This page documents production updates to Apigee hybrid in 2022 and later. We recommend that users periodically check this list for any new announcements, or subscribe to this page using a feed reader to get notifications of updates.
What is a feed reader?
Really simple syndication (RSS) feed readers aggregate content from websites that you specify.
Feed reader notifications can be email-, browser-, desktop-, or mobile-based. Some readers are free, or have free versions, and some require a subscription.
A few examples:
More information on RSS:
See also:
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
November 12, 2024
hybrid v1.13.2
On November 12, 2024 we released an updated version of the Apigee hybrid software, 1.13.2.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.13.2.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
373722434 | Fixed support for backups to GCS buckets with retention policies. |
361044374 | Fixes assign message not correctly highlighting the set payload action in the debug trace. |
355122464 | This release contains a few error-handling fixes for CSI backup and restore. |
237656263 | Fix added to make use of asynchronous ServiceCallout execution when the ServiceCallout policy <Response> element is not present.
Procedure:
|
Bug ID | Description |
---|---|
N/A | Security fixes for apigee-redis . This addresses the following vulnerabilities: |
November 01, 2024
hybrid v1.12.3
On November 1, 2024 we released an updated version of the Apigee hybrid software, 1.12.3.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.12.3.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
368646378 | Fixed an issue affecting control Plane connectivity testing in Guardrails. |
361044374 | Fixes assign message not correctly highlighting the set payload action in the debug trace. |
335357961 | Fixed an issue where Apigee hybrid could claim uploads of backups with the Cloud provider when no bucket had been configured |
181569113 | Fixed an issue in new debug session creation. |
Bug ID | Description |
---|---|
376104926 | Security fixes for apigee-kube-rbac-proxy . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-open-telemetry-collector . This addresses the following vulnerability: |
October 04, 2024
hybrid v1.13.1
On October 4, 2024 we released an updated version of the Apigee hybrid software, 1.13.1.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.13.1.
- For information on new installations, see The big picture.
Cassandra credential rotation in Vault
Starting in version v1.3.1, You can set up automatic Cassandra credential rotation when your credentials are stored in Hashicorp Vault. See Rotating Cassandra credentials in Hashicorp Vault.
New analytics and debug data pipeline for data residency-enabled orgs
Newly created Apigee hybrid v1.13.1 orgs created with data residency enabled can use a new data pipeline to collect analytics and debug data and allow various runtime components to write data directly to our control plane. You cannot use the new data pipeline with non data residency-enabled orgs; only new orgs created on hybrid v1.13.1 can use this new feature. For details, see Using data residency with Apigee hybrid.
Bug ID | Description |
---|---|
364282883 | Remove check for dc-expansion flag and add timeout to multi-region seed host connection test. |
362305438 | You can now add additional env variables to the runtime component. |
353527851 | WebSocket connection drops when using VerifyJwt or OAuthV2 VerifyJWTAccessToken operations. |
351440306 | An issue was fixed where trace could not be viewed in the UI for orgs with DRZ enabled. |
338638343 | An ID is now added at the end of apigee-env and virtualhost guardrails pods to make the pod names unique. |
Bug ID | Description |
---|---|
N/A | Security fixes for apigee-open-telemetry-collector . This addresses the following vulnerability: |
September 13, 2024
hybrid v1.12.2
On September 13, 2024 we released an updated version of the Apigee hybrid software, 1.12.2.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.12.2.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
362305438 | You can now add additional env variables to the runtime component. |
347798999 | You can now configure forward proxy for opentelemetry pods in Apigee hybrid. |
Bug ID | Description |
---|---|
N/A | Security fixes for apigee-cassandra-backup-utility and apigee-hybrid-cassandra . This addresses the following vulnerability: |
September 05, 2024
hybrid 1.13.0-hotfix.1
On September 5, 2024 we released an updated version of the Apigee hybrid software, 1.13.0-hotfix.1.
Apply this hotfix following the steps in Upgrading Apigee hybrid to version 1.13:
- For information on upgrading, see Upgrading Apigee hybrid to version 1.13.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
362690729 | Fix for aggressive scaling of runtime pods & cpu spike. |
362979563 | Fix for Ingress Health Check failure /healthz/ingress - route_not_found . |
August 23, 2024
hybrid v1.13.0
On August 23, 2024 we released an updated version of the Apigee hybrid software, v1.13.0.
- For information on upgrading, see Upgrading Apigee hybrid to version v1.13.0.
- For information on new installations, see The big picture.
Storing additional secrets in an external secret store
Starting in version v1.13, You can now store AX Hash Salt, Redis password, and Encryption keys in an external secret store like Hashicorp Vault. See Storing Secrets in Vault.
Apigee Operator now runs in the Apigee Kubernetes namespace
Starting in version v1.13, apigee-operator
runs in the same name space as the other Apigee hybrid components instead of the apigee-system
namespace. You can use apigee
or your own custom Apigee namespace. See Upgrading Apigee hybrid to version v1.13.0 and Step 3: Create the apigee namespace.
Improved backup and restore
Starting in version v1.13.0, Apigee hybrid introduces a new backup and restore system. The new system removes the need for pod exec permission and use of a Kubernetes ClusterRole, and requires fewer Kubernetes Service Accounts when using Workload Identity. The new system replaces use of the apigee-cassandra-backup-utility image by using the apigee-hybrid-cassandra-client image. The apigee-cassandra-backup-utility image will no longer be provided starting with this release. See Scheduling backups in a remote server.
Leader election enabled for apigee-watcher
component
Starting in version v1.13.0, leader election is enabled for the apigee-watcher
component. For proper functioning of the leader election, make sure that the apigee-watcher
component uses only one replica set.
Bug ID | Description |
---|---|
352070616 | Update Go language version. |
351868444 | Tolerations are now working for Redis's Envoy pod. (Fixed in 1.12.1-hotfix.1) |
347997965 | Upgrading to Apigee Hybrid 1.11.2 and 1.10.5 can cause missing metrics. (Fixed in 1.11.2-hotfix.1) |
347798999 | Fixed issue preventing configuration of forward proxy for opentelemetry pods. (Fixed in Apigee hybrid v 1.12.1) |
346589998 | Check Cassandra DNS hostname resolution during Hybrid region expansion. |
345501069 | Fixed issue with Hybrid Guardrails resource configuration preventing the Guardails pod from starting. (Fixed in Apigee hybrid v 1.12.1) |
341797795 | Autofill the Hybrid Guardrails checkpoint value if a checkpoint is not provided. (Fixed in Apigee hybrid v 1.12.1) |
340889560 | Added csi to the apigee-logger SCC. (Fixed in Apigee hybrid v 1.12.0-hotfix.1) |
340248314 | Added support for targetCPUUtilizationPercentage to apigeeIngressGateway and ingressGateways . The default value is 75. (Fixed in Apigee hybrid v 1.12.1) |
339849002 | Hashicorp Vault integration issues fixed for Google Service Account for Cassandra Backup/Restore. (Fixed in Apigee hybrid v 1.12.0-hotfix.1) |
324779388 | Improved error handling for backup and restore. (Fixed in Apigee hybrid v 1.12.1) |
311489774 | Removed inclusion of Java in Cassandra client image.. (Fixed in Apigee hybrid v 1.12.1) |
310338146 | Fixed invalid download directory output from the create-service-account tool. (Fixed in Apigee hybrid v 1.12.1) |
300135626 | Removed inclusion of Java in Cassandra Backup Utility image. (Fixed in Apigee hybrid v 1.12.1) |
297539870 | HTTPTargetConnection property io.timeout.millis is now honored correctly when using websockets. (Fixed in 1.11.2-hotfix.2) |
239523766 | Remove "Unable to evaluate jsonVariable, returning null" logging string from ExtractVariables Policy (Fixed in Apigee hybrid v 1.12.1) |
181569113 | Fixed an issue in new debug session creation. (Fixed in Apigee hybrid v 1.11.2) |
Bug ID | Description |
---|---|
N/A | Security fixes for apigee-asm-istiod . This addresses the following vulnerability: |
N/A | Security fixes for apigee-cassandra-backup-utility . This addresses the following vulnerability: |
N/A | Security fixes for apigee-connect-agent . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-envoy . This addresses the following vulnerability: |
N/A | Security fixes for apigee-fluent-bit . This addresses the following vulnerability: |
N/A | Security fixes for apigee-hybrid-cassandra . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-hybrid-cassandra-client . This addresses the following vulnerability: |
N/A | Security fixes for apigee-mart-server . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-mint-task-scheduler . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-operators . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-prom-prometheus . This addresses the following vulnerability: |
N/A | Security fixes for apigee-prometheus-adapter . This addresses the following vulnerability: |
N/A | Security fixes for apigee-redis . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-udca . This addresses the following vulnerability: |
N/A | Security fixes for apigee-watcher . This addresses the following vulnerability: |
N/A | Security fixes for cassandra-backup-utility . This addresses the following vulnerability: |
July 31, 2024
hybrid 1.11.2-hotfix.2
On July 31, 2024 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.2.
Note: This release reflects a change to the component images and not the Helm chart templates. If your hybrid installation is currently on Apigee hybrid v1.11.2, Apply this hotfix with the following steps:
In your overrides file, update the
image.url
andimage.tag
properties ofao
andruntime
:ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.11.2-hotfix.2" runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.11.2-hotfix.2"
Install the hotfix release:
For Helm-managed releases, update the
apigee-operator
with thehelm upgrade
command and your current overrides files:helm upgrade operator apigee-operator/ \ --namespace apigee-system \ --atomic \ -f overrides.yaml
For each environment in your Apigee org:
helm upgrade ENV_NAME apigee-env/ \ --namespace apigee \ --atomic \ -f overrides.yaml
For
apigeectl
-managed releases:install the hotfix release with
apigeectl init
using your updated overrides file:${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client
Followed by:
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE
Apply the hotfix release with
apigeectl apply
:${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs --dry-run=client
Followed by:
${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs
- For information on upgrading, see Upgrading Apigee hybrid to version 1.11.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
351868444 | Tolerations are now working for Redis's Envoy pod. |
297539870 | HTTPTargetConnection property io.timeout.millis is now honored correctly when using websockets. |
July 30, 2024
hybrid 1.12.1-hotfix.1
On July 30, 2024 we released an updated version of the Apigee hybrid software, 1.12.1-hotfix.1.
Note: This release reflects a change to the component images and not the Helm chart templates. If your hybrid installation is currently on Apigee hybrid v1.12.1, Apply this hotfix with the following steps:
In your overrides file, update the
ao.image.url
andao.image.tag
properties:ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.12.1-hotfix.1"
Install the hotfix release. Update the
apigee-operator
component with thehelm upgrade
command and your current overrides files:helm upgrade operator apigee-operator/ \ --namespace apigee-system \ --atomic \ -f overrides.yaml
- For information on upgrading, see Upgrading Apigee hybrid to version 1.12.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
351868444 | Tolerations are now working for Redis's Envoy pod. |
June 28, 2024
hybrid v1.12.1
On June 28, 2024 we released an updated version of the Apigee hybrid software, 1.12.1.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.12.1.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
347798999 | Fixed an issue preventing configuration of forward proxies for OpenTelemetry collector pods. |
345501069 | Fixed issue with Hybrid Guardrails resource configuration preventing the Guardails pod from starting. |
341797795 | Autofill the Hybrid Guardrails checkpoint value if a checkpoint is not provided. |
340248314 | Added support for targetCPUUtilizationPercentage to apigeeIngressGateway and ingressGateways . The default value is 75. |
324779388 | Improved error handling for backup and restore. |
311489774 | Removed inclusion of Java in Cassandra client image.. |
310338146 | Fixed invalid download directory output from the create-service-account tool. |
300135626 | Removed inclusion of Java in Cassandra Backup Utility image. |
239523766 | Remove "Unable to evaluate jsonVariable, returning null" logging string from ExtractVariables Policy |
Bug ID | Description |
---|---|
345791712 | Security fix for fluent-bit . This addresses the following vulnerability: |
335910066 | Security fixes for apigee-kube-rbac-proxy . This addresses the following vulnerability: |
335909737 | Security fixes for apigee-asm-ingress . This addresses the following vulnerabilities: |
335909397 | Security fixes for apigee-open-telemetry-collector . This addresses the following vulnerability: |
335908990 | Security fixes for apigee-asm-istiod . This addresses the following vulnerabilities: |
335908985 | Security fix for apigee-prometheus-adapter . This addresses the following vulnerabilities: . |
335908657 | Security fixes for apigee-prom-prometheus . This addresses the following vulnerabilities: |
335908139 | Security fix for fluent-bit . This addresses the following vulnerability: |
332821083 | Security fix for apigee-operators . This addresses the following vulnerability: |
317528509 | Security fixes for apigee-synchronizer . This addresses the following vulnerabilities: |
308835165 | Security fix for apigee-synchronizer . This addresses the following vulnerability: |
N/A | Security fixes for apigee-asm-ingress . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-asm-istiod . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-cassandra-backup-utility . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-fluent-bit . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-hybrid-cassandra . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-kube-rbac-proxy . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-prometheus-adapter . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-stackdriver-prometheus-sidecar . This addresses the following vulnerabilities:
|
hybrid 1.11.2-hotfix.1
On June 28, 2024 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.1.
Note: This release reflects a change to the Helm chart templates and not a change to the images. If your hybrid installation is currently on Apigee hybrid v1.11.2, Apply this hotfix with the following steps:
In your overrides file, update the
ao.image
url
andtag
:ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.11.2-hotfix.1"
Install the hotfix release:
For Helm-managed releases, update the
apigee-operator
with thehelm upgrade
command and your current overrides files:helm upgrade operator apigee-operator/ \ --namespace apigee-system \ --atomic \ -f overrides.yaml
For
apigeectl
-managed releases, install the hotfix release withapigeectl init
using your updated overrides files:${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client
Followed by:
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE
- For information on upgrading, see Upgrading Apigee hybrid to version 1.11.2-hotfix.1.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
347997965 | Upgrading to Apigee Hybrid 1.11.2 and 1.10.5 can cause missing metrics. |
hybrid 1.10.5-hotfix.1
On June 28, 2024 we released an updated version of the Apigee hybrid software, 1.10.5-hotfix.1.
Note: This release reflects a change to the Helm chart templates and not a change to the images. If your hybrid installation is currently on Apigee hybrid v1.10.5, Apply this hotfix with the following steps:
In your overrides file, update the
ao.image
url
andtag
:ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.10.5-hotfix.1"
Install the hotfix release with
apigeectl init
using your updated overrides files:${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client
Followed by:
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE
- For information on upgrading, see Upgrading Apigee hybrid to version 1.10.5-hotfix.1.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
347997965 | Upgrading to Apigee Hybrid 1.11.2 and 1.10.5 can cause missing metrics. |
June 17, 2024
hybrid v1.10.5
On June 17, 2024 we released an updated version of the Apigee hybrid software, 1.10.5.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.10.5.
- For information on new installations, see The big picture.
June 10, 2024
hybrid v1.11.2
On June 10, 2024 we released an updated version of the Apigee hybrid software, 1.11.2.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.11.2.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
340248314 | Added support for targetCPUUtilizationPercentage to apigeeIngressGateway and ingressGateways for hybrid installations managed with Helm. The default value is 75. Note: targetCPUUtilizationPercentage is not supported for apigeectl . |
324779388 | Improved error handling for backup and restore. |
311489774 | Removed inclusion of Java and Python installations in Cassandra client image. |
300135626 | Removed inclusion of Java and Python installations in Cassandra Backup Utility image. |
181569113 | Fixed an issue in new debug session creation. |
May 28, 2024
ANNOUNCEMENT
hybrid 1.12.0-hotfix.1
On May 28, 2024 we released an updated version of the Apigee hybrid software, 1.12.0-hotfix.1.
Note: This release reflects a change to the Helm chart templates and not a change to the images. If your hybrid installation is currently on Apigee hybrid v1.12.0, you can install this hotfix release by downloading the charts with the version tag 1.12.0-hotfix.1
and updating the apigee-operator
and apigee-datastore
charts with the helm upgrade
command and your current overrides files.
For example:
export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
export CHART_VERSION=1.12.0-hotfix.1
helm pull $CHART_REPO/apigee-operator --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-datastore --version $CHART_VERSION --untar
helm upgrade operator apigee-operator/ \
--namespace apigee-system \
--atomic \
-f overrides.yaml
helm upgrade datastore apigee-datastore/ \
--namespace apigee \
--atomic \
-f overrides.yaml
- For information on upgrading, see Upgrading Apigee hybrid to version 1.12.0-hotfix.1.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
340889560 | Added csi to the apigee-logger SCC. |
339849002 | Hashicorp Vault integration issues fixed for Google Service Account for Cassandra Backup/Restore. |
April 17, 2024
hybrid v1.12.0
On April 17, 2024 we released an updated version of the Apigee hybrid software, v1.12.0.
For information on upgrading, see Upgrading Apigee hybrid to version v1.12.0. For information on new installations, see The big picture.
A new suite of metrics for monitoring Apigee proxies and target endpoints is now available for Hybrid 1.12.
You can now add your own contractEncryptionKey
for new Apigee hybrid installations. For details, see Data encryption.
The JAR file dependencies required to create a Java callout are now hosted securely in Artifact Registry.
For more information on downloading the JAR dependencies from Artifact Regsitry, see Compile your code with Maven.
Hybrid 1.12 validates required conditions are satisfied before allowing Runtime services to be created. See Diagnosing issues with guardrails.
Apigee hybrid now supports Workload Identity Federation for component authentication on AKS and EKS installations. See Enabling Workload Identity Federation on AKS and EKS.
Hybrid v1.12 now supports storing service account keys in Hashicorp Vault. See Storing service account keys in Hashicorp Vault.
The apigeectl
command-line tool is deprecated. as of April 17, 2024. The apigeectl
tool is not supported for Apigee hybrid v1.12. Support for apigeectl
for hybrid v1.10 and v1.11 will end on April 17, 2025. For more information, see apigeectl deprecation.
The Proxyv2
and targetv2
metrics suite is deprecated. The Apigee hybrid v1.12 release supports the new proxy and target metrics by default. Support for Proxyv2
and targetv2
metrics in hybrid v 1.10 and v1.11 will end on April 17, 2025. For more information, see ProxyV2 and TargetV2 deprecation.
Bug ID | Description |
---|---|
284034011 | Modified Apigee Watcher and Apigee Ingress to leverage a sidecar instead of pod/exec for collecting ingress routing status. |
298202120 | The Datastore component now uses Cassandra 4. |
311705715 | Use a non-default service account for the remove-dc component. (Fixed in Apigee hybrid 1.10.3-hotfix.4, 1.10.4, and 1.11.1) |
306341401 | Fixed regression where virtualhost cipherSuites overrides weren't being used. (Fixed in Apigee hybrid 1.10.4 and 1.11.1) |
302186503 | Added the missing HTTP proxy template settings to the Apigee Hybrid Helm datastore component. (Fixed in Apigee hybrid 1.10.4) |
300542690 | Added dedicated service accounts for Apigee Connect, Redis, and UDCA to prevent Kubernetes from automatically injecting credentials for a specified Service Account or the default Service Account. (Fixed in Apigee hybrid 1.10.4) |
277353680 | Fixed issue causing target server HealthMonitors to continue beyond revision or deletion of the proxy. Target health checks are now terminated as soon as the proxy is removed from the runtime (undeployed or deleted). Note: There may be a delay between removal of the proxy and termination of the target server health checks. (Fixed in Apigee hybrid 1.10.4) |
These security bugs were fixed in Apigee hybrid v1.12.0
These security bugs were fixed in Apigee hybrid v1.10.4.
Bug ID | Description |
---|---|
315034009 | Security fixes: apigee-asm-ingress and apigee-asm-istiod (ingressgateway and ingressgateway-controller ) are upgraded to Service Mesh version 1.17.8-asm.4. This addresses the following vulnerabilities:
|
311167948 | A security issue was addressed. |
303460289 | Security fixes for apigee-prometheus-adapter . This addresses the following vulnerabilities: |
303459588 | Security fixes for apigee-prom-prometheus . This addresses the following vulnerabilities: |
300319489 | Security fixes for fluentd . This addresses the following vulnerabilities: |
294892189 | Security fixes for apigee-diagnostics-collector . This addresses the Guava vulnerability: |
N/A | Security fixes for apigee-cassandra-backup-utility and apigee-prom-prometheus . This addresses the following vulnerabilities:
|
N/A | Security fixes for apigee-fluent-bit . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-hybrid-cassandra and apigee-hybrid-cassandra-client . This addresses the following vulnerabilities:
|
N/A | Security fixes for apigee-installer , apigee-operators , and apigee-watcher . This addresses the following vulnerabilities:
|
N/A | Security fixes for apigee-kube-rbac-proxy . This addresses the following vulnerabilities: |
These security bugs were fixed in Apigee hybrid v1.11.1.
Bug ID | Description |
---|---|
315034009 | Security fixes: apigee-asm-ingress and apigee-asm-istiod (ingressgateway and ingressgateway-controller ) are upgraded to Service Mesh version 1.17.8-asm.4. This addresses the following vulnerabilities:
|
303460289 | Security fixes to apigee-prometheus-adapter . This addresses the following vulnerabilities: |
303459588 | Security fixes to apigee-prom-prometheus . This addresses the following vulnerabilities: |
303292806 | Restrict connections from the Cassandra backup utility to Cassandra server pods in the apigee namespace. |
N/A | Security fixes to apigee-cassandra-backup-utility . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-fluent-bit . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-hybrid-cassandra . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-hybrid-cassandra-client . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-kube-rbac-proxy . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-installer , apigee-operators , and apigee-watcher . This addresses the following vulnerabilities:
|
These security bugs were fixed in Apigee hybrid v1.11.1-hotfix.1.
Bug ID | Description |
---|---|
324460830 | Security fix for apigee-ingress. This addresses the following vulnerabilities: |
These security bugs were fixed in Apigee hybrid v1.10.4-hotfix.1.
Bug ID | Description |
---|---|
324460830 | Security fix for apigee-ingress. This addresses the following vulnerabilities: |
February 09, 2024
hybrid 1.11.1-hotfix.1
On February 9, 2024 we released an updated version of the Apigee hybrid software, v1.11.1-hotfix.1.
This release addresses the security concerns in GCP-2024-007 from Google Anthos Service Mesh.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.11.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
324460830 | Security fix for apigee-ingress. This addresses the following vulnerabilities: |
hybrid 1.10.4-hotfix.1
On February 9, 2024 we released an updated version of the Apigee hybrid software, v1.10.4-hotfix.1.
This release addresses the security concerns in GCP-2024-007 from Google Anthos Service Mesh.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
324460830 | Security fix for apigee-ingress. This addresses the following vulnerabilities: |
December 21, 2023
hybrid v1.11.1
On December 21, 2023 we released an updated version of the Apigee hybrid software, 1.11.1.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.11.1.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
311705715 | Use a non-default service account for the remove-dc component. |
306341401 | Fixed regression where virtualhost cipherSuites overrides weren't being used. |
Bug ID | Description |
---|---|
315034009 | Security fixes: apigee-asm-ingress and apigee-asm-istiod (ingressgateway and ingressgateway-controller ) are upgraded to Service Mesh version 1.17.8-asm.4. This addresses the following vulnerabilities:
|
303460289 | Security fixes to apigee-prometheus-adapter . This addresses the following vulnerabilities: |
303459588 | Security fixes to apigee-prom-prometheus . This addresses the following vulnerabilities: |
303292806 | Restrict connections from the Cassandra backup utility to Cassandra server pods in the apigee namespace. |
N/A | Security fixes to apigee-cassandra-backup-utility . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-fluent-bit . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-hybrid-cassandra . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-hybrid-cassandra-client . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-kube-rbac-proxy . This addresses the following vulnerabilities: |
N/A | Security fixes to apigee-installer , apigee-operators , and apigee-watcher . This addresses the following vulnerabilities:
|
December 18, 2023
hybrid v1.10.4
On December 18, 2023 we released an updated version of the Apigee hybrid software, 1.10.4.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.10.4.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
311705715 | Use a non-default service account for the remove-dc component. |
306341401 | Fixed regression where virtualhost cipherSuites overrides weren't being used. |
302186503 | Add the missing HTTP proxy template settings to the Apigee Hybrid Helm datastore component. |
300542690 | Added dedicated service accounts for Apigee Connect, Redis, and UDCA to prevent Kubernetes from automatically injecting credentials for a specified Service Account or the default Service Account. |
277353680 | Fixed issue causing target server HealthMonitors to continue beyond revision or deletion of the proxy. Target health checks are now terminated as soon as the proxy is removed from the runtime (undeployed or deleted). Note: There may be a delay between removal of the proxy and termination of the target server health checks. |
Bug ID | Description |
---|---|
315034009 | Security fixes: apigee-asm-ingress and apigee-asm-istiod (ingressgateway and ingressgateway-controller ) are upgraded to Service Mesh version 1.17.8-asm.4. This addresses the following vulnerabilities:
|
311167948 | A security issue was addressed. |
303460289 | Security fixes for apigee-prometheus-adapter . This addresses the following vulnerabilities: |
303459588 | Security fixes for apigee-prom-prometheus . This addresses the following vulnerabilities: |
300319489 | Security fixes for fluentd . This addresses the following vulnerabilities: |
294892189 | Security fixes for apigee-diagnostics-collector . This addresses the Guava vulnerability: |
N/A | Security fixes for apigee-cassandra-backup-utility and apigee-prom-prometheus . This addresses the following vulnerabilities:
|
N/A | Security fixes for apigee-fluent-bit . This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-hybrid-cassandra and apigee-hybrid-cassandra-client . This addresses the following vulnerabilities:
|
N/A | Security fixes for apigee-installer , apigee-operators , and apigee-watcher . This addresses the following vulnerabilities:
|
N/A | Security fixes for apigee-kube-rbac-proxy . This addresses the following vulnerabilities: |
December 01, 2023
hybrid 1.10.3-hotfix.4
On December 1, 2023 we released an updated version of the Apigee hybrid software, v1.10.3-hotfix.4.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
311705715 | Mount a dedicated service account to the remove-dc component. |
Bug ID | Description |
---|---|
311167948 | A security issue was addressed. |
November 17, 2023
hybrid v1.11.0
On November 17, 2023 we released an updated version of the Apigee hybrid software, v1.11.0.
- For information on upgrading, see Upgrading Apigee hybrid to version v1.11.0.
- For information on new installations, see The big picture.
Helm charts management for Apigee hybrid
Starting in version v1.11.0, you have the choice of installing and managing your clusters with either Helm or apigeectl
. You cannot manage a cluster with both. Apigee recommends using Helm for new hybrid installations. See Apigee hybrid Helm charts reference.
Vault integration for Cassandra credentials (preview)
Starting in version v1.11.0, you can store Cassandra credentials in Hashicorp Vault.
Note: Using Vault requires Helm management of your Apigee installation.
See Storing Cassandra credentials in Hashicorp Vault.
Vault integration is in preview as of the Apigee hybrid 1.11.0 release.
Apigee Advance API Security Actions for Apigee hybrid
Advanced API Security's new Security Actions feature is now available in Apigee hybrid.
With this release, the HeaderName
element is available as a child element of Authentication
. This element appears in the ServiceCallout and ExternalCallout policies, and in the TargetEndpoint proxy configuration.
By default, when an Authentication
configuration is present, Apigee generates and injects a bearer token into the Authorization
header, in the message sent to the target system. The new HeaderName
element allows you to specify the name of a different header to hold that bearer token.
Bug ID | Description |
---|---|
295929616 | Installation of Hybrid 1.10.x would fail on OpenShift due to out of memory issues. (Fixed in Apigee hybrid v1.10.3) |
294069799 | Updated the security context settings for the Apigee Hybrid Backup and Restore pod. |
292571089 | An error with support for CSI backup and restore for Cassandra was fixed. (Fixed in Apigee hybrid v1.10.3) |
292118812 | Fixed UDCA regression in Hybrid 1.10.1 where UDCA would ignore forward proxy configuration. (Fixed in Apigee hybrid v1.10.2) |
289254725 | Implemented a fix to prevent failure of proxy deployments that include the OASValidation policy. (Fixed in Apigee hybrid v1.10.1) |
287321226 | Security context has been corrected for apigee-prom-prometheus to avoid privilege escalation. (Fixed in Apigee hybrid v1.10.3) |
277353680 | Fixed issue causing target server HealthMonitors to continue beyond revision or deletion of the proxy. Target health checks are now terminated as soon as the proxy is removed from the runtime (undeployed or deleted). Note: There may be a delay between removal of the proxy and termination of the target server health checks. (Fixed in Apigee X) |
240180122 | Disable privilege escalation on the cassandra container by moving the ulimit settings to the newly introduced initContainer "apigee-cassandra-ulimit-init". If you are using security controls with gatekeeper, ensure that apigee-cassandra-ulimit-init initContainer can runAs user, group as 0 and allow capabilities IPC_LOCK and SYS_RESOURCES. (Fixed in Apigee hybrid v1.11.0) |
205666368 | Fixed issue with default validation of TLS target endpoint certificates. To enable strict SSL on southbound connections to a proxy target endpoint, add the tag See About setting TLS options in a target endpoint or target server. See also Known Issue #205666368. (Fixed in Apigee hybrid v1.10.3-hotfix.1) |
158132963 | Added improvements to capture relevant target flow variables in trace and analytics in case of target timeouts. (Fixed in Apigee hybrid v1.10.2) |
Bug ID | Description |
---|---|
303292806 | Set backup utility to only connect to Cassandra server pods in the apigee namespace. (Fixed in Apigee hybrid v1.10.3-hotfix.3) |
300542690 | Added dedicated service accounts for Apigee Connect, Redis, and UDCA to prevent Kubernetes from automatically injecting credentials for a specified ServiceAccount or the default ServiceAccount. (Fixed in Apigee hybrid v1.10.3-hotfix.3) |
297938600, 297938559, 297938486, 294892344 |
Security fixes for apigee-diagnostics-collector . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
297938498, 297938487 |
Security fixes for apigee-fluent-bit .(Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
297938441 | Security fixes for apigee-runtime . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
297286274 | Security fixes for apigee-installer . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
296719459, 296719400, 296719348, 296719307, 296719306, 296719188, 296719187, 296719186, 296719115, 296719018, 296718937, 296718918, 296718917, 296718916, 296716670, 296716669, 296716472, 296716471, 296715155 |
Security fixes for apigee-hybrid-cassandra . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
296717666, 296717283, 296716668, 296716667, 296716650, 296716635, 296716634, 296716633, 296716470, 296716234, 296715734, 296715733, 296715154, 296715153 |
Security fixes for apigee-hybrid-cassandra-client . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
296717665, 296717664, 296717663, 296717662, 296717185, 296716666, 296716649, 296716632, 296716468, 296716467, 296716232, 296715152, 296715151, 296714218 |
Security fixes for apigee-cassandra-backup-utility . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
295936113 | Security fixes for apigee-mart-server . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerability: |
294906706 | Security fixes for apigee-prom-prometheus . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities:
|
293925856 | Security fixes for apigee-prometheus-adapter . (Fixed in Apigee hybrid v1.10.3) This addresses the following vulnerabilities: |
293348130 | Security fixes for apigee-udca . (Fixed in Apigee hybrid v1.10.2) This addresses the following vulnerabilities: |
291994501 | Security fixes for apigee-operator and apigee-watcher . (Fixed in Apigee hybrid v1.10.2) This addresses the following vulnerabilities: |
291994501 | Security fixes for apigee-installer . (Fixed in Apigee hybrid v1.10.2) This addresses the following vulnerabilities:
|
290829031 | Security fixes for apigee-hybrid-cassandra , apigee-cassandra-client , and cassandra-backup-utility . (Fixed in Apigee hybrid v1.10.2) This addresses the following vulnerabilities: |
290829028 | Security fixes for Apigee Connect and apigee-connect-agent and apigee-redis . (Fixed in Apigee hybrid v1.10.2) This addresses the following vulnerabilities: |
290068742 | Security fixes for apigee-udca . (Fixed in Apigee hybrid v1.10.1) This addresses the following vulnerability: |
290067464, 297938583 | Security fixes for apigee-stackdriver-logging-agent . (Fixed in Apigee hybrid v1.10.1) This addresses the following vulnerabilities: |
290065830 | Security fixes for apigee-udca . (Fixed in Apigee hybrid v1.10.1) This addresses the following vulnerability: |
281561243 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.10.1) This addresses the following vulnerability: |
N/A | Security fixes for apigee-prometheus-adapter . (Fixed in Apigee hybrid hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-prom-prometheus/master . (Fixed in Apigee hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-kube-rbac-proxy . (Fixed in Apigee hybrid hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-hybrid-cassandra . (Fixed in Apigee hybrid hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-fluent-bit . (Fixed in Apigee hybrid hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-cassandra-backup-utility , apigee-hybrid-cassandra-client , and apigee-connect-agent . (Fixed in Apigee hybrid v1.11) This addresses the following vulnerabilities: |
N/A | Security fixes for apigee-asm-ingress and apigee-asm-istiod . (Fixed in Apigee hybrid v1.11) This addresses the following vulnerabilities: |
October 17, 2023
hybrid v1.10.3-hotfix.3
On October 17, 2023 we released an updated version of the Apigee hybrid software, v1.10.3-hotfix.3.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
303292806 | Set backup utility to only connect to Cassandra server pods in the apigee namespace. |
300542690 | Added dedicated service accounts for Apigee Connect, Redis, and UDCA to prevent Kubernetes from automatically injecting credentials for a specified ServiceAccount or the default ServiceAccount. |
October 13, 2023
hybrid v1.10.3-hotfix.2
On October 13, 2023 we released an updated version of the Apigee hybrid software, v1.10.3-hotfix.2.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
304681330 | Security fix for apigee-ingress. This addresses the following vulnerability: CVE-2023-44487 |
305127632 | Security bulletin published. GCP-2023-032 |
hybrid v1.9.4-hotfix.1
On October 13, 2023 we released an updated version of the Apigee hybrid software, v1.9.4-hotfix.1.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.9.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
304681330 | Security fix for apigee-ingress. This addresses the following vulnerability: CVE-2023-44487 |
305127632 | Security bulletin published. GCP-2023-032 |
Description
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the Apigee Ingress (Anthos Service Mesh) server used by Apigee hybrid. The vulnerability could lead to a DoS of Apigee API management functionality.
Affected Products
Apigee hybrid instances that allow HTTP/2 requests to reach the Apigee Ingress are affected. Customers should verify if the load balancers fronting their Apigee hybrid ingresses allow for HTTP/2 requests to reach the Apigee Ingress service.
What Should I Do?
Apigee hybrid customers will need to upgrade to one of the following patch versions:
- v1.10.3-hotfix.2 which will be released by Friday, October 13, 2023
- v1.9.4-hotfix.1 which will be released by Friday, October 13, 2023
What Vulnerabilities Are Addressed By These Patches?
The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Apigee ingresses.
September 14, 2023
hybrid 1.10.3-hotfix.1
On September 14, 2023 we released an updated version of the Apigee hybrid software, 1.10.3-hotfix.1.
- To install the hotfix, follow the instructions in Install 1.10.3-hotfix.1.
- For new installations, see The big picture and then apply the hotfix to the new installation with the instructions in Install 1.10.3-hotfix.1.
Bug ID | Description |
---|---|
205666368 | Fixed issue with default validation of TLS target endpoint certificates. To enable strict SSL on southbound connections to a proxy target endpoint, add the tag See About setting TLS options in a target endpoint or target server. See also Known Issue #205666368. |
August 31, 2023
hybrid v1.10.3
On August 31, 2023 we released an updated version of the Apigee hybrid software, v1.10.3.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
295929616 | Installation of Hybrid 1.10.x would fail on OpenShift due to out of memory issues. |
292571089 | An error with support for CSI backup and restore for Cassandra was fixed. |
287321226 | Security context has been corrected for apigee-prom-prometheus to avoid privilege escalation. |
Bug ID | Description |
---|---|
296717665, 296717664, 296717663, 296717662, 296717185, 296716666, 296716649, 296716632, 296716468, 296716467, 296716232, 296715152, 296715151, 296714218 |
Security fixes for apigee-cassandra-backup-utility . This addresses the following vulnerabilities: |
297938600, 297938559, 297938486, 294892344 |
Security fixes for apigee-diagnostics-collector . This addresses the following vulnerabilities: |
297938498, 297938487 |
Security fixes for apigee-fluent-bit . This addresses the following vulnerabilities: |
296719459, 296719400, 296719348, 296719307, 296719306, 296719188, 296719187, 296719186, 296719115, 296719018, 296718937, 296718918, 296718917, 296718916, 296716670, 296716669, 296716472, 296716471, 296715155 |
Security fixes for apigee-hybrid-cassandra . This addresses the following vulnerabilities: |
296717666, 296717283, 296716668, 296716667, 296716650, 296716635, 296716634, 296716633, 296716470, 296716234, 296715734, 296715733, 296715154, 296715153 |
Security fixes for apigee-hybrid-cassandra-client . This addresses the following vulnerabilities: |
297286274 | Security fixes for apigee-installer . This addresses the following vulnerabilities: |
295936113 | Security fixes for apigee-mart-server . This addresses the following vulnerability: |
297938441 | Security fixes for apigee-runtime . This addresses the following vulnerabilities: |
294906706 | Security fixes for apigee-prom-prometheus . This addresses the following vulnerabilities:
|
293925856 | Security fixes for apigee-prometheus-adapter . This addresses the following vulnerabilities: |
July 31, 2023
hybrid v1.10.2
On July 31, 2023 we released an updated version of the Apigee hybrid software, v1.10.2.
- To install the hotfix, follow the instructions in Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
292118812 | Fixed UDCA regression in Hybrid 1.10.1 where UDCA would ignore forward proxy configuration. |
205666368 | Fixed issue with default validation of TLS target endpoint certificates. To enable strict SSL on southbound connections to a proxy target endpoint, add the tag See About setting TLS options in a target endpoint or target server. See also Known Issue #205666368. |
158132963 | Added improvements to capture relevant target flow variables in trace and analytics in case of target timeouts. |
Bug ID | Description |
---|---|
293348130 | Security fixes for apigee-udca . This addresses the following vulnerabilities: |
291994501 | Security fixes for apigee-operator and apigee-watcher . This addresses the following vulnerabilities: |
291994501 | Security fixes for apigee-installer . This addresses the following vulnerabilities:
|
290829031 | Security fixes for apigee-hybrid-cassandra , apigee-cassandra-client , and cassandra-backup-utility . This addresses the following vulnerabilities: |
290829028 | Security fixes for Apigee Connect and apigee-connect-agent and apigee-redis . This addresses the following vulnerabilities: |
July 21, 2023
hybrid v1.9.4
On July 21, 2023 we released an updated version of the Apigee hybrid software, v1.9.4.
- For information on upgrading, see Upgrading Apigee hybrid to version v1.9.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
289254725 | Implemented a fix to prevent failure of proxy deployments that include the OASValidation policy. |
279712107 | Added the ability to annotate apigee-ingressgateway-manager pods through overrides.yaml file. See istiod.annotations for details. |
272212164 | Cassandra CSI backup could clash with Azure default configuration. The CSI backup script has been fixed to prevent a resource naming issue that could cause backups to fail. |
158132963 | Added improvements to capture relevant target flow variables in trace and analytics in case of target timeouts. |
Bug ID | Description |
---|---|
290709899 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerability: |
290829028 | Security fixes for Apigee Connect and apigee-connect-agent and apigee-redis . This addresses the following vulnerabilities: |
July 13, 2023
hybrid v1.10.1
On July 13, 2023 we released an updated version of the Apigee hybrid software, v1.10.1.
- For information on upgrading, see Upgrading Apigee hybrid to version v1.10.1.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
289254725 | Implemented a fix to prevent failure of proxy deployments that include the OASValidation policy. |
Bug ID | Description |
---|---|
281561243 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerability: |
290067464 | Security fixes for apigee-stackdriver-logging-agent . This addresses the following vulnerability: |
290068742 | Security fixes for apigee-udca . This addresses the following vulnerability: |
290065830 | Security fixes for apigee-udca . This addresses the following vulnerability: |
June 30, 2023
hybrid v1.10
On June 30, 2023 we released an updated version of the Apigee hybrid software, v1.10.0.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.10.
- For information on new installations, see The big picture.
Pre-install Cluster Check Kubernetes job
Starting in version 1.10, Apigee hybrid offers a new tool that examines the hybrid cluster before you install the hybrid runtime. See Step 8: Check cluster readiness .
Automated Issue Surfacing (AIS)
Starting with Apigee hybrid 1.10, Apigee hybrid offers a new tool that examines the hybrid runtime and surfaces issues by running a kubectl
command. If the tool detects errors in the cluster, it returns a detailed error message. The error message contains a link to the troubleshooting guide for that specific error. See Automated issue surfacing and Configuration property reference, watcher
.
Support for AppGroups (preview)
Starting in version 1.10, Apigee hybrid supports AppGroups, which represent a relationship between one or more apps that are managed by the same set of people. For information, see Using AppGroups to organize app ownership.
AppGroups is in preview as of the Apigee hybrid 1.10 release. See the AppGroups preview launch announcement for details.
Support for environment-level scaling
Starting in version 1.9.3, Apigee hybrid added the following environment configuration properties that enable you to specify environment-specific scaling in the overrides.yaml
file:
envs[].runtime.replicaCountMax
envs[].runtime.replicaCountMin
envs[].synchronizer.replicaCountMax
envs[].synchronizer.replicaCountMin
envs[].udca.replicaCountMax
envs[].udca.replicaCountMin
Documentation: Environment-based scaling
Bug ID | Description |
---|---|
181569522 | You can now create a new environment with the same name as a deleted environment without needing to perform manual clean-up tasks first. (Fixed in Apigee hybrid v1.8.5 and v1.7.6) |
209509030 | Apigee Ingressgateway cannot access K8s secret from another namespace. |
218567150 | The ingress gateway is now configured to consistently preserve UUID in the x-request-id header. Note: This setting does have some impact on tracing in the ingress gateway. For more information, see pack_trace_reason in "UUID (proto)" in the envoy documentation. (Fixed in Apigee hybrid v1.7.6 and v1.8.3) |
223320630 | mTLS-related client variables are now set by the Apigee runtime. (Fixed in Apigee hybrid v1.8.6) |
245619397 | In Apigee hybrid, fluentbit support now includes the NO_PROXY environment variable. (Fixed in Apigee hybrid v1.8.5, v1.8.6, and v1.9.1) |
259264961 | Added support for ASM v1.15. Please see Known issue 266452840 (Fixed in Apigee hybrid v1.7.6) |
260342163 | Fixed a narrow scenario where threads in runtime pods ended up consuming 100% CPU. (Fixed in Apigee hybrid v1.9.1) |
260372012 | Requests failed with 500 response and keyvaluemap.service.ErrorDuringDecryption error after upgrade to Hybrid 1.8. Note: Fixed in Apigee hybrid 1.8.4 and newer. (Fixed in Apigee hybrid v1.8.5) |
262699558 | The watcher component no longer fails when using Kubernetes Secret to store hybrid service account secret. (Fixed in Apigee hybrid v1.7.6) |
263840644 | Fixed a conflict with an existing ASM on the cluster. (Fixed in Apigee hybrid v1.8.6) |
265374889 | Fixed an issue where in some circumstances the Java Callout would to fail due with the following error: Failed to execute JavaCallout. Could not initialize class org.jose4j.jwa.AlgorithmFactoryFactory2. (Fixed in Apigee hybrid v1.9.1) |
266411394 | Add support for Azure Front Door request headers to /healthz health check. (Fixed in Apigee hybrid v1.8.5 and v1.9.1) |
266594584 | Websocket was failing in asm 1.15. This was due to incompatible capitalization in variable names between the Anthos Service Mesh overlay.yaml file and the and the Envoy filter apigee-envoyfilter.yaml file. (Fixed in Apigee hybrid v1.8.5 and v1.9.1) |
266814873 | In certain circumstances, retrieving encrypted KVM entries could fail with an error. This fix ensures that MART will be able to successfully function for environment-scoped KVM entries, even if the encryption key is used in the Org Env configuration or when the keys contain non-UTF8 characters. There is no change to KVM data. (Fixed in Apigee hybrid v1.8.6 and v1.9.1) |
266989915 266919136 |
In some circumstances, Apigee could return incorrect developer credentials for an app, unless the specific app was selected when requesting the credentials. (Fixed in Apigee hybrid v1.9.1) |
267666187 | When using a custom Kubernetes service for the Apigee ingress gateway, you can disable the creation of a default load balancer. See Managing Apigee ingress gateway. (Fixed in Apigee hybrid v1.8.6 and v1.9.1) |
267691299 265295406 |
The Apigee controller uses a dedicated apigee-manager Kubernetes service account, instead of using the default SA. (Fixed in Apigee hybrid v1.8.6 and v1.9.1) |
268445095 | The validateOrg flag can be set to false to bypass upgrade validation errors when configuration includes HTTP Forward proxy. You can use this to avoid upgrade errors caused by HTTP proxy settings. (Fixed in Apigee hybrid v1.7.6) |
268696297 | Providing a Kubernetes secret for Cassandra and Redis components is now supported. See cassandra.auth.secret and redis.auth.secret in the Configuration properties reference. (Fixed in Apigee hybrid v1.9.1) |
269451743 | In certain circumstances, upgrading from Apigee hybrid v1.8.3 to v1.9.0 could fail with an error message when creating the virtual hosts. (Fixed in Apigee hybrid v1.9.1) |
269738951 | The example network policies are now included in the apigeectl/examples/network-policies directory. see Configuring Kubernetes network policies. (Fixed in Apigee hybrid v1.9.1) |
270371160 | In Apigee hybrid v1.8.7, we removed certain insecure TLS ciphers. Apigee hybrid supports the TLS cipher suites supported by the Boring FIPS build of Envoy. You can now specify specific cipher suites with the virtualhosts.cipherSuites configuration property in your overrides. (Fixed in Apigee hybrid v1.8.7) Note: Apigee hybrid only supports the RSA ciphers listed. ECDSA ciphers are not supported. |
270371160 | In Apigee hybrid v1.9.0, we removed certain insecure TLS ciphers. Apigee hybrid supports the TLS cipher suites supported by the Boring FIPS build of Envoy. You can now specify specific cipher suites with the virtualhosts.cipherSuites configuration property in your overrides. (Fixed in Apigee hybrid v1.9.2) Note: Apigee hybrid only supports the RSA ciphers listed. ECDSA ciphers are not supported. |
271266079 | Removed port 80 from the default Kubernetes service of Apigee Ingress Gateway. (Fixed in Apigee hybrid v1.8.6 and v1.9.1) |
272212164 | Cassandra CSI backup could clash with Azure default configuration. The CSI backup script has been fixed to prevent a resource naming issue that could cause backups to fail. (Fixed in Apigee hybrid v1.9.4 and v1.10.0) |
273561434 | Some projects were unable to run debug sessions. (Fixed in Apigee hybrid v1.8.8 and v1.9.3) |
274292101 | In certain circumstances, environment-scoped KVMs in hybrid could cause rollback issues for MART. (Fixed in Apigee hybrid v1.8.6) |
274999014 | Restrict watcher RBAC to a single K8s namespace |
278646149 | In certain circumstances, the logger.livenessProbe.timeoutSeconds configuration property was not working as expected. See logger.livenessProbe.timeoutSeconds in the Configuration property reference. (Fixed in Apigee hybrid v1.8.7 and v1.9.2) |
279053612 | x-forwarded-client-cert (XFCC) HTTP headers handled with the istiod.forwardClientCertDetails configuration property. (Fixed in Apigee hybrid v1.8.7 and v1.9.2) See the Configuration properties reference for details: |
279193831 | Envoy has been updated to v1.25.6.. (Fixed in Apigee hybrid v1.8.8) |
279712107 | Added the ability to annotate apigee-ingressgateway-manager pods through overrides.yaml file . (Fixed in Apigee hybrid v1.8.8) |
280544499 | Request headers were not seen in debug sessions. (Fixed in Apigee hybrid v1.8.8) |
284488296 | Removed an unneeded Workload Identity on the Cassandra Schema Validation cron job. (Fixed in Apigee hybrid v1.8.8 and v1.9.3) |
Bug ID | Description |
---|---|
270371160 | In Apigee hybrid v1.9.0, we removed certain insecure TLS ciphers. Apigee hybrid supports the TLS cipher suites supported by the Boring FIPS build of Envoy. Note: Apigee hybrid only supports the RSA ciphers listed. ECDSA ciphers are not supported. |
271266079 | Removed port 80 from the default Kubernetes service of Apigee Ingress Gateway. Port 80 is not supported by Apigee ingress gateway. If you are migrating from ASM to Apigee ingress gateway, and followed the instructions in the community post to enable Port 80, it will not work with Apigee Ingress gateway. (Fixed in Apigee hybrid v1.8.6 and v1.9.1) |
Bug ID | Description |
---|---|
262576079 | Security fix for for apigee-envoy . (Fixed in Apigee hybrid v1.10)This addresses the following vulnerability: |
273797045 | Security fix for for apigee-diagnostics-collector apigee-synchronizer apigee-udca . (Fixed in Apigee hybrid v1.8.8)This addresses the following vulnerability: |
273800345, 281572616 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , apigee-synchronizer , and apigee-udca . (Fixed in Apigee hybrid v1.8.8 and v1.9.3This addresses the following vulnerabilities: |
273800717 | Security fixes for apigee-emulator , apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-mock-server , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.8.7 and v1.9.2)This addresses the following vulnerabilities: |
273800965 | Security fix for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.8.7, v1.9.2, and v1.9.3)This addresses the following vulnerability: |
273801301 | Security fixes for apigee-mart-server and apigee-runtime .(Fixed in Apigee hybrid v1.8.8 and v1.9.3)This addresses the following vulnerability: |
274112103 | Security fixes to the Apigee Controller and Apigee Watcher. (Fixed in Apigee hybrid v1.8.6 and v1.9.1) This addresses the following vulnerabilities: |
275002360 | Security fixes for fluent-bit . (Fixed in Apigee hybrid v1.8.6 and v1.9.1)This addresses the following vulnerabilities: |
277367440 | Security fixes for Apigee Controller, Watcher, and apigeectl . (Fixed in Apigee hybrid v1.8.7 and v1.9.2)This addresses the following vulnerabilities: |
278313047 | Security fixes for apigee-stackdriver-logging-agent . (Fixed in Apigee hybrid v1.9.2)This addresses the following vulnerabilities: |
279194142 | Fixes build issues to achieve FIPS compliance. (Fixed in Apigee hybrid v1.8.7 and v1.9.2) |
281561243 | Security fix for apigee-diagnostics-collector , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.8.8 and v1.9.3)This addresses the following vulnerability: |
283826216 | Security fixes for apigee-ingressgateway . (Fixed in Apigee hybrid v1.9.3)This addresses the following vulnerabilities: |
283826785 | Security fixes for istiod . (Fixed in Apigee hybrid v1.9.3)This addresses the following vulnerabilities: |
June 14, 2023
hybrid v1.8.8
On June 14, 2023 we released an updated version of the Apigee hybrid software, v1.8.8.
- For information on upgrading, see Upgrading Apigee hybrid to version v1.8.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
273561434 | Some projects were unable to run debug sessions.. |
279193831 | Envoy has been updated to v1.25.6.. |
279712107 | Added the ability to annotate apigee-ingressgateway-manager pods through overrides.yaml file . |
280544499 | Request headers were not seen in debug sessions. |
284488296 | Removed an unneeded Workload Identity on the Cassandra Schema Validation cron job. |
Bug ID | Description |
---|---|
281561243 | Security fix for apigee-diagnostics-collector , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerability: |
273797045 | Security fix for for apigee-diagnostics-collector apigee-synchronizer apigee-udca . This addresses the following vulnerability: |
273800345, 281572616 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , apigee-synchronizer , and apigee-udca . This addresses the following vulnerabilities: |
273801301 | Security fixes for apigee-mart-server and apigee-runtime . This addresses the following vulnerability: |
June 05, 2023
ANNOUNCEMENT
hybrid v1.9.3
On June 5, 2023 we released an updated version of the Apigee hybrid software, v1.9.3.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.9.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
284488296 | Removed an unneeded Workload Identity on the Cassandra Schema Validation cron job. |
273561434 | Some projects were unable to run debug sessions. |
Bug ID | Description |
---|---|
273800965 | Security fix for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerability: |
273800345, 281572616 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , apigee-synchronizer , and apigee-udca . This addresses the following vulnerabilities: |
273801301 | Security fixes for apigee-mart-server and apigee-runtime . This addresses the following vulnerability: |
283826216 | Security fixes for apigee-ingressgateway . This addresses the following vulnerabilities: |
283826785 | Security fixes for istiod . This addresses the following vulnerabilities: |
281561243 | Security fix for apigee-diagnostics-collector , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerability: |
May 08, 2023
hybrid v1.8.7
On May 8, 2023 we released an updated version of the Apigee hybrid software, v1.8.7.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
279053612 | x-forwarded-client-cert (XFCC) HTTP headers handled with the istiod.forwardClientCertDetails configuration property. See istiod.forwardClientCertDetails in the Configuration properties reference for details. |
278646149 | In certain circumstances, the logger.livenessProbe.timeoutSeconds configuration property was not working as expected. See logger.livenessProbe.timeoutSeconds in the Configuration property reference. |
270371160 | In Apigee hybrid v1.8.7, we removed certain insecure TLS ciphers. Apigee hybrid supports the TLS cipher suites supported by the Boring FIPS build of Envoy. You can now specify specific cipher suites with the virtualhosts.cipherSuites configuration property in your overrides. Note: Apigee hybrid only supports the RSA ciphers listed. ECDSA ciphers are not supported. |
Bug ID | Description |
---|---|
279194142 | Fixes build issues to achieve FIPS compliance. |
277367440 | Security fixes for Apigee Controller, Watcher, and apigeectl . This addresses the following vulnerabilities: |
273800965 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-runtime , and synchronizer . This addresses the following vulnerabilities: |
273800717 | Security fixes for apigee-emulator , apigee-diagnostics-collector , apigee-mart-serve , apigee-mint-task-scheduler , apigee-mock-server , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerabilities: |
May 02, 2023
hybrid v1.9.2
On May 2, 2023 we released an updated version of the Apigee hybrid software, v1.9.2.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.9.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
279053612 | x-forwarded-client-cert (XFCC) HTTP headers handled with the istiod.forwardClientCertDetails configuration property. See istiod.forwardClientCertDetails in the Configuration properties reference for details. |
278646149 | In certain circumstances, the logger.livenessProbe.timeoutSeconds configuration property was not working as expected. See logger.livenessProbe.timeoutSeconds in the Configuration property reference. |
270371160 | In Apigee hybrid v1.9.0, we removed certain insecure TLS ciphers. Apigee hybrid supports the TLS cipher suites supported by the Boring FIPS build of Envoy. You can now specify specific cipher suites with the virtualhosts.cipherSuites configuration property in your overrides. Note: Apigee hybrid only supports the RSA ciphers listed. ECDSA ciphers are not supported. |
Bug ID | Description |
---|---|
279194142 | Fixes build issues to achieve FIPS compliance. |
278313047 | Security fixes for apigee-stackdriver-logging-agent . This addresses the following vulnerabilities: |
277367440 | Security fixes for Apigee Controller, Watcher, and apigeectl . This addresses the following vulnerabilities: |
273800965 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-runtime , and synchronizer . This addresses the following vulnerabilities: |
273800717 | Security fixes for apigee-emulator , apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-mock-server , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerabilities: |
April 03, 2023
hybrid v1.8.6
On April 3, 2023 we released an updated version of the Apigee hybrid software, v1.8.6.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
274292101 | In certain circumstances, environment-scoped KVMs in hybrid could cause rollback issues for MART. |
271266079 | Removed port 80 from the default Kubernetes service of Apigee Ingress Gateway. |
267691299 | The Apigee controller uses a dedicated apigee-manager Kubernetes service account, instead of using the default SA. |
267666187 | When using a custom Kubernetes service for the Apigee ingress gateway, you can disable the creation of a default load balancer. See Managing Apigee ingress gateway. |
266814873 | In certain circumstances, retrieving encrypted KVM entries could fail with an error. This fix ensures that MART will be able to successfully function for environment-scoped KVM entries, even if the encryption key is used in the Org Env configuration or when the keys contain non-UTF8 characters. There is no change to KVM data. |
263840644 | Fixed a conflict with an existing ASM on the cluster. |
245619397 | In Apigee hybrid, fluentbit support now includes the NO_PROXY environment variable. |
223320630 | mTLS-related client variables are now set by the Apigee runtime. |
Bug ID | Description |
---|---|
275002360 | Security fixes for fluent-bit . This addresses the following vulnerabilities: |
274112103 | Security fixes to the Apigee Controller and Apigee Watcher. This addresses the following vulnerabilities: |
Bug ID | Description |
---|---|
271266079 | Removed port 80 from the default Kubernetes service of Apigee Ingress Gateway. Port 80 is not supported by Apigee ingress gateway. If you are migrating from ASM to Apigee ingress gateway, and followed the instructions in the community post to enable Port 80, it will not work with Apigee Ingress gateway. |
March 27, 2023
hybrid v1.9.1
On March 27, 2023 we released an updated version of the Apigee hybrid software, v1.9.1.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.9.
- For information on new installations, see The big picture.
Bug ID | Description |
---|---|
269738951 | The example network policies are now included in the apigeectl/examples/network-policies directory. see Configuring Kubernetes network policies. |
271266079 | Removed port 80 from the default Kubernetes service of Apigee Ingress Gateway. |
269451743 | In certain circumstances, upgrading from Apigee hybrid v1.8.3 to v1.9.0 could fail with an error message when creating the virtual hosts. |
268696297 | Providing a Kubernetes secret for Cassandra and Redis components is now supported. See cassandra.auth.secret and redis.auth.secret in the Configuration properties reference. |
267691299 | The Apigee controller uses a dedicated apigee-manager Kubernetes service account, instead of using the default SA. |
267666187 | When using a custom Kubernetes service for the Apigee ingress gateway, you can disable the creation of a default load balancer. See Managing Apigee ingress gateway. |
266989915 266919136 |
In some circumstances, Apigee could return incorrect developer credentials for an app, unless the specific app was selected when requesting the credentials. |
266814873 | In certain circumstances, retrieving encrypted KVM entries could fail with an error. This fix ensures that MART will be able to successfully function for environment-scoped KVM entries, even if the encryption key is used in the Org Env configuration or when the keys contain non-UTF8 characters. There is no change to KVM data. |
266594584 | Websocket was failing in asm 1.15. This was due to incompatible capitalization in variable names between the Anthos Service Mesh overlay.yaml file and the and the Envoy filter apigee-envoyfilter.yaml file. |
266411394 | Added support for Azure Front Door request headers to /healthz health check. |
265374889 | Fixed an issue where in some circumstances the Java Callout would to fail due with the following error: Failed to execute JavaCallout. Could not initialize class org.jose4j.jwa.AlgorithmFactoryFactory2. |
260342163 | Fixed a narrow scenario where threads in runtime pods ended up consuming 100% CPU. |
245619397 | In Apigee hybrid, fluentbit support now includes the NO_PROXY environment variable. |
Bug ID | Description |
---|---|
275002360 | Security fixes for fluent-bit . This addresses the following vulnerabilities: |
274112103 | **Security fixes to the Apigee Controller and Apigee Watcher. This addresses the following vulnerabilities: |
Bug ID | Description |
---|---|
271266079 | Removed port 80 from the default Kubernetes service of Apigee Ingress Gateway. Port 80 is not supported by Apigee ingress gateway. If you are migrating from ASM to Apigee ingress gateway, and followed the instructions in the community post to enable Port 80, it will not work with Apigee Ingress gateway. |
February 24, 2023
hybrid v1.8.5
On February 24, 2023 we released an updated version of the Apigee hybrid software, v1.8.5.
For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Bug ID | Description |
---|---|
266594584 | Websocket was failing in asm 1.15. This was due to incompatible capitalization in variable names between the Anthos Service Mesh overlay.yaml file and the and the Envoy filter apigee-envoyfilter.yaml file. |
266411394 | Add support for Azure Front Door request headers to /healthz health check. |
260372012 | Requests failed with 500 response and keyvaluemap.service.ErrorDuringDecryption error after upgrade to Hybrid 1.8. Note: Fixed in Apigee hybrid 1.8.4 and newer. |
245619397 | In Apigee hybrid, fluentbit support now includes the NO_PROXY environment variable. |
181569522 | You can now create a new environment with the same name as a deleted environment without needing to perform manual clean-up tasks first. |
February 14, 2023
hybrid v1.7.6
On February 14, 2023 we released an updated version of the Apigee hybrid software, v1.7.6.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
Bug ID | Description |
---|---|
268445095 | The validateOrg flag can be set to false to bypass upgrade validation errors when configuration includes HTTP Forward proxy. You can use this to avoid upgrade errors caused by HTTP proxy settings. |
262699558 | The watcher component no longer fails when using Kubernetes Secret to store hybrid service account secret. |
181569522 | You can now create a new environment with the same name as a deleted environment without needing to perform manual clean-up tasks first. |
218567150 | The ingress gateway is now configured to consistently preserve UUID in the x-request-id header. Note: This setting does have some impact on tracing in the ingress gateway. For more information, see pack_trace_reason in "UUID (proto)" in the envoy documentation. (Also fixed in Apigee hybrid v1.8.3) |
259264961 | Added support for ASM v1.15. Please see Known issue 266452840 |
February 01, 2023
hybrid v1.9.0
On February 1, 2023 we released an updated version of the Apigee hybrid software, v1.9.0.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.9.
- For information on new installations, see The big picture.
Kubernetes network policies
Starting in version 1.9, Apigee hybrid offers new Kubernetes network policies to secure Cassandra and Redis pods within an Apigee Hybrid cluster. See Configuring Kubernetes network policies.
CSI Backup and Restore
Starting with Apigee hybrid 1.9, you can back up and restore your hybrid data using CSI (Container Storage Interface) snapshots. CSI backup generates disk snapshots and stores them as encrypted data in cloud storage. See Cassandra CSI backup and restore.
Custom ingress access logs
Starting in version 1.9, Apigee hybrid offers custom log formats for the Apigee Ingress gateway. See Customize Ingress access logs.
Target separate ingress gateways to virtual hosts
Starting in version 1.9, Apigee hybrid you can control how separate Apigee Ingress gateways map to specific virtual hosts. See Targeting an Apigee ingress to a virtual host.
Support for customer-installed Anthos Service Mesh deprecated
Starting in version 1.9, Apigee hybrid only supports the Apigee Ingress gateway for ingress, and no longer supports customer-installed Anthos Service Mesh. See:
Bug ID | Description |
---|---|
266356206 | A jackson-databind library error was causing OAS Validation errors when loading applications. The jackson-databind libraries have been updated to correctly parse null vs NullMode values. (Fixed in Apigee hybrid v1.9.0) |
262616276 | Apigee hybrid v1.9 adds support for Kubernetes in AKS v1.24+. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) |
260372012 | Requests failed with 500 response and keyvaluemap.service.ErrorDuringDecryption error after upgrade to Hybrid 1.8. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) |
260324159 | Solved up to 30 minute delay proxy deployment due to socket closed error in synchronizer. (Fixed in Apigee hybrid v1.9.0) |
259738092 | Intermittent 404's were seen at the Apigee Ingress Gateway due to an inconsistent configuration delivery mechanism. (Fixed in Apigee hybrid v1.8.3) |
258699204 | The default memory requests and limits for metrics pods that were inadvertently changed in 1.8.x. have been fixed. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) |
255677576 | In fresh installations with Apigee Ingress (instead of user-installed Anthos Service Mesh), the Apigee UI would sometimes show red (not working) status. This is because in certain circumstances Watcher did not send the correct deployment status due to using the wrong selector for the Apigee Ingress Gateway. (Fixed in Apigee hybrid v1.8.3) |
251435916 | Fixed an issue where in certain circumstances, MP pods would scale without traffic. (Fixed in Apigee hybrid v1.7.5) |
249144084 | Reuse existing target IPs if DNS resolution fail on DNS cache refresh. (Fixed in Apigee hybrid v1.8.1) |
245664917 | During the upgrade to Apigee hybrid 1.8.x, after running apigeectl init and confirming that check-ready succeeded, the Cassandra schema validation job was in an error state. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) |
243880171 | Upgrade from Apigee hybrid v1.7 to v1.8 could fail when http_proxy was configured to DENY internal network traffic. (Fixed in Apigee hybrid v1.8.1) |
243717191 | Container restart no longer conflicts with the existing certificates. |
243599452 | Fixed indentation issue with ingress gateway annotations. (Fixed in Apigee hybrid v1.8.2) |
243167389 | Apigee now validates the length of ingressGateways[].name in overrides.yaml . TThe value of ingressGateways:name must meet the following requirements:
ingressGateways[].name in the Configuration property reference. (Fixed in Apigee hybrid v1.8.1) |
243158304 | 'ApigeeRouteConfig' no longer looks for a cert in the istio-system namespace. (Fixed in Apigee hybrid v1.9.0) |
241959053 | Fixed apigeectl parsing error for serviceaccountRef . (Fixed in Apigee hybrid v1.8.2) |
232529030 | Replaced the Logging fluentbit container environment variable http_proxy with HTTP__PROXY to maintain compatibility with fluentbit 1.8. (Fixed in Apigee hybrid v1.8.1) |
227212728 | Cassandra scripts now avoid writing data to the Pod Filesystem. (Fixed in Apigee hybrid v1.8.1) |
218567150 | The ingress gateway is now configured to consistently preserve UUID in the x-request-id header. This applies to both Apigee Ingress gateway and to the Istio ingress gateway when are using customer-installed Anthos Service Mesh. Note: This setting does have some impact on tracing in the ingress gateway. For more information, see pack_trace_reason in the "UUID (proto)" page in the envoy documentation. (Fixed in Apigee hybrid v1.8.3) |
Bug ID | Description |
---|---|
270371160 | In Apigee hybrid v1.9.0, we removed certain insecure TLS ciphers. Apigee hybrid supports the TLS cipher suites supported by the Boring FIPS build of Envoy. Note: Apigee hybrid only supports the RSA ciphers listed. ECDSA ciphers are not supported. |
Bug ID | Description |
---|---|
N/A | Upgraded to ASM 1.12.9 to address Istio and Go language vulnerabilities in an earlier version (CVE-2022-39278). For more information, see the Service Mesh security bulletin. (Fixed in Apigee hybrid v1.8.2) |
N/A | Upgraded to ASM 1.12.9 to address Istio and Go language vulnerabilities in an earlier version (CVE-2022-39278). For more information, see the Service Mesh security bulletin. (Fixed in Apigee hybrid v1.7.5) |
N/A | Miscellaneous Security updates and fixes. (Fixed in Apigee hybrid v1.7.4) |
262576073 | Security fix for apigee-watcher. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) This addresses the following vulnerabilities: |
262574571 | Security fix for apigee-operators. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) This addresses the following vulnerabilities: |
259290668 | Update Kubectl in the backup utility. (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities:
|
256019598 | Security fix for Cassandra. Also fixed in Apigee hybrid v1.8.4 and newer (Fixed in Apigee hybrid v1.9.0 and v1.8.4) This addresses the following vulnerabilities: |
254862745, 249630685 | Security fix for apigee-diagnostics-runner and apigee-envoy . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities: |
254774193, 254773110 | Fix for vulnerability in apigee-diagnostics-collector , apigee-mart-server , and apigee-mint-task-scheduler . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerability: |
254774167 | Fix for apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities: |
254773838, 254773636, 254772551, 254771693 | Fix for vulnerability in apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities: |
254770883, 249633275, 249629782 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-runtime , and apigee-synchronizer . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities:
|
253693906 | Upgraded Prometheus to 2.39.1 to address vulnerabilities in an earlier version. (Fixed in Apigee hybrid v1.8.2) This addresses the following vulnerabilities: |
253498057 | Upgraded Fluent Bit to 1.9.9 to address vulnerabilities in an earlier version. (Fixed in Apigee hybrid v1.8.2) This addresses the following vulnerabilities: |
249635718, 249629771 | Security fixes for Apigee Connect and apigee-redis . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities: |
249633289 | Fix for apigee-prometheus-adapter . (Fixed in Apigee hybrid v1.8.3) This addresses the following vulnerabilities: |
248288668 | Fixes to address apigee-installer vulnerabilities. (Fixed in Apigee hybrid v1.8.2) |
247864229 | upgraded kube-rbac-proxy to v0.13.0 to address vulnerabilities in an earlier version. (Fixed in Apigee hybrid v1.8.2) |
240833499 | Security fix for gopkg.in/yaml.v3. (Fixed in Apigee hybrid v1.7.4) |
230369447 | Security fix for commons-codec (Fixed in Apigee hybrid v1.7.4) |
230368838 | Security fix for CVE-2018-10237, auto-value:guava. (Fixed in Apigee hybrid v1.7.4) |
230366823 | Security fix for jackson-databind. (Fixed in Apigee hybrid v1.7.4) |
230366589 | Security fix for CVE-2021-22696-cxf in cxf. (Fixed in Apigee hybrid v1.7.4) |
230366276 | Security fix for CVE-2021-22569. (Fixed in Apigee hybrid v1.7.4) |
229804717 | Security fix for apigee-envoy. (Fixed in Apigee hybrid v1.7.4) |
222772470, 220169963, 210116413 | Security fix for CVE-2021-38297: Updated Go language version. (Fixed in Apigee hybrid v1.8.1) |
222772341, 222772333, 222772261, 222771839 | Security fix for CVE-2022-23806: Updated Go language version. (Fixed in Apigee hybrid v1.8.2) |
202174499 | Fixed Vulnerability for protobuf-java and protobuf-java-util packages. (Fixed in Apigee hybrid v1.8.2) |
January 26, 2023
hybrid v1.8.4
On January 26, 2023 we released an updated version of the Apigee hybrid software, v1.8.4. For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Bug ID | Description |
---|---|
262699558 | The watcher component failed when using Kubernetes Secret to store hybrid service account secret. |
262616276 | Added support for Kubernetes v1.24 and v1.25 |
260372012 | Requests failed with 500 response and keyvaluemap.service.ErrorDuringDecryption error after upgrade to Hybrid 1.8. |
258699204 | The default memory requests and limits for metrics pods that were inadvertently changed in 1.8.x. have been fixed. |
245664917 | During the upgrade to Apigee hybrid 1.8.x, after running apigeectl init and confirming that check-ready succeeded, the Cassandra schema validation job was in an error state. |
Bug ID | Description |
---|---|
262576073 | Security fix for apigee-watcher. This addresses the following vulnerabilities: ∙ CVE-2022-41716 ∙ CVE-2022-41715 ∙ CVE-2022-2880 ∙ CVE-2022-2879 |
262574571 | Security fix for apigee-operators. This addresses the following vulnerabilities: ∙ CVE-2022-41716 |
December 05, 2022
hybrid v1.8.3
On December 5, 2022 we released an updated version of the Apigee hybrid software, v1.8.3.
For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Bug ID | Description |
---|---|
259738092 | Intermittent 404's were seen at the Apigee Ingress Gateway due to an inconsistent configuration delivery mechanism. |
255677576 | In fresh installations with Apigee Ingress (instead of user-installed Anthos Service Mesh), the Apigee UI would sometimes show red (not working) status. This is because in certain circumstances Watcher did not send the correct deployment status due to using the wrong selector for the Apigee Ingress Gateway. |
218567150 | The ingress gateway is now configured to consistently preserve UUID in the x-request-id header. This applies to both Apigee Ingress gateway and to the Istio ingress gateway when are using customer-installed Anthos Service Mesh. Note: This setting does have some impact on tracing in the ingress gateway. For more information, see pack_trace_reason in the "UUID (proto)" page in the envoy documentation. |
Bug ID | Description |
---|---|
259290668 | Update Kubectl in the backup utility. This addresses the following vulnerabilities: ∙ CVE-2022-42004 ∙ CVE-2022-42003 ∙ CVE-2022-32189 ∙ CVE-2022-30635 ∙ CVE-2022-30633 ∙ CVE-2022-30632 ∙ CVE-2022-30631 ∙ CVE-2022-30630 ∙ CVE-2022-30580 ∙ CVE-2022-28327 ∙ CVE-2022-28131 ∙ CVE-2022-27664 ∙ CVE-2022-25857 ∙ CVE-2022-24921 ∙ CVE-2022-24675 ∙ CVE-2022-23773 ∙ CVE-2022-23772 ∙ CVE-2022-23635 ∙ CVE-2022-0391 ∙ CVE-2021-39156 ∙ CVE-2021-39155 ∙ CVE-2021-37137 ∙ CVE-2021-37136 ∙ CVE-2021-29482 ∙ CVE-2021-20190 ∙ CVE-2021-3121 ∙ CVE-2020-36518 ∙ CVE-2020-36189 ∙ CVE-2020-36188 ∙ CVE-2020-36187 ∙ CVE-2020-36186 ∙ CVE-2020-36185 ∙ CVE-2020-36184 ∙ CVE-2020-36183 ∙ CVE-2020-36182 ∙ CVE-2020-36181 ∙ CVE-2020-36180 ∙ CVE-2020-36179 ∙ CVE-2020-35728 ∙ CVE-2020-35491 ∙ CVE-2020-35490 ∙ CVE-2020-29652 ∙ CVE-2020-25649 ∙ CVE-2020-24750 ∙ CVE-2020-24616 ∙ CVE-2020-17516 ∙ CVE-2020-16845 ∙ CVE-2020-14195 ∙ CVE-2020-14062 ∙ CVE-2020-14061 ∙ CVE-2020-14060 ∙ CVE-2019-16869 ∙ CVE-2019-9674 ∙ CVE-2019-0205 ∙ CVE-2018-1320 ∙ CVE-2017-18640 ∙ CVE-2016-5397 |
254862745, 249630685 | Security fix for apigee-diagnostics-runner and apigee-envoy . This addresses the following vulnerabilities: ∙ CVE-2021-3999 ∙ CVE-2022-2068 |
254774167 | Fix for apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerabilities: ∙ CVE-2022-42004 ∙ CVE-2022-42003 |
254773838, 254773636, 254772551, 254771693 | Fix for vulnerability in apigee-diagnostics-collector , apigee-mart-server , apigee-mint-task-scheduler , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerabilities: ∙ CVE-2022-25857 ∙ CVE-2022-0239 ∙ CVE-2021-37136 ∙ CVE-2021-30468 ∙ CVE-2017-18640 |
254774193, 254773110 | Fix for vulnerability in apigee-diagnostics-collector , apigee-mart-server , and apigee-mint-task-scheduler . This addresses the following vulnerability: ∙ CVE-2022-2048 |
254770883, 249633275, 249629782 | Security fixes for apigee-diagnostics-collector , apigee-mart-server , apigee-runtime , and apigee-synchronizer . This addresses the following vulnerabilities: ∙ CVE-2022-42889 ∙ CVE-2022-42004 ∙ CVE-2022-42003 ∙ CVE-2022-40150 ∙ CVE-2022-40149 ∙ CVE-2022-38752 ∙ CVE-2022-38751 ∙ CVE-2022-38750 ∙ CVE-2022-38749 ∙ CVE-2022-25857 ∙ CVE-2022-3171 ∙ CVE-2022-2097 ∙ CVE-2022-2068 ∙ CVE-2022-2048 ∙ CVE-2022-2047 ∙ CVE-2022-1292 ∙ CVE-2021-31684 ∙ CVE-2021-29425 ∙ CVE-2021-27568 ∙ CVE-2020-13936 ∙ CVE-2020-8908 ∙ CVE-2019-18276 ∙ CVE-2018-10237 ∙ CVE-2017-18640 |
249635718, 249629771 | Security fixes for Apigee Connect and apigee-redis . This addresses the following vulnerabilities: ∙ CVE-2022-32189 ∙ CVE-2022-30635 ∙ CVE-2022-30633 ∙ CVE-2022-30632 ∙ CVE-2022-30631 ∙ CVE-2022-30630 ∙ CVE-2022-30580 ∙ CVE-2022-28327 ∙ CVE-2022-28131 ∙ CVE-2022-27664 ∙ CVE-2022-24921 ∙ CVE-2022-24675 ∙ CVE-2022-23773 ∙ CVE-2022-23772 |
249633289 | Fix for apigee-prometheus-adapter . This addresses the following vulnerabilities: ∙ CVE-2022-21698 ∙ CVE-2022-1996 |
November 02, 2022
hybrid v1.7.5
On November 2, 2022 we released an updated version of the Apigee hybrid software, v1.7.5.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
Bug ID | Description |
---|---|
251435916 | Fixed an issue where in certain circumstances, MP pods would scale without traffic. |
241959053 | Fixed apigeectl parsing error for serviceaccountRef . |
Bug ID | Description |
---|---|
253693906 | Upgraded Prometheus to 2.39.1 to address vulnerabilities in an earlier version. This change addresses the following vulnerabilities: ∙ CVE-2022-24675 ∙ CVE-2022-27664 ∙ CVE-2022-28131 ∙ CVE-2022-28327 ∙ CVE-2022-30580 ∙ CVE-2022-30630 ∙ CVE-2022-30631 ∙ CVE-2022-30632 ∙ CVE-2022-30633 ∙ CVE-2022-30635 ∙ CVE-2022-32189 |
253498057 | Upgraded Fluent Bit to 1.9.9 to address vulnerabilities in an earlier version. This change addresses the following vulnerabilities: ∙ CVE-2022-1292 ∙ CVE-2022-2068 ∙ CVE-2021-3999 ∙ CVE-2022-23218 ∙ CVE-2022-23219 ∙ CVE-2022-25013 ∙ CVE-2021-33574 ∙ CVE-2018-12886 ∙ CVE-2022-0778 |
248288668 | Fixes to address apigee-installer vulnerabilities. |
247864229 | upgraded kube-rbac-proxy to v0.13.0 to address vulnerabilities in an earlier version. |
N/A | Upgraded to ASM 1.12.9 to address Istio and Go language vulnerabilities in an earlier version (CVE-2022-39278). For more information, see the Service Mesh security bulletin. |
October 27, 2022
hybrid v1.8.2
On October 27, 2022 we released an updated version of the Apigee hybrid software, v1.8.2.
For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Bug ID | Description |
---|---|
253693906 | Upgraded Prometheus to 2.39.1 to address vulnerabilities in an earlier version. This change addresses the following vulnerabilities: ∙ CVE-2022-24675 ∙ CVE-2022-27664 ∙ CVE-2022-28131 ∙ CVE-2022-28327 ∙ CVE-2022-30580 ∙ CVE-2022-30630 ∙ CVE-2022-30631 ∙ CVE-2022-30632 ∙ CVE-2022-30633 ∙ CVE-2022-30635 ∙ CVE-2022-32189 |
253498057 | Upgraded Fluent Bit to 1.9.9 to address vulnerabilities in an earlier version. This change addresses the following vulnerabilities: ∙ CVE-2022-1292 ∙ CVE-2022-2068 ∙ CVE-2021-3999 ∙ CVE-2022-23218 ∙ CVE-2022-23219 ∙ CVE-2022-25013 ∙ CVE-2021-33574 ∙ CVE-2018-12886 ∙ CVE-2022-0778 |
248288668 | Fixes to address apigee-installer vulnerabilities. |
247864229 | upgraded kube-rbac-proxy to v0.13.0 to address vulnerabilities in an earlier version. |
N/A | Upgraded to ASM 1.12.9 to address Istio and Go language vulnerabilities in an earlier version (CVE-2022-39278). For more information, see the Service Mesh security bulletin. |
October 01, 2022
hybrid new installation experience public preview
On September 30, 2022 we released the public preview of the new Apigee hybrid installation experience.
Overview
The new Apigee hybrid installation experience provides a Kubernetes way of installing Apigee components using kubectl
. The enhanced validations and visibility of the components being installed provides better debuggability and improves the overall install process.
An install script, apigee-hybrid-setup.sh
, provides an easy tool for basic installation. You can use that to create your hybrid installation and then modify it to fit your needs with kubectl
, or you can create your hybrid installation from scratch using kubectl
. All Apigee hybrid configuration properties are stored in yaml files, one for each major component. This allows much more granular control of your hybrid installation on your Kubernetes environment.
Links
Preview release
The new Apigee hybrid installation experience and its documentation are part of a preview release. Apigee does not warranty the software or the procedures in this preview. The software and documentation are subject to change without notice.
September 29, 2022
hybrid v1.8.1
On September 29, 2022 we released an updated version of the Apigee hybrid software, v1.8.1.
For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Bug ID | Description |
---|---|
249144084 | Reuse existing target IPs if DNS resolution fail on DNS cache refresh. |
243880171 | Upgrade from Apigee hybrid v1.7 to v1.8 could fail when http_proxy was configured to DENY internal network traffic. |
243717191 | Container restart no longer conflicts with the existing certificates. |
243599452 | Fixed indentation issue with ingress gateway annotations. |
243167389 | Apigee now validates the length of ingressGateways[].name in overrides.yaml . TThe value of ingressGateways:name must meet the following requirements:
ingressGateways[].name in the Configuration property reference. |
241959053 | Fixed apigeectl parsing error for serviceaccountRef . |
232529030 | Replaced the Logging fluentbit container environment variable http_proxy with HTTP__PROXY to maintain compatibility with fluentbit 1.8. |
227212728 | Cassandra scripts now avoid writing data to the Pod Filesystem. |
Bug ID | Description |
---|---|
222772470, 220169963, 210116413 | Security fix for CVE-2021-38297: Updated Go language version. |
222772341, 222772333, 222772261, 222771839 | Security fix for CVE-2022-23806: Updated Go language version. |
202174499 | Fixed Vulnerability for protobuf-java and protobuf-java-util packages. |
September 02, 2022
hybrid v1.7.4
On September 2, 2022 we released an updated version of the Apigee hybrid software, v1.7.4.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
Bug ID | Description |
---|---|
232529030 | Replaced the Logging fluentbit container environment variable http_proxy with HTTP_PROXY to maintain compatibility with fluentbit 1.8. |
Bug ID | Description |
---|---|
240833499 | Security fix for gopkg.in/yaml.v3. |
230369447 | Security fix for commons-codec |
230368838 | Security fix for CVE-2018-10237, auto-value:guava. |
230366823 | Security fix for jackson-databind. |
230366589 | Security fix for CVE-2021-22696-cxf in cxf. |
230366276 | Security fix for CVE-2021-22569. |
229804717 | Security fix for apigee-envoy. |
N/A | Miscellaneous Security updates and fixes. |
August 22, 2022
hybrid v1.8.0
On August 22, 2022 we released an updated version of the Apigee hybrid software, v1.8.0.
For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Apigee Ingress gateway
Starting in version 1.8, Apigee hybrid offers a new feature to manage the ingress gateway for your hybrid installation, Apigee ingress gateway. Anthos Service Mesh is no longer a prerequisite for hybrid installation. With Apigee ingress gateway, Apigee will stop supplying routing configuration to Anthos Service Mesh. See Managing Apigee ingress.
ORG-level UDCA
Apigee hybrid now supports setting UDCA at the org level instead of at the environment level. See orgScopedUDCA
in the Configuration property reference.
Support for newer versions of Anthos, Anthos Service Mesh, and Kubernetes
Starting in version 1.8, Apigee hybrid supports Anthos version 1.12, Anthos Service Mesh version 1.13, and Kubernetes version 1.23 on specific platforms. See Apigee hybrid supported platforms and versions for details.
KVM pagination
The Key Value Map (KVM) CRUD APIs with pagination support are now available in Hybrid (introduced in Apigee X on March 10, 2022). See REST Resource: organizations.keyvaluemaps
and REST Resource: v1.organizations.environments.keyvaluemaps
.
apigeectl
now supports the --v
option to set the log verbosity level
Starting in version 1.8, apigeectl
includes a --v
option to set log verbosity levels in the format --v=int
, for example apigeectl apply --v=5
. This option replaces the --verbose
option (now deprecated). This is the same as the kubectl
--v
option. See apigeectl
for details.
tools/apigee-pull-push.sh
includes a –list
option to list all images
Starting in version 1.8, The tools/apigee-pull-push.sh
utility has a --list
or -l
option that will list all images in the gcr repo. See apigee-pull-push.sh
for details.
Bug ID | Description |
---|---|
239854141 | apigee-pull-push.sh now uses gcr source repositories. (Fixed in Apigee hybrid v1.8.0) |
238370197 | Fixed an issue where the timeTaken variable's value could sometimes be calculated incorrectly. (Fixed in Apigee hybrid v1.7.3) |
236399482 | Added support for ASM v1.13. (Fixed in Apigee hybrid v1.7.2) |
236129944 | Fixed the controller crashloopbackoff due to null pointer issue. (Fixed in Apigee hybrid v1.6.9) |
236129944 | Fixed the controller crashloopbackoff resulting from null pointer. (Fixed in Apigee hybrid v1.7.2) |
234620567 | Fix logger issue in Anthos BareMetal with CentOS. (Fixed in Apigee hybrid v1.6.9) |
234355351 | Fixed issue with message processor pods restarting frequently. Added backoff polling task for Cloud KMS key listener. The listener is paused only when the flush policy is met. (Fixed in Apigee X, June 21, 2022) |
233349518 | Fixed "Invalid Resource" error generated for job/apigee-resources-install . (Fixed in Apigee hybrid v1.7.1) |
233094108 | Fixed Stacktrace truncation in runtime containers to support proxy diagnosis. (Fixed in Apigee hybrid v1.7.2) |
232977937 | Fixed an issue where deployment would become stuck on "Applying routing changes on" for multiple ingress gateways. (Fixed in Apigee hybrid v1.7.1) |
231313050 | Fixed issue causing Apigee logger pod to remain in crashloopbackoff state. (Fixed in Apigee hybrid v1.7.2) |
229824389 | Fixed an issue in hybrid 1.7.0 where the output apigeectl init could be generated in the wrong order. (Fixed in Apigee hybrid v1.7.1) |
229804717 | Fixed upgrade envoy to use distroless v1.22.0. (Fixed in Apigee hybrid v1.7.1) |
229639530 | Fixed an error harmonizing the container process ID to use Apigee ID for Hybrid on OpenShift. (Fixed in Apigee hybrid v1.7.1) |
228855520 | Upgraded support for ASM version 1.13. (Fixed in Apigee X, May 9, 2022) |
227600373 | Fixed an installation issue with Cassandra. (Fixed in Apigee hybrid v1.6.7) |
227538469 | Fixed an issue where configuration actions would write logs to the pod file system. (Fixed in Apigee hybrid v1.7.1) |
226964206 | MART, runtime and synchronizer would write to the pod file system. (Fixed in Apigee hybrid v1.7.1) |
226464960 | Apigee hybrid fresh installations on OpenShift 4.6 and 4.8 would fail. (Fixed in Apigee hybrid v1.6.7) |
225939342 | Fixed an error where deployment status would show as "Applying routing changes on {env}". (Fixed in Apigee hybrid v1.7.1) |
225198475 | Fixed an issue where resource reference changes could not be detected. (Fixed in Apigee hybrid v1.7.1) |
225169066 | Cassandra database backup and restore was not working when http_proxy is enabled under certain circumstances. (Fixed in Apigee hybrid v1.5.10) |
225081332 | Fixed allow privileged pods issue. (Fixed in Apigee hybrid v1.7.1) |
224620542 | On some Kubernetes platforms, logging would fail without adding an empty directory for the logs. (Fixed in Apigee hybrid v1.6.7) |
223081301 | Fixed organization-level UDCA incorrect http-proxy secret name. (Fixed in Apigee hybrid v1.6.7) |
222649295 | Organization-level UDCA would hang. (Fixed in Apigee hybrid v1.6.7) |
221885751 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes. (Fixed in Apigee hybrid v1.5.8) |
221292104 | Fix to address failure to capture requests in Debug sessions involving PostClientFlow ServiceCallouts. (Fixed in Apigee X, May 9, 2022) |
221266789 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes. (Fixed in Apigee hybrid v1.6.7) |
219622478 | Fixed the CPS property token so that when set to true , it will allow the instance to shutdown and reboot when cassandra connection failures occur. (Fixed in Apigee hybrid v1.7.3) |
216018530 | Fixed an issue where the apigee-logger-apigee-telemetry DaemonSet could still be left running after turning off logger. (Fixed in Apigee hybrid v1.7.1) |
213261445 | Fixed reliance on keystore generated by cert manager for metrics endpoint and removed the need for a custom generate_cert script. (Fixed in Apigee hybrid v1.6.7) |
211716827 | Fixed an issue where a non-default gateway could cause routing errors in certain circumstances. (Fixed in Apigee hybrid v1.7.1) |
205616792 | Fixed core dump on running user schema setup. (Fixed in Apigee hybrid v1.7.1) |
202950533 | Remove the server header from all responses. This will be consistent with CG SaaS and OPDK. (Fixed in Apigee hybrid v1.8.0) |
202403896 | Upgrade to Apigee hybrid v1.6 from v1.5 could fail due to annotation size. (Fixed in Apigee hybrid v1.5.8) |
Bug ID | Description |
---|---|
230369447 | Security fix for commons-codec (Fixed in Apigee hybrid v1.8) |
230368838 | Security fix for CVE-2018-10237, auto-value:guava (Fixed in Apigee hybrid v1.8) |
230366823 | Security fix for jackson-databind (Fixed in Apigee hybrid v1.8) |
230366589 | Security fix for CVE-2021-22696-cxf in cxf (Fixed in Apigee hybrid v1.8) |
229804717 | Security fix for CVE-2021-3711 (Fixed in Apigee hybrid v1.8, v1.7, v1.6) |
229804942 | Security fix for CVE-2022-0778 (Fixed in Apigee hybrid v1.8) |
N/A | Miscellaneous Security updates and fixes. |
The apigeectl
--verbose
option has been deprecated. It is replaced with the --v
option which lets you specify the log verbosity level in the format --v=int
, for example apigeectl apply --v=5
. See apigeectl
for details.
July 29, 2022
hybrid v1.7.3
On July 29, 2022 we released an updated version of the Apigee hybrid software, v1.7.3.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
Bug ID | Description |
---|---|
219622478 | Fixed the CPS property token so that when set to true , it will allow the instance to shutdown and reboot when cassandra connection failures occur. |
238370197 | Fixed an issue where the timeTaken variable's value could sometimes be calculated incorrectly. |
Bug ID | Description |
---|---|
N/A | Security fix for CVE-2022-22963. |
July 08, 2022
hybrid v1.6.9
On July 8, 2022 we released an updated version of the Apigee hybrid software, v1.6.9.
For information on upgrading, see Upgrading Apigee hybrid to version 1.6.
Bug ID | Description |
---|---|
236129944 | Fixed the controller crashloopbackoff due to null pointer issue. |
234620567 | Fix logger issue in Anthos BareMetal with CentOS. |
231313050 | Fixed issue causing Apigee logger pod to remain in crashloopbackoff state. |
233094108 | Fixed Stacktrace truncation in runtime containers to support proxy diagnosis. |
June 24, 2022
hybrid v1.7.2
On June 24, 2022 we released an updated version of the Apigee hybrid software, v1.7.2.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
Bug ID | Description |
---|---|
233094108 | Fixed Stacktrace truncation in runtime containers to support proxy diagnosis. |
236129944 | Fixed the controller crashloopbackoff resulting from null pointer. |
231313050 | Fixed issue causing Apigee logger pod to remain in crashloopbackoff state. |
236399482 | Added support for ASM v1.13. |
June 02, 2022
hybrid v1.7.1
On June 2, 2022 we released an updated version of the Apigee hybrid software, v1.7.1.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
Bug ID | Description |
---|---|
233349518 | Fixed "Invalid Resource" error generated for job/apigee-resources-install . |
232977937 | Fixed an issue where deployment would become stuck on "Applying routing changes on" for multiple ingress gateways. |
216018530 | Fixed an issue where the apigee-logger-apigee-telemetry DaemonSet could still be left running after turning off logger. |
226964206 | MART, runtime and synchronizer would write to the pod file system. |
211716827 | Fixed an issue where a non-default gateway could cause routing errors in certain circumstances. |
225198475 | Fixed an issue where resource reference changes could not be detected. |
225939342 | Fixed an error where deployment status would show as "Applying routing changes on {env}". |
229824389 | Fixed an issue in hybrid 1.7.0 where the output apigeectl init could be generated in the wrong order. |
229639530 | Fixed an error harmonizing the container process ID to use Apigee ID for Hybrid on OpenShift |
229804717 | Fixed upgrade envoy to use distroless v1.22.0. |
227538469 | Fixed an issue where configuration actions would write logs to the pod file system. |
205616792 | Fixed core dump on running user schema setup. |
225081332 | Fixed allow privileged pods issue. |
May 31, 2022
hybrid v1.6.8
On May 31, 2022 we released an updated version of the Apigee hybrid software, v1.6.8.
For information on upgrading, see Upgrading Apigee hybrid to version 1.6.
Bug ID | Description |
---|---|
233349518 | Fixed "Invalid Resource" error generated for job/apigee-resources-install . |
225939342 | Fixed an error where deployment status would show as "Applying routing changes on {env}". |
225198475 | Fixed an issue where resource reference changes could not be detected. |
232977937 | Fixed an issue where deployment would become stuck on "Applying routing changes on" for multiple ingress gateways. |
229804717 | Fixed upgrade envoy to use distroless v1.22.0. |
May 11, 2022
hybrid v1.6.7
On May 11, 2022 we released an updated version of the Apigee hybrid v1.6.7 software.
For information on upgrading, see Upgrading Apigee hybrid to version 1.6.
Bug ID | Description |
---|---|
227600373 | Fixed an installation issue with Cassandra. |
227538469 | Configuration actions would write logs to the pod file system. |
226964206 | MART, runtime and synchronizer would write to the pod file system. |
226464960 | Apigee hybrid fresh installations on OpenShift 4.6 and 4.8 would fail. |
225081332 | Allow privileged pods issue. |
224620542 | On some Kubernetes platforms, logging would fail without adding an empty directory for the logs. |
223081301 | Fixed organization-level UDCA incorrect http-proxy secret name. |
222649295 | Organization-level UDCA would hang. |
221266789 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes. |
213261445 | Fixed reliance on keystore generated by cert manager for metrics endpoint and removed the need for a custom generate_cert script. |
205616792 | Fixed core dump on running user schema setup. |
May 10, 2022
hybrid v1.6.7/1.5.10/1.7.0
Known Issue: 231758700 - Apigee Hybrid Dockerhub customers unable to pull images with Docker Content Trust enabled
April 22, 2022
hybrid v1.5.10
On April 22, 2022 we released an updated version of the Apigee hybrid v1.5.10 software.
For information on upgrading, see Upgrading Apigee hybrid to version 1.5.
Bug ID | Description |
---|---|
225169066 | Cassandra database backup and restore was not working when http_proxy is enabled under certain circumstances. |
221885751 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes. |
202403896 | Upgrade to Apigee hybrid v1.6 from v1.5 could fail due to annotation size. |
221885751 | Multiple issues with the Hybrid logging functionality have been addressed. |
April 18, 2022
Apigee hybrid v1.7.0
On April 18, 2022 we released Apigee hybrid v1.7.0.
For information on upgrading, see Upgrading Apigee hybrid to version 1.7.
mTLS communication between Cassandra clients and Cassandra nodes
Apigee hybrid now supports mTLS communication between Cassandra clients (MART, Sync, and MP) and Cassandra nodes. For related ports used, see feedbackSecure ports usage. (Implemented in Apigee hybrid v1.7.0)
Custom metrics scaling
Apigee hybrid v1.7.0 now supports custom metrics scaling using the metrics:appStackdriverExporter
and metrics:proxyStackdriverExporter
configuration properties. See metrics in the Configuration properties reference. (Implemented in Apigee hybrid v1.7.0)
OAuth JWT access tokens
Apigee hybrid v1.7.0 now supports JWT operations that allow the OAuthV2 policy to generate, verify, and refresh access tokens that conform to the JWT token standard. See Using JWT OAuth tokens. (Implemented in Apigee hybrid v1.7.0)
Cloud Logging
Apigee hybrid v1.7.0 now supports the <CloudLogging>
element in the MessageLogging policy that lets you log messages to Cloud Logging. (Implemented in Apigee hybrid v1.7.0)
PublishMessage policy
Apigee hybrid v1.7.0 now supports the PublishMessage policy that lets you publish your API proxy flow information to a Google Cloud Pub/Sub topic.
Policy document: PublishMessage policy
(Implemented in Apigee hybrid v1.7.0)
GraphQL policy now supports JSON-encoded payloads. (Implemented in Apigee X, March 15, 2022)
Bug ID | Description |
---|---|
224577096 | Support Added for Anthos Service Mesh 1.12 (Fixed in Apigee hybrid v1.6.6) |
219523719 | Fix to address CPU and memory consumption when debug-session is enabled with response-status as the filtering criteria. (Fixed in Apigee X, March 15, 2022) |
217386412 | Change the property set logging level to fine when property is not found. (Fixed in Apigee hybrid v1.6.5) |
215773113 | Setting the securityPolicy appeared to have no effect for specific configurations. (Fixed in Apigee hybrid v1.6.5) |
214960081 | HTTPS endpoints could be called as HTTP resulting in an "EOF unexpected" error. (Fixed in Apigee hybrid v1.6.4) |
211787541 | Errors displayed in synchronizer logs for stale contracts. (Fixed in Apigee hybrid v1.6.5) |
210590135 | Invalid protocol in proxy.url flow variable in Apigee X. The proxy.url flow variable could show as http even when the request is https . (Fixed in Apigee hybrid v1.6.4) |
210314786 | The backup utility did not work with workload identity. (Fixed in Apigee hybrid v1.6.4) |
209622008 | Dynamic updates to rate in spike arrest are now reflected immediately. (Fixed in Apigee X, March 15, 2022) |
209484701 | Invalid client IP sent to analytics. (Fixed in Apigee hybrid v1.6.5) |
209097822 | Fixed and issue where SpikeArrest was not reflecting updated rate (Fixed in Apigee hybrid v1.6.3) |
208474799 | Apigee hybrid now supports ASM version 1.12. See Supported platforms for ASM version support for each supported version of Apigee Hybrid. (Fixed in Apigee hybrid v1.7.0) |
208322185 | Apigee hybrid Cassandra backup and restore can now use either a user-provided custom secret or a generated secret (Fixed in Apigee hybrid v1.6.3) |
207762842 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes.(Fixed in Apigee hybrid v1.7.0) |
207618262 | Fixed an issue where SpikeArrest opened too many connections to redis-envoy. (Fixed in Apigee hybrid v1.6.3) |
207400645 | Allow direct reads from API server to API client when enabled. (Fixed in Apigee hybrid v1.6.3) |
205820658 | Fixed an issue where Apigee X/hybrid Debug could show the authorization header. (Fixed in Apigee hybrid v1.6.3) |
205810988 | Resolve suspension dialog displayed "user not authorized" message for regions other than US This has been fixed. Location information is now added into the suspension URL from Apigee. (Fixed in Apigee X, December 02,2021) |
205732137 | Handle Quota correctly when the Operation group is set with empty string params (Fixed in Apigee hybrid v1.6.3) |
205148816 | Product Level Quota Info now available in Proxy. (Fixed in Apigee hybrid v1.6.3) |
204943895 | Quota Policy in Shared Flow now working properly. (Fixed in Apigee hybrid v1.6.3) |
204943880 | Fixed issue where SpikeArrest in Shared Flow did not have context of API Proxy. (Fixed in Apigee hybrid v1.6.3) |
204905727 | GenerateResponse was hanging on response flow when enabled=true . (Fixed in Apigee hybrid v1.6.5) |
204368970 | TLS variables are now set by Apigee Runtime. (Fixed in Apigee hybrid v1.6.3) |
204146857 | Fixed an issue where new environments were not created in Apigee hybrid deployment. (Fixed in Apigee hybrid v1.6.3) |
203785814 | A transient error could occur when calling conversion webhook for Apigee Telemetry. The error would occur when Apigee CRD is installed too early in the sequence. The installer job now checks for the correct sequence. (Fixed in Apigee hybrid v1.6.4) |
203468593 | Corrected the storageclass property name. (Fixed in Apigee hybrid v1.5.5) |
203462573 | The StorageClass set in overrides was not honored. (Fixed in Apigee hybrid v1.6.1) |
202560276 | AKS - containerd broke apigee-logger . (Fixed in Apigee hybrid v1.6.1) |
202309278 | Monetization: Eliminated a race condition that could make a prepaid developer's balance appear incorrect. (Fixed in Apigee hybrid v1.6.2) |
202299966 | Added new remote-address-related headers and modified the headers to be RFC compliant. (Fixed in Apigee hybrid v1.6.3) |
200918549 | There was an issue when using forward proxy with the ApigeeConnect agent. (Fixed in Apigee hybrid v1.6.1) |
200700375 | Fixed API products sorting issue in UI. Previously, sorting was disabled on the API products page. Sorting is now enabled. (Fixed in Apigee X, September 23, 2021) |
200648523 | Trace Variable, is_request_blocked, was showing incorrect information. (Fixed in Apigee hybrid v1.6.2) |
199952038 | The apigeectl command uses the new --restore flag to restore Cassandra to a previously saved snapshot. For more information, see Restoring in a single region. (Fixed in Apigee hybrid v1.6.6) |
199807323 | Updating Developer would reset the Developer billing type attribute (Fixed in Apigee hybrid v1.6.2) |
199541025 | Transaction ID is now required to be unique when used with prepaid developer balance credit API. (Fixed in Apigee hybrid v1.6.2) |
198549304, 197730687, 196937143, 188370635, 187890034 | Error state for conflicting dates is now correct. (Fixed in Apigee hybrid v1.6.2) |
198036824 | The securityContext was empty when it should have been populated. (Fixed in Apigee hybrid v1.6.1) |
197945951 | Stale DNS record in MP memory could cause an outage for a proxy. (Fixed in Apigee hybrid v1.6.4) |
197910247 | SetDialogflowResponse Policy - JSONPath expressions were not working. (Fixed in Apigee hybrid v1.6.1) |
197711066 | Cluster upgrade failed due to PDB (PodDisruptionBudget) policy not being met. (Fixed in Apigee hybrid v1.6.1) |
196095557 | Fixed proxy high response times. (Fixed in Apigee hybrid v1.5.4) |
196024622 | Hybrid images contained keys. (Fixed in Apigee hybrid v1.6.1) |
196024483 | Hybrid images did not set USER instruction when building the container. (Fixed in Apigee hybrid v1.6.1) |
193799009 | Fixed wrong status code shown on trace with ServiceCallout in PostClientflow. (Fixed in Apigee hybrid v1.5.4) |
193520269 | Fixed Apigee UI not showing the trace UI. (Fixed in Apigee hybrid v1.5.4) |
193041253 | Cassandra upgraded to v3.11.9 The Cassandra database in Apigee hybrid v1.7.0 has been upgraded to version 3.11.9. (Fixed in Apigee hybrid v1.7.0) |
192987085 | Fixed the ApiProductNotFound exception, which occurred when you deleted an API product but the deletion of associated rate plans was pending. (Fixed in Apigee X Monetization, November 3, 2021) |
191853747 | Apigee Workload Identities not working for specific configurations. (Fixed in Apigee hybrid v1.6.5) |
190679584 | There was an Incorrect error message on deploying AssertCondition policy with invalid condition. (Fixed in Apigee hybrid v1.6.1) |
189341334 | Fixed an issue to eliminate the potential for connection leaks for the watcher component. (Fixed in Apigee hybrid v1.6.3) |
188407113 | Invalid value in the ConsumptionPricingType during rate plan creation displayed the 500 status code. Now the status code for an invalid value is 4xx. (Fixed in Apigee X Monetization, November 3, 2021) |
181259284 | Fixed unresolved flow variables system.region.name and system.pod.name . (Fixed in Apigee hybrid v1.5.4) |
180672249 | FlowCallout succeeded, although SharedFlow had errors in deployment. (Fixed in Apigee hybrid v1.6.1) |
173738907 | Fixed support resource request/limit in override.yaml in apigee-metrics . (Fixed in Apigee hybrid v1.5.4) |
173566787 | Reuse existing target IPs if DNS resolution fail on DNS cache refresh. (Fixed in Apigee hybrid v1.6.5) |
111777025 | LookupCache: cachehit was shown false in trace when the actual value was true. (Fixed in Apigee hybrid v1.6.5)N/A |
N/A | If there is more than one SpikeArrest policy in a bundle, 502 errors will occur. (Fixed in Apigee X, December 12, 2021) |
N/A | If ServiceCallout is "fire and forget" (no tag), a race condition can occur if there is another policy that occurs after it. (Fixed in Apigee X, December 12, 2021) |
N/A | Fix bug delete dialog does not open Previously, on click of delete dialog, the dialog was not appearing, this fixes it (Fixed in Apigee X, October 05, 2021) |
N/A | Dynamic updates to rate in SpikeArrest may not reflect immediately. (Fixed in Apigee X, December 12, 2021) |
Bug ID | Description |
---|---|
217743790 | ** Cassandra backup would run as privileged.** |
204994504 | Container Vulnerability fixed: CVE-2018-12934. (Fixed in Apigee hybrid v1.6.5) |
N/A | Multiple security fixes including CVE-2019-5021. (Fixed in Apigee hybrid v1.6.5) |
N/A | Miscellaneous Security updates and fixes. (Fixed in Apigee X, December 12, 2021) |
205820658 | A security issue was addressed. (Fixed in Apigee hybrid v1.6.2-hotfix.1) |
"Apigee Deployer" role deprecated and replaced by "Apigee Environment Admin" The environment role "Apigee Deployer" has been deprecated, and replaced by "Apigee Environment Admin". (Implemented in Apigee X, December 2, 2022)
March 24, 2022
hybrid v1.6.6
On March 24, 2022 we released an updated version of the Apigee hybrid v1.6.6 software.
For information on upgrading, see Upgrading Apigee hybrid to version 1.6.
Bug ID | Description |
---|---|
224577096 | Support Added for Anthos Service Mesh 1.12 |
204368970 | Fixed a bug in TLS variables population |
199952038 | The apigeectl command uses the new --restore flag to restore Cassandra to a previously saved snapshot. For more information, see Restoring in a single region. |
hybrid v1.5.9
On March 24, 2022 we released an updated version of the Apigee hybrid v1.5.9 software.
For information on upgrading, see Upgrading Apigee hybrid to version 1.5.
Bug ID | Description |
---|---|
224577096 | Support Added for Anthos Service Mesh 1.12 |
204368970 | Fixed the bug in TLS variables population |
March 01, 2022
hybrid v1.5.8
On March 1, 2022 we released an updated version of the Apigee hybrid v1.5.8 software.
For information on upgrading, see Upgrading Apigee hybrid to version 1.5.
Bug ID | Description |
---|---|
219523719 | Fix to address the CPU and memory consumption when debug-session is enabled with response-status as the filtering criteria. |
217386412 | Change the property set logging level to fine when property is not found. |
215773113 | Setting the securityPolicy appeared to have no effect for specific configurations. |
209484701 | Invalid client IP sent to analytics. |
189233354 | Distributed tracing with Jaeger would error out. |
Bug ID | Description |
---|---|
N/A | Multiple security fixes including CVE-2019-5021. |
February 28, 2022
hybrid v1.6.5
On February 28, 2022 we released an updated version of the Apigee hybrid v1.6.5 software.
For information on upgrading, see Upgrading Apigee hybrid to version 1.6.
Bug ID | Description |
---|---|
217386412 | Change the property set logging level to fine when property is not found. |
215773113 | Setting the securityPolicy appeared to have no effect for specific configurations. |
211787541 | Errors displayed in synchronizer logs for stale contracts. |
209484701 | Invalid client IP sent to analytics. |
204905727 | GenerateResponse was hanging on response flow when enabled=true . |
191853747 | Apigee Workload Identities not working for specific configurations. |
173566787 | Reuse existing target IPs if DNS resolution fail on DNS cache refresh. |
111777025 | LookupCache: cachehit was shown false in trace when the actual value was true. |
Bug ID | Description |
---|---|
217743790 | ** Cassandra backup would run as privileged.** |
204994504 | Container Vulnerability fixed: CVE-2018-12934. |
N/A | Multiple security fixes including CVE-2019-5021. |
January 31, 2022
hybrid v1.6.4
On January 31, 2022 we released an updated version of the Apigee hybrid v1.6.4 software
For information on upgrading, see Upgrading Apigee hybrid to version 1.6.
Bug ID | Description |
---|---|
214960081 | HTTPS endpoints could be called as HTTP resulting in an "EOF unexpected" error. |
210590135 | Invalid protocol in proxy.url flow variable in Apigee X. The proxy.url flow variable could show as http even when the request is https . |
203785814 | A transient error could occur when calling conversion webhook for Apigee Telemetry. The error would occur when Apigee CRD is installed too early in the sequence. The installer job now checks for the correct sequence. |
197945951 | Stale DNS record in MP memory could cause an outage for a proxy. |
210314786 | The backup utility did not work with workload identity. |
January 28, 2022
hybrid v1.5.7
On January 28, 2022 we released an updated version of the Apigee hybrid v1.5.7 software
For information on upgrading, see Upgrading Apigee hybrid to version 1.5.
Bug ID | Description |
---|---|
214960081 | HTTPS endpoints could be called as HTTP resulting in an EOF unexpected error. |
204368970 | TLS variables were not being set by Apigee Runtime. |
189341334 | Fixed potential connection leaks for watcher component. |