Skip to content

4.6.0
Compare
Choose a tag to compare
@airlockgithubci airlockgithubci released this 22 May 09:40
· 1 commit to main since this release
4.6.0
f6897e9

Version 4.6.0

Release description

Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.

Main new features:

  • OAuth2 Token Exchange
  • JWT Authentication
  • Grafana Dashboards improvements

Explore the Release Overview to learn more about all the new features.

Action required:


  • If your upstream service requires HTTP/2 (h2c), e.g., plaintext gRPC, you must now configure it explicitly:
    • Sidecar data plane mode: Use the upstream.protocol field in the SidecarGateway CRD to explicitly configure http2: {}.
    • Sidecarless (Gateway API) data plane mode: Set appProtocol: kubernetes.io/h2c on the Kubernetes application service for all service ports associated with the Gateway API rule.

Breaking changes:
The following changes are breaking:

  • Behavior for selecting the HTTP protocol to connect to the upstream service without using TLS.
    • Previous behavior (prior to 4.6):
      • The upstream protocol implicitly followed the downstream protocol
      • As a result, HTTP/2 (h2c) could be used automatically, even when it was not explicitly configured.
    • New behavior (from 4.6 onward):
      • If no TLS is configured for the upstream connection (applies to both sidecar and sidecarless data plane modes), the Microgateway will now default to HTTP/1.1 for the upstream connection regardless of the protocol used for the downstream connection.

Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.

Helpful links:

Changelog

  • NEW: AM-3249 Helm chart OCI artifacts are now also signed with cosign
  • NEW: AM-3533 Added support for JWT authentication
  • NEW: AM-5288 Token Exchange caching added
  • NEW: AM-5296 Log Dashboards can be filtered by Operator, Gateway Kind, and Gateway Name
  • NEW: AM-5300 Implemented support for OAuth2 Token Exchange
  • NEW: AM-5304 Added Identity Propagation support for JWT
  • NEW: AM-5305 Added support for authorization based on JWT claims
  • NEW: AM-5391 New dashboards for upstream and downstream connection and request metrics
  • NEW: AM-5392 Dashboard for system metrics (CPU, memory, network I/O)
  • NEW: AM-5494 Grafana dashboards are published on github as part of a release
  • NEW: AM-5556 Support of HTTP path modifiers in HTTPRoute Redirect Filter for Kubernetes Gateway API
  • NEW: AM-5569 Support of the HTTPRoute CORS Filter for Kubernetes Gateway API
  • FIX: AM-5385 Corrected that HTTPRoute parent status shows wrong error reason in certain scenarios
  • FIX: AM-5386 Corrected that attaching different OIDCRelyingParty CRs with same name but in different namespaces to the same Gateway can lead to a broken configuration
  • FIX: AM-5387 Corrected Gateway controller ignoring parentRef namespace when deciding whether to attach a HTTPRoute to a listener in certain scenarios
  • FIX: AM-5388 Cleanup orphaned ancestor references for HTTPRoute and Policies
  • FIX: AM-5461 Allow null values when schema does not specify a type (CASE-35991)
  • FIX: AM-5462 Corrected CNI behavior to prevent container creation for Pods with an inject label but no engine sidecar
  • FIX: AM-5482 Assign correct datasource to all dashboard variables
  • FIX: AM-5503 Unparsed request bodies are no longer blocked when marked as required by the OpenAPI schema
  • FIX: AM-5537 Corrected SidecarGateway status when selected Pods have injection enabled but don't contain an engine container (e.g. created before operator installed)
  • FIX: AM-5542 Trim trailing slash from server URLs in OpenAPI spec
  • CHG: AM-2411 Better support for parameter types in deny rules
  • CHG: AM-5324 Added more details to OIDC error messages in the access log
  • CHG: AM-5349 All referenced claims are listed in the access-logs for OIDC, "missing_claims" list removed
  • CHG: AM-5589 Changed behavior of HTTP protocol selection for upstream without TLS
  • UPD: AM-5518 Upgrade to Kubernetes Gateway API Version v1.3.0
  • UPD: AM-5550 Update RapidJSON to commit 24b5e7a8b2
  • UPD: AM-5558 Updated Envoy to v1.34.1
  • CHG: AM-5091 Changed deny rule execution order
Assets 3
Loading