Skip to content

Latest commit

 

History

History
625 lines (457 loc) · 46.6 KB

CHANGELOG.md

File metadata and controls

625 lines (457 loc) · 46.6 KB

Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Unreleased

3.5.0 - 2019-05-07

3.5.0-beta1 was considered final and became 3.5.0.

3.5.0-beta1 - 2019-03-12

Changed

  • Improve startup time by improving templating performance and caching filesystem access PR #964
  • Liquid default filter now does not override false values PR #964

Fixed

  • Fix 3scale Batcher policy failing to cache and report requests containing app ID only PR #956, THREESCALE-1515
  • Auths against the 3scale backend are now retried when using the 3scale batching policy PR #961
  • Fix timeouts when proxying POST requests to an HTTPS upstream using HTTPS_PROXY PR #978, THREESCALE-1781
  • The APIcast policy now ensures that its post-action phase only runs when its access phase ran. Not ensuring this was causing a bug that was triggered when combining the APIcast policy with some policies that can deny the request, such as the IP check one. In certain cases, APIcast reported to the 3scale backend in its post-action phase even when other policies denied the request with a 4xx error. PR #985

Added

  • "Matches" operation that can be used when defining conditionals PR #975
  • New routing policy that selects an upstream based on the request path, a header, a query argument, or a jwt claim PR #976, PR #983, PR #984, THREESCALE-1709
  • Added "last" attribute in the mapping rules. When set to true indicates that, if the rule matches, APIcast should not try to match the rules placed after this one PR #982, THREESCALE-1344
  • Added TLS Validation policy to verify TLS Client Certificate against a whitelist. PR #966, THREESCALE-1671
  • New CLI command "push_policy" that pushes a policy schema to the 3scale admin portal PR #986, PR #992, THREESCALE-871
  • Added support for experimental standalone YAML configuration PR #926
  • Environment files now can use global context variable to share data PR #964
  • Added service id and service name headers in debug context PR #987

Changed

  • The modules used to build conditions have been extracted from the conditional policy so they can be used from other policies PR #974.

3.4.0 - 2018-12-11

3.4.0-rc2 was considered final and became 3.4.0.

3.4.0-rc2 - 2018-11-16

Fixed

  • Fix bug in the Default credentials policy. It was using the default credentials in some cases where it should not PR #954, THREESCALE-1547

3.4.0-rc1 - 2018-11-13

Fixed

  • Fix "nil" being added to the end of URL Path in some cases when using http_proxy PR #946

3.4.0-beta1 - 2018-10-24

Fixed

  • Fix APICAST_PROXY_HTTPS_PASSWORD_FILE and APICAST_PROXY_HTTPS_SESSION_REUSE parameters for Mutual SSL PR #927
  • The "allow" mode of the caching policy now accepts the request when it's authorization is not cached PR #934, THREESCALE-1396
  • When using SSL certs with path-based routing enabled, now APIcast falls backs to host-based routing instead of crashing PR #938, THREESCALE-1430
  • Fixed error that happened when loading certain configurations that use OIDC PR #940, THREESCALE-1289
  • The port is now included in the Host header when the request is proxied PR #942

Added

Changed

  • The threescale_backend_calls Prometheus metric now includes the response (used to be in backend_response) and also the kind of call (auth, authrep, report) PR #919, THREESCALE-1383
  • Performance improvement: replaced some varargs in hot paths PR #937

3.3.0 - 2018-10-05

3.3.0-cr2 was considered final and became 3.3.0.

  • The configuration schema of the rate-limit policy has changed from 3.2.0 so if you were using it, please adapt your configuration file accordingly.
  • The Native OAuth 2.0 flow is deprecated. Please consider using the OIDC integration instead.
  • The new conditional policy is considered experimental. The way conditions are expressed might change in future releases.

3.3.0-cr2 - 2018-09-25

Fixed

3.3.0-cr1 - 2018-09-14

Fixed

  • Set default errlog level when APICAST_LOG_LEVEL is empty PR #868
  • Correct JWT validation according to RFC 7523 Section 3. Like not required nbf claim. THREESCALE-583
  • Mismatch in OIDC issuer when loading configuration through a configuration file PR #872
  • When the 3scale referrer filters was enabled, cached requests were not handled correctly PR #875
  • Invalid SNI when connecting to 3scale backend over HTTPS THREESCALE-1269
  • Fix handling --pid and --signal on the CLI PR #880
  • Some policies did not have access to the vars exposed when using Liquid (uri, path, etc.) PR #891
  • Fix error when loading certain configurations that use OIDC PR #893
  • Fix error that appeared when combining the liquid context debug policy with policies that contain liquid templates PR #895
  • Thread safety issues when rendering Liquid templates PR #896

Added

  • Expose http_method in Liquid PR #888
  • Print error message when OIDC configuration is missing for a request PR #894
  • Print whole stderr in 4k chunks when executing external commands PR #894

3.3.0-beta2 - 2018-09-03

Fixed

  • Capture permission errors when searching for files on filesystem PR #865

3.3.0-beta1 - 2018-08-31

Added

Changed

  • THREESCALE_PORTAL_ENDPOINT and THREESCALE_CONFIG_FILE are not required anymore PR #702
  • The scope of the Rate Limit policy is service by default PR #704
  • Decoded JWTs are now exposed in the policies context by the APIcast policy PR #718
  • Upgraded OpenResty to 1.13.6.2, uses OpenSSL 1.1 PR #733
  • Use forked resty.limit.count that uses increments instead of decrements PR #758, PR 843
  • Rate Limit policy to take into account changes in the config PR #703
  • The regular expression for mapping rules has been changed, so that special characters are accepted in the wildcard values for path PR #714
  • Call init and init_worker on all available policies regardless they are used or not PR #770
  • Cache loaded policies. Loading one policy several times will use the same instance PR #770
  • Load all policies into cache when starting APIcast master process. PR #770
  • init and init_worker phases are executed on the policy module, not the instance of a policy with a configuration PR #770
  • timer_resolution set only in development environment PR #815
  • The rate-limit policy, when redis_url is empty, now applies per-gateway limits instead of trying to use a localhost Redis PR #842
  • Changed the display name of some policies. This only affects how the name shows in the UI THREESCALE-1232

Fixed

  • Do not crash when initializing unreachable/invalid DNS resolver PR #730
  • Reporting only 50% calls to 3scale backend when using OIDC PR #774, THREESCALE-1080
  • Building container image on OpenShift 3.9 PR #810, THREESCALE-1138
  • Rate Limit policy to define multiple limiters of the same type PR #825
  • Fix exclusiveMinimum field for conn property in the rate-limit JSON schema PR #832
  • Skip invalid policies in the policy chain PR #854

3.2.1 - 2018-06-26

Changed

  • APICAST_BACKEND_CACHE_HANDLER environment variable is now deprecated. Use caching policy instead. APICAST_CUSTOM_CONFIG, APICAST_MODULE environment variables are now deprecated. Use policies instead. PR #746, THREESCALE-1034
  • Path routing feature enabled by the APICAST_PATH_ROUTING environment variable is not considered experimental anymore.

Fixed

  • Reporting only 50% calls to 3scale backend when using OIDC PR #779

3.2.0 - 2018-06-04

3.2.0-rc2 was considered final and became 3.2.0.

3.2.0-rc2 - 2018-05-11

Added

  • Default value for the caching_type attribute of the caching policy config schema #691, THREESCALE-845

Fixed

  • Fixed set of valid values for the exit param of the Echo policy PR #684

Changed

  • The schema of the rate-limit policy has been adapted so it can be rendered by react-jsonschema-form, a library used in the 3scale UI. This is a breaking change. PR #696, THREESCALE-888
  • The upstream policy now performs the rule matching in the rewrite phase. This allows combining it with the URL rewriting policy – upstream policy regex will be matched against the original path if upstream policy is placed before URL rewriting in the policy chain, and against the rewritten path otherwise PR #690, THREESCALE-852

3.2.0-rc1 - 2018-04-24

Added

Fixed

  • export() now works correctly in policies of the local chain PR #673
  • caching policy now works correctly when placed after the apicast policy in the chain PR #674
  • OpenTracing support PR #669

Changed

  • descriptions in oneOfs in policy manifests have been replaced with titles PR #663
  • resty.balancer doesn't fall back to the port 80 by default. If the port is missing, apicast.balancer sets the default port for the scheme of the proxy_pass URL PR #662

3.2.0-beta3 - 2018-03-20

Fixed

  • ljsonschema is only used in testing but was required in production also PR #660

3.2.0-beta2 - 2018-03-19

Added

  • New property summary in the policy manifests PR #633
  • OAuth2.0 Token Introspection policy PR #619
  • New metrics phase that runs when prometheus is collecting metrics PR #629
  • Validation of policy configs both in integration and unit tests PR #646
  • Option to avoid refreshing the config when using the lazy loader with APICAST_CONFIGURATION_CACHE < 0 PR #657

Fixed

  • Error loading policy chain configuration JSON with null value PR #626
  • Splitted resolv.conf in lines,to avoid commented lines PR #618
  • Avoid nameserver repetion from RESOLVER variable and resolv.conf file PR #636
  • Bug in URL rewriting policy that ignored the commands attribute in the policy manifest PR #641
  • Skip comentaries after search values in resolv.conf PR #635
  • Bug that prevented using CONFIGURATION_CACHE_LOADER=boot without specifying APICAST_CONFIGURATION_CACHE in staging PR #651, THREESCALE-756.
  • typ is verified when it's present in keycloak tokens PR #658

Changed

  • summary is now required in policy manifests PR #655

3.2.0-beta1 - 2018-02-20

Added

  • Definition of JSON schemas for policy configurations PR #522, PR #601
  • URL rewriting policy PR #529, THREESCALE-618
  • Liquid template can find files in current folder too PR #533
  • bin/apicast respects APICAST_OPENRESTY_BINARY and TEST_NGINX_BINARY environment PR #540
  • Caching policy PR #546, PR #558, THREESCALE-587, THREESCALE-550
  • New phase: content for generating content or getting the upstream response PR #535
  • Upstream policy PR #562, THREESCALE-296
  • Policy JSON manifest PR #565
  • SOAP policy PR #567, THREESCALE-553
  • Ability to set custom directories to load policies from PR #581
  • CLI is running with proper log level set by APICAST_LOG_LEVEL PR #585
  • 3scale configuration (staging/production) can be passed as -3 or --channel on the CLI PR #590
  • APIcast CLI loads environments defined by APICAST_ENVIRONMENT variable PR #590
  • Endpoint in management API to retrieve all the JSON manifests of the policies PR #592
  • Development environment (--dev) starts with Echo policy unless some configuration is passed PR #593
  • Added support for passing whole configuration as Data URL PR #593
  • More complete global environment when loading environment policies PR #596
  • Support for Client Certificate authentication with upstream servers PR #610, THREESCALE-328

Fixed

  • Detecting local rover installation from the CLI PR #519
  • Use more command instead of which to work in plain shell PR #521
  • Fixed rockspec so APIcast can be installed by luarocks PR #523, PR #538
  • Fix loading renamed APIcast code PR #525
  • Fix apicast command when installed from luarocks PR #527
  • Fix lua docs formatting in the CORS policy PR #530
  • post_action phase not being called in the policy_chain PR #539
  • Failing to execute libexec/boot on some systems PR #544
  • Detect number of CPU cores in containers by using nproc PR #554
  • Running with development config in Docker PR #555
  • Fix setting twice the headers in a pre-flight request in the CORS policy PR #570
  • Fix case where debug headers are returned without enabling the option PR #577
  • Fix errors loading openresty libraries when rover is active PR #598
  • Passthrough "invalid" headers PR #612, THREESCALE-630
  • Fix using relative path for access and error log THREESCALE-1090

Changed

  • Consolidate apicast-0.1-0.rockspec into apicast-scm-1.rockspec PR #526
  • Deprecated Configuration.extract_usage in favor of Service.get_usage PR #531
  • Extract Test::APIcast to own package on CPAN PR #528
  • Load policies by the APIcast loader instead of changing load path PR #532, PR #536
  • Add src directory to the Lua load path when using CLI PR #533
  • Move rejection reason parsing from CacheHandler to Proxy PR #541
  • Propagate full package.path and cpath from the CLI to Nginx PR #538
  • post_action phase now shares ngx.ctx with the main request PR #539
  • Decrease nginx timer resolution to improve performance and enable PCRE JIT PR #543
  • Moved proxy_pass into new internal location @upstream PR #535
  • Split 3scale authorization to rewrite and access phase PR #556
  • Extract mapping_rule module from the configuration module PR #571
  • Renamed apicast/policy/policy.lua to apicast/policy.lua PR #569
  • Sandbox loading policies PR #566
  • Extracted usage and mapping_rules_matcher modules so they can be used from policies PR #580
  • Renamed all apicast/policy/*/policy.lua to apicast/policy/*/init.lua to match Lua naming PR #579
  • Environment configuration can now define the configuration loader or cache PR #590.
  • APIcast starts with "boot" configuration loader by default (because production is the default environment) PR #590.
  • Deprecated APICAST_SERVICES in favor of APICAST_SERVICES_LIST but provides backwards compatibility PR #549
  • Deprecated APICAST_PATH_ROUTING_ENABLED in favor of APICAST_PATH_ROUTING but provides backwards compatibility PR #549

3.2.0-alpha2 - 2017-11-30

Added

  • New policy chains system. This allows users to write custom policies to configure what Apicast can do on each of the Nginx phases PR #450, THREESCALE-553
  • Resolver can resolve nginx upstreams PR #478
  • Add resolver directive in the nginx configuration PR #508
  • Calls 3scale backend with the 'no_body' option enabled. This reduces network traffic in cases where APIcast does not need to parse the response body PR #483
  • Methods to modify policy chains PR #505
  • Ability to load several environment configurations PR #504
  • Ability to configure policy chain from the environment configuration PR #496
  • Load environment variables defined in the configuration PR #507
  • Allow configuration of the echo/management/fake backend ports PR #506
  • Headers policy PR #497, THREESCALE-552
  • CORS policy PR #487, THREESCALE-279
  • Detect number of CPU shares when running on Kubernetes PR #600

Changed

  • Namespace all APIcast code in apicast folder. Possible BREAKING CHANGE for some customizations. PR #486
  • CLI ignores environment variables that are empty strings PR #504

Fixed

  • Loading installed luarocks from outside rover PR #503
  • Support IPv6 addresses in /etc/resolv.conf PR #511
  • Fix possible 100% CPU usage when starting APIcast and manipulating filesystem PR #547

3.2.0-alpha1

Added

  • Experimental option for true out of band reporting (APICAST_REPORTING_WORKERS) PR #290, THREESCALE-365
  • /status/info endpoint to the Management API PR #290
  • /_threescale/healthz endpoint returns a success status code, this is used for health checking in kubernetes environments PR #285
  • Usage limit errors are now configurable to distinguish them from other authorization errors PR #453, THREESCALE-638.
  • Templating nginx configuration with liquid. PR #449

Changed

  • Upgraded to OpenResty 1.11.2.5-1 PR #428
  • /oauth/token endpoint returns an error status code, when the access token couldn't be stored in 3scale backend PR #436]
  • URI params in POST requests are now taken into account when matching mapping rules PR #437
  • Increased number of background timers and connections in the cosocket pool PR #290
  • Make OAuth tokens TTL configurable PR #448
  • Detect when being executed in Test::Nginx and use default backend accordingly PR #458
  • Update the s2i-openresty image to have the same path (/opt/app-root/src) in all images PR #460
  • Launcher scripts are now Perl + Lua instead of Shell PR #449
  • Unify how to connect to 3scale backend PR #456
  • Upgraded OpenResty to 1.13.6.1 PR #480, THREESCALE-362

Fixed

  • Request headers are not passed to the backend, preventing sending invalid Content-Type to the access token store endpoint PR #433, THREESCALE-372
  • Live and ready endpoints now set correct Content-Type header in the responsePR #441, THREESCALE-377

3.1.0 - 2017-10-27

  • 3.1.0-rc2 was considered final and became 3.1.0.

3.1.0-rc2 - 2017-09-29

Fixed

  • Request headers are not passed to the backend, preventing sending invalid Content-Type to the access token store endpoint PR #433

3.1.0-rc1 - 2017-09-14

Added

  • Support for extending APIcast location block with snippets of nginx configuration PR #407

Fixed

  • Crash on empty OIDC Issuer endpoint PR #408
  • Handle partial credentials PR #409
  • Crash when configuration endpoint was missing PR #417
  • Fix double queries to not fully qualified domains PR #419
  • Fix caching DNS queries with scope (like on OpenShift) PR #420

Changed

  • THREESCALE_DEPLOYMENT_ENV defaults to production PR #406
  • OIDC is now used based on settings on the API Manager PR #405
  • No limit on body size from the client sent to the server PR #410
  • Print module loading errors only when it failed to load PR #415
  • bin/busted rewritten to support different working directories PR #418
  • dnsmasq started in docker will not forward queries without domain PR #421

3.1.0-beta2 - 2017-08-21

Added

  • Ability to configure how to cache backend authorizations PR #396

Fixed

3.1.0-beta1 - 2017-07-21

Fixed

Changed

  • APIcast module balancer method now accepts optional balancer PR #362
  • Extracted lua-resty-url PR #384
  • Extracted lua-resty-env PR #386
  • Do not load all services when APICAST_SERVICES is set PR #388

Added

Removed

  • Keycloak / RH SSO integration replaced with OIDC PR #382

3.1.0-alpha1 - 2017-05-05

Changed

Added

  • Experimental caching proxy to the http client PR #357

Changed

  • Print better errors when module loading fails PR #360

3.0.0 - 2017-04-04

Added

  • Support for loading configration from custom URL PR #323
  • Turn on SSL/TLS validation by OPENSSL_VERIFY environment variable PR #332
  • Load trusted CA chain certificates PR #332
  • Support HTTP Basic authentication for client credentials when authorizing with RH-SSO PR #336
  • Show more information about the error when the module load fails PR #348

Changed

  • Use RESOLVER before falling back to resolv.conf PR #324
  • Improve error logging when failing to download configuration PR #335
  • Service hostnames are normalized to lower case PR #336
  • Don't attempt to perform post_action when request was handled without authentication PR #343
  • Store authorization responses with a ttl, if sent PR #341

Fixed

  • Do not return stale service configuration when new one is available PR #333
  • Memory leak in every request PR #339
  • Remove unnecessary code and comments PR #344
  • JWT expiry not taken into account in authorization response cache PR #283 / Issue #309 / Fixed by PR #341
  • Memory leak in round robin balancer PR #345
  • Error when trying to determine status of failed request when downloading configuration PR #350

3.0.0-beta3 - 2017-03-20

Changed

  • Use per request configuration when cache is disabled PR #289
  • Automatically expose all environment variables starting with APICAST_ or THREESCALE_ to nginx PR #292
  • Error log to show why downloading configuration failed PR #306

Added

  • Backend HTTP client that uses cosockets PR #295
  • Ability to customize main section of nginx configuration (and expose more env variables) PR #292
  • Ability to lock service to specific configuration version PR #293
  • Ability to use Redis DB and password via REDIS_URL PR #303
  • Ability to Authenticate against API using RHSSO and OpenID Connect PR #283

Fixed

  • http_ng client supports auth passsed in the url, and default client options if the request options are missing for methods with body (POST, PUT, etc.) PR #310
  • Fixed lazy configuration loader to recover from failures PR #313
  • Fixed undefined variable p in post_action PR #316
  • Fixed caching of negative ttl by dnsmasq PR #318

Removed

  • Removed support for sending Request logs PR #296
  • Support for parallel DNS query PR #311

Known Issues

  • JWT expiry not taken into account in authorization response cache PR #283 / Issue #309

3.0.0-beta2 - 2017-03-08

Fixed

  • Reloading of configuration with every request when cache is disabled PR #287
  • Auth caching is not used when OAuth method is used PR #304

3.0.0-beta1 - 2017-03-03

Changed

  • Lazy load DNS resolver to improve performance PR #251
  • Execute queries to all defined nameservers in parallel PR #260
  • RESOLVER ENV variable overrides all other nameservers detected from /etc/resolv.conf PR #260
  • Use stale DNS cache when there is a query in progress for that record PR #260
  • Bump s2i-openresty to 1.11.2.2-2 PR #260
  • Echo API on port 8081 listens accepts any Host PR #268
  • Always use DNS search scopes PR #271
  • Reduce use of global objects PR #273
  • Configuration is using LRU cache PR #274
  • Management API not opened by default PR #276
  • Management API returns ready status with no services PR #

Added

  • Danger bot to check for consistency in Pull Requests PR #265
  • Start local caching DNS server in the container PR #260
  • Management API to show the DNS cache PR #260
  • Extract correct Host header from the backend endpoint when backend host not provided PR #267
  • APICAST_CONFIGURATION_CACHE environment variable PR #270
  • APICAST_CONFIGURATION_LOADER environment variable PR #270

Removed

  • Support for downloading configuration via curl PR #266
  • AUTO_UPDATE_INTERVAL environment variable PR #270
  • APICAST_RELOAD_CONFIG environment variable PR #270
  • APICAST_MISSING_CONFIGURATION environment variable PR #270

3.0.0-alpha2 - 2017-02-06

Added

  • A way to override backend endpoint PR #248

Changed

  • Cache all calls to os.getenv via custom module PR #231
  • Bump s2i-openresty to 1.11.2.2-1 PR #239
  • Use resty-resolver over nginx resolver for HTTP PR #237
  • Use resty-resolver over nginx resolver for Redis PR #237
  • Internal change to reduce global state PR #233

Fixed

  • [OAuth] Return correct state value back to client

Removed

  • Nginx resolver directive auto detection. Rely on internal DNS resolver PR #237

3.0.0-alpha1 - 2017-01-16

Added

  • A CHANGELOG.md to track important changes
  • User-Agent header with APIcast version and system information PR #214
  • Try to load configuration from V2 API PR #193

Changed

  • Require openresty 1.11.2 PR #194
  • moved development from v2 branch to master PR #209
  • X-3scale-Debug HTTP header now uses Service Token PR #217

2.0.0 - 2016-11-29

Changed

  • Major rewrite using JSON configuration instead of code generation.