diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d30de7ed9..1ac7027a6a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,12 +2,177 @@ ## Table of Contents +- [v0.4.0-rc1](#v040-rc1) - [v0.3.0](#v030) - [v0.2.0](#v020) - [v0.1.0](#v010) - [v0.1.0-rc2](#v010-rc2) - [v0.1.0-rc1](#v010-rc1) + +## v0.4.0-rc1 + +API version: v1alpha2 + +The working group expects that this release candidate is quite close to the final +v1alpha2 API. However, breaking API changes are still possible. + +This release candidate is suitable for implementors, but the working group does +not recommend shipping products based on a release candidate API due to the +possibility of incompatible changes prior to the final release. + +### Major Changes + +* The Gateway API APIGroup has moved from `networking.x-k8s.io` to +`gateway.networking.k8s.io`. This means that, as far as the apiserver is +concerned, this version is wholly distinct from v1alpha1, and automatic conversion +is not possible. As part of this process, Gateway API is now subject to Kubernetes +API review, the same as changes made to core API resources. More details in +[#780](https://github.com/kubernetes-sigs/gateway-api/pull/780) and [#716](https://github.com/kubernetes-sigs/gateway-api/issues/716). + +* Gateway-Route binding changes: +[GEP-724](https://gateway-api.sigs.k8s.io/geps/gep-724/). Currently, Gateways +choose which Routes are attached using a combination of object and namespace +selectors, with the option of also specifying object names. This has made a very +complex config, that's easy to misinterpret. As part of v1alpha2, we're changing to: + * Gateways *may* specify what kind of Routes they support (defaults to same + protocol if not specified), and where those Routes can be (defaults to same + namespace). + * Routes *must* directly reference the Gateways the want to attach to, this is + a list, so a Route can attach to more than one Gateway. + * The Route becomes attached only when the specifications intersect. + + We believe this is quite a bit easier to understand, and still gives good + flexibility for most use cases. + GEP added in [#725](https://github.com/kubernetes-sigs/gateway-api/pull/725). + Implemented in [#754](https://github.com/kubernetes-sigs/gateway-api/pull/754). + Further documentation was added in [#762](https://github.com/kubernetes-sigs/gateway-api/pull/762). + + +* Safer cross-namespace references: +([GEP-709](https://gateway-api.sigs.k8s.io/geps/gep-709/)): This concerns +(currently), references from Routes to Backends, and Gateways to Secrets. The +new behavior is: + * By default, references across namespaces are not permitted; creating a + reference across a namespace (like a Route referencing a Service in another + namespace) must be rejected by implementations. + * These references can be accepted by creating a ReferencePolicy in the + referent (target) namespace, that specifies what Kind is allowed to accept + incoming references, and from what namespace and Kind the references may be. + + The intent here is that the owner of the referent namespace must explicitly + accept incoming references, otherwise we can run into all sorts of bad things + from breaking the namespace security model. + Implemented in [#741](https://github.com/kubernetes-sigs/gateway-api/pull/741). + +* Attaching Policy to objects: +[GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/): This has been added +so that we have an extensible mechanism for adding a cascading set of policy to +Gateway API objects. + + What policy? Well, it's kind of up to the implementations, but the best example + to begin with is timeout policy. + + Timeout policy for HTTP connections is highly depedent on how the underlying + implementation handles policy - it's very difficult to extract commonalities. + + This is intended to allow things like: + * Attach a policy that specifies the default connection timeout for backends + to a GatewayClass. All Gateways that are part of that Class will have Routes + get that default connection timeout unless they specify differently. + * If a Gateway that's a member of the GatewayClass has a different default + attached, then that will beat the GatewayClass (for defaults, more specific + object beats less specific object). + * Alternatively, a Policy that mandates that you can't set the client timeout + to "no timeout" can be attached to a GatewayClass as an override. An override + will always take effect, with less specific beating more specific. + + This one is a bit complex, but will allow implementations to solve some things + that currently require tools like admission control. + Implemented in [#736](https://github.com/kubernetes-sigs/gateway-api/pull/736). + +* As part of GEP-713, `BackendPolicy` has been removed, as its functionality is +now better handled using that mechanism. [#732](https://github.com/kubernetes-sigs/gateway-api/pull/732). + +* Removal of certificate references from HTTPRoutes: +[GEP-746](https://gateway-api.sigs.k8s.io/geps/gep-746/): + In v1alpha1, HTTPRoute objects have a stanza that allows referencing a TLS + keypair, intended to allow people to have a more self-service model, where an + app owner can provision a TLS keypair inside their own namespace, attach it to + a HTTPRoute they control, and then have that used to secure their app. + When implementing this, however, there are a large number of edge cases that + are complex, hard to handle, and poorly defined - about checking SNI, hostname, + and overrides, that made even writing a spec on how to implement this very + difficult, let alone actually implementing it. + + In removing certificate references from HTTPRoute, we're using the + ReferencePolicy from GEP-709 to allow Gateways to securely create a + cross-namespace reference to TLS keypairs in app namespaces. + We're hopeful that this will hit most of the self-service use case, and even + if not, provide a basis to build from to meet it eventually. + GEP added in [#749](https://github.com/kubernetes-sigs/gateway-api/pull/749). + Implemented in [#768](https://github.com/kubernetes-sigs/gateway-api/pull/768). + +* The `RouteForwardTo` (YAML: `routeForwardTo`) struct/stanza has been reworked +into the `BackendRef` (YAML: `backendRef`) struct/stanza, +[GEP-718](https://gateway-api.sigs.k8s.io/geps/gep-718/). As part of this change, +the `ServiceName` (YAML: `serviceName`) field has been removed, and Service +references must instead now use the `BackendRef`/`backendRef` struct/stanza. + +### Other changes +* HTTP Method matching is now added into HTTPRoute, with Extended support: +[#733](https://github.com/kubernetes-sigs/gateway-api/pull/733). + +* GatewayClass now has a 'Description' field that is printed as a column in +`kubectl get` output. You can now end up with output that looks like this: + ```shell + $> kubectl get gatewayclass + NAME CONTROLLER DESCRIPTION + internal gateway-controller-internal For non-internet-facing Gateways. + external gateway-controller-external For internet-facing Gateways. + ``` + See [#610](https://github.com/kubernetes-sigs/gateway-api/issues/610) and + [#653](https://github.com/kubernetes-sigs/gateway-api/pull/653) for the details. + +* [#671](https://github.com/kubernetes-sigs/gateway-api/pull/671): Controller is +now a required field in Gateway references from Route status. Fixes +[#669](https://github.com/kubernetes-sigs/gateway-api/pull/671). + +* [#657](https://github.com/kubernetes-sigs/gateway-api/pull/657): and +[#681](https://github.com/kubernetes-sigs/gateway-api/pull/681) Header Matching, +Query Param Matching, and HTTPRequestHeaderFilter now use named subobjects +instead of maps. + +* [#796](https://github.com/kubernetes-sigs/gateway-api/pull/796) API Review suggestions: + * listener.routes has been renamed to listener.allowedRoutes + * The `NoSuchGatewayClass` has been removed after it was deprecated in v1alpha1 + * `*` is no longer a valid hostname. Instead, leaving hostname unspecified is interpreted as `*`. + +### Documentation Updates +* [#782](https://github.com/kubernetes-sigs/gateway-api/pull/782) : Restructure docs and split into versioned and unversioned +* [#777](https://github.com/kubernetes-sigs/gateway-api/pull/777) : Fix typo +* [#765](https://github.com/kubernetes-sigs/gateway-api/pull/765) : document multi-value headers as undefined +* [#761](https://github.com/kubernetes-sigs/gateway-api/pull/761) : minor improvements to navigation on docs site +* [#760](https://github.com/kubernetes-sigs/gateway-api/pull/760) : Remove references of vendor configurations in GatewayTLSConfig +* [#756](https://github.com/kubernetes-sigs/gateway-api/pull/756) : Clarify docs on invalid serviceName +* [#755](https://github.com/kubernetes-sigs/gateway-api/pull/755) : Document the supported kubernetes versions +* [#745](https://github.com/kubernetes-sigs/gateway-api/pull/745) : Remove RouteTLSConfig requirement for gateway TLS passthrough. +* [#744](https://github.com/kubernetes-sigs/gateway-api/pull/744) : automate nav for GEPs +* [#743](https://github.com/kubernetes-sigs/gateway-api/pull/743) : Add READY and ADDRESS to gateway printer columns +* [#742](https://github.com/kubernetes-sigs/gateway-api/pull/742) : Moving method match to v1alpha2 example +* [#729](https://github.com/kubernetes-sigs/gateway-api/pull/729) : Adding suggested reasons for when conditions are healthy +* [#728](https://github.com/kubernetes-sigs/gateway-api/pull/728) : Fixing wording in enhancement template +* [#723](https://github.com/kubernetes-sigs/gateway-api/pull/723) : Clarifying Redirect Support levels +* [#756](https://github.com/kubernetes-sigs/gateway-api/pull/756) : Clarify docs on invalid serviceName + +### Tooling and infra updates +* [#766](https://github.com/kubernetes-sigs/gateway-api/pull/766) : comment out the GEP notice +* [#758](https://github.com/kubernetes-sigs/gateway-api/pull/758) : bump up mkdocs and deps +* [#751](https://github.com/kubernetes-sigs/gateway-api/pull/751) : bump up deps to k8s v1.22 +* [#748](https://github.com/kubernetes-sigs/gateway-api/pull/748) : fix kustomize to install v1a2 crds +* [#747](https://github.com/kubernetes-sigs/gateway-api/pull/747) : Cleaning up GEP Template + + ## v0.3.0 API Version: v1alpha1