
4.5.0

@airlockgithubci airlockgithubci released this 03 Feb 15:33

Version 4.5.0

Release description

Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.

Main new features:

  • RedHat OpenShift certification
  • Kubernetes Gateway API improvements
  • OIDC Token Introspection
  • Grafana Dashboards improvements

Action required:

  • Gateway API v1.2.1 support: Please upgrade Airlock Microgateway before upgrading Gateway API to v1.2.1.

Deprecation:

  • Referencing OpenAPI or GraphQL CR directly from ContentSecurity or ContentSecurityPolicy is deprecated. Use policies in APIProtection CRD instead.

Breaking changes:
The following changes are breaking:

  • PodMonitors are now managed by the operator and created in the application namespace per Gateway/SidecarGateway resource. Job labels on Airlock Microgateway Engine metrics are affected by this change.

Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.

Helpful links:

Changelog

  • NEW: AM-2305 CSRF protection feature added
  • NEW: AM-3108 Added support for configuring token introspection endpoint in OIDCProvider CRD and introspection strategy in AccessControl CRD
  • NEW: AM-4543 Introduce new operator microgateway_config_resource metrics
  • NEW: AM-4558 Summary of SidecarGateway resource status on overview dashboard
  • NEW: AM-4693 Enforce immutability of essential resource labels by ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding for K8s versions >= 1.30
  • NEW: AM-4707 New HTTPRoute Filter (ResponseHeaderModifier) and HeaderRewrites in ContentSecurityPolicy for Kubernetes Gateway API
  • NEW: AM-4710 Session Handling for Kubernetes Gateway API
  • NEW: AM-4725 Support for request conditions to select the applied OpenAPI schema used for verification
  • NEW: AM-4905 Add metric microgateway_license_health_probe_approx_rq_per_hour
  • NEW: AM-4935 RedHat certified variants of all Microgateway Images are now published with a -ubi tag suffix
  • NEW: AM-4942 Authentication Enforcement for HTTPRoutes of the Kubernetes Gateway API
  • NEW: AM-4943 Kubernetes Gateway API Upstream TLS support configured using a BackendTLSPolicy
  • NEW: AM-4962 Publish Airlock Microgateway Operator Bundle
  • NEW: AM-4974 GatewayParameters CRD to configure settings for deploying a Gateway, including options for logging, service type, and deployment strategy
  • NEW: AM-5012 Dashboards compatible with Gateway API deployments, new Request Logs and Access Control Logs Dashboards
  • NEW: AM-5031 Add support for compressed ConfigMaps
  • NEW: AM-5066 Added environment variables to operator deployment to configure application log level and Kubernetes Gateway API
  • NEW: AM-5072 New HTTPRoute Filter (URLRewrite) for Kubernetes Gateway API
  • NEW: AM-5095 PodMonitor for Gateway API metrics
  • NEW: AM-5111 Implement CNI repair mode
  • FIX: AM-4850 No OIDC authentication flow for favicon requests
  • FIX: AM-4971 Solve issue leading to multiple operators with label operator.microgateway.airlock.com/isLeader simultaneously set to true
  • FIX: AM-5062 Skip port and protocol validation for ExternalName Services if no ports are specified for Gateway API
  • FIX: AM-5099 Disable redis cluster connection retries
  • FIX: AM-5119 Corrected :scheme header in OIDC and JWKS service requests
  • FIX: AM-5280 Solve issue where CNI plugin is not handling serviceaccount tokens being rotated
  • FIX: AM-5294 Corrected unsupported CRD version handling for GatewayClass
  • FIX: AM-5328 Corrected microgateway_build_info metric
  • CHG: AM-3257 Add Startup Probe for Engine and Session Agent
  • CHG: AM-3943 Rotate internal TLS certificates when reaching 2/3 of their lifetime instead of a fixed time
  • CHG: AM-4471 Changed checks in helm test to not depend on an external curl image
  • CHG: AM-4934 Integrated network-validator into microgateway-engine image (helm value networkValidator.image is now deprecated)
  • CHG: AM-4998 Percent-decode query parameter names in OpenAPI
  • CHG: AM-5018 PodMonitors are now created by the SidecarGateway Controller. Generic PodMonitor by Helm chart is deprecated
  • CHG: AM-5098 Compile Engine on RHEL9 compatible image
  • CHG: AM-5269 Changed default behaviour of Client IP Detection to Connection IP
  • UPD: AM-4873 Upgrade to Kubernetes Gateway API Version v1.2.1
  • UPD: AM-4932 Update Envoy to v1.32
  • CHG: AM-5193 Fail-closed mechanism for invalid Gateway API policies