Flex Gateway Release Notes Archive

1.7.2

August 27, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.7.2.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-16188012
The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.	W-16124513
Flex Gateway no longer crashes when an API instance name exceeds the 50 character limit.	W-15941334

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-16188012

The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.

W-16124513

Flex Gateway no longer crashes when an API instance name exceeds the 50 character limit.

W-15941334

1.7.1

June 26, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.7.1.

What’s New

Flex Gateway now supports SUSE Linux Enterprise 15 for x86_64 and IBM PowerPC (ppc64le) architectures.

For more information, refer to Downloading Flex Gateway.
The Message Logging policy now supports additional DataWeave expressions.

For more information, refer to Message Logging Policy DataWeave Support.
Configure the FLEX_FORWARD_CLIENT_CERT_DETAILS environment variable to handle x-forwarded-client-cert (XFCC) HTTP headers. Possible values include the following strings:
- SANITIZE
- FORWARD_ONLY
- APPEND_FORWARD
- SANITIZE_SET
- ALWAYS_FORWARD_ONLY
  
  The FLEX_FORWARD_CLIENT_CERT_DETAILS environment variable configuration applies to all API instances.
  
  For more information, refer to Envoy documentation.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway certificate renewal command no longer fails.	W-15870723
Flex Gateway no longer fails when an upstream uses the `P-384` or `P-521` ECDH curves.	W-15666251
Vulnerabilities detected by scanners are now fixed.	W-15895967
Flex Gateway running in Connected Mode no longer fails if an asset name is too long.	W-15941334
The severity level of the `Details are not recognized as violation` message is decreased from `WARN` to `DEBUG`.	W-15844673
Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.	W-16151550

Flex Gateway certificate renewal command no longer fails.

W-15870723

Flex Gateway no longer fails when an upstream uses the P-384 or P-521 ECDH curves.

W-15666251

Vulnerabilities detected by scanners are now fixed.

W-15895967

Flex Gateway running in Connected Mode no longer fails if an asset name is too long.

W-15941334

The severity level of the Details are not recognized as violation message is decreased from WARN to DEBUG.

W-15844673

Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.

W-16151550

1.7.0

May 6, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.7.0.

What’s New

Flex Gateway now supports RHEL 9 for IBM PowerPC (ppc64le) architecture.

For more information, refer to Downloading Flex Gateway.
Flex Gateway now supports Debian Bookworm and Amazon Linux 2023.
Flex Gateway no longer supports Amazon Linux 2.
Flex Gateway now supports the following container orchestration services:
- Amazon Elastic Container Service (Amazon ECS)
- Azure Container Service (ACS)
- Google Cloud Run
- AWS Fargate
The flexctl check connections command enables debugging issues with network and registration.

For more information, refer to Troubleshoot Platform Connections.
The flexctl check http command enables client URL requests.

For more information, refer to Troubleshooting Request Connection.
External Authorization policy now supports configuring upstream headers and timeouts.
Envoy is now updated to version 1.29.3.
Fluent Bit is now updated to version 2.0.11.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway now sends logs under Anypoint Platform downtime conditions.	W-14899674
Flex Gateway now sets the log lines date correctly in VMs.	W-14659532
OAuth policy no longer fails to initialize in the ABI WASM.	W-14388776
Client ID Enforcement policy no longer uses a different shared data partition when a new policy instance is added.	W-14584415
HTTP Caching policy no longer generates a duplicate serialization.	W-14557325
OAS policy no longer tries to deserialize non-YAML or non-JSON files.	W-15243907
Flex Gateway no longer fails when the same TLS context is used for inbound and outbound requests.	W-14328663
The default connection timeout is now increased to 5 seconds.	W-14865784
Vulnerabilities detected by scanners are now fixed.	W-14856151
The performance of config processing is improved.	W-14821830
Flex Gateway now properly handles removed contracts.	W-14920631
Schema Validation policy now returns a 404 status code for resources that do not exist in the API specification.	W-14801480
Rate Limit policy defined using a Selector in Local Mode no longer applies an incorrect quota when matching multiple APIs.	W-13797100
Message Logging policy now attempts to parse messages using Windows-1252 charset if it fails to parse messages as UTF-8.	W-14801403
Flex Gateway now blocks traffic when a policy can’t be applied.	W-14669249
Fixed vulnerabilities detected by security scanners.	W-14686172
Flex Gateway now prevents files from being automatically deleted during OS cleanup.	W-14583807
The `flexctl dump` command no longer shows an error when there are no resources to dump.	W-11194730
Healthcheck policy no longer fails if Flex Gateway is installed on a namespace other than `default`.	W-14506137
OAS policy no longer fails when attempting to define an `enum` for integers.	W-14496441
Healthcheck and JWT Validation policies no longer use HTTP for external requests when on TLS.	W-14389347
Logging policy now correctly handles DataWeave expressions with variables returning `null`.	W-14423354
Header Removal policy is now able to remove the `Accept` header.	W-14417832
Logging policy no longer fails when trying to print a log with non-utf8 characters.	W-14707180
Flex Gateway now force-kills Fluent Bit ten seconds after a term signal is sent.	W-14189688
Flex Gateway no longer sends empty log lines to the platform.	W-14658813
Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.	W-16151550

Flex Gateway now sends logs under Anypoint Platform downtime conditions.

W-14899674

Flex Gateway now sets the log lines date correctly in VMs.

W-14659532

OAuth policy no longer fails to initialize in the ABI WASM.

W-14388776

Client ID Enforcement policy no longer uses a different shared data partition when a new policy instance is added.

W-14584415

HTTP Caching policy no longer generates a duplicate serialization.

W-14557325

OAS policy no longer tries to deserialize non-YAML or non-JSON files.

W-15243907

Flex Gateway no longer fails when the same TLS context is used for inbound and outbound requests.

W-14328663

The default connection timeout is now increased to 5 seconds.

W-14865784

Vulnerabilities detected by scanners are now fixed.

W-14856151

The performance of config processing is improved.

W-14821830

Flex Gateway now properly handles removed contracts.

W-14920631

Schema Validation policy now returns a 404 status code for resources that do not exist in the API specification.

W-14801480

Rate Limit policy defined using a Selector in Local Mode no longer applies an incorrect quota when matching multiple APIs.

W-13797100

Message Logging policy now attempts to parse messages using Windows-1252 charset if it fails to parse messages as UTF-8.

W-14801403

Flex Gateway now blocks traffic when a policy can’t be applied.

W-14669249

Fixed vulnerabilities detected by security scanners.

W-14686172

Flex Gateway now prevents files from being automatically deleted during OS cleanup.

W-14583807

The flexctl dump command no longer shows an error when there are no resources to dump.

W-11194730

Healthcheck policy no longer fails if Flex Gateway is installed on a namespace other than default.

W-14506137

OAS policy no longer fails when attempting to define an enum for integers.

W-14496441

Healthcheck and JWT Validation policies no longer use HTTP for external requests when on TLS.

W-14389347

Logging policy now correctly handles DataWeave expressions with variables returning null.

W-14423354

Header Removal policy is now able to remove the Accept header.

W-14417832

Logging policy no longer fails when trying to print a log with non-utf8 characters.

W-14707180

Flex Gateway now force-kills Fluent Bit ten seconds after a term signal is sent.

W-14189688

Flex Gateway no longer sends empty log lines to the platform.

W-14658813

Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.

W-16151550

1.6.2

February 29, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.6.2.

What’s New

Flex Gateway now supports Debian Bookworm.

Fixed Issues

Issue Resolution	ID
The default connection timeout is now increased to 5 seconds.	W-14865784
Vulnerabilities detected by scanners are now fixed.	W-14856151
The performance of config processing is improved.	W-14821830
Flex Gateway now properly handles removed contracts.	W-14920631
Schema Validation policy now returns a 404 status code for resources that do not exist in the API specification.	W-14801480
Rate Limit policy defined using a Selector in Local Mode no longer applies an incorrect quota when matching multiple APIs.	W-13797100
Message Logging policy now attempts to parse messages using Windows-1252 charset if it fails to parse messages as UTF-8.	W-14801403
Flex Gateway no longer crashes when configuring the External Authentication policy’s Allowed headers parameter.	W-15058123

Issue Resolution

The default connection timeout is now increased to 5 seconds.

W-14865784

Vulnerabilities detected by scanners are now fixed.

W-14856151

The performance of config processing is improved.

W-14821830

Flex Gateway now properly handles removed contracts.

W-14920631

Schema Validation policy now returns a 404 status code for resources that do not exist in the API specification.

W-14801480

Rate Limit policy defined using a Selector in Local Mode no longer applies an incorrect quota when matching multiple APIs.

W-13797100

Message Logging policy now attempts to parse messages using Windows-1252 charset if it fails to parse messages as UTF-8.

W-14801403

Flex Gateway no longer crashes when configuring the External Authentication policy’s Allowed headers parameter.

W-15058123

1.6.1

January 10, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.6.1.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway now blocks traffic when a policy cannot be applied.	W-14669249
Fixed vulnerabilities detected by security scanners.	W-14686172
Flex Gateway now prevents files from being automatically deleted during OS cleanup.	W-14583807
The `flexctl dump` command no longer shows an error when there are no resources to dump.	W-11194730
Healthcheck policy no longer fails if Flex Gateway is installed on a namespace other than `default`.	W-14506137
OAS policy no longer fails when attempting to define an `enum` for integers.	W-14496441
Healthcheck and JWT Validation policies no longer use HTTP for external requests when on TLS.	W-14389347
Logging policy now correctly handles DataWeave expressions with variables returning `null`.	W-14423354
Header Removal policy is now able to remove the `Accept` header.	W-14417832
Logging policy no longer fails when trying to print a log with non-utf8 characters.	W-14707180
Flex Gateway now force-kills Fluent Bit ten seconds after a term signal is sent.	W-14189688
Flex Gateway no longer sends empty log lines to the platform.	W-14658813

Flex Gateway now blocks traffic when a policy cannot be applied.

W-14669249

Fixed vulnerabilities detected by security scanners.

W-14686172

Flex Gateway now prevents files from being automatically deleted during OS cleanup.

W-14583807

The flexctl dump command no longer shows an error when there are no resources to dump.

W-11194730

Healthcheck policy no longer fails if Flex Gateway is installed on a namespace other than default.

W-14506137

OAS policy no longer fails when attempting to define an enum for integers.

W-14496441

Healthcheck and JWT Validation policies no longer use HTTP for external requests when on TLS.

W-14389347

Logging policy now correctly handles DataWeave expressions with variables returning null.

W-14423354

Header Removal policy is now able to remove the Accept header.

W-14417832

Logging policy no longer fails when trying to print a log with non-utf8 characters.

W-14707180

Flex Gateway now force-kills Fluent Bit ten seconds after a term signal is sent.

W-14189688

Flex Gateway no longer sends empty log lines to the platform.

W-14658813

1.6.0

November 29, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.6.0.

What’s New

A Flex Gateway instance now supports 600 APIs.
The certificate that Flex Gateway uses to connect to Anypoint Platform expires January 15th, 2024. You can ensure the continued operation of your applications by renewing registration. Flex Gateway now includes two CLI commands:
- To renew your registration, use flexctl registration renew.
- To verify (inspect) the status of your registration certificate, use flexctl registration inspect.
For information about these CLI commands, refer to Renewing Flex Gateway Registration.
You can now configure Flex Gateway to send formatted runtime and access logs to a Dynatrace environment HTTP output.
- For Flex Gateway running in Connected Mode, refer to Configuring Flex Gateway Log Output for Third-Party Services.
- For Flex Gateway running in Local Mode, refer to Configuring External Logs for Flex Gateway in Local Mode.
You can now configure connection idle timeout through the FLEX_CONNECTION_IDLE_TIMEOUT_SECONDS environment variable.
Envoy is now updated to version 1.25.16.
Flex Gateway now supports configuring shared storage with Redis Sentinel.

For Flex Gateway running in Connected Mode, refer to Configuring Shared Storage for Flex Gateway in Connected Mode.

For Flex Gateway running in Local Mode, refer to Configuring Shared Storage for Flex Gateway in Local Mode.
You can now disable log forwarding to Anypoint Platform via the logging.runtimeLogs.outputs.default and logging.accessLogs.outputs.default options in the Configuration resource.

For more information, refer to Disabling Flex Gateway Log Output to Anypoint Platform.
Flex Gateway now supports forwarding incoming client HTTP requests to an external authentication service.

For more information, refer to External Authorization Policy
Flex Gateway now supports forwarding HTTP requests or responses to an external gRPC service, for applying transformations.

For more information, refer to External Processing Policy

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Policies making external HTTP requests now include a `User-Agent` header.	W-13824390
Upgrading Flex Gateway in a VM now correctly upgrades policies.	W-13837035
Downloading custom policies no longer fails when a forwarding proxy is used.	W-13887045
Fixed vulnerabilities detected by security scanners.	W-13804226
The Header Removal policy can now remove the `User-Agent` header.	W-1393110
Flex Gateway now supports configuring `stream_idle_timeout` through the `FLEX_STREAM_IDLE_TIMEOUT_SECONDS` environment variable.	W-13952107
Flex Gateway no longer fails when a long regex is used in path matching.	W-13969574
The Message Logging policy no longer freezes when the JSON payload is over a certain size.	W-13873251
Flex Gateway now uses legacy DNS resolver in Fluent Bit to reduce timeout errors.	W-14067930
Flex Gateway no longer fails due to corrupted Fluent Bit chunks.	W-14111714
The Fluent Bit process now only restarts when required.	W-14149240
The OAuth 2.0 Token Introspection policy no longer uses HTTP when on TLS and the authority now contains the port for external requests.	W-14337518
To work with legacy systems, the JWT Validation policy now accepts floats for the `exp` field.	W-14274716
The Header Removal policy is now able to remove the `x-forwarded-proto` header.	W-14262338
Flex Gateway now fails if an invalid regex is used while configuring routing conditions.	W-13966293
Flex Gateway no longer fails when defining an invalid policies list in the `ApiInstance` resource.	W-14162165
Flex Gateway no longer experiences downtime with Redis when the Redis configuration is unchanged.	W-13946014
Flex Gateway no longer fails when the Exchange asset name contains non-supported characters.	W-12720868
Flex Gateway now correctly fails when using a non-supported `apiVersion`.	W-13965772

Policies making external HTTP requests now include a User-Agent header.

W-13824390

Upgrading Flex Gateway in a VM now correctly upgrades policies.

W-13837035

Downloading custom policies no longer fails when a forwarding proxy is used.

W-13887045

Fixed vulnerabilities detected by security scanners.

W-13804226

The Header Removal policy can now remove the User-Agent header.

W-1393110

Flex Gateway now supports configuring stream_idle_timeout through the FLEX_STREAM_IDLE_TIMEOUT_SECONDS environment variable.

W-13952107

Flex Gateway no longer fails when a long regex is used in path matching.

W-13969574

The Message Logging policy no longer freezes when the JSON payload is over a certain size.

W-13873251

Flex Gateway now uses legacy DNS resolver in Fluent Bit to reduce timeout errors.

W-14067930

Flex Gateway no longer fails due to corrupted Fluent Bit chunks.

W-14111714

The Fluent Bit process now only restarts when required.

W-14149240

The OAuth 2.0 Token Introspection policy no longer uses HTTP when on TLS and the authority now contains the port for external requests.

W-14337518

To work with legacy systems, the JWT Validation policy now accepts floats for the exp field.

W-14274716

The Header Removal policy is now able to remove the x-forwarded-proto header.

W-14262338

Flex Gateway now fails if an invalid regex is used while configuring routing conditions.

W-13966293

Flex Gateway no longer fails when defining an invalid policies list in the ApiInstance resource.

W-14162165

Flex Gateway no longer experiences downtime with Redis when the Redis configuration is unchanged.

W-13946014

Flex Gateway no longer fails when the Exchange asset name contains non-supported characters.

W-12720868

Flex Gateway now correctly fails when using a non-supported apiVersion.

W-13965772

1.5.4

November 08, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.5.4.

What’s New

You can now configure connection idle timeout through the FLEX_CONNECTION_IDLE_TIMEOUT_SECONDS environment variable.
Envoy is now updated to version 1.25.3.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The Fluent Bit process now only restarts when required.	W-14149240
Vulnerabilities detected by security scanners are fixed.	W-14355714
The OAuth 2.0 Token Introspection policy no longer uses HTTP when on TLS and the authority now contains the port for external requests.	W-14337518
To work with legacy systems, the JWT Validation policy now accepts floats for the `exp` field.	W-14274716
The Header Removal policy is now able to remove the `x-forwarded-proto` header.	W-14262338
The Message Logging policy no longer freezes when the JSON payload is over a certain size.	W-13873251
Flex Gateway now fails if an invalid regex is used while configuring routing conditions.	W-13966293
Flex Gateway no longer fails when defining an invalid policies list in the `ApiInstance` resource.	W-14162165
The `flexctl registration create` and `flexctl registration renew` commands no longer generate empty registration files on error.	W-14415582
Flex Gateway no longer experiences downtime with Redis when the Redis configuration is unchanged.	W-13946014

The Fluent Bit process now only restarts when required.

W-14149240

Vulnerabilities detected by security scanners are fixed.

W-14355714

The OAuth 2.0 Token Introspection policy no longer uses HTTP when on TLS and the authority now contains the port for external requests.

W-14337518

To work with legacy systems, the JWT Validation policy now accepts floats for the exp field.

W-14274716

The Header Removal policy is now able to remove the x-forwarded-proto header.

W-14262338

The Message Logging policy no longer freezes when the JSON payload is over a certain size.

W-13873251

Flex Gateway now fails if an invalid regex is used while configuring routing conditions.

W-13966293

Flex Gateway no longer fails when defining an invalid policies list in the ApiInstance resource.

W-14162165

The flexctl registration create and flexctl registration renew commands no longer generate empty registration files on error.

W-14415582

Flex Gateway no longer experiences downtime with Redis when the Redis configuration is unchanged.

W-13946014

1.5.3

October 04, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.5.3.

What’s New

The certificate that Flex Gateway uses to connect to Anypoint Platform expires January 15th, 2024. You can ensure the continued operation of your applications by renewing registration. Flex Gateway now includes two CLI commands:
- To renew your registration, use flexctl registration renew.
- To verify (inspect) the status of your registration certificate, use flexctl registration inspect.
For information about these CLI commands, refer to Renewing Flex Gateway Registration.
You can now configure Flex Gateway to send formatted runtime and access logs to a Dynatrace environment HTTP output.
- For Flex Gateway running in Connected Mode, refer to Configuring Flex Gateway Log Output for Third-Party Services.
- For Flex Gateway running in Local Mode, refer to Configuring External Logs for Flex Gateway in Local Mode.

Fixed Issues

Issue Resolution	ID
Flex Gateway no longer fails when a long regex is used in path matching.	W-13969574
The Message Logging policy no longer freezes when the JSON payload is over a certain size.	W-13873251
Flex Gateway now uses legacy DNS resolver in Fluent Bit to reduce timeout errors.	W-14067930
Flex Gateway no longer fails due to corrupted Fluent Bit chunks.	W-14111714

Issue Resolution

Flex Gateway no longer fails when a long regex is used in path matching.

W-13969574

The Message Logging policy no longer freezes when the JSON payload is over a certain size.

W-13873251

Flex Gateway now uses legacy DNS resolver in Fluent Bit to reduce timeout errors.

W-14067930

Flex Gateway no longer fails due to corrupted Fluent Bit chunks.

W-14111714

1.5.2

August 30, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.5.2.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Policies making external HTTP requests now include a `User-Agent` header.	W-13824390
Upgrading Flex Gateway in a VM now correctly upgrades policies.	W-13837035
Downloading custom policies no longer fails when a forwarding proxy is used.	W-13887045
Fixed vulnerabilities detected by security scanners.	W-13804226
The Header Removal policy can now remove the `User-Agent` header.	W-1393110
Flex Gateway now supports configuring `stream_idle_timeout` through the `FLEX_STREAM_IDLE_TIMEOUT_SECONDS` environment variable.	W-13952107

Policies making external HTTP requests now include a User-Agent header.

W-13824390

Upgrading Flex Gateway in a VM now correctly upgrades policies.

W-13837035

Downloading custom policies no longer fails when a forwarding proxy is used.

W-13887045

Fixed vulnerabilities detected by security scanners.

W-13804226

The Header Removal policy can now remove the User-Agent header.

W-1393110

Flex Gateway now supports configuring stream_idle_timeout through the FLEX_STREAM_IDLE_TIMEOUT_SECONDS environment variable.

W-13952107

1.5.1

July 24, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.5.1.

Fixed Issues

Issue Resolution	ID
Flex Gateway now correctly shows policy violations in Monitoring Center.	W-13804327

Issue Resolution

Flex Gateway now correctly shows policy violations in Monitoring Center.

W-13804327

1.5.0

July 20, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.5.0.

What’s New

Flex Gateway now supports conditional API routing from one proxy to multiple endpoints.
Flex Gateway now supports TLS for Redis-based shared storage.
Flex Gateway now supports the Podman container runtime.
- Download Flex Gateway
Fluent Bit is now updated to version 2.0.9.
Envoy is now updated to version 1.25.2.
Schema Validation policy now generates more verbose logs to help with troubleshooting.
Schema Validation policy now shows meaningful information on the response after schema validation failure.
Schema Validation policy now resolves references ($ref) in schemas, up to a 10-level depth.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
API Manager now correctly shows message logs for Flex Gateway running in Connected Mode.	W-12658860
Resource creation no longer fails due to a name length error for Flex Gateway running in Connected Mode.	W-12667439
The JSON Threat Protection policy no longer considers valid JSON payloads invalid.	W-12594181,W-12594229
API Manager and Monitoring Center now correctly format message logs for Flex Gateway running in Connected Mode.	W-12637178
Flex dump now includes Service policies.	W-12736424
OAS schema is now downloaded once.	W-12636298
Schema Validation Policy now returns a JSON response on failure.	W-12740457
Schema Validation Policy headers and query parameters validation is now case insensitive.	W-12636158
Rate Limiting: SLA-Based Policy now refreshes tiers correctly.	W-12651022
Flex Gateway no longer fails after deleting an API Instance with applied policies in Connected Mode.	W-11731962
The PolicyBinding `spec.targetRef` field is now correctly validated.	W-12347158
The Fluent Bit default buffer size has been increased.	W-12489632
ALPN is now respected when establishing a TLS connection to upstream services.	W-12285581
Ingress classes are now respected by the `Ingress.ingressClassName` field.	W-12726534
Already applied deployments from Connected Mode are no longer reprocessed.	W-12727484
OpenID Connect OAuth 2.0 Token Enforcement Policy no longer fails on token validation when used with a REST API in Connected Mode.	W-13091548
Flex Gateway no longer initiates a new connection when deployment parsing fails.	W-13039766
Flex Gateway no longer creates multiple replicas in Runtime Manager when there are changes in the networking configuration.	W-12976264
Flex Gateway pods in Kubernetes no longer freeze if the process crashes.	W-12289578
Schema Validation Policy no longer throws an invalid bad request error when another API is updated on the same port.	W-13081833, W-13080942
Flex Gateway no longer crashes due to a memory leak in Fluent Bit.	W-13071770
Forward Proxy with outbound TLS policies no longer crashes.	W-13498787
JWT Validation policy no longer fails when using a token with the `x5t` field.	W-13074446
Schema Validation policy no longer floods logs when failing to parse a specification.	W-12636271
Schema Validation policy no longer fails to match the correct path when similar paths are defined.	W-13599735
Schema Validation policy now correctly handles encoded paths and parameters.	W-13599735
Schema Validation policy now avoids re-fetching of specifications when possible.	W-13217895
Schema Validation policy no longer rejects requests with content types containing properties.	W-13639309
CORS policy now allows the `X-Forwarded-For` header for simple requests.	W-13603025
Flex Gateway stops properly after the exit signal is received if the registration file is missing or incorrect.	W-13636262
Custom policies in Connected Mode no longer fail with "invalid character '<' looking for beginning of value".	W-13736558

API Manager now correctly shows message logs for Flex Gateway running in Connected Mode.

W-12658860

Resource creation no longer fails due to a name length error for Flex Gateway running in Connected Mode.

W-12667439

The JSON Threat Protection policy no longer considers valid JSON payloads invalid.

W-12594181,W-12594229

API Manager and Monitoring Center now correctly format message logs for Flex Gateway running in Connected Mode.

W-12637178

Flex dump now includes Service policies.

W-12736424

OAS schema is now downloaded once.

W-12636298

Schema Validation Policy now returns a JSON response on failure.

W-12740457

Schema Validation Policy headers and query parameters validation is now case insensitive.

W-12636158

Rate Limiting: SLA-Based Policy now refreshes tiers correctly.

W-12651022

Flex Gateway no longer fails after deleting an API Instance with applied policies in Connected Mode.

W-11731962

The PolicyBinding spec.targetRef field is now correctly validated.

W-12347158

The Fluent Bit default buffer size has been increased.

W-12489632

ALPN is now respected when establishing a TLS connection to upstream services.

W-12285581

Ingress classes are now respected by the Ingress.ingressClassName field.

W-12726534

Already applied deployments from Connected Mode are no longer reprocessed.

W-12727484

OpenID Connect OAuth 2.0 Token Enforcement Policy no longer fails on token validation when used with a REST API in Connected Mode.

W-13091548

Flex Gateway no longer initiates a new connection when deployment parsing fails.

W-13039766

Flex Gateway no longer creates multiple replicas in Runtime Manager when there are changes in the networking configuration.

W-12976264

Flex Gateway pods in Kubernetes no longer freeze if the process crashes.

W-12289578

Schema Validation Policy no longer throws an invalid bad request error when another API is updated on the same port.

W-13081833, W-13080942

Flex Gateway no longer crashes due to a memory leak in Fluent Bit.

W-13071770

Forward Proxy with outbound TLS policies no longer crashes.

W-13498787

JWT Validation policy no longer fails when using a token with the x5t field.

W-13074446

Schema Validation policy no longer floods logs when failing to parse a specification.

W-12636271

Schema Validation policy no longer fails to match the correct path when similar paths are defined.

W-13599735

Schema Validation policy now correctly handles encoded paths and parameters.

W-13599735

Schema Validation policy now avoids re-fetching of specifications when possible.

W-13217895

Schema Validation policy no longer rejects requests with content types containing properties.

W-13639309

CORS policy now allows the X-Forwarded-For header for simple requests.

W-13603025

Flex Gateway stops properly after the exit signal is received if the registration file is missing or incorrect.

W-13636262

Custom policies in Connected Mode no longer fail with "invalid character '<' looking for beginning of value".

W-13736558

1.4.6

July 13, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.4.6.

Fixed Issues

Issue Resolution	ID
Custom policies in Connected Mode no longer fail with "invalid character '<' looking for beginning of value".	W-13736558

Issue Resolution

Custom policies in Connected Mode no longer fail with "invalid character '<' looking for beginning of value".

W-13736558

1.4.5

June 22, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.4.5.

What’s New

Schema Validation policy now generates more verbose logs to help with troubleshooting.
Schema Validation policy now shows meaningful information on the response after schema validation failure.
Schema Validation policy now resolves references ($ref) in schemas, up to a 10-level depth.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Forward Proxy with outbound TLS policies no longer crashes.	W-13498787
JWT Validation policy no longer fails when using a token with the `x5t` field.	W-13074446
Schema Validation policy no longer floods logs when failing to parse a specification.	W-12636271
Schema Validation policy no longer fails to match the correct path when similar paths are defined.	W-13599735
Schema Validation policy now correctly handles encoded paths and parameters.	W-13599735
Schema Validation policy now avoids re-fetching of specifications when possible.	W-13217895
Schema Validation policy no longer rejects requests with content types containing properties.	W-13639309
CORS policy now allows the `X-Forwarded-For` header for simple requests.	W-13603025
Flex Gateway stops properly after the exit signal is received if the registration file is missing or incorrect.	W-13636262

Forward Proxy with outbound TLS policies no longer crashes.

W-13498787

JWT Validation policy no longer fails when using a token with the x5t field.

W-13074446

Schema Validation policy no longer floods logs when failing to parse a specification.

W-12636271

Schema Validation policy no longer fails to match the correct path when similar paths are defined.

W-13599735

Schema Validation policy now correctly handles encoded paths and parameters.

W-13599735

Schema Validation policy now avoids re-fetching of specifications when possible.

W-13217895

Schema Validation policy no longer rejects requests with content types containing properties.

W-13639309

CORS policy now allows the X-Forwarded-For header for simple requests.

W-13603025

Flex Gateway stops properly after the exit signal is received if the registration file is missing or incorrect.

W-13636262

1.4.4

May 03, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.4.4.

What’s New

Fluent Bit is now updated to version 1.8.15.
Flex Gateway now configures a liveness probe in Kubernetes deployments.
- Configure a Liveness Check in Connected Mode
- Configure a Liveness Check in Local Mode
Flex Gateway now supports the PROXY Protocol.
- Configure PROXY Protocol in Connected Mode
- Configure PROXY Protocol in Local Mode
Flex Gateway now supports configuring an IngressClass to manage Ingress resources in Kubernetes.
- Configure Flex Gateway as an Ingress Controller in Local Mode
Disconnected replicas now display in the Runtime Manager UI for seven days.
The Flex Gateway Helm chart now uses the new HorizontalPodAutoscaler apiVersion (autoscaling/v2) in supported Kubernetes releases.
Anypoint Platform CLI 4.x now supports automating Flex Gateway workflows for all Flex Gateway versions.
- Anypoint Platform Command-Line Interface 4.x Release Notes
- Automate Flex Gateway with a Jenkins Pipeline

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The Fluent Bit default buffer size has been increased.	W-12489632
ALPN is now respected when establishing a TLS connection to upstream services.	W-12285581
Ingress classes are now respected by the `Ingress.ingressClassName` field.	W-12726534
Already applied deployments from Connected Mode are no longer reprocessed.	W-12727484
OpenID Connect OAuth 2.0 Token Enforcement Policy no longer fails on token validation when used with a REST API in Connected Mode.	W-13091548
Flex Gateway no longer initiates a new connection when deployment parsing fails.	W-13039766
Flex Gateway no longer creates multiple replicas in Runtime Manager when there are changes in the networking configuration.	W-12976264
Flex Gateway pods in Kubernetes no longer freeze if the process crashes.	W-12289578
Schema Validation Policy no longer throws an invalid bad request error when another API is updated on the same port.	W-13081833, W-13080942
Flex Gateway no longer crashes due to a memory leak in Fluent Bit.	W-13071770

The Fluent Bit default buffer size has been increased.

W-12489632

ALPN is now respected when establishing a TLS connection to upstream services.

W-12285581

Ingress classes are now respected by the Ingress.ingressClassName field.

W-12726534

Already applied deployments from Connected Mode are no longer reprocessed.

W-12727484

OpenID Connect OAuth 2.0 Token Enforcement Policy no longer fails on token validation when used with a REST API in Connected Mode.

W-13091548

Flex Gateway no longer initiates a new connection when deployment parsing fails.

W-13039766

Flex Gateway no longer creates multiple replicas in Runtime Manager when there are changes in the networking configuration.

W-12976264

Flex Gateway pods in Kubernetes no longer freeze if the process crashes.

W-12289578

Schema Validation Policy no longer throws an invalid bad request error when another API is updated on the same port.

W-13081833, W-13080942

Flex Gateway no longer crashes due to a memory leak in Fluent Bit.

W-13071770

1.4.3

April 05, 2023

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex dump now includes Service policies.	W-12736424
OAS schema is now downloaded once.	W-12636298
Schema Validation Policy now returns a JSON response on failure.	W-12740457
Schema Validation Policy headers and query parameters validation is now case insensitive.	W-12636158
Rate Limiting: SLA-Based Policy now refreshes tiers correctly.	W-12651022
Flex Gateway no longer fails after deleting an API Instance with applied policies in Connected Mode.	W-11731962
The PolicyBinding `spec.targetRef` field is now correctly validated.	W-12347158

Flex dump now includes Service policies.

W-12736424

OAS schema is now downloaded once.

W-12636298

Schema Validation Policy now returns a JSON response on failure.

W-12740457

Schema Validation Policy headers and query parameters validation is now case insensitive.

W-12636158

Rate Limiting: SLA-Based Policy now refreshes tiers correctly.

W-12651022

Flex Gateway no longer fails after deleting an API Instance with applied policies in Connected Mode.

W-11731962

The PolicyBinding spec.targetRef field is now correctly validated.

W-12347158

1.4.2

March 15, 2023

Fixed Issues

Issue Resolution	ID
API Manager now correctly shows message logs for Flex Gateway running in Connected Mode.	W-12658860
Resource creation no longer fails due to a name length error for Flex Gateway running in Connected Mode.	W-12667439
The JSON Threat Protection policy no longer considers valid JSON payloads invalid.	W-12594181,W-12594229
API Manager and Monitoring Center now correctly format message logs for Flex Gateway running in Connected Mode.	W-12637178

Issue Resolution

API Manager now correctly shows message logs for Flex Gateway running in Connected Mode.

W-12658860

Resource creation no longer fails due to a name length error for Flex Gateway running in Connected Mode.

W-12667439

The JSON Threat Protection policy no longer considers valid JSON payloads invalid.

W-12594181,W-12594229

API Manager and Monitoring Center now correctly format message logs for Flex Gateway running in Connected Mode.

W-12637178

1.4.0

February 22, 2023

MuleSoft announces the release of Anypoint Flex Gateway 1.4.0.

What’s New

JSON Threat Protection Policy
Schema Validation Policy
Health Check policy for monitoring API upstream services

See the Health Check policy for more information.
Policy execution order in Connected Mode

See Reordering Policies for more information.
Forward proxy support:
- Configuring a Forward Proxy for Flex Gateway in Connected Mode
- Configuring a Forward Proxy for Flex Gateway in Local Mode
Configure TLS and mTLS contexts in Connected Mode.

See Configuring TLS Context for Flex Gateway in Connected Mode for more information.
Configure mTLS for API proxies to upstream services:
- Configuring TLS Context for Flex Gateway in Connected Mode
- Configuring TLS Context for Flex Gateway in Local Mode

Fixed Issues

Issue ID

Issue	ID
Requests with invalid upstream TLS certificates no longer automatically succeed. These requests will now result in 5xx errors. Add `skipValidation: true` to a `PolicyBinding` resource to skip the validation attempt of invalid certificates.	W-12526058
Configuring `"format": dataweaveExpression` in a custom policy schema file in Connected Mode no longer results in an error.	W-12175284

Requests with invalid upstream TLS certificates no longer automatically succeed. These requests will now result in 5xx errors. Add skipValidation: true to a PolicyBinding resource to skip the validation attempt of invalid certificates.

W-12526058

Configuring "format": dataweaveExpression in a custom policy schema file in Connected Mode no longer results in an error.

W-12175284

Known Issues

The Health Check policy does not work on Kubernetes when Flex Gateway is installed in a namespace other than default.

1.3.0

October 31, 2022

MuleSoft announces the release of Anypoint Flex Gateway 1.3.0.

What’s New

Flex Gateway now supports the following deployment targets:
- Amazon Linux 2
- CentOS 8
- RHEL 8
- RHEL 9
- OpenShift 4.8 or greater
Policies now support execution ordering in Local Mode via a new spec.order field in the PolicyBinding resource.
OAuth 2.0 Token Introspection Policy
Flex Gateway now supports inbound mutual authentication TLS (mTLS) via new requireClientCertificate and trustedCA fields in the PolicyBinding resource.

Fixed Issues

Issue	ID
Flex Gateway no longer crashes due to invalid status codes when collecting metrics or when using the HTTP Caching Policy.	W-11830114
Rate Limit Policy no longer fails when using reserved URL characters with selectors.	W-11956739

Issue

Flex Gateway no longer crashes due to invalid status codes when collecting metrics or when using the HTTP Caching Policy.

W-11830114

Rate Limit Policy no longer fails when using reserved URL characters with selectors.

W-11956739

1.2.0

September 28, 2022

MuleSoft announces the release of Anypoint Flex Gateway 1.2.0.

What’s New

Rate Limit and Rate Limit SLA policies can now be used in a distributed environment.

See Rate Limit Policy and Rate Limit SLA Policy.
HTTP Caching and LDAP policies performance is improved.
Envoy is updated to version v1.23.0.
Flex Gateway now supports port sharing across different API instances.

Fixed Issues

Issue ID

Issue	ID
The `Prefix` path type now works correctly in Kubernetes Ingress mode.	W-11554856
Missing permissions errors no longer occur when using Flex in Kubernetes Ingress mode.	W-11554823

The Prefix path type now works correctly in Kubernetes Ingress mode.

W-11554856

Missing permissions errors no longer occur when using Flex in Kubernetes Ingress mode.

W-11554823

1.1.0

Jul 31, 2022

MuleSoft announces the release of Anypoint Flex Gateway 1.1.0, which includes enhancements to the registration experience, and support for new policies.

Policies

Distributed support for the HTTP Caching policy and Shared Storage configuration.

See HTTP Caching Policy and Configuring Shared Storage for Flex Gateway in Local Mode.
LDAP Policy.
Support for the ES256 signature algorithm in the JWT Validation policy.

Enhancements

The Flex Gateway registration experience has been simplified.

The enhancements are backward compatible - the previous way to run Flex Gateway is supported.

For information about migrating to the new registration flow, refer to Registering and Running Flex Gateway in Connected Mode.
Added the ability to delete Flex Gateways via Runtime Manager. Refer to Delete a Flex Gateway.
Flex Gateway has new limits - a maximum of 200 APIs are now allowed in a Flex Gateway.

The logs display the following error when a deployment fails due to exceeding the API limit: limit of 200 API instances has already been reached.
Logging improvements:
- On startup, logs show [flex-gateway-agent][info] Gateway: Platform=https://anypoint.mulesoft.com OrgID=[org_id] EnvID=[env_id] Name=[name] Mode=offline ReplicaName=[replica_name].[namespace]
- Logs generated by policies now indicate the policy name and the associated API identifier.
- API logs are available for each API deployed in API Manager for 30 Days or 100MB.

Fixed issues

Flex Gateway now updates after changing a value in the Configuration resource. For example, adding quotes in a field: port: 443 to port: "443".
Fixed issue with Flex Gateway stopping when enabling/disabling policies in connected mode.
Fixed issue with attributes.queryString DataWeave expression returning null instead of the query string attribute.
Logs generated from certain policies now include a reference to the policy generating the log.

Known Issues

When the 200 APIs limit is reached, no message errors are displayed in API Manager. Error information is only available in the Flex Gateway logs.

1.0.1

Jun 16, 2022

Enhancements

Added distribution packages for Ubuntu Jammy.

Fixed issues

Fixed crash when PolicyBinding.spec.targetRef.selector was set to null.
Support resource-level policies with and without slash as a starting character.
Startup errors are logged less frequently when internal metrics are not ready to be sent. The "Failed to push internal metrics: http_connector: metrics service not available" Fluent Bit setup error appears less frequently.
Access to runtime properties are now cached, improving Flex reliability on long uninterrupted executions. A known issue has been identified and is described below with a workaround.
Fixed typo in payload response for rejected requests in rate limiting policies. "Too many request" was changed to "Too many requests".

Known Issues

In low-traffic environments, after disabling/enabling a policy and waiting ten minutes without applying/unapplying other policies, the next rejected request forces Flex Gateway to stop.

Workaround: Remove the policy instead of disabling it.

The issue does not occur when enabling and disabling the following policies: Client ID Enforcement, Open Id, JWT Validation and Rate Limiting - SLA based.
After disabling and then enabling a policy, the monitoring suite stops receiving data. The following message appears: "got policy violation but could not fetch policy ids context".

Workaround: Remove the policy instead of disabling it.

1.0.0

May 2, 2022

MuleSoft announces the release of Anypoint Flex Gateway 1.0.0.

Flex Gateway is an ultrafast API gateway designed to manage and secure APIs running anywhere. Built to seamlessly integrate with DevOps and CI/CD workflows, Flex Gateway delivers the performance required for the most demanding applications and microservices, while providing enterprise security and manageability across any environment.

See the Anypoint Flex Gateway documentation for more information about Flex Gateway.

Known Issues

Flex Gateway does not support adding APIs in the design environment. Use the sandbox or your production environment to add APIs.
When you apply the Rate Limiting policy to a Flex Gateway, the APIs are scoped to replicas and not to the gateway.
The Rate Limiting policy has a 24-day limit restriction.

For Rate Limiting in Connected Mode, the maximum windows size is 24 days. There is no window size limitation in Local Mode.
TLS configuration is currently supported at the API Gateway level and not at the API instance level.

Compatibility

Flex Gateway is supported on x86_64 and AMD64.