Docs for 1.18 LTS backport (#10476)

Co-authored-by: Nadine Spies <[email protected]>

Author: Nadine2016

changelog/v1.18.1/docs-prepare-1.18.yaml

@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Prepare 1.18 docs.
+      skipCI-kube-tests:true

docs/active_versions.json

@@ -1,12 +1,12 @@
 {
-  "latest": "v1.17.x",
+  "latest": "v1.18.x",
   "versions": [
     "main",
-    "v1.17.x"
+    "v1.18.x"
   ],
   "oldVersions": [
+    "v1.17.x",
     "v1.16.x",
-    "v1.15.x",
-    "v1.14.x"
+    "v1.15.x"
   ]
 }

docs/content/operations/upgrading/faq.md

@@ -65,6 +65,50 @@ The Envoy dependency in Gloo Gateway 1.18 was upgraded from 1.29.x to 1.31.x. Th
 * **HTTP/2**: HTTP/2 colon prefixed headers are now sanitized by Envoy. Previously, sanitation was performed by the `nghttp2` library, which caused pseudo headers with upper case letters to fail validation. Now, these pseudo headers pass validation. You can temporarily revert this change by setting the runtime guard `envoy.reloadable_features.sanitize_http2_headers_without_nghttp2` to `false`. 
 * **Local ratelimit**: The token bucket implementation changed. Previously, a timer-based token bucket was used to assign tokens to connections. In Envoy 1.31.x, the new AtomicToken bucket is used that is no longer timer-based. Tokens are now automatically refilled when the token bucket is accessed. Because of this change, the `x-ratelimit-reset` header is no longer sent. You can temporarily revert this change by setting the runtime guard `envoy.reloadable_features.no_timer_based_rate_limit_token_bucket` to `false`.
 
+## New features
+
+### Watch namespace based on label 
+
+Previously, the namespaces that you wanted Gloo Gateway to watch for resources needed to be provided as a static list via the `watchNamespaces` setting in the Settings resource and had to be updated manually every time a namespace was added or deleted. Starting in 1.18.0, you can now define the namespaces that you want to watch by using the `WatchNamespaceSelectors` option on the Settings CR. This way, Gloo Gateway automatically includes new namespaces that have the required selectors. 
+
+Label selectors can use exact matches or an `In`, `NotIn`, `Exists`, or `DoesNotExist` expression. You can also chain label selectors to form logical `AND` or `OR` expressions as shown in the following example. 
+
+```yaml
+settings: 
+  watchNamespaceSelectors: 
+    - matchLabels: 
+        label: match
+    - matchLabels: 
+        label: and
+    - matchExpressions: 
+      - key: expression
+        operator: In
+        values: 
+          - and
+```
+        
+{{% notice note %}}
+If you specify both the `watchNamespaces` and `watchNamespaceSelectors` setting, the `watchNamespaces` setting takes precedence.  
+{{% /notice %}}
+
+For more information, see [Specify namespaces to watch for Kuberenetes services and Gloo Gateway CRs]({{% versioned_link_path fromRoot="/installation/advanced_configuration/multiple-gloo-installs/#specify-namespaces-to-watch-for-kuberenetes-services-and-gloo-gateway-crs " %}}).
+
+### ARM images
+
+In Gloo Gateway Enterprise, ARM images are now supported for Gloo Gateway components. An image that is tagged with -arm is compatible with ARM64 architectures. Note that ARM images are currently not published for VMs.
+
+### Kubernetes 1.30 and 1.31 support 
+
+Starting in version 1.18.0, Gloo Gateway can now run on Kubernetes 1.30 and 1.31. For more information about supported Kubernetes, Envoy, and Istio versions, see [Supported versions]({{% versioned_link_path fromRoot="/reference/support/" %}}).
+
+### Front channel logout
+
+You can configure a front channel logout path on an AuthConfig that configures OIDC authorization code for your apps.
+
+Front channel logout is a security mechanism that is used in the context of Single Sign-On (SSO) and Identity and Access Management (IAM) systems to ensure that when a user logs out of one app or service, they are also automatically logged out of the Identity Provider (IdP) and therefore all related apps and services in a secure and synchronized manner. Without front channel logout, the user is logged out of the requested app only.
+
+For more information, see [Front channel logout]({{% versioned_link_path fromRoot="/guides/security/auth/extauth/oauth/#front-channel-logout" %}}).
+
 
 <!-- ggv2-related changes:
 ggv2 - Disable Istio Envoy proxy from running by default and only rely on proxyless Istio agent mtls integration. Note: Although this is a change to the default behavior of the istio integration, this should not have any impact on most users as the sidecar proxy was unused in the data path. (https://github.com/solo-io/solo-projects/issues/5711)
@@ -184,7 +228,7 @@ New CRDs are automatically applied to your cluster when performing a `helm insta
 
 Review the following summary of important new, deprecated, or removed CRD updates. For full details, see the [changelogs](#changelogs).
 
-As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CLI changes were introduced.
+As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CRD changes were introduced.
 <!--
 **New and updated CRDs**:
 
@@ -200,13 +244,15 @@ N/A
 
 You must upgrade `glooctl` before you upgrade Gloo Gateway. Because `glooctl` can create resources in your cluster, such as with `glooctl add route`, you might have errors in Gloo Gateway if you create resources with an older version of `glooctl`.
 
-As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CLI changes were introduced.
-<!--
+
 Review the following summary of important new, deprecated, or removed CLI options. For full details, see the [changelogs](#changelogs).
 
 **New CLI commands or options**:
 
-* `glooctl create secret encryptionkey`: [Create encryption secrets]({{% versioned_link_path fromRoot="/reference/cli/glooctl_create_secret_encryptionkey/" %}}), such as to use in the `cipherConfig` field of the `ExtAuthConfig` resource.
+* `glooctl proxy snapshot`: [Create a snapshot of the current state in Envoy]({{% versioned_link_path fromRoot="/reference/cli/glooctl_proxy_snapshot/" %}}) for the purpose of simplified issue reporting and triaging.
+
+<!-->
+As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CLI changes were introduced.
 
 **Changed behavior**:-->
 

docs/content/reference/support.md

@@ -12,10 +12,10 @@ Gloo Gateway Enterprise offers `n-3` patching support for bug and critical secur
 
 | Gloo Gateway | Kubernetes | Envoy | Helm | Istio`†`    |
 |------|----------|---------|--------|-------------|
+| 1.18.x | 1.27 - 1.31 | v3 xDS API | >= 3.12 | 1.18 - 1.23 |
 | 1.17.x | 1.25 - 1.29 | v3 xDS API | >= 3.12 | 1.16 - 1.22 |
 | 1.16.x | 1.24 - 1.28 | v3 xDS API | >= 3.12 | 1.14 - 1.20 |
 | 1.15.x | 1.23 - 1.27 | v3 xDS API | >= 3.11 | 1.13 - 1.18 |
-| 1.14.x | 1.23 - 1.25 | v3 xDS API | >= 3.8 | 1.13 - 1.18 |
 
 {{% notice note %}}`†` **Istio versions**: Istio must run on a compatible version of Kubernetes. For example, Istio 1.22 is tested, but not supported, on Kubernetes 1.26. For more information, see the [Istio docs](https://istio.io/latest/docs/releases/supported-releases/). If you want hardened `n-4` versions of Istio for particular requirements such as FIPS, consider using [Gloo Mesh Enterprise](https://www.solo.io/products/gloo-mesh/), which includes ingress gateway and service mesh components.
 
@@ -52,7 +52,7 @@ You have two options for specifying the variant for a Gloo Gateway image in your
 
 Gloo Gateway Enterprise releases are built on the OSS codebase and typically follow the equivalent Gloo Gateway OSS release. The OSS version is always released as the latest build, while Enterprise version is always released as the first stable build of that version. For example, the latest build of Gloo Gateway OSS is {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}}, while the latest stable build of Gloo Gateway Enterprise is {{< readfile file="static/content/version_gee_latest.md" markdown="true">}}.
 
-Stable builds for both Gloo Gateway Enterprise and OSS are released as minor versions approximately every three months. A stable branch for a minor version, such as 1.14, is tagged from `main`, and stable builds for both Enterprise and OSS are supported from that branch.
+Stable builds for both Gloo Gateway Enterprise and OSS are released as minor versions approximately every three months. A stable branch for a minor version, such as 1.18, is tagged from `main`, and stable builds for both Enterprise and OSS are supported from that branch.
 
 ## Release development
 
@@ -64,7 +64,7 @@ New features for Gloo Gateway Enterprise and OSS are always developed on `main`.
 
 Development of a quality stable release on `main` typically follows this process:
 1. New feature development is suspended on `main`.
-2. Release candidates are created, such as `1.14.0-rc1`, `1.14.0-rc2`, and so on.
+2. Release candidates are created, such as `1.18.0-rc1`, `1.18.0-rc2`, and so on.
 3. A full suite fo tests is performed for each release candidate. Testing includes all documented workflows, a test matrix of all supported platforms, and more.
 4. Documentation for that release is prepared, vetted, and staged.
 5. The stable minor version is released.

docs/content/static/content/version_gee_latest.md

@@ -1 +1 @@
-1.18.0-rc3
+1.18.0

docs/content/static/content/version_gee_n+1.md

@@ -1 +1 @@
-1.18.0-rc3
+1.18.0

docs/content/static/content/version_gee_n-1.md

@@ -1 +1 @@
-1.17.3
+1.17.4

docs/content/static/content/version_gee_n-1_oldpatch.md

@@ -1 +1 @@
-1.17.2
+1.17.3

docs/content/static/content/version_geoss_latest.md

@@ -1 +1 @@
-1.18.0-rc3
+1.18.0

docs/content/static/content/version_geoss_n+1.md

@@ -1 +1 @@
-1.18.0-rc3
+1.19.0-beta2

docs/content/static/content/version_geoss_n-1.md

@@ -1 +1 @@
-1.17.15
+1.17.16