emissary

    Expected behavior SSL passthrough must work

    Versions (please complete the following information):

    • Ambassador: [e.g. 0.32.1]
    • Kubernetes environment [e.g. Minikube, bare metal, Google Kubernetes Engine]
    • Version [e.g. 1.8.1]

    Additional context Add any other context about the problem here. Describe the bug A clear and concise description of what the bug is.

    To Reproduce Steps to reproduce the behavior:

    1. Go to '...'I am not sure how to use ssl passthrough in emissary? In one the issue I can see that TCPMapping can be used but I dont know how to use it and it didnt worked for me. please help me resolving the issue
    2. Click on '....'
    3. Scroll down to '....'
    4. See error

    Expected behavior A clear and concise description of what you expected to happen.

    Versions (please complete the following information):

    • Ambassador: [e.g. 0.32.1]
    • Kubernetes environment [e.g. Minikube, bare metal, Google Kubernetes Engine]
    • Version [e.g. 1.8.1]

    Additional context Add any other context about the problem here.

    opened by mohania17 0
Releases(v3.3.1)
  • v3.3.1(Dec 9, 2022)

    :tada: Emissary Ingress 3.3.1 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release. CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients. Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of Envoy is not affected by either of these.
    Source code(tar.gz)
    Source code(zip)
  • v2.5.1(Dec 9, 2022)

    :tada: Emissary Ingress 2.5.1 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Feature: Support for the getambassador.io/v1 apiVersion has been re-introduced, in order to facilitate smoother migrations from Emissary-ingress 1.y. Previously, in order to make migrations possible, an "unserved" v1 version was declared to Kubernetes, but was unsupported by Emissary-ingress. That unserved v1 could cause an excess of errors to be logged by the Kubernetes Nodes (regardless of whether the installation was migrated from 1.y or was a fresh 2.y install); fully supporting v1 again should resolve these errors.

    • Security: Update Golang to release 1.19.4. Two CVE's were annouced in this z patch release. CVE-2022-41720 only affects Windows environments and Emissary-ingress runs in linux. The second one CVE-2022-41717 only affects HTTP/2 server connections exposed to external clients. Emissary-ingress does not expose any Golang http servers to outside clients. The data-plane of Envoy is not affected by either of these.

    • Security: Updated Golang to the latest z patch. We are not vulnerable to the CVE-2022-3602 that was released in 1.19.3 and you can read more about it here: https://medium.com/ambassador-api-gateway/ambassador-labs-security-impact-assessment-of-nov-1-openssl-golang-vulnerabilities-f11b5ec37a7e. Updating to the latest z patch as part of our normal dependency update process and this will help reduce the noise of security scanners.

    Source code(tar.gz)
    Source code(zip)
  • chart/v8.3.1(Dec 9, 2022)

    :tada: Emissary Ingress Chart 8.3.1 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • chart/v7.6.1(Dec 9, 2022)

    :tada: Emissary Ingress Chart 7.6.1 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • v2.5.0(Nov 3, 2022)

    :tada: Emissary Ingress 2.5.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.5.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Bugfix: If a Host or TLSContext contained a hostname with a : then when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing envoy metrics for the diagnostics user interface.

    • Security: Bump Go from 1.17.12 to 1.19.2. This is to keep the Go version current.

    Source code(tar.gz)
    Source code(zip)
  • chart/v7.6.0(Nov 3, 2022)

    :tada: Emissary Ingress Chart 7.6.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • v3.3.0(Nov 2, 2022)

    :tada: Emissary Ingress 3.3.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.3.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Security: Updated Golang to 1.19.2 to address the CVEs: CVE-2022-2879, CVE-2022-2880, CVE-2022-41715.

    • Bugfix: By default Emissary-ingress adds routes for http to https redirection. When an AuthService is applied in v2.Y of Emissary-ingress, Envoy would skip the ext_authz call for non-tls http request and would perform the https redirect. In Envoy 1.20+ the behavior has changed where Envoy will always call the ext_authz filter and must be disabled on a per route basis. This new behavior change introduced a regression in v3.0 of Emissary-ingress when it was upgraded to Envoy 1.22. The http to https redirection no longer works when an AuthService was applied. This fix restores the previous behavior by disabling the ext_authz call on the https redirect routes. (#4620)

    • Bugfix: When an AuthService is applied in v2.Y of Emissary-ingress, Envoy would skip the ext_authz call for all redirect routes and would perform the redirect. In Envoy 1.20+ the behavior has changed where Envoy will always call the ext_authz filter so it must be disabled on a per route basis. This new behavior change introduced a regression in v3.0 of Emissary-ingress when it was upgraded to Envoy 1.22. The host_redirect would call an AuthService prior to redirect if applied. This fix restores the previous behavior by disabling the ext_authz call on the host_redirect routes. (#4640)

    • Bugfix: Previous versions of Emissary-ingress required a workaround using TLSContexts to find tls secrets referenced from Ingress resources. Now tls secrets referenced are properly detected without requiring an additional TLSContext to reference them. (Thanks to Ole Markus!).

    Source code(tar.gz)
    Source code(zip)
  • chart/v8.3.0(Nov 2, 2022)

    :tada: Emissary Ingress Chart 8.3.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    • Upgrade Emissary to v3.3.0 CHANGELOG

    • Change: By default, the Ambassador agent will report diagnostics to the Ambassador Cloud

    • Change: updated auto-scaling resource cpu and memory variable ordering to help with git-ops syncing. Also, adjusted memory and cpu settings to be more friendly so that they do not cause the HPA auto-scaling to trigger during start-up. Thanks to Ian Martin for the contribution!

    Source code(tar.gz)
    Source code(zip)
  • v2.4.1(Oct 10, 2022)

    :tada: Emissary Ingress 2.4.1 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Bugfix: If a Host or TLSContext contained a hostname with a : then when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing envoy metrics for the diagnostics user interface.

    • Bugfix: The synthetic AuthService didn't correctly handle AmbassadorID, which was fixed in version 3.1 of Emissary-ingress. The fix has been backported to make sure the AuthService is handled correctly during upgrades.

    Source code(tar.gz)
    Source code(zip)
  • chart/v7.5.1(Oct 10, 2022)

    :tada: Emissary Ingress Chart 7.5.1 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • v3.2.0(Sep 27, 2022)

    :tada: Emissary Ingress 3.2.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.2.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Change: The envoy version included in Emissary-ingress has been upgraded from 1.22 to the latest patch release of 1.23. This provides Emissary-ingress with the latest security patches, performances enhancments, and features offered by the envoy proxy.

    • Change: Changes to label matching will change how Hosts are associated with Mappings. There was a bug with label selectors that was causing Hosts to be incorrectly being associated with more Mappings than intended. If any single label from the selector was matched then the Host would be associated with the Mapping. Now it has been updated to correctly only associate a Host with a Mapping if all labels required by the selector are present. This brings the mappingSelector field in-line with how label selectors are used in Kubernetes. To avoid unexpected behaviour after the upgrade, add all labels that Hosts have in their mappingSelector to Mappings you want to associate with the Host. You can opt-out of the new behaviour by setting the environment variable DISABLE_STRICT_LABEL_SELECTORS to "true" (default: "false"). (Thanks to Filip Herceg and Joe Andaverde!).

    • Feature: Previously the Host resource could only use secrets that are in the namespace as the Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of secrets from different namespaces.

    • Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to a delay between EDS + CDS. The default is false.

    • Bugfix: Distinct services with names that are the same in the first forty characters will no longer be incorrectly mapped to the same cluster. (#4354)

    • Feature: By default, when Envoy is unable to communicate with the configured RateLimitService then it will allow traffic through. The RateLimitService resource now exposes the failure_mode_deny option. Set failure_mode_deny: true, then Envoy will deny traffic when it is unable to communicate to the RateLimitService returning a 500.

    • Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the AuthService would have no affect because it was not being properly passed to the Envoy cluster config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly. (Thanks to Paul!)

    • Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.

    • Bugfix: If a Host or TLSContext contained a hostname with a : when using the diagnostics endpoints ambassador/v0/diagd then an error would be thrown due to the parsing logic not being able to handle the extra colon. This has been fixed and Emissary-ingress will not throw an error when parsing envoy metrics for the diagnostics user interface.

    • Feature: It is now possible to set custom_tags in the TracingService. Trace tags can be set based on literal values, environment variables, or request headers. (Thanks to Paul!) (#4181)

    • Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS termination configuration comes from.

    • Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but didn't make much sense. You can now use a TLSContext without a Hostas in Emissary-ingress 1.y releases, or a Host with or without a TLSContext as in prior 2.y releases.

    • Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot be used on the same port that HTTP is served on, even if TLS+SNI would make this possible. Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts, as long as that Listener terminates TLS.

    • Security: Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.

    Source code(tar.gz)
    Source code(zip)
  • chart/v8.2.0(Sep 27, 2022)

    :tada: Emissary Ingress Chart 8.2.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    • Upgrade Emissary to v3.2.0 CHANGELOG

    • Bugfix: The default Role configuration of the Ambassador Agent Deployment will allow it to correctly watch Secret resources for Ambassador Cloud tokens.

    Source code(tar.gz)
    Source code(zip)
  • v2.4.0(Sep 19, 2022)

    :tada: Emissary Ingress 2.4.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.4.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Feature: Previously the Host resource could only use secrets that are in the namespace as the Host. The tlsSecret field in the Host has a new subfield namespace that will allow the use of secrets from different namespaces.

    • Change: Set AMBASSADOR_EDS_BYPASS to true to bypass EDS handling of endpoints and have endpoints be inserted to clusters manually. This can help resolve with 503 UH caused by certification rotation relating to a delay between EDS + CDS. The default is false.

    • Bugfix: Previously, setting the stats_name for the TracingService, RateLimitService or the AuthService would have no affect because it was not being properly passed to the Envoy cluster config. This has been fixed and the alt_stats_name field in the cluster config is now set correctly. (Thanks to Paul!)

    • Feature: The AMBASSADOR_RECONFIG_MAX_DELAY env var can be optionally set to batch changes for the specified non-negative window period in seconds before doing an Envoy reconfiguration. Default is "1" if not set.

    • Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that uses SNI, instead of using the hostname glob in the TCPMapping, uses the hostname glob in the Host that the TLS termination configuration comes from.

    • Bugfix: Emissary-ingress 2.0.0 introduced a bug where a TCPMapping that terminates TLS must have a corresponding Host that it can take the TLS configuration from. This was semi-intentional, but didn't make much sense. You can now use a TLSContext without a Hostas in Emissary-ingress 1.y releases, or a Host with or without a TLSContext as in prior 2.y releases.

    • Bugfix: Prior releases of Emissary-ingress had the arbitrary limitation that a TCPMapping cannot be used on the same port that HTTP is served on, even if TLS+SNI would make this possible. Emissary-ingress now allows TCPMappings to be used on the same Listener port as HTTP Hosts, as long as that Listener terminates TLS.

    Source code(tar.gz)
    Source code(zip)
  • chart/v7.5.0(Sep 19, 2022)

    :tada: Emissary Ingress Chart 7.5.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • v3.1.0(Aug 1, 2022)

    :tada: Emissary Ingress 3.1.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.1.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Feature: The agent is now able to parse api contracts using swagger 2, and to convert them to OpenAPI 3, making them available for use in the dev portal.

    • Feature: Adds a new command to the agent directive service to manage secrets. This allows a third party product to manage CRDs that depend upon a secret.

    • Feature: Add additional pprof endpoints to allow for profiling Emissary-ingress:

      • CPU profiles (/debug/pprof/profile)
      • tracing (/debug/pprof/trace)
      • command line running (/debug/pprof/cmdline)
      • program counters (/debug/pprof/symbol)
    • Change: In the standard published .yaml files, the Module resource enables serving remote client requests to the :8877/ambassador/v0/diag/ endpoint. The associated Helm chart release also now enables it by default.

    • Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure that all the nodes composing the emissary ingress cluster are reporting properly.

    • Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.

    • Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, CVE-2022-27780.

    • Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.

    • Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458

    Source code(tar.gz)
    Source code(zip)
  • v2.3.2(Aug 1, 2022)

    :tada: Emissary Ingress 2.3.2 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.2/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Bugfix: A regression was introduced in 2.3.0 causing the agent to miss some of the metrics coming from emissary ingress before sending them to Ambassador cloud. This issue has been resolved to ensure that all the nodes composing the emissary ingress cluster are reporting properly.

    • Security: Updated Golang to 1.17.12 to address the CVEs: CVE-2022-23806, CVE-2022-28327, CVE-2022-24675, CVE-2022-24921, CVE-2022-23772.

    • Security: Updated Curl to 7.80.0-r2 to address the CVEs: CVE-2022-32207, CVE-2022-27782, CVE-2022-27781, CVE-2022-27780.

    • Security: Updated openSSL-dev to 1.1.1q-r0 to address CVE-2022-2097.

    • Security: Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458

    Source code(tar.gz)
    Source code(zip)
  • chart/v8.1.0(Aug 1, 2022)

    :tada: Emissary Ingress Chart 8.1.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • chart/v7.4.2(Aug 1, 2022)

    :tada: Emissary Ingress Chart 7.4.2 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    • Update Emissary chart image to version v2.3.2 CHANGELOG
    Source code(tar.gz)
    Source code(zip)
  • v3.0.0(Jun 28, 2022)

    :tada: Emissary Ingress 3.0.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v3.0.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    Source code(tar.gz)
    Source code(zip)
  • chart/v8.0.0(Jun 28, 2022)

    :tada: Emissary Ingress Chart 8.0.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    • Change: The default for the module value has changed to disable the /ambassador/v0/127.0.0.1:8877 synthetic Mapping by default. We have long recommended to turn this off for production use; it is now off by default.

    • Bugfix: The default values no trigger the creation of an "emissary-test-ready" Pod. This Pod was meant to only be created when running the chart's test suite; it was not meant to be created in users' clusters.

    Source code(tar.gz)
    Source code(zip)
  • v1.14.4(Jun 13, 2022)

    :tada: Ambassador 1.14.4 :tada:

    Ambassador is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal redirects, and does not use Envoy's built-in OAuth2 filter.
    Source code(tar.gz)
    Source code(zip)
  • chart/v6.9.5(Jun 13, 2022)

    :tada: Ambassador Chart 6.9.5 :tada:

    Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md


    • Update Ambassador API Gateway chart image to version v1.14.4: CHANGELOG
    • Update Ambassador Edge Stack chart image to version v1.14.4: CHANGELOG
    Source code(tar.gz)
    Source code(zip)
  • v2.3.1(Jun 10, 2022)

    :tada: Emissary Ingress 2.3.1 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.1/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Bugfix: A regression was introduced in 2.3.0 that leaked zipkin default config fields into the configuration for the other drivers (lightstep, etc...). This caused Emissary-ingress to crash on startup. This issue has been resolved to ensure that the defaults are only applied when driver is zipkin (#4267)

    • Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal redirects, and does not use Envoy's built-in OAuth2 filter.

    Source code(tar.gz)
    Source code(zip)
  • chart/v7.4.1(Jun 10, 2022)

    :tada: Emissary Ingress Chart 7.4.1 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • v2.3.0(Jun 6, 2022)

    :tada: Emissary Ingress 2.3.0 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.3.0/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Security: Completely remove gdbm, pip, smtplib, and sqlite packages, as they are unused.

    • Feature: It is now possible to set propagation_modes in the TracingService config when using lightstep as the driver. (Thanks to Paul!) (#4179)

    • Feature: It is now possible to set crl_secret in Host and TLSContext resources to check peer certificates against a certificate revocation list. (#1743)

    • Feature: Previously, a LogService would always have Emissary-ingress communicate with the external log service using the envoy.service.accesslog.v2.AccessLogService API. It is now possible for the LogService to specify protocol_version: v3 to use the newer envoy.service.accesslog.v3.AccessLogService API instead. This functionality is not available if you set the AMBASSADOR_ENVOY_API_VERSION=V2 environment variable.

    • Bugfix: When CORS is specified (either in a Mapping or in the Ambassador Module), CORS processing will happen before authentication. This corrects a problem where XHR to authenticated endpoints would fail.

    • Bugfix: In 2.x releases of Emissary-ingress when there are multiple Mappings that have the same metadata.name across multiple namespaces, their old config would not properly be removed from the cache when their config was updated. This resulted in an inability to update configuration for groups of Mappings that share the same name until the Emissary-ingress pods restarted.

    • Bugfix: It is now possible for a TracingService to specify collector_endpoint_version: HTTP_JSON_V1 when using xDS v3 to configure Envoy (which has been the default since Emissary-ingress 1.14.0). The HTTP_JSON_V1 value configures Envoy to speak to Zipkin using Zipkin's old API-v1, while the HTTP_JSON value configures Envoy to speak to Zipkin using Zipkin's new API-v2. In previous versions of Emissary-ingress it was only possible to use HTTP_JSON_V1 when explicitly setting the AMBASSADOR_ENVOY_API_VERSION=V2 environment variable to force use of xDS v2 to configure Envoy.

    Source code(tar.gz)
    Source code(zip)
  • chart/v7.4.0(Jun 6, 2022)

    :tada: Emissary Ingress Chart 7.4.0 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    • Update change Emissary chart image to version v2.3.0 CHANGELOG
    • Add "lifecycle" option to main container. This can be used, for example, to add a lifecycle.preStop hook. Thanks to Eric Totten for the contribution!
    • Add ambassador_id to listener manifests rendered when using createDefaultListeners: true with AMBASSADOR_ID set in environment variables. Thanks to Jennifer Reed for the contribution!
    • Feature: Added configurable IngressClass resource to be compliant with Kubernetes 1.22+ ingress specification.
    Source code(tar.gz)
    Source code(zip)
  • v2.2.2(Feb 25, 2022)

    :tada: Emissary Ingress 2.2.2 :tada:

    Emissary Ingress is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/v2.2.2/CHANGELOG.md Get started with Emissary on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Change: You may now choose to enable TLS Secret validation by setting the AMBASSADOR_FORCE_SECRET_VALIDATION=true environment variable. The default configuration does not enforce secret validation.

    • Bugfix: Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now properly validated. (4134)

    Source code(tar.gz)
    Source code(zip)
  • v1.14.3(Feb 25, 2022)

    :tada: Ambassador 1.14.3 :tada:

    Ambassador is an open source, Kubernetes-native microservices API gateway built on the Envoy Proxy.

    Upgrade Ambassador - https://www.getambassador.io/reference/upgrading.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/CHANGELOG.md Get started with Ambassador on Kubernetes - https://www.getambassador.io/user-guide/getting-started

    • Security: Upgraded Envoy to address security vulnerabilities CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, and CVE-2022-21655.
    Source code(tar.gz)
    Source code(zip)
  • chart/v7.3.2(Feb 25, 2022)

    :tada: Emissary Ingress Chart 7.3.2 :tada:

    Upgrade Emissary - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md


    Source code(tar.gz)
    Source code(zip)
  • chart/v6.9.4(Feb 25, 2022)

    :tada: Ambassador Chart 6.9.4 :tada:

    Upgrade Ambassador - https://www.getambassador.io/reference/upgrading#helm.html View changelog - https://github.com/datawire/ambassador/blob/master/charts/ambassador/CHANGELOG.md


    • Update Ambassador API Gateway chart image to version v1.14.3: CHANGELOG
    • Update Ambassador Edge Stack chart image to version v1.14.3: CHANGELOG
    Source code(tar.gz)
    Source code(zip)
A cpp project template that uses CMake to build and Google Test / Github Actions to provide a CI

A cpp project template that uses CMake to build and Google Test / Github Actions to provide a CI

Martin Olivier 6 Nov 17, 2022
A Python Implementation for Git for learning

A pure Python implementation for Git based on Buliding Git

shidenggui 42 Jul 13, 2022
A Blazing fast Security Auditing tool for Kubernetes

A Blazing fast Security Auditing tool for kubernetes!! Basic Overview Kubestriker performs numerous in depth checks on kubernetes infra to identify th

Vasant Chinnipilli 934 Jan 04, 2023
HXVM - Check Host compatibility with the Virtual Machines

HXVM - Check Host compatibility with the Virtual Machines. Features | Installation | Usage Features Takes input from user to compare how many VMs they

Aman Srivastava 4 Oct 15, 2022
Project 4 Cloud DevOps Nanodegree

Project Overview In this project, you will apply the skills you have acquired in this course to operationalize a Machine Learning Microservice API. Yo

1 Nov 21, 2021
Ganeti is a virtual machine cluster management tool built on top of existing virtualization technologies such as Xen or KVM and other open source software.

Ganeti 3.0 =========== For installation instructions, read the INSTALL and the doc/install.rst files. For a brief introduction, read the ganeti(7) m

395 Jan 04, 2023
Ansible for DevOps examples.

Ansible for DevOps Examples This repository contains Ansible examples developed to support different sections of Ansible for DevOps, a book on Ansible

Jeff Geerling 6.6k Jan 08, 2023
DAMPP (gui) is a Python based program to run simple webservers using MySQL, Php, Apache and PhpMyAdmin inside of Docker containers.

DAMPP (gui) is a Python based program to run simple webservers using MySQL, Php, Apache and PhpMyAdmin inside of Docker containers.

Sehan Weerasekara 1 Feb 19, 2022
This projects provides the documentation and the automation(code) for the Oracle EMEA WLA COA Demo UseCase.

COA DevOps Training UseCase This projects provides the documentation and the automation(code) for the Oracle EMEA WLA COA Demo UseCase. Demo environme

Cosmin Tudor 1 Jan 28, 2022
Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Weaveworks 1.1k Dec 30, 2022
A little script and trick to make your heroku app run forever without being concerned about dyno hours.

A little script and trick to make your heroku app run forever without being concerned about dyno hours.

Tiararose Biezetta 152 Dec 25, 2022
Bash-based Python-venv convenience wrapper

venvrc Bash-based Python-venv convenience wrapper. Demo Install Copy venvrc file to ~/.venvrc, and add the following line to your ~/.bashrc file: # so

1 Dec 29, 2022
A lobby boy will create a VPS server when you need one, and destroy it after using it.

Lobbyboy What is a lobby boy? A lobby boy is completely invisible, yet always in sight. A lobby boy remembers what people hate. A lobby boy anticipate

226 Dec 29, 2022
Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes with high velocity and confidence.

Welcome to the Spinnaker Project Spinnaker is an open-source continuous delivery platform for releasing software changes with high velocity and confid

8.8k Jan 07, 2023
CTF infrastructure deployment automation tool.

CTF infrastructure deployment automation tool. Focus on the challenges. Mirrored from

Fake News 1 Apr 12, 2022
🐳 RAUDI: Regularly and Automatically Updated Docker Images

🐳 RAUDI: Regularly and Automatically Updated Docker Images RAUDI (Regularly and Automatically Updated Docker Images) automatically generates and keep

SecSI 534 Dec 29, 2022
Caboto, the Kubernetes semantic analysis tool

Caboto Caboto, the Kubernetes semantic analysis toolkit. It contains a lightweight Python library for semantic analysis of plain Kubernetes manifests

Michael Schilonka 8 Nov 26, 2022
MicroK8s is a small, fast, single-package Kubernetes for developers, IoT and edge.

MicroK8s The smallest, fastest Kubernetes Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux. Perfect for: Deve

Ubuntu 7.1k Jan 08, 2023
Self-hosted, easily-deployable monitoring and alerts service - like a lightweight PagerDuty

Cabot Maintainers wanted Cabot is stable and used by hundreds of companies and individuals in production, but it is not actively maintained. We would

Arachnys 5.4k Dec 23, 2022
Tools and Docker images to make a fast Ruby on Rails development environment

Tools and Docker images to make a fast Ruby on Rails development environment. With the production templates, moving from development to production will be seamless.

1 Nov 13, 2022