Aperture-py

Latest version: v2.26.0


2.14.0rc.2

Changelog

List of aperture PRs merged since 2.13.0 release. For the full list of changes, see [list of changes][changes]

PID Controller (2543)

- New Feature: Added a new `PIDController` component to the policy
language for closed-loop feedback control. This includes parameters such
as proportional gain, integral gain, derivative gain, sample period, and
reset duration.
- Documentation: Updated the configuration specification documentation
with detailed descriptions of the `PIDController`, its inputs, outputs,
and parameters. Also provided an overview of the PID controller
algorithm and its computation formula.
- Refactor: Renamed the field "Duration of EMA sampling window" to "EMA
window duration" in the `EMA` component for clarity.

Waiting room scenario graceful js (2499)

![screencapture-localhost-3000-d-6152252655450d22f73854498b83cb3d5a086692-aperture-service-protection-for-postgresql-2023-08-30-14_50_10](https://github.com/fluxninja/aperture/assets/1553055/625d726e-ede5-4fe8-8b37-1ba4d3736c3c)

- New Feature: Added PostgreSQL support to the demo app, including a new
API endpoint for slow queries.
- New Feature: Enhanced the UI with a `RequestMessagingInfo` component
for displaying request success, error, and retry information.
- Refactor: Updated ESLint configuration and improved code consistency
in the `useRequestToEndpoint` hook and `MonitorRequestItem` component.
- Refactor: Modified the `RequestRecord` and `MonitorRequestProps`
interfaces to handle Axios errors more effectively.
- Chore: Updated Tanka configurations to include PostgreSQL setup.
- Documentation: Updated blueprint documentation to reflect changes in
PostgreSQL load scheduling.

---------

Co-authored-by: Gurinder Singh <gurinder.rawalafluxninja.com>

Add support for printing templated manifest files in aperturectl (2538)

- New Feature: Introduced a `--dry-run` flag to the `aperturectl
install` command and its subcommands (`agent`, `controller`,
`istioconfig`). This option allows users to generate and preview the
installation manifests without actually executing the installation
process. This feature enhances user control and predictability during
the installation process.

[changes]: https://github.com/fluxninja/aperture/compare/releases/aperture-controller/v2.13.0...releases/aperture-controller/v2.14.0-rc.2

2.14.0rc.1

Changelog

List of aperture PRs merged since 2.13.0 release. For the full list of changes, see [list of changes][changes]

PID Controller (2543)

- New Feature: Added a new `PIDController` component to the policy
language for closed-loop feedback control. This includes parameters such
as proportional gain, integral gain, derivative gain, sample period, and
reset duration.
- Documentation: Updated the configuration specification documentation
with detailed descriptions of the `PIDController`, its inputs, outputs,
and parameters. Also provided an overview of the PID controller
algorithm and its computation formula.
- Refactor: Renamed the field "Duration of EMA sampling window" to "EMA
window duration" in the `EMA` component for clarity.

Waiting room scenario graceful js (2499)

![screencapture-localhost-3000-d-6152252655450d22f73854498b83cb3d5a086692-aperture-service-protection-for-postgresql-2023-08-30-14_50_10](https://github.com/fluxninja/aperture/assets/1553055/625d726e-ede5-4fe8-8b37-1ba4d3736c3c)

- New Feature: Added PostgreSQL support to the demo app, including a new
API endpoint for slow queries.
- New Feature: Enhanced the UI with a `RequestMessagingInfo` component
for displaying request success, error, and retry information.
- Refactor: Updated ESLint configuration and improved code consistency
in the `useRequestToEndpoint` hook and `MonitorRequestItem` component.
- Refactor: Modified the `RequestRecord` and `MonitorRequestProps`
interfaces to handle Axios errors more effectively.
- Chore: Updated Tanka configurations to include PostgreSQL setup.
- Documentation: Updated blueprint documentation to reflect changes in
PostgreSQL load scheduling.

---------

Co-authored-by: Gurinder Singh <gurinder.rawalafluxninja.com>

Add support for printing templated manifest files in aperturectl (2538)

- New Feature: Introduced a `--dry-run` flag to the `aperturectl
install` command and its subcommands (`agent`, `controller`,
`istioconfig`). This option allows users to generate and preview the
installation manifests without actually executing the installation
process. This feature enhances user control and predictability during
the installation process.

[changes]: https://github.com/fluxninja/aperture/compare/releases/aperture-controller/v2.13.0...releases/aperture-controller/v2.14.0-rc.1

2.13.0

Changelog

List of aperture PRs merged since 2.12.0 release. For the full list of changes, see [list of changes][changes]

Removed not-in check for StatusCode enum (2529)

Description of change

Removed the not-in check because, by default, the enum sets the first field
as the default, and it fails validation while uploading a policy using the API.

---
- Refactor: Simplified the validation rule for the
`denied_response_status_code` field in the `RateLimiter`, `Scheduler`,
`Sampler`, and `LoadRamp` messages within the `flowcontrol.proto` file.
This change enhances the maintainability of the code by reducing
complexity in the validation process.

Create empty compiledCircuit before returning from compilePolicyWrapper (2527)

Description of change

Checklist

- [x] Tested in playground or other setup
- [ ] Screenshot (Grafana) from playground added to PR for 15+ minute
run
- [ ] Documentation is changed or added
- [ ] Tests and/or benchmarks are included
- [ ] Breaking changes

Summary by CodeRabbit

"Refactor:
- Updated import statements and return formatting in `circuit.go` and
`tree.go` for better code readability.
- Renamed variable in `policy-service.go` to improve code clarity.
- Modified initialization of `compiledCircuit` in `policy.go` for
enhanced code consistency.
- Reordered statements in `validator.go` for improved logical flow.

These changes do not introduce any new features or alter existing
functionality, but they enhance the maintainability and readability of
the codebase."

Added support to override HTTP response code per component (2524)

Resolves 2520

- New Feature: Introduced a new parameter `denied_response_status_code`
across various components. This allows users to override the default
HTTP status code (`503 Service Unavailable` or `429 Too Many Requests`)
that is returned when a request is denied, providing more flexibility in
handling rate limiting scenarios.
- Refactor: Updated decision-making logic in flow control services to
consider the new `denied_response_status_code` field when determining
the HTTP response code.
- Chore: Enhanced scripts and SDKs to support the newly added
`denied_response_status_code` field.

Changed default etcd log level to error (2515)


**Configuration Update:**
- Changed the default log level from "warn" to "error" in `EtcdConfig` struct, affecting the logging behavior of the `etcd` component across the system. This change is reflected in both agent and controller configurations.

> 🐇
> In the land of code, where logic intertwines,
> A rabbit hops, making changes in lines.
> From "warn" to "error", we elevate our sight,
> To catch only errors in our log's light.
> 🎉 Celebrate this shift, for it brings clarity,
> In our quest for flawless software parity! 🥕


Fixed helm template and config parsing issues (2513)

**Refactor:**
- Updated string parameters format and default values in `agent.md` and
`controller.md`.
- Added `omitempty` tag to `LogLevel` field in `LogConfig` struct
(`log.go`) and `Network` field in `ListenerConfig` struct
(`listener.go`), making these fields optional.

> 🐇💻
>
> In the land of code, where logic intertwines,
> A rabbit hops, leaving refactor signs.
> With each soft thump, a change takes form,
> Making our codebase far from norm.
> 'Omit if empty', a new chant we sing,
> To the tune of improvement, these changes bring. 🎉🥕

Actually restart etcd watcher after its cancellation (2502)

Also, initial bootstrap now happens in background instead of in OnStart.

Probably resolves: 2477
Part of: 2464

Switched to non-root user in aperture docker images (2501)

Description of change

We have seen some vulnerabilities related to root users being
used in the Docker images.

**Security Enhancement:**
- Added a new user with specific UID and GID in Dockerfiles for
`aperture-agent` and `aperture-controller`, improving container security
by running with reduced privileges.
- Updated default values and validation rules for `PodSecurityContext`
and `ContainerSecurityContext` in `common_types.go`.
- Introduced `RunAsGroup` field in the security context of agent daemon
set, controller deployment, and several containers to specify group ID.

**Test Update:**
- Adjusted tests to reflect changes in security context.

> 🎉 "In the land of code, where logic intertwines,
> A rabbit hopped forth, leaving tracks in the lines.
> With a twitch of its nose, and a flick of its ear,
> It enhanced security, banishing fear.
> Now each Docker runs with less privilege in sight,
> Making our software a much safer delight! 🐇💻🔒"

fix pre-commit (2504)

coderabbitai: ignore

[changes]: https://github.com/fluxninja/aperture/compare/releases/aperture-controller/v2.12.0...releases/aperture-controller/v2.13.0

2.13.0rc.1

Changelog

List of aperture PRs merged since 2.12.0 release. For the full list of changes, see [list of changes][changes]

Removed not-in check for StatusCode enum (2529)

Description of change

Removed the not-in check because, by default, the enum sets the first field
as the default, and it fails validation while uploading a policy using the API.

---
- Refactor: Simplified the validation rule for the
`denied_response_status_code` field in the `RateLimiter`, `Scheduler`,
`Sampler`, and `LoadRamp` messages within the `flowcontrol.proto` file.
This change enhances the maintainability of the code by reducing
complexity in the validation process.

Create empty compiledCircuit before returning from compilePolicyWrapper (2527)

Description of change

Checklist

- [x] Tested in playground or other setup
- [ ] Screenshot (Grafana) from playground added to PR for 15+ minute
run
- [ ] Documentation is changed or added
- [ ] Tests and/or benchmarks are included
- [ ] Breaking changes

Summary by CodeRabbit

"Refactor:
- Updated import statements and return formatting in `circuit.go` and
`tree.go` for better code readability.
- Renamed variable in `policy-service.go` to improve code clarity.
- Modified initialization of `compiledCircuit` in `policy.go` for
enhanced code consistency.
- Reordered statements in `validator.go` for improved logical flow.

These changes do not introduce any new features or alter existing
functionality, but they enhance the maintainability and readability of
the codebase."

Added support to override HTTP response code per component (2524)

Resolves 2520

- New Feature: Introduced a new parameter `denied_response_status_code`
across various components. This allows users to override the default
HTTP status code (`503 Service Unavailable` or `429 Too Many Requests`)
that is returned when a request is denied, providing more flexibility in
handling rate limiting scenarios.
- Refactor: Updated decision-making logic in flow control services to
consider the new `denied_response_status_code` field when determining
the HTTP response code.
- Chore: Enhanced scripts and SDKs to support the newly added
`denied_response_status_code` field.

Changed default etcd log level to error (2515)


**Configuration Update:**
- Changed the default log level from "warn" to "error" in `EtcdConfig` struct, affecting the logging behavior of the `etcd` component across the system. This change is reflected in both agent and controller configurations.

> 🐇
> In the land of code, where logic intertwines,
> A rabbit hops, making changes in lines.
> From "warn" to "error", we elevate our sight,
> To catch only errors in our log's light.
> 🎉 Celebrate this shift, for it brings clarity,
> In our quest for flawless software parity! 🥕


Fixed helm template and config parsing issues (2513)

**Refactor:**
- Updated string parameters format and default values in `agent.md` and
`controller.md`.
- Added `omitempty` tag to `LogLevel` field in `LogConfig` struct
(`log.go`) and `Network` field in `ListenerConfig` struct
(`listener.go`), making these fields optional.

> 🐇💻
>
> In the land of code, where logic intertwines,
> A rabbit hops, leaving refactor signs.
> With each soft thump, a change takes form,
> Making our codebase far from norm.
> 'Omit if empty', a new chant we sing,
> To the tune of improvement, these changes bring. 🎉🥕

Actually restart etcd watcher after its cancellation (2502)

Also, initial bootstrap now happens in background instead of in OnStart.

Probably resolves: 2477
Part of: 2464

Switched to non-root user in aperture docker images (2501)

Description of change

We have seen some vulnerabilities related to root users being
used in the Docker images.

**Security Enhancement:**
- Added a new user with specific UID and GID in Dockerfiles for
`aperture-agent` and `aperture-controller`, improving container security
by running with reduced privileges.
- Updated default values and validation rules for `PodSecurityContext`
and `ContainerSecurityContext` in `common_types.go`.
- Introduced `RunAsGroup` field in the security context of agent daemon
set, controller deployment, and several containers to specify group ID.

**Test Update:**
- Adjusted tests to reflect changes in security context.

> 🎉 "In the land of code, where logic intertwines,
> A rabbit hopped forth, leaving tracks in the lines.
> With a twitch of its nose, and a flick of its ear,
> It enhanced security, banishing fear.
> Now each Docker runs with less privilege in sight,
> Making our software a much safer delight! 🐇💻🔒"

fix pre-commit (2504)

coderabbitai: ignore

[changes]: https://github.com/fluxninja/aperture/compare/releases/aperture-controller/v2.12.0...releases/aperture-controller/v2.13.0-rc.1

2.12.3rc.1

Changelog

List of aperture PRs merged since 2.12.2 release. For the full list of changes, see [list of changes][changes]

Create empty compiledCircuit before returning from compilePolicyWrapper (2527)

Description of change

Checklist

- [x] Tested in playground or other setup
- [ ] Screenshot (Grafana) from playground added to PR for 15+ minute
run
- [ ] Documentation is changed or added
- [ ] Tests and/or benchmarks are included
- [ ] Breaking changes

Summary by CodeRabbit

"Refactor:
- Updated import statements and return formatting in `circuit.go` and
`tree.go` for better code readability.
- Renamed variable in `policy-service.go` to improve code clarity.
- Modified initialization of `compiledCircuit` in `policy.go` for
enhanced code consistency.
- Reordered statements in `validator.go` for improved logical flow.

These changes do not introduce any new features or alter existing
functionality, but they enhance the maintainability and readability of
the codebase."

Added support to override HTTP response code per component (2524)

Resolves 2520

- New Feature: Introduced a new parameter `denied_response_status_code`
across various components. This allows users to override the default
HTTP status code (`503 Service Unavailable` or `429 Too Many Requests`)
that is returned when a request is denied, providing more flexibility in
handling rate limiting scenarios.
- Refactor: Updated decision-making logic in flow control services to
consider the new `denied_response_status_code` field when determining
the HTTP response code.
- Chore: Enhanced scripts and SDKs to support the newly added
`denied_response_status_code` field.

[changes]: https://github.com/fluxninja/aperture/compare/releases/aperture-controller/v2.12.2...releases/aperture-controller/v2.12.3-rc.1

2.12.2

Changelog

List of aperture PRs merged since 2.12.1 release. For the full list of changes, see [list of changes][changes]

Changed default etcd log level to error (2515)


**Configuration Update:**
- Changed the default log level from "warn" to "error" in `EtcdConfig` struct, affecting the logging behavior of the `etcd` component across the system. This change is reflected in both agent and controller configurations.

> 🐇
> In the land of code, where logic intertwines,
> A rabbit hops, making changes in lines.
> From "warn" to "error", we elevate our sight,
> To catch only errors in our log's light.
> 🎉 Celebrate this shift, for it brings clarity,
> In our quest for flawless software parity! 🥕


Fixed helm template and config parsing issues (2513)

**Refactor:**
- Updated string parameters format and default values in `agent.md` and
`controller.md`.
- Added `omitempty` tag to `LogLevel` field in `LogConfig` struct
(`log.go`) and `Network` field in `ListenerConfig` struct
(`listener.go`), making these fields optional.

> 🐇💻
>
> In the land of code, where logic intertwines,
> A rabbit hops, leaving refactor signs.
> With each soft thump, a change takes form,
> Making our codebase far from norm.
> 'Omit if empty', a new chant we sing,
> To the tune of improvement, these changes bring. 🎉🥕

[changes]: https://github.com/fluxninja/aperture/compare/releases/aperture-controller/v2.12.1...releases/aperture-controller/v2.12.2
