Releases: airlock/microgateway
4.2.4
Version 4.2.4
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4462 Go updated to 1.22.5, Envoy updated to 1.29.7, google.golang.org/grpc to v1.65.0, Base images updated
4.2.3
Version 4.2.3
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4345 Go updated to 1.22.4, Envoy updated to 1.29.5, Base images updated
4.2.2
Version 4.2.2
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4292 Go updated to 1.22.3, Base images updated
4.2.1
Version 4.2.1
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4242 Envoy updated to 1.29.4, Base images updated
- FIX: AM-4245 configuration of engine sidecar resources by annotations
4.2.0
Version 4.2.0
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
Main new features:
- Helm Chart
- ARM support
- Cilium support
- OIDC relying party (experimental)
- Deny Rule improvements
Action required:
- The licensing model has changed (see "Breaking changes"). Therefore, a new license file is file required to run Microgateway 4.2. Request and deploy a new license file:
- Community edition: Request a new license through https://airlock.com/microgateway-community
- Premium edition: Contact Airlock sales
- Uninstall previous installations of Airlock Microgateway CNI and Operator which were done with plain Kubernetes manifest files to ensure a smooth upgrade path in the future.
Note: In case that Airlock Microgateway CNI has been installed with Helm, it should be possible to perform a helm upgrade instead. - The Airlock Microgateway CNI must be installed before the Airlock Microgateway Operator.
- The configuration to protect a Pod has switched from annotation to label (see "Breaking changes"). To migrate the existing Pods that are protected by Microgateway, do the following:
- Before upgrading: Label the Pod with "sidecar.microgateway.airlock.com/inject=true". Note: It is very important that this step is performed before the upgrade!
- After upgrading: In order to upgrade the sidecar to the new version, restart the Pod (run "rollout restart" of the Deployment/StatefulSet/DaemonSet).
- See Microgateway Upgrade for more detailed upgrade instructions.
Breaking changes:
The following changes are breaking:
- The DockerHub repositories docker.io/ergon/* have been moved to quay.io/airlock/*. From Airlock Microgateway 4.2 onward all images are hosted at quay.io/airlock.
- The licensing model has changed from "requests per second" to "requests per month" to resolve the issues with request bursts.
- The configuration steps to instruct the Microgateway Operator to inject the Engine container in a web application Pod have changed:
- In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
-> In 4.2: Label the Pod with "sidecar.microgateway.airlock.com/inject"
- In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
- The following metrics have been removed because the licensing has changed:
- Engine: airlock_microgateway_engine_license_ratelimit_requests_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total
- Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total
- License guard: airlock_microgateway_license_guard_current_requests_per_second
- License guard: airlock_microgateway_license_guard_config_load_success_total
- License guard: airlock_microgateway_license_guard_config_load_error_total
- License guard: airlock_microgateway_license_guard_grpc_ratelimit_requests_total
- License guard: airlock_microgateway_license_guard_response_time_seconds
- License guard: airlock_microgateway_license_guard_errors_total
- Operator: airlock_microgateway_license_max_requests_per_second
- Operator: airlock_microgateway_license_rate_limiting_enforced
- The Engine metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
- In 4.1: airlock_microgateway_engine_triggered_limit_total
-> In 4.2: microgateway_http_downstream_rq_limit_total - In 4.1: airlock_microgateway_engine_triggered_deny_rule_total
-> In 4.2: microgateway_http_downstream_rq_deny_rule_total - In 4.1: airlock_microgateway_engine_http_requests_blocked_total
-> In 4.2: microgateway_http_downstream_rq_blocked_total (for blocked requests)
-> In 4.2: microgateway_http_downstream_rs_blocked_total (for blocked responses) - In 4.1: airlock_microgateway_engine_build_info
-> In 4.2: microgateway_build_info
- In 4.1: airlock_microgateway_engine_triggered_limit_total
- The Operator metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
- In 4.1: airlock_microgateway_sidecars
-> In 4.2: microgateway_sidecars - In 4.1: airlock_microgateway_license_max_sidecars
-> In 4.2: microgateway_license_max_sidecars - In 4.1: airlock_microgateway_license_valid
-> In 4.2: microgateway_license_valid - In 4.1: airlock_microgateway_license_is_premium
-> In 4.2: microgateway_license_is_premium - In 4.1: airlock_microgateway_license_expiry_timestamp_seconds
-> In 4.2: microgateway_license_expiry_timestamp_seconds
- In 4.1: airlock_microgateway_sidecars
Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.
Helpful links:
Changelog
- NEW: AM-1860 Microgateway images are signed with cosign (no longer with Docker Content Trust)
- NEW: AM-2671 Default values of header actions are documented in the API reference
- NEW: AM-2780 Engine runs on ARM plattform
- NEW: AM-3101 Introduce new experimental IdentityPropagation CRD
- NEW: AM-3128 Helm Chart for Airlock Microgateway Operator
- NEW: AM-3147 Deny rules extended to apply rules to path segments
- NEW: AM-3171 CRD Parser extended to configure multipart parsing
- NEW: AM-3264 Operator version available in new metric
- NEW: AM-3311 WebSocket proxying support added
- NEW: AM-3458 Added startup/readiness probes to CNI plugin installer DaemonSet reflecting plugin installation status
- NEW: AM-3516 Operator now actively releases leader lock upon termination
- NEW: AM-3578 CRD Limits allows to configure name and value length exceptions
- NEW: AM-3699 JSONPath syntax errors lead to config rejection
- NEW: AM-3741 Introduced new experimental AccessControl CRD
- NEW: AM-3742 Add new condition indicating the license status on pods with an injected Microgateway Engine
- NEW: AM-3748 Introduced new experimental CRDs OIDCProvider and OIDCRelyingParty
- NEW: AM-3792 Helm Chart allows optional
global
property invalues.json
- NEW: AM-3794 Introduce new metric to count requests for license compliance
- NEW: AM-3813 Authentication information in engine access_log
- NEW: AM-3829 add property for update strategy of operator deployment to Helm Chart
- NEW: AM-3870 Claims from ID token are stored in the metadata
- NEW: AM-4037 Helm Chart allows configuration of resource limits and requests for the Engine container
- FIX: AM-3254 Complex OpenAPI validators have not been applied to paths
- FIX: AM-3291 OpenAPI serialization bug in path parameters
- FIX: AM-3472 Operator logs were logged to stderr instead of stdout
- CHG: AM-1935 CRD HeaderRewrite extended with response header built-in rule PermissionsPolicy
- CHG: AM-2990 Reduced memory consumption by limiting watch to Pods with an inject label
- CHG: AM-3125 CRDs are now distributed with the Helm chart
- CHG: AM-3287 Move from inject annotation to inject label (sidecar.microgateway.airlock.com/inject)
- CHG: AM-3387 Engine metrics renamed to fulfill Prometheus best practices
- CHG: AM-3474 Operator metrics renamed to fulfill Prometheus best practices
- CHG: AM-3570 CRD HeaderRewrite request header allow list extended with header Content-Length
- CHG: AM-3585 Move publishing images and Helm charts from DockerHub to quay.io
- CHG: AM-3596 Helm Chart improvements for Airlock Microgateway CNI
- CHG: AM-3615 Remove obsolete license metrics and add new metric for licensed request count per month
- CHG: AM-3622 Removed obsolete license-guard and license-guard-redis components
- CHG: AM-3743 Operator support for new license format
- CHG: AM-3832 Dynamic configuration errors in the Microgateway CRs (e.g. invalid references) now also lead to a failing envoy-config-valid condition on the affected Pods
- CHG: AM-3902 Write Microgateway Engine application logs to Standard Output (Stdout)
- UPD: AM-3382 Update Envoy to 1.28.0
- UPD: AM-3544 Update jsoncons to 0.172.0
- UPD: AM-3728 Update Envoy to 1.29.1
4.1.7
Version 4.1.7
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-3978 Base images updated, Go updated to 1.22.2, Envoy updated to 1.27.4
4.1.6
Version 4.1.6
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-3861 Base images updated, Go updated to 1.22.1
4.1.5
Version 4.1.5
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-3721 Base images updated, Go updated to 1.22, Redis updated to 7.2.4
4.2.0-alpha1
Version 4.2.0-alpha1
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
Main new features:
- Helm Chart
- Deny Rule improvements
Action required:
- Uninstall previous installations of Airlock Microgateway CNI and Operator which were done with plain Kubernetes manifest files to ensure a smooth upgrade path in the future.
Note: In case that Airlock Microgateway CNI has been installed with Helm, it should be possible to perform a helm upgrade instead. - The Airlock Microgateway CNI must be installed before the Airlock Microgateway Operator.
- The configuration to protect a Pod has switched from annotation to label (see "Breaking changes"). To migrate the existing Pods that are protected by Microgateway, do the following:
- Label the Pod with "sidecar.microgateway.airlock.com/inject: true".
- In order to upgrade the sidecar to the new version, restart the Pod (run "rollout restart" of the Deployment/StatefulSet/DaemonSet).
Breaking changes:
The following changes are breaking:
- The configuration steps to instruct the Microgateway Operator to inject the Engine container in a web application Pod have changed:
- In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
-> In 4.2: Label the Pod with "sidecar.microgateway.airlock.com/inject"
- In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
- The Engine metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
- In 4.1: airlock_microgateway_engine_license_ratelimit_*
-> In 4.2: envoy_license_ratelimit_* - In 4.1: airlock_microgateway_engine_triggered_limit_total
-> In 4.2: envoy_http_downstream_rq_limit_total - In 4.1: airlock_microgateway_engine_triggered_deny_rule_total
-> In 4.2: envoy_http_downstream_rq_deny_rule_total - In 4.1: airlock_microgateway_engine_http_requests_blocked_total
-> In 4.2: envoy_http_downstream_rq_blocked_total (for blocked requests)
-> In 4.2: envoy_http_downstream_rs_blocked_total (for blocked responses) - In 4.1: airlock_microgateway_engine_build_info
-> In 4.2: envoy_build_info
- In 4.1: airlock_microgateway_engine_license_ratelimit_*
Licensing:
Microgateway Engine containers report the current usage to the Microgateway License Guard service. In the Community edition, if the real throughput exceeds the licensed throughput, a percentage of requests are blocked. In the Premium edition, no requests are blocked but this behavior might change in the future.
Helpful links:
Changelog
- NEW: AM-2671 Default values of header actions are documented in the API reference
- NEW: AM-3128 Helm Chart for Airlock Microgateway Operator
- NEW: AM-3147 Deny rules extended to apply rules to path segments
- NEW: AM-3171 CRD Parser extended to configure multipart parsing
- NEW: AM-3516 Operator now actively releases leader lock upon termination
- NEW: AM-3578 CRD Limits allows to configure name and value length exceptions
- FIX: AM-3254 Complex OpenAPI validators have not been applied to paths
- FIX: AM-3291 OpenAPI serialization bug in path parameters
- FIX: AM-3472 Operator logs were logged to stderr instead of stdout
- CHG AM-3287: Move from inject annotation to inject label (sidecar.microgateway.airlock.com/inject)
- CHG: AM-3387 Engine metrics renamed to fulfill Prometheus best practices
- CHG: AM-3596 Helm Chart improvements for Airlock Microgateway CNI
- UPD: AM-3382 Update Envoy to 1.28.0
- UPD: AM-3544 Update jsoncons to 0.172.0
4.1.4
Version 4.1.4
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-3721 Base images updated, Go updated to 1.21.6, Redis updated to 7.2.4
- FIX: AM-3625 Streaming JSON parser may sometimes fail to parse certain payloads