Apigee Adapter for Envoy release notes

v1.4.0

On Wednesday, December 16, 2020, we released the version 1.4.0 of Apigee Adapter for Envoy.

Supported platforms

We publish binaries for MacOS, Linux, and Windows.

We publish docker images from Google's distroless, Ubuntu, and Ubuntu with Boring Crypto.

In this version we support the following platforms:

  • Apigee hybrid version 1.3.x, 1.4.x (release date pending), Apigee Edge for Public Cloud, Apigee Edge for Private Cloud, and Apigee on Google Cloud
  • Istio versions 1.5, 1.6, 1.7, 1.8
  • Envoy versions 1.14, 1.15, 1.16

Features and improvements

Feature Description
The remote-service proxy no longer requires association with an API product that uses Remote Service Targets.

Because this association is no longer required, note the following changes:

  • A remote-service API product is no longer created during provisioning.
  • The bindings verify CLI command is no longer relevant and has been deprecated.
The Apigee Organization Admin role is no longer required for provisioning.

Rather than require the org admin permission for provisioning, you can now use the IAM roles API Creator and Deployer instead. You must grant both of these roles to successfully provision.
(Applies to Apigee on Google Cloud and Apigee hybrid only)

Other issues and fixes

  • An issue was fixed where re-provisioning Apigee without the --rotate option exited with an error.
  • The provisioning CLI now reads and reuses the analytics service account credentials from a given config.yaml file (Issue #133).

v1.3.0

On Monday, November 23, we released the version 1.3.0 of Apigee Adapter for Envoy.

Supported platforms

We publish binaries for MacOS, Linux, and Windows.

We publish docker images from Google's distroless, Ubuntu, and Ubuntu with Boring Crypto.

In this version we support the following platforms:

  • Apigee hybrid version 1.3.x, 1.4.x (release date pending), Apigee Edge for Public Cloud, Apigee Edge for Private Cloud, and Apigee on Google Cloud
  • Istio versions 1.5, 1.6, 1.7, 1.8
  • Envoy versions 1.14, 1.15, 1.16

Features and improvements

Feature Description
Support for API product OperationGroups. OperationGroups bind the resources and associated quota enforcement in a proxy or remote service with HTTP methods.
(Applies to Apigee on Google Cloud and Apigee hybrid only)
Remove support for dynamic forward proxy from samples generation. Because of this change, clients must include the HOST header if the hostname is different from the remote service target host that is set in the API product. For example:
curl -i http://localhost:8080/httpbin/headers -H "HOST:httpbin.org"

See Create an API product.

Support service accounts and Workload Identity. To allow analytics data to be uploaded to Apigee when running the adapter outside an Apigee hybrid cluster, you must use the analytics-sa parameter with the apigee-remote-service-cli provision command. In addition, the adapter now supports Workload Identity on Google Kubernetes Engine (GKE). See Provision command.
(Applies to Apigee on Google Cloud and Apigee hybrid only)
New jwt_provider_key configuration attribute. This key is added to the config file. It represents the JWT provider's payload_in_metadata key in Envoy config or the RequestAuthentication JWT issuer in Istio config.
KeepAliveMaxConnectionAge configuration attribute now defaults to 1 minute. The previous default was 10 minutes. This change allows smoother scaling. This value is also used for the access log stream lifetime. See config file.
Removed CLI commands. The following CLI commands have been deprecated. We recommend that you use the Edge APIs instead to update remote service targets for API products:
  • apigee-remote-service-cli bindings add
  • apigee-remote-service-cli bindings remove
Added new CLI command. The command:
apigee-remote-service-cli samples templates

lists the available options that you can use with the --template flag in the samples create command. See CLI reference.

Changed existing CLI command. A change was made to the apigee-remote-service-cli samples create command. Flags specific to Envoy or Istio templates are strictly checked, and errors are returned on wrongly used flags. The native template option is deprecated. To get a list of available templates, use the apigee-remote-service-cli samples templates command. See also CLI reference.
The /token endpoint response now follows the OAuth2 spec. The access_token parameter was added to the response, and the token parameter is deprecated.

v1.2.0

On Wednesday, September 30, we released the version 1.2.0 of Apigee Adapter for Envoy.

Supported platforms

We publish binaries for MacOS, Linux, and Windows.

We publish docker images from Google's distroless, Ubuntu, and Ubuntu with Boring Crypto.

In this version we support the following platforms:

  • Apigee hybrid version 1.3.x
  • Istio versions 1.5, 1.6, 1.7
  • Envoy versions 1.14, 1.15

Features and improvements

Feature Description
Support for Apigee on Google Cloud You can now use Apigee Adapter for Envoy with Apigee on Google Cloud. You can run the adapter in its own cluster or by running the Remote Service for Envoy as a native binary or in a container. Provision the adapter on Apigee using the provision command.
Direct upload for analytics data You can now configure the Apigee Adapter to upload analytics data to Apigee directly. If you are using Apigee hybrid, this new feature makes it possible to deploy the adapter to its own Kubernetes cluster, outside of the cluster where Apigee hybrid is installed. To enable direct upload, use the new --analytics-sa flag with the provision command. See provision command.
Health check returns "Ready" after API product data is loaded from Apigee The Kubernetes health check will not return "Ready" until the API product data is loaded from Apigee. This change helps with scaling and upgrading, because no traffic will be sent to the newly instantiated adapter until it is ready.

Other issues and fixes

  • An issue was fixed to address a potential quota sync deadlock (Issue #17).
  • Prometheus annotations were moved to pod spec (Issue #69).
  • An issue was fixed to address improperly emitted verify errors (Issue #62).

v1.1.0

On Wednesday, August 26, we released the version 1.1.0 of Apigee Adapter for Envoy.

Supported platforms

We publish binaries for MacOS, Linux, and Windows.

We publish docker images from Google's distroless, Ubuntu, and Ubuntu with Boring Crypto.

In version 1.1.0 we support the following platforms:

  • Apigee hybrid version 1.3
  • Istio versions 1.5, 1.6, 1.7
  • Envoy versions 1.14, 1.15

Features and improvements

Feature Description
Verify bindings A new command apigee-remote-service-cli bindings verify was added to the CLI. This command verifies that the specified bound API product and its associated developer apps also have a remote service product associated with them. See Verify a binding.
Generate samples A new command apigee-remote-service-cli samples create was added to the CLI. This command creates sample configuration files for native Envoy or Istio deployments. The config files you generate with this command replace the sample files that were installed with the Adapter for Envoy in previous versions. See Samples command.
OAuth2 authentication The adapter now uses OAuth2 authentication when multi-factor auth (MFA) is enabled for Apigee Edge. Use the --mfa flag whenever you use the --legacy flag.
Distroless container The adapter now uses Google's distroless (gcr.io/distroless/base) image instead of scratch for the default Docker image base.

Other issues and fixes

  • A CLI issue was fixed for bindings commands in OPDK. (#29)
  • Quota could become stuck when connection lost (apigee/apigee-remote-service-envoy. (#31)
  • Docker images are now built with non-root user (999).
  • Kubernetes samples enforce the user must not be root.
  • The --http1.1 is no longer needed for curl commands against proxy endpoints. The flag has been removed from examples.

v1.0.0

On Friday, July 31, we released the GA version of Apigee Adapter for Envoy.

Supported platforms

We publish binaries for MacOS, Linux, and Windows.

We publish docker images from scratch, Ubuntu, and Ubuntu with Boring Crypto.

In version 1.0.0 we support the following platforms:

  • Apigee hybrid version 1.3
  • Istio versions 1.5, 1.6
  • Envoy versions 1.14, 1.15

Additions and changes

Between the v1.0-beta4 release and GA, the following additions changes were made to the adapter:

  • Go Boring builds

    A new build is now available that uses FIPS compliant Go BoringSSL libraries.

  • Log level flag changes

    The logging level flags for the apigee-remote-service-envoy service have been changed for consistency:

    Old flag New flag
    log_level log-level
    json_log json-log
  • New CLI flags

    New flags were added to the CLI token commands:

    Flag Description
    --legacy Set this flag if you are using Apigee Edge Cloud.
    --opdk Set this flag if you are using Apigee Edge for Private Cloud.