2021 Wrap-Up: Announcing Emissary-ingress 2.1, Telepresence 2.4.9

Katie Wilde
Ambassador Labs
Dec 21, 2021


I’m excited to introduce myself as the new VP of Engineering at Ambassador Labs. I joined the team just a few months ago and am so impressed by the community that has rallied around Telepresence and Emissary-ingress. The community empowers our engineering teams to build better products through testing, feedback, and constant iteration. In the next year, I’m looking forward to getting to know more of our community and enabling our product teams to ship the best tools to help you code, ship, and run services faster on Kubernetes.

As 2021 comes to a close, we’re excited to share the latest updates on Emissary-ingress and Telepresence and thank our awesome open source community for their contributions over the last year.

Emissary-ingress 2.1, now backwards-compatible with 1.x

Earlier this year we released the Emissary-ingress 2.x series in developer preview. The 2.x series builds on the lessons we learned from thousands of production deployments of 1.x, and introduces usability, reliability, and security enhancements. We also used the opportunity of 2.x to make a number of breaking changes to our API, which unfortunately made it hard for our existing user base to upgrade.

We’re excited today to announce Emissary-ingress 2.1 and Edge Stack 2.1.0, which add backwards compatibility with 1.x series configuration. These releases add support for the getambassador.io/v2 CRDs concurrent with the getambassador.io/v3alpha1 apiVersions, enabling a simplified migration strategy.

The 2.1 release also includes the following fixes and enhancements:

  • Support for both getambassador.io/v3alpha1 and getambassador.io/v2 apiVersions, to simplify migration through the emissary-ingress-apiext service. For more details, see the migration documentation.
  • Support for the Access Log REST Bridge (ARB), which enables REST services to access the Envoy Access Log Service (by default, the Access Log Service is only accessible over gRPC).
  • Fix the incremental reconfiguration cache when multiple Mappings had the same prefix.
  • Fix erroneous error logging when using Kubernetes Secrets to store ACME private keys. (This was a bug in logging, not in functionality).
  • Fix: When using gzip compression, upstream services will no longer receive compressed data. This fixes a regression introduced in 1.14.0, and restores the default behavior of not sending compressed data to upstream services.
  • Security: Update to busybox 1.34.1 to resolve CVE-2021-28831, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, and CVE-2021-42386.
  • Security: Update Python dependencies to resolve CVE-2020-28493 (jinja2), CVE-2021-28363 (urllib3), and CVE-2021-33503 (urllib3).
  • Security: Previously built images included some Python packages used only for testing. These have now been removed, resolving CVE-2020-29651.

In addition, 2.1 includes all the fixes and enhancements from the 2.0.x series, including:

  • Setting circuit_breakers for AuthServices, enabling you to configure your AuthService to handle more than 1024 concurrent requests
  • You can now set dns_type between strict_dns and logical_dns in a Mapping to configure the Service Discovery Type.
  • You can now set the dns_type in the AmbassadorMapping to configure how Envoy will use the DNS for the service.
  • You can now set respect_dns_ttl to true to force the DNS refresh rate for a Mapping to be set to the record’s TTL obtained from DNS resolution.
  • You can now set buffer_limit_bytes in the ambassador Module to change the size of the upstream read and write buffers. The default is 1MiB.

And, of course, if you haven’t seen it, you should check out the automated configuration analysis capability supported in 2.x that protects you from shipping many types of accidental misconfigurations into production!

To learn more about the 2.x series, watch Flynn’s talk from EnvoyCon, “Four Years with Emissary-ingress and Envoy”, or sign up to join a Migration Office Hours session with an expert from our team; dates will be announced in the new year.

Access Log REST Bridge

Emissary-ingress and Ambassador Edge Stack both support the Envoy Access Log Service (ALS) for handing access logs to an external service (the ALS). The ALS speaks a gRPC protocol with Envoy; the Access Log Service REST Bridge (ARB) provides a bridge to allow REST services to use the access logs too.

ARB is a separate service, deployed independently of Emissary-ingress or Ambassador Edge Stack. Multiple ARBs can be deployed if desired. As log entries arrive from Envoy, they are batched within ARB, then dispatched in parallel to one or more upstream REST services. If a REST call fails with a 5YZ status, ARB will retry, with a configurable backoff between retries, up to a configurable maximum number of retries. For other errors, ARB will not retry, though it will log the error.

Normally, ARB uses an internal circular buffer with a fixed maximum size to batch requests: if the upstream services are not able to keep up with the rate of incoming messages, ARB will drop the oldest messages in the buffer. If messages are dropped, ARB will log a warning every five minutes to that effect. The size of this circular buffer is configurable, and if the size is set to 0, the queue will simply grow without bound (which risks ARB running out of memory and crashing).
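
A minimal model of the buffering and retry behaviour described above, added here as an example; it is not ARB's own code. `Ring`, `Send` and the `post` callback are hypothetical names, and a fixed backoff stands in for ARB's configurable one. The `Dropped` counter shows what a bounded buffer costs under backpressure: the oldest access-log entries are lost, so the count is worth monitoring.

```go
package main

import "fmt"
import "time"

// Ring models the drop-oldest buffer described above (hypothetical type, not
// ARB's code). max == 0 means unbounded, the setting the text warns about.
type Ring struct {
	max     int
	items   []string
	Dropped int // evicted entries; export as a metric to detect log loss
}

func (r *Ring) Push(e string) {
	if r.max > 0 && len(r.items) == r.max {
		r.items = r.items[1:] // evict the oldest entry
		r.Dropped++
	}
	r.items = append(r.items, e)
}

func (r *Ring) Drain() (b []string) { // hand the queued batch to the sender
	b, r.items = r.items, nil
	return b
}

// Send delivers one batch through post, which returns an HTTP status code.
// 5xx is retried up to maxRetries times; other failures are not retried.
func Send(post func([]string) int, batch []string, maxRetries int, backoff time.Duration) (int, error) {
	for attempt := 1; ; attempt++ {
		code := post(batch)
		switch {
		case code >= 200 && code < 300:
			return attempt, nil
		case code >= 500 && code < 600 && attempt <= maxRetries:
			time.Sleep(backoff)
		default:
			return attempt, fmt.Errorf("batch of %d undelivered: status %d", len(batch), code)
		}
	}
}

func main() { // constructed input: 5 entries into a 3-slot buffer
	r := &Ring{max: 3}
	for i := 1; i <= 5; i++ {
		r.Push(fmt.Sprintf("entry-%d", i))
	}
	fmt.Println("dropped:", r.Dropped, "batch:", r.Drain())
}
```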

You can learn more about the ARB on GitHub.

Telepresence Updates — VPN diagnostics, Apple Silicon, and more

Thanks to contributions and feedback from the community, Telepresence 2.4.9 is available now and includes a number of new features and bug fixes that improve usability and stability.

  • VPN diagnostics. A new subcommand test-vpn helps you diagnose connectivity with your VPN.
  • Easier automation. Set ingress parameters in corresponding flags to skip the ingress dialogue.
  • Now available for Apple silicon. Use Telepresence CLI for Apple silicon including M-series chips.
  • Better message filtering. A RESTful API service was added to help determine if messages with a set of headers should be consumed or not from a message queue.
  • Increased stability. Thanks to the community for many contributed bug reports and fixes to help increase stability.

Special shout outs to Andrey Nazarov, Daniel Marquez, Eli Goldberg, Tomer Lev, Konstantin Nesterov, Rafal Krzewski, and all of the community members who contributed to the latest Telepresence releases. For more details on Telepresence releases, check out the release notes page.

Thanks to Our Community for a Great 2021!

2021 was a busy year, and we couldn’t have done it without the overwhelming support of our awesome community! We wanted to take a chance to look back at all the things we were able to achieve this year thanks to all of your help.

The Inaugural Class of Ambassador Community Advocates

In July, we inducted our first class of Ambassador Community Advocates — top members of our community that regularly help other users by sharing their knowledge and support. Over the last year, our Community Advocates have had a voice in our product development journey, by helping us beta test, creating content and contributing code. We’re super grateful to have gotten to know the advocates throughout the year and are looking forward to growing the community with their help in 2022!

Hundreds of Application Developers Learn Kubernetes through the First Summer of Kubernetes Program

This summer, we launched our Summer of Kubernetes program, where individuals were able to sharpen and enhance their Kubernetes skills by working closely with our community of experts. In a program broken into three-month chapters, participants learned to code, ship, and run applications on Kubernetes faster and more easily than ever before. We were able to work closely together with our partners, such as DigitalOcean, CodeFresh, Buoyant, and more through joint sessions. The Summer of Kubernetes not only allowed us to engage with our community, but allowed those who participated to interact with other developers around the world.

In response to the positive feedback we got on the Summer of Kubernetes, we then launched the Kubernetes Developer Learning Center so you can learn Kubernetes on your own time, any time of year.

KubeCon & Our Community Together IRL

After attending KubeCon EU virtually in May, we were super grateful to have been able to meet many of you in person at KubeCon NA 2021 this year! This year’s KubeCon event took place in Los Angeles, where adopters, technologists and developers came together to share their products and services with the rest of the community. It was great to connect with many of the community in person over ice cream and we hope to see more of you in 2022!

The First Dev House — a Virtual Conference for K8s Application Developers

Alongside attending KubeCon, Ambassador Labs launched an all-virtual event: Dev House. Dev House was a virtual Kubernetes event for application developers who are looking to find different ways to improve how they code, ship and run their applications. Through our workshops, tech talks and expert panels, the Ambassador Labs community had the opportunity to supercharge their cloud-native developer experience. Our speakers for Dev House came from our Community Advocate program, partners, users and Ambassador Labs itself. Dev House not only let us connect with our community, but allowed our community to connect with each other.

See You in 2022!

We are so excited for another year with our awesome community and we can’t wait to share all the things we have planned in 2022. One thing’s for sure — we’ll always be here to support you on your Kubernetes learning journey!

Start Learning & Win a Free Pluralsight Subscription

If learning new things is a resolution of yours for 2022, enter now to win a free Pluralsight class from Ambassador Labs! To enter, follow these steps.

  1. Create or sign in to an Ambassador Cloud account
  2. Intercept a service with Telepresence
  3. Follow @ambassadorlabs on Twitter
  4. Tweet a screenshot of your intercepts page and tag @ambassadorlabs.

After the New Year, we’ll announce the lucky winner on Twitter. See you then!
