diff --git a/CHANGELOG.md b/CHANGELOG.md index 47b8088949..9c42a10f62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -85,15 +85,37 @@ it will be removed; but as it won't be user-visible this isn't considered a brea ## RELEASE NOTES -## [3.9.0] TBD +## [3.9.0] November 13, 2023 [3.9.0]: https://github.com/emissary-ingress/emissary/compare/v3.8.0...v3.9.0 ### Emissary-ingress and Ambassador Edge Stack +- Feature: This upgrades Emissary-ingress to be built on Envoy v1.27.2 which provides security, + performance and feature enhancements. You can read more about them here: Envoy Proxy + 1.27.2 Release Notes + +- Feature: By default, Emissary-ingress will return an `UNAVAILABLE` code when a request using gRPC + is rate limited. The `RateLimitService` resource now exposes a new + `grpc.use_resource_exhausted_code` field that when set to `true`, Emissary-ingress will return a + `RESOURCE_EXHAUSTED` gRPC code instead. Thanks to Jerome + Froelich for contributing this feature! + - Feature: Envoy runtime fields that were provided to mitigate the recent HTTP/2 rapid reset - vulnerability can now be configured via the Module resource so the configuration will persist - between restarts. This configuration is added to the Envoy bootstrap config, so restarting - Emissary is necessary after changing these fields for the configuration to take effect. + vulnerability can now be configured via the Module resource so the configuration will persist + between restarts. This configuration is added to the Envoy bootstrap config, so restarting + Emissary is necessary after changing these fields for the configuration to take effect. + +- Change: APIExt would previously allow for TLS 1.0 connections. We have updated it to now only use + a minimum TLS version of 1.3 to resolve security concerns. + +- Change: - Update default image to Emissary-ingress v3.9.0.
+ +- Bugfix: The APIExt server provides CRD conversion between the stored version v2 and the version + watched for by Emissary-ingress v3alpha1. Since this component is required to operate + Emissary-ingress, we have introduced an init container that will ensure it is available before + starting. This will help address some of the intermittent issues seen during install and + upgrades. ## [3.8.0] August 29, 2023 [3.8.0]: https://github.com/emissary-ingress/emissary/compare/v3.7.2...v3.8.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 887424db29..f282681042 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -34,16 +34,53 @@ changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG. items: - version: 3.9.0 prevVersion: 3.8.0 - date: 'TBD' + date: '2023-11-13' notes: + - title: Upgrade to Envoy 1.27.2 + type: feature + body: >- + This upgrades $productName$ to be built on Envoy v1.27.2 which provides security, performance + and feature enhancements. You can read more about them here: + Envoy Proxy 1.27.2 Release Notes + docs: https://www.envoyproxy.io/docs/envoy/v1.27.2/version_history/version_history + + - title: Added support for RESOURCE_EXHAUSTED responses to grpc clients when rate limited + type: feature + body: >- + By default, $productName$ will return an UNAVAILABLE code when a request using gRPC + is rate limited. The RateLimitService resource now exposes a new grpc.use_resource_exhausted_code + field that when set to true, $productName$ will return a RESOURCE_EXHAUSTED gRPC code instead. + Thanks to Jerome Froelich for contributing this feature! + + - title: Added support for setting specific Envoy runtime flags in the Module + type: feature + body: >- + Envoy runtime fields that were provided to mitigate the recent HTTP/2 rapid reset vulnerability + can now be configured via the Module resource so the configuration will persist between restarts. + This configuration is added to the Envoy bootstrap config, so restarting Emissary is necessary after + changing these fields for the configuration to take effect. + + - title: Update APIExt minimum TLS version + type: change + body: >- + APIExt would previously allow for TLS 1.0 connections. We have updated it to now only use a minimum + TLS version of 1.3 to resolve security concerns. + docs: https://www.tenable.com/plugins/nessus/104743 + + - title: Shipped Helm chart v8.9.0 + type: change + body: >- + - Update default image to $productName$ v3.9.0.
+ docs: https://github.com/emissary-ingress/emissary/blob/master/charts/emissary-ingress/CHANGELOG.md - - title: Added support for setting specific Envoy runtime flags in the Module - type: feature - body: >- - Envoy runtime fields that were provided to mitigate the recent HTTP/2 rapid reset - vulnerability can now be configured via the Module resource so the configuration will - persist between restarts. This configuration is added to the Envoy bootstrap config, so - restarting Emissary is necessary after changing these fields for the configuration to take effect. + - title: Ensure APIExt server is available before starting Emissary-ingress + type: bugfix + body: >- + The APIExt server provides CRD conversion between the stored version v2 and the version watched for + by $productName$ v3alpha1. Since this component is required to operate $productName$, we have + introduced an init container that will ensure it is available before starting. This will help address + some of the intermittent issues seen during install and upgrades. + docs: https://artifacthub.io/packages/helm/datawire/edge-stack/$emissaryChartVersion$ - version: 3.8.0 prevVersion: 3.7.2
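
Review bot: In the CHANGELOG.md hunk, the APIExt TLS entry goes from accepting TLS 1.0 to a minimum of TLS 1.3 in one step but does not say that a client limited to TLS 1.2 or lower will no longer be able to connect. Since the bugfix entry in the same hunk states that APIExt is required to operate Emissary-ingress, I would add a sentence on that compatibility impact so operators can check it before upgrading. Also in this hunk, `- Change: - Update default image to Emissary-ingress v3.9.0.` has a stray nested dash and drops the "Shipped Helm chart v8.9.0" title that docs/releaseNotes.yml gives the same item, so a reader of the changelog cannot tell the line is about the Helm chart. Suggest something like `- Change: Shipped Helm chart v8.9.0, which updates the default image to Emissary-ingress v3.9.0.`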
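
Review bot: In the docs/releaseNotes.yml hunk, the re-added "Added support for setting specific Envoy runtime flags in the Module" item is the one security mitigation note in this release, yet it neither names the runtime fields that can now be set nor carries a `docs:` link, while the Envoy upgrade, TLS, Helm and APIExt items around it all have one. Please list the field names or link to the Module documentation, so that someone applying the HTTP/2 rapid reset mitigation knows what to configure. The body of that item also writes "restarting Emissary is necessary" where the other items use `$productName$`, which is worth making consistent. Separately, the `docs:` link on the APIExt availability item points at a `datawire/edge-stack` chart page although the text describes `$productName$`; please confirm that is the intended target.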