We've been working as busy bees to present to you Kyma 2.8. We packed this release with upgrades, updates, and improvements, as well as some changes to prepare the ground for the features to come. For example, we introduced support for response rewriting in Application Gateway, and improved Secret rotation for LogPipelines, but there's much more!

While we get back to beeing busy with what's next, you go and explore what we've prepared for you.

API Gateway

Exposing workloads in multiple Namespaces with one APIRule

This Kyma release comes with an update to the APIRule CR that lets you expose and secure services in multiple Namespaces. Now it’s possible to specify the service Namespace either on the spec.service level or individually for each service in spec.rules. This new field is optional. If you do not specify it, the default APIRule Namespace is used.

For more details, see the APIRule CR documentation.
Check out also our new tutorial on how to expose workloads in multiple Namespaces with a single APIRule definition.

Application Connectivity

Response rewriting in Application Gateway

From this release, Application Gateway in Kyma supports redirects for the HTTP requests in which the URL host remains unchanged.

With this functionality, the HTTP client has the option to resolve redirects within the scope of the same API.
If so configured, the HTTP client that originally called Application Gateway follows redirects through the Gateway, passing authorization, custom headers, URL parameters, and the body.

For more details, see Application Gateway details.

Status codes returned by Application Gateway

In this release, we also updated the HTTP status codes that Application Gateway returns in the following cases:

• When the Application specified in the path does not exist.
• When the Application, service or entry is not passed in the path.
• When a call to target API times out.

For more details, see Status codes for errors returned by Application Gateway.

Observability

Jaeger

In preparation for the bigger changes planned in the Tracing area, we updated the Jaeger stack to version 1.37, and enabled OTLP support.

At the same time, the Serverless engine switched to OTLP as well, and is ready for the awesome future.

Monitoring

In this release, we also updated the Prometheus node-exporter to version 1.4.0, and kube-state-metrics to version 2.6.0.

For more details, see the release notes for node-exporter and kube-state-metrics.

Logging

Yet another update that we made in this release is bumping Fluent Bit to version 1.9.9.

We also improved Secret rotation support for LogPipelines. A rotated Secret is now detected instantly.

NOTE: Mind that with Kyma 2.6, the Fluent Bit part of the Logging component was replaced by the new Telemetry component. This Fluent Bit part will be removed with the next Kyma release. If you have not adopted the change yet, do so now.

Deprecation of Kiali

The Kyma Observability feature was shifted in the direction of integration and openness to enable enterprise-grade qualities based on external services.
See the blog post on Observability strategy for more details.
As a consequence, Kiali will be removed in Kyma 2.10. See the blog post on Kiali deprecation.

Worry not, though, as you can still integrate it on your own.
We've got you covered, and we've prepared a tutorial on how to install custom Kiali in Kyma.

Security

Istio upgraded to 1.15.0

In this Kyma release, Istio was upgraded to version 1.15.0.

For more details on the changes, read the official Istio 1.15.0 release notes.

Istio CNI plugin

Breaking changes

This Kyma version introduces the Istio CNI plugin. The plugin replaces the istio-init container, and it provides the same networking functionality, but it doesn't require Istio users to have elevated Kubernetes RBAC permission.

To learn more, read about the Istio CNI plugin.

If initContainers starting in a Pod with sidecar injection enabled need to have networking capabilities, you must follow one of the these migration guides:

• Set the UID of the initContainer to 1337 using runAsUser. 1337 is the UID used by the sidecar proxy. The traffic sent by this UID is not captured by the Istio's iptables rule. Application container traffic is captured as usual.

• Set the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation to disable. It disables redirecting traffic to any CIDRs that the init containers communicate with.

• Set the traffic.sidecar.istio.io/excludeOutboundPorts annotation to disable. It disables redirecting traffic to the specific outbound ports that the initContainers use.

Serverless

Serverless engine switched to OTLP

Following the changes in Observability and opening new OTLP-compliant endpoints in Jaeger, the Serverless engine now configures Functions to send trace data to this new endpoint.
Functions built before releasing Kyma 2.8 will continue sending trace data to the previous endpoint.

For more information, see the Environment variables in Serverless.

Changelog

2.8.0-rc2 (2022-10-19)

Eventing

• #15846 Update nats server (#15727) (@marcobebway)

Committers: 1

• Marco Bebway (@marcobebway)

2.8.0-rc1 (2022-10-17)

Api Gateway

• #15694 Multiple path test (@barchw)
• #15661 Bump api-gateway to 1.1.0 (@videlov)

Application Connector

• #15780 Application Gateway readme update regarding new error codes (@mvshao)
• #15717 Align status codes for errors in Application Gateway (@mvshao)
• #15757 Bump AC images (@franpog859)
• #15750 Add a section on Response rewriting to Application Gateway details (@majakurcius)
• #15470 Implement redirects in application gateway (@VOID404)
• #15119 Cra test gql to compass (@koala7659)
• #15571 Fix the command to add the workloads to Service Mesh (@majakurcius)

Serverless

• #15792 Bring back jaegerServiceEndpoint ENV for backward compatibility (@kwiatekus)
• #15767 Fix logged stateFn name (@moelsayed)
• #15576 Fix conflicting Serverless scaling options (@moelsayed)
• #15778 Revert logLevel overrides for profiles files (@pPrecel)
• #15774 Propagate Content-type header from inner response object in python runtime (@kwiatekus)
• #15671 Use OPTL exporters in serverless function runtimes (@kwiatekus)
• #15648 Dynamic logging config (@pPrecel)
• #15595 Add a few debug logs to the function-controller (@pPrecel)

Eventing

• #15804 Update Eventing images (@marcobebway)
• #15728 add missing enum fields in backend crd (@raypinto)
• #15738 Remove sleep as it is not required (@nachtmaar)
• #15673 Propagate maxInFlight config changes to the consumer for v1alpha1 Subscription version (@VladislavPaskar)
• #15649 Added EventMesh reconciler for Subscription v1alpha2 CRD (@mfaizanse)
• #15647 JetStream handler version v1alpha2 (@raypinto)
• #15596 Added EventMesh backend/handler for Subscription v1alpha2 (@mfaizanse)
• #15665 add sink validator and crd for subscription v1alpha2 (@raypinto)
• #15664 Restructure test files in eventing-controller controllers (@friedrichwilken)
• #15651 Restructure test files ec (@friedrichwilken)
• #15670 fix gomod issue with api-gateway (@raypinto)
• #15583 Add Subscription conversion logic v1alpha1 to v1alpha2 and backwards (@VladislavPaskar)
• #15609 Fix the Eventing publisher proxy lint issues (@marcobebway)
• #15556 Create feature flag for v1alpha2 subscription CRD version (@raypinto)
• #15469 Bump NATS image to 2.9.0 (@mfaizanse)

Service Mesh

• #15644 Update istio charts with istio 1.15.0 and cni (@barchw)

Monitoring

• #15812 update kiwigrid sidecar to newer python version (@a-thaler)
• #15691 update to node-exporter 1.4.0 (@a-thaler)
• #15683 Update to grafana 7.5.17 (@rakesh-garimella)

Logging

• #15648 Dynamic logging config (@pPrecel)
• #15692 update to fluent bit 1.9.9 (@a-thaler)
• #15696 fixed broken rendering of telemetry docs (@a-thaler)
• #15683 Update to grafana 7.5.17 (@rakesh-garimella)
• #15652 updated golang version for loki image (@a-thaler)
• #15617 update to fluent-bit 1.9.8 (@a-thaler)
• #15568 Improve Log Pipeline controller syncer (@skhalash)

Tracing

• #15792 Bring back jaegerServiceEndpoint ENV for backward compatibility (@kwiatekus)
• #15671 Use OPTL exporters in serverless function runtimes (@kwiatekus)
• #15620 updated to fixed image for jaeger-operator (@a-thaler)
• #15528 Updated jaeger to version 1.37.0 (@a-thaler)

Documentation

• #15780 Application Gateway readme update regarding new error codes (@mvshao)
• #15782 Fix a broken link to the Grafana documentation on gauge (@majakurcius)
• #15781 Correcting input param name (@IwonaLanger)
• #15773 Fix a broken link to documentation on Kubernetes operators (@majakurcius)
• #15750 Add a section on Response rewriting to Application Gateway details (@majakurcius)
• #15571 Fix the command to add the workloads to Service Mesh (@majakurcius)

Committers: 35

• Aleksei Chernyshov (@Teneroy)
• Andreas Thaler (@a-thaler)
• Arkadiusz Galwas (@akgalwas)
• Bartosz Chwila (@barchw)
• Benjamin Lindner (@lindnerby)
• Christoph Kleineweber (@chrkl)
• Damian Badura (@dbadura)
• Filip Strózik (@pPrecel)
• Franciszek Pogodziński (@franpog859)
• Friedrich (@friedrichwilken)
• Hamza Masood (@HamzaMasood1)
• Iwona Langer (@IwonaLanger)
• Kamil Kasperski (@Ressetkk)
• Karol Szwaj (@cnvergence)
• Korbinian Stoemmer (@k15r)
• Krzysztof Kwiatosz (@kwiatekus)
• Maja Szostok (@majakurcius)
• Mansur Uralov (@muralov)
• Marcin Dobrochowski (@anoipm)
• Marco Bebway (@marcobebway)
• Michał Kalke (@MichalKalke)
• Mohamed Elsayed (@moelsayed)
• Muhammad Faizan (@mfaizanse)
• Nils Seip (@nachtmaar)
• Nina Hingerl (@NHingerl)
• Przemyslaw Golicz (@koala7659)
• Rafal Foks (@mvshao)
• Rakesh Garimella (@rakesh-garimella)
• Raymond Pinto (@raypinto)
• Stanislav Khalash (@skhalash)
• Vladimir Videlov (@videlov)
• Wojciech Nawa (@VOID404)
• @Abirdcfly
• @VladislavPaskar
• @dariusztutaj