
4.2.0

@airlockgithubci airlockgithubci released this 17 Apr 13:42

Version 4.2.0

Release description

Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.

Main new features:

  • Helm Chart
  • ARM support
  • Cilium support
  • OIDC relying party (experimental)
  • Deny Rule improvements

Action required:

  • The licensing model has changed (see "Breaking changes"). Therefore, a new license file is required to run Microgateway 4.2. Request and deploy a new license file.
  • Uninstall previous installations of Airlock Microgateway CNI and Operator which were done with plain Kubernetes manifest files to ensure a smooth upgrade path in the future.
    Note: If Airlock Microgateway CNI was installed with Helm, a helm upgrade should be possible instead.
  • The Airlock Microgateway CNI must be installed before the Airlock Microgateway Operator.
  • The configuration to protect a Pod has switched from annotation to label (see "Breaking changes"). To migrate the existing Pods that are protected by Microgateway, do the following:
    1. Before upgrading: Label the Pod with "sidecar.microgateway.airlock.com/inject=true". Note: It is very important that this step is performed before the upgrade!
    2. After upgrading: In order to upgrade the sidecar to the new version, restart the Pod (run "rollout restart" of the Deployment/StatefulSet/DaemonSet).
  • See Microgateway Upgrade for more detailed upgrade instructions.
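The two-step migration above (label first, restart after the upgrade) is easy to get wrong at scale, so here is an added example, not part of the release or of the Airlock project, that adds the inject label to a parsed workload manifest (for instance the output of `kubectl get deploy -o json`) without touching the immutable `spec.selector`. The annotation is left in place because the 4.1 operator still needs it until the upgrade has happened; the sample Deployment is constructed for the example.

```python
"""Add the 4.2 inject label to workloads still using the 4.1 inject annotation (added example)."""
import copy

INJECT_KEY = "sidecar.microgateway.airlock.com/inject"
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}

def _pod_metadata(obj: dict) -> dict:
    """Locate the pod metadata: the template for workloads, the object itself for a bare Pod."""
    if obj.get("kind") in TEMPLATED_KINDS:
        return obj.setdefault("spec", {}).setdefault("template", {}).setdefault("metadata", {})
    return obj.setdefault("metadata", {})

def needs_migration(obj: dict) -> bool:
    meta = _pod_metadata(copy.deepcopy(obj))
    annotated = meta.get("annotations", {}).get(INJECT_KEY) == "true"
    labelled = meta.get("labels", {}).get(INJECT_KEY) == "true"
    return annotated and not labelled

def migrate(obj: dict) -> dict:
    """Return a copy carrying the inject label. The annotation is kept so the 4.1 operator
    keeps injecting until the upgrade; spec.selector is never touched (it is immutable)."""
    out = copy.deepcopy(obj)
    if needs_migration(obj):
        _pod_metadata(out).setdefault("labels", {})[INJECT_KEY] = "true"
    return out

# Constructed sample: a 4.1-style Deployment protected via the annotation only.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo-app", "namespace": "demo"},
    "spec": {
        "selector": {"matchLabels": {"app": "demo-app"}},
        "template": {
            "metadata": {"labels": {"app": "demo-app"}, "annotations": {INJECT_KEY: "true"}},
            "spec": {"containers": [{"name": "app", "image": "example.invalid/demo-app:1.0"}]},
        },
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(migrate(SAMPLE_DEPLOYMENT)["spec"]["template"]["metadata"], indent=2))
```

Changing the pod template already triggers a rollout, so after the operator upgrade a second `rollout restart` (step 2 above) is still needed to pick up the 4.2 sidecar.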

Breaking changes:
The following changes are breaking:

  • The DockerHub repositories docker.io/ergon/* have been moved to quay.io/airlock/*. From Airlock Microgateway 4.2 onward all images are hosted at quay.io/airlock.
  • The licensing model has changed from "requests per second" to "requests per month" to resolve the issues with request bursts.
  • The configuration steps to instruct the Microgateway Operator to inject the Engine container in a web application Pod have changed:
    • In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
      -> In 4.2: Label the Pod with "sidecar.microgateway.airlock.com/inject"
  • The following metrics have been removed because the licensing has changed:
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total
    • License guard: airlock_microgateway_license_guard_current_requests_per_second
    • License guard: airlock_microgateway_license_guard_config_load_success_total
    • License guard: airlock_microgateway_license_guard_config_load_error_total
    • License guard: airlock_microgateway_license_guard_grpc_ratelimit_requests_total
    • License guard: airlock_microgateway_license_guard_response_time_seconds
    • License guard: airlock_microgateway_license_guard_errors_total
    • Operator: airlock_microgateway_license_max_requests_per_second
    • Operator: airlock_microgateway_license_rate_limiting_enforced
  • The Engine metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
    • In 4.1: airlock_microgateway_engine_triggered_limit_total
      -> In 4.2: microgateway_http_downstream_rq_limit_total
    • In 4.1: airlock_microgateway_engine_triggered_deny_rule_total
      -> In 4.2: microgateway_http_downstream_rq_deny_rule_total
    • In 4.1: airlock_microgateway_engine_http_requests_blocked_total
      -> In 4.2: microgateway_http_downstream_rq_blocked_total (for blocked requests)
      -> In 4.2: microgateway_http_downstream_rs_blocked_total (for blocked responses)
    • In 4.1: airlock_microgateway_engine_build_info
      -> In 4.2: microgateway_build_info
  • The Operator metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
    • In 4.1: airlock_microgateway_sidecars
      -> In 4.2: microgateway_sidecars
    • In 4.1: airlock_microgateway_license_max_sidecars
      -> In 4.2: microgateway_license_max_sidecars
    • In 4.1: airlock_microgateway_license_valid
      -> In 4.2: microgateway_license_valid
    • In 4.1: airlock_microgateway_license_is_premium
      -> In 4.2: microgateway_license_is_premium
    • In 4.1: airlock_microgateway_license_expiry_timestamp_seconds
      -> In 4.2: microgateway_license_expiry_timestamp_seconds
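Alerting rules and dashboards that still reference the 4.1 names go silent after the upgrade, which is worse than an alert that fires by mistake. The following added example (not part of the release) rewrites PromQL expressions using the rename table above, flags the one metric that was split into request and response counters, and warns about rules built on the removed licensing metrics. The sample rules are constructed.

```python
"""Rewrite 4.1 Microgateway metric names in PromQL expressions to their 4.2 names (added example)."""
import re

# Direct renames taken from the release notes (Engine and Operator metrics).
RENAMED = {
    "airlock_microgateway_engine_triggered_limit_total": "microgateway_http_downstream_rq_limit_total",
    "airlock_microgateway_engine_triggered_deny_rule_total": "microgateway_http_downstream_rq_deny_rule_total",
    "airlock_microgateway_engine_build_info": "microgateway_build_info",
    "airlock_microgateway_sidecars": "microgateway_sidecars",
    "airlock_microgateway_license_max_sidecars": "microgateway_license_max_sidecars",
    "airlock_microgateway_license_valid": "microgateway_license_valid",
    "airlock_microgateway_license_is_premium": "microgateway_license_is_premium",
    "airlock_microgateway_license_expiry_timestamp_seconds": "microgateway_license_expiry_timestamp_seconds",
}
# One 4.1 counter became a request counter and a response counter in 4.2.
SPLIT = "airlock_microgateway_engine_http_requests_blocked_total"
SPLIT_INTO = ("microgateway_http_downstream_rq_blocked_total", "microgateway_http_downstream_rs_blocked_total")
# Metrics dropped with the new licensing model; rules using them have no 4.2 equivalent.
REMOVED_PREFIXES = ("airlock_microgateway_engine_license_ratelimit_", "airlock_microgateway_license_guard_")
REMOVED = {"airlock_microgateway_license_max_requests_per_second", "airlock_microgateway_license_rate_limiting_enforced"}

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")  # metric, function and label names

def migrate_expr(expr: str) -> tuple[str, list[str]]:
    """Return the rewritten expression plus warnings for names that need manual attention."""
    warnings: list[str] = []

    def repl(m: re.Match) -> str:
        name = m.group(0)
        if name in RENAMED:
            return RENAMED[name]
        if name == SPLIT:
            # Default to the request counter; add the response counter by hand where wanted.
            warnings.append(f"{name} split into {SPLIT_INTO[0]} and {SPLIT_INTO[1]}; using the first")
            return SPLIT_INTO[0]
        if name in REMOVED or name.startswith(REMOVED_PREFIXES):
            warnings.append(f"{name} was removed in 4.2; drop or rewrite this rule")
        return name
    return IDENT.sub(repl, expr), warnings

# Constructed sample rules as they might appear in a 4.1 alerting configuration.
SAMPLE_RULES = {
    "DenyRuleHits": "sum(rate(airlock_microgateway_engine_triggered_deny_rule_total[5m])) by (pod) > 10",
    "LicenseInvalid": "airlock_microgateway_license_valid == 0",
    "BlockedRequests": "rate(airlock_microgateway_engine_http_requests_blocked_total[5m]) > 0",
    "LicenseGuardErrors": "increase(airlock_microgateway_license_guard_errors_total[10m]) > 0",
}

def migrate_rules(rules: dict) -> dict:
    return {name: migrate_expr(expr) for name, expr in rules.items()}
```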

Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.

Helpful links:

Changelog

  • NEW: AM-1860 Microgateway images are signed with cosign (no longer with Docker Content Trust)
  • NEW: AM-2671 Default values of header actions are documented in the API reference
  • NEW: AM-2780 Engine runs on ARM platform
  • NEW: AM-3101 Introduce new experimental IdentityPropagation CRD
  • NEW: AM-3128 Helm Chart for Airlock Microgateway Operator
  • NEW: AM-3147 Deny rules extended to apply rules to path segments
  • NEW: AM-3171 CRD Parser extended to configure multipart parsing
  • NEW: AM-3264 Operator version available in new metric
  • NEW: AM-3311 WebSocket proxying support added
  • NEW: AM-3458 Added startup/readiness probes to CNI plugin installer DaemonSet reflecting plugin installation status
  • NEW: AM-3516 Operator now actively releases leader lock upon termination
  • NEW: AM-3578 CRD Limits allows configuring name and value length exceptions
  • NEW: AM-3699 JSONPath syntax errors lead to config rejection
  • NEW: AM-3741 Introduced new experimental AccessControl CRD
  • NEW: AM-3742 Add new condition indicating the license status on pods with an injected Microgateway Engine
  • NEW: AM-3748 Introduced new experimental CRDs OIDCProvider and OIDCRelyingParty
  • NEW: AM-3792 Helm Chart allows optional global property in values.json
  • NEW: AM-3794 Introduce new metric to count requests for license compliance
  • NEW: AM-3813 Authentication information in engine access_log
  • NEW: AM-3829 Add property for update strategy of operator deployment to Helm Chart
  • NEW: AM-3870 Claims from ID token are stored in the metadata
  • NEW: AM-4037 Helm Chart allows configuration of resource limits and requests for the Engine container
  • FIX: AM-3254 Complex OpenAPI validators have not been applied to paths
  • FIX: AM-3291 OpenAPI serialization bug in path parameters
  • FIX: AM-3472 Operator logs were logged to stderr instead of stdout
  • CHG: AM-1935 CRD HeaderRewrite extended with response header built-in rule PermissionsPolicy
  • CHG: AM-2990 Reduced memory consumption by limiting watch to Pods with an inject label
  • CHG: AM-3125 CRDs are now distributed with the Helm chart
  • CHG: AM-3287 Move from inject annotation to inject label (sidecar.microgateway.airlock.com/inject)
  • CHG: AM-3387 Engine metrics renamed to fulfill Prometheus best practices
  • CHG: AM-3474 Operator metrics renamed to fulfill Prometheus best practices
  • CHG: AM-3570 CRD HeaderRewrite request header allow list extended with header Content-Length
  • CHG: AM-3585 Move publishing images and Helm charts from DockerHub to quay.io
  • CHG: AM-3596 Helm Chart improvements for Airlock Microgateway CNI
  • CHG: AM-3615 Remove obsolete license metrics and add new metric for licensed request count per month
  • CHG: AM-3622 Removed obsolete license-guard and license-guard-redis components
  • CHG: AM-3743 Operator support for new license format
  • CHG: AM-3832 Dynamic configuration errors in the Microgateway CRs (e.g. invalid references) now also lead to a failing envoy-config-valid condition on the affected Pods
  • CHG: AM-3902 Write Microgateway Engine application logs to Standard Output (Stdout)
  • UPD: AM-3382 Update Envoy to 1.28.0
  • UPD: AM-3544 Update jsoncons to 0.172.0
  • UPD: AM-3728 Update Envoy to 1.29.1