Version 4.2.0
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
Main new features:
- Helm Chart
- ARM support
- Cilium support
- OIDC relying party (experimental)
- Deny Rule improvements
Action required:
- The licensing model has changed (see "Breaking changes"). Therefore, a new license file is required to run Microgateway 4.2. Request and deploy a new license file:
- Community edition: Request a new license through https://airlock.com/microgateway-community
- Premium edition: Contact Airlock sales
- Uninstall previous installations of Airlock Microgateway CNI and Operator which were done with plain Kubernetes manifest files to ensure a smooth upgrade path in the future. Note: In case Airlock Microgateway CNI has been installed with Helm, it should be possible to perform a helm upgrade instead.
- The Airlock Microgateway CNI must be installed before the Airlock Microgateway Operator.
- The configuration to protect a Pod has switched from annotation to label (see "Breaking changes"). To migrate the existing Pods that are protected by Microgateway, do the following:
- Before upgrading: Label the Pod with "sidecar.microgateway.airlock.com/inject=true". Note: It is very important that this step is performed before the upgrade!
- After upgrading: In order to upgrade the sidecar to the new version, restart the Pod (run "rollout restart" of the Deployment/StatefulSet/DaemonSet).
- See Microgateway Upgrade for more detailed upgrade instructions.
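The label step above is the one that is easy to get wrong at scale: a workload that still carries only the 4.1 annotation after the Operator is upgraded is silently left without a sidecar, i.e. it is exposed unprotected. The following Python is an added example and not code from Airlock or its documentation. It takes the JSON that `kubectl get deployments,statefulsets,daemonsets,pods -A -o json` returns, copies the 4.1 inject annotation into the 4.2 inject label on the pod template (or on a bare Pod), reports what it found, and emits the matching `kubectl` commands. The function names and the sample List are constructed for this example; the annotation is kept on purpose so the 4.1 Operator keeps injecting until the upgrade is done.

```python
"""Migrate workloads from the 4.1 inject annotation to the 4.2 inject label.

Added example; not code from Airlock or its documentation. Works on the JSON
that `kubectl get deployments,statefulsets,daemonsets,pods -A -o json` returns
(a List whose `items` are the objects). Function names and SAMPLE are
constructed for this example.
"""
import json
import sys

INJECT_KEY = "sidecar.microgateway.airlock.com/inject"
CONTROLLER_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def pod_metadata(obj):
    """Metadata the Operator inspects for injection: the pod template for
    controllers, the object's own metadata for bare Pods, None otherwise."""
    kind = obj.get("kind")
    if kind in CONTROLLER_KINDS:
        return obj.setdefault("spec", {}).setdefault("template", {}).setdefault("metadata", {})
    if kind == "Pod":
        return obj.setdefault("metadata", {})
    return None


def migrate_inject_label(obj):
    """Copy the 4.1 inject annotation into the 4.2 inject label, in place.

    Returns "labelled", "already", "unprotected" or "skipped". The annotation
    is deliberately kept: the 4.1 Operator still injects from it until the
    upgrade is done and the 4.2 Operator ignores it; remove it afterwards.
    """
    meta = pod_metadata(obj)
    if meta is None:
        return "skipped"
    annotations = meta.get("annotations") or {}
    if INJECT_KEY not in annotations:
        return "unprotected"
    value = str(annotations[INJECT_KEY])
    labels = meta.setdefault("labels", {})
    if labels.get(INJECT_KEY) == value:
        return "already"
    labels[INJECT_KEY] = value
    return "labelled"


def patch_command(obj):
    """kubectl command that applies the same label change to the live object."""
    ns = obj["metadata"].get("namespace", "default")
    name = obj["metadata"]["name"]
    kind = obj["kind"].lower()
    value = pod_metadata(obj)["labels"][INJECT_KEY]
    if kind == "pod":
        return f"kubectl -n {ns} label pod {name} {INJECT_KEY}={value} --overwrite"
    # Controllers: the label must land on the pod template, not on the controller object.
    patch = json.dumps({"spec": {"template": {"metadata": {"labels": {INJECT_KEY: value}}}}})
    return f"kubectl -n {ns} patch {kind} {name} --type merge -p '{patch}'"


def migrate_list(kube_list):
    """Migrate every item; return (result per namespace/kind/name, kubectl commands)."""
    results, commands = {}, []
    for item in kube_list.get("items", []):
        key = f"{item['metadata'].get('namespace', 'default')}/{item['kind']}/{item['metadata']['name']}"
        results[key] = migrate_inject_label(item)
        if results[key] == "labelled":
            commands.append(patch_command(item))
    return results, commands


# Constructed sample of a trimmed `kubectl get ... -o json` List.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "shop", "namespace": "web"},
     "spec": {"template": {"metadata": {"annotations": {INJECT_KEY: "true"}}}}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "web",
     "annotations": {INJECT_KEY: "true"}, "labels": {INJECT_KEY: "true"}}},
    {"kind": "StatefulSet", "metadata": {"name": "db", "namespace": "data"},
     "spec": {"template": {"metadata": {"labels": {"app": "db"}}}}},
    {"kind": "Service", "metadata": {"name": "shop", "namespace": "web"}},
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    results, commands = migrate_list(data)
    for key, result in sorted(results.items()):
        print(f"{result:12} {key}")
    print("\n".join(commands))
```

Run it as `kubectl get deployments,statefulsets,daemonsets,pods -A -o json | python3 migrate.py` before the Operator upgrade and apply the printed commands. Patching a controller's pod template triggers a rollout, so those Pods restart with the 4.1 sidecar; the "rollout restart" after the upgrade is still required to get the 4.2 sidecar. Anything reported as "unprotected" that should be protected is a finding, not a migration task.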
Breaking changes:
The following changes are breaking:
- The DockerHub repositories docker.io/ergon/* have been moved to quay.io/airlock/*. From Airlock Microgateway 4.2 onward all images are hosted at quay.io/airlock.
- The licensing model has changed from "requests per second" to "requests per month" to resolve the issues with request bursts.
- The configuration steps to instruct the Microgateway Operator to inject the Engine container in a web application Pod have changed:
- In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
-> In 4.2: Label the Pod with "sidecar.microgateway.airlock.com/inject"
- The following metrics have been removed because the licensing has changed:
- Engine: airlock_microgateway_engine_license_ratelimit_requests_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total
- License guard: airlock_microgateway_license_guard_current_requests_per_second
- License guard: airlock_microgateway_license_guard_config_load_success_total
- License guard: airlock_microgateway_license_guard_config_load_error_total
- License guard: airlock_microgateway_license_guard_grpc_ratelimit_requests_total
- License guard: airlock_microgateway_license_guard_response_time_seconds
- License guard: airlock_microgateway_license_guard_errors_total
- Operator: airlock_microgateway_license_max_requests_per_second
- Operator: airlock_microgateway_license_rate_limiting_enforced
- The Engine metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
- In 4.1: airlock_microgateway_engine_triggered_limit_total
-> In 4.2: microgateway_http_downstream_rq_limit_total
- In 4.1: airlock_microgateway_engine_triggered_deny_rule_total
-> In 4.2: microgateway_http_downstream_rq_deny_rule_total
- In 4.1: airlock_microgateway_engine_http_requests_blocked_total
-> In 4.2: microgateway_http_downstream_rq_blocked_total (for blocked requests)
-> In 4.2: microgateway_http_downstream_rs_blocked_total (for blocked responses)
- In 4.1: airlock_microgateway_engine_build_info
-> In 4.2: microgateway_build_info
- The Operator metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
- In 4.1: airlock_microgateway_sidecars
-> In 4.2: microgateway_sidecars
- In 4.1: airlock_microgateway_license_max_sidecars
-> In 4.2: microgateway_license_max_sidecars
- In 4.1: airlock_microgateway_license_valid
-> In 4.2: microgateway_license_valid
- In 4.1: airlock_microgateway_license_is_premium
-> In 4.2: microgateway_license_is_premium
- In 4.1: airlock_microgateway_license_expiry_timestamp_seconds
-> In 4.2: microgateway_license_expiry_timestamp_seconds
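Alert rules and dashboards written against the 4.1 names fail silently after the upgrade: a query on a metric that no longer exists returns an empty result, so an alert on blocked requests or on license validity simply stops firing. The following Python is an added example and not Airlock's code. It rewrites PromQL expressions using the rename lists above (Engine and Operator metrics), and flags the two cases that cannot be rewritten mechanically: the one 4.1 metric that was split into a request and a response counter, and the license metrics that were removed. The tokeniser and the sample rules are constructed for this example.

```python
"""Rewrite 4.1 Airlock Microgateway metric names in PromQL to the 4.2 names.

Added example, not code from Airlock. The name tables come from the 4.2.0
release notes; the tokeniser and the sample rules are constructed.
"""
import re

RENAMED = {
    "airlock_microgateway_engine_triggered_limit_total": "microgateway_http_downstream_rq_limit_total",
    "airlock_microgateway_engine_triggered_deny_rule_total": "microgateway_http_downstream_rq_deny_rule_total",
    "airlock_microgateway_engine_build_info": "microgateway_build_info",
    "airlock_microgateway_sidecars": "microgateway_sidecars",
    "airlock_microgateway_license_max_sidecars": "microgateway_license_max_sidecars",
    "airlock_microgateway_license_valid": "microgateway_license_valid",
    "airlock_microgateway_license_is_premium": "microgateway_license_is_premium",
    "airlock_microgateway_license_expiry_timestamp_seconds": "microgateway_license_expiry_timestamp_seconds",
}
# One 4.1 counter became two 4.2 counters; which one a rule wants is a human decision.
SPLIT = {
    "airlock_microgateway_engine_http_requests_blocked_total": (
        "microgateway_http_downstream_rq_blocked_total",
        "microgateway_http_downstream_rs_blocked_total",
    ),
}
# Removed with the licensing change; rules on them have no 4.2 equivalent.
REMOVED = {
    "airlock_microgateway_engine_license_ratelimit_requests_total",
    "airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total",
    "airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total",
    "airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total",
    "airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total",
    "airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total",
    "airlock_microgateway_license_guard_current_requests_per_second",
    "airlock_microgateway_license_guard_config_load_success_total",
    "airlock_microgateway_license_guard_config_load_error_total",
    "airlock_microgateway_license_guard_grpc_ratelimit_requests_total",
    "airlock_microgateway_license_guard_response_time_seconds",
    "airlock_microgateway_license_guard_errors_total",
    "airlock_microgateway_license_max_requests_per_second",
    "airlock_microgateway_license_rate_limiting_enforced",
}

# A Prometheus identifier: letters, digits, underscore, colon; not starting with a digit.
# The lookbehind stops a match from starting in the middle of another identifier.
IDENT_RE = re.compile(r"(?<![A-Za-z0-9_:])[A-Za-z_:][A-Za-z0-9_:]*")


def rewrite_expr(expr):
    """Return (rewritten expression, warnings). Only identifiers that are 4.1
    metric names are changed; functions, label names and durations pass through."""
    warnings = []

    def repl(match):
        name = match.group(0)
        if name in RENAMED:
            return RENAMED[name]
        if name in SPLIT:
            warnings.append(f"{name} was split into {' and '.join(SPLIT[name])}: choose manually")
        elif name in REMOVED:
            warnings.append(f"{name} was removed in 4.2: drop or replace this rule")
        return name

    return IDENT_RE.sub(repl, expr), warnings


def rewrite_rules(rules):
    """Rewrite a list of {"alert": ..., "expr": ...} rules; warnings are attached per rule."""
    out = []
    for rule in rules:
        expr, warnings = rewrite_expr(rule["expr"])
        out.append({**rule, "expr": expr, "warnings": warnings})
    return out


# Constructed sample rules in the shape of a Prometheus rule file's entries.
SAMPLE_RULES = [
    {"alert": "DenyRuleHits", "expr": "sum by (pod) (rate(airlock_microgateway_engine_triggered_deny_rule_total[5m])) > 0"},
    {"alert": "LicenseInvalid", "expr": "airlock_microgateway_license_valid == 0"},
    {"alert": "LicenseExpiring", "expr": "airlock_microgateway_license_expiry_timestamp_seconds - time() < 14 * 86400"},
    {"alert": "BlockedTraffic", "expr": "rate(airlock_microgateway_engine_http_requests_blocked_total[5m]) > 1"},
    {"alert": "LicenseGuardErrors", "expr": "rate(airlock_microgateway_license_guard_errors_total[5m]) > 0"},
]

if __name__ == "__main__":
    for rule in rewrite_rules(SAMPLE_RULES):
        print(rule["alert"], "->", rule["expr"])
        for warning in rule["warnings"]:
            print("   WARNING:", warning)
```

The split metric is flagged rather than replaced with the sum of both new counters, because wrapping the sum in `rate(...)` would not be valid PromQL and the two counters may carry different label sets; the person owning the rule has to decide whether blocked requests, blocked responses or both matter. Run the rewritten rules through `promtool check rules` before loading them.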
Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.
Helpful links:
Changelog
- NEW: AM-1860 Microgateway images are signed with cosign (no longer with Docker Content Trust)
- NEW: AM-2671 Default values of header actions are documented in the API reference
- NEW: AM-2780 Engine runs on ARM platform
- NEW: AM-3101 Introduce new experimental IdentityPropagation CRD
- NEW: AM-3128 Helm Chart for Airlock Microgateway Operator
- NEW: AM-3147 Deny rules extended to apply rules to path segments
- NEW: AM-3171 CRD Parser extended to configure multipart parsing
- NEW: AM-3264 Operator version available in new metric
- NEW: AM-3311 WebSocket proxying support added
- NEW: AM-3458 Added startup/readiness probes to CNI plugin installer DaemonSet reflecting plugin installation status
- NEW: AM-3516 Operator now actively releases leader lock upon termination
- NEW: AM-3578 CRD Limits allows to configure name and value length exceptions
- NEW: AM-3699 JSONPath syntax errors lead to config rejection
- NEW: AM-3741 Introduced new experimental AccessControl CRD
- NEW: AM-3742 Add new condition indicating the license status on pods with an injected Microgateway Engine
- NEW: AM-3748 Introduced new experimental CRDs OIDCProvider and OIDCRelyingParty
- NEW: AM-3792 Helm Chart allows optional global property in values.json
- NEW: AM-3794 Introduce new metric to count requests for license compliance
- NEW: AM-3813 Authentication information in engine access_log
- NEW: AM-3829 Add property for the update strategy of the Operator Deployment to the Helm Chart
- NEW: AM-3870 Claims from ID token are stored in the metadata
- NEW: AM-4037 Helm Chart allows configuration of resource limits and requests for the Engine container
- FIX: AM-3254 Complex OpenAPI validators have not been applied to paths
- FIX: AM-3291 OpenAPI serialization bug in path parameters
- FIX: AM-3472 Operator logs were logged to stderr instead of stdout
- CHG: AM-1935 CRD HeaderRewrite extended with response header built-in rule PermissionsPolicy
- CHG: AM-2990 Reduced memory consumption by limiting watch to Pods with an inject label
- CHG: AM-3125 CRDs are now distributed with the Helm chart
- CHG: AM-3287 Move from inject annotation to inject label (sidecar.microgateway.airlock.com/inject)
- CHG: AM-3387 Engine metrics renamed to fulfill Prometheus best practices
- CHG: AM-3474 Operator metrics renamed to fulfill Prometheus best practices
- CHG: AM-3570 CRD HeaderRewrite request header allow list extended with header Content-Length
- CHG: AM-3585 Move publishing images and Helm charts from DockerHub to quay.io
- CHG: AM-3596 Helm Chart improvements for Airlock Microgateway CNI
- CHG: AM-3615 Remove obsolete license metrics and add new metric for licensed request count per month
- CHG: AM-3622 Removed obsolete license-guard and license-guard-redis components
- CHG: AM-3743 Operator support for new license format
- CHG: AM-3832 Dynamic configuration errors in the Microgateway CRs (e.g. invalid references) now also lead to a failing envoy-config-valid condition on the affected Pods
- CHG: AM-3902 Write Microgateway Engine application logs to Standard Output (Stdout)
- UPD: AM-3382 Update Envoy to 1.28.0
- UPD: AM-3544 Update jsoncons to 0.172.0
- UPD: AM-3728 Update Envoy to 1.29.1