Announcing Gloo Edge 1.10 with enhanced AWS Lambda integrations, plus many security, reliability, and ease-of-use improvements

Gloo Edge 1.10

Today, the Solo team released Gloo Edge 1.10, our latest version of the popular Kubernetes-native, Envoy Proxy-based API gateway. The raft of new features are focused on tighter integration with AWS Lambda serverless functions, more observability metrics, security capabilities, and over 100 enhancements altogether. Solo leads the community in making Envoy Proxy the smart choice to handle connectivity and ingress to distributed microservices in the cloud and on-premises.

As a result, many customers are now scaling up to support tens of millions of API calls per day with Gloo Edge which translates to billions of calls per month. We’re also now seeing much greater adoption of Gloo Portal and cloud-native API management as customers move into wide scale production after the 1.0 release of Portal last summer. And our community continues to grow, now spanning 4500+ people in our Slack groups, with 2000+ in the Gloo Edge general discussion channel alone. 

Here are just some of the new features, grouped by the benefits they provide you.

Serverless Functions

AWS Lambda and Application Load Balancer – Gloo Edge customers have been enjoying AWS Lambda support in previous releases, but as they move all their services behind Gloo Edge they wanted Lambda to be more tightly integrated. Some of our customers have over 60% of their services now running in Lambda. Previously, they were using Amazon’s Application Load Balancer service (ALB) directly in front of Lambda but they wanted an easy way to drop in Gloo Edge for ALB  that would parse the same predefined response from Lambda. This approach would give them one API gateway for all their services (including on Kubernetes, Lambda, external services on instances, and other AWS-provided services). Now users can run Gloo Edge in an “ALB mode” as a direct replacement.

Addition enhancements around AWS Lambda include:

– The ability to disable Upstream Discovery Services (UDS) while still permitting Function Discovery Service (FDS), which is handy when you want to use FDS for Lambda serverless functions.

Correct handling of Lambda function timeouts with Envoy Proxy, to avoid misleading route timeout errors.

Improved logging of Envoy requests when Lambda functions are invoked.

Enabling AWS Lambda upstreams to call Gloo Edge, successfully translating the requests.

Observability and Reliability

Our customers often use glooctl check to look for errors in resources, but they would like to be able to get alerted when Gloo Edge isn’t able to process an object (for example a Virtual Service)in their monitoring system of choice. Now, you can get alerts when Gloo Edge resources aren’t being processed

In a similar vein we also added a Grafana dashboard for visibility of metrics on the Gloo Edge control plane components. 

These improvements build on our goals in the last release to make Gloo Edge bullet proof with guardrails that prevent you from making mistakes and xDS relay which ensures the last good configuration state for HA. 

Security

Authentication and authorization are critical security controls, and we’ve just made them better. On the identity provider (IdP) side, a user session can be revoked at any time. Previously, when the Refresh flow is triggered by the ExtAuth service, the IdP would return an invalid_grant error (to the Refresh grant query). Gloo Edge will now handle session revocation errors and delete the user sessions in these cases. Gloo Edge instead falls back with a redirection to the “afterLogoutUrl” for instance, making it more secure.

On the flip side, during OIDC, if the JSON Web Token (JWT) is expired, Gloo Edge used to execute a refresh flow and reject the connection request. However, if the JWT was not yet expired, it was accepted and the request was sent upstream. If that upstream validated the token separately, it should have validated that token, which was now expired. The effect is that the request was denied, even though there is a valid token. Gloo Edge 1.10 now refreshes the id_token to prevent edge cases where the id_token is about to expire (say, in the next 10ms), and the backend would incorrectly receive an expired token. You can now prevent timeout error with a threshold of a minimum acceptable TTL, that will trigger the refresh grant and allow the valid connection.

For air-gapped environments, you can now specify a Helm chart override for all images so that they can be redirected to a local registry. Here you can see how to define a global registry in the Helm chart and see some templates to define images using a Gloo helper.

Ease of Use

Gloo Edge 1.10 includes a new template for customizing discovered upstream resources to control the default configuration. This feature enables customers to create a single annotation which contains a JSON string of all the fields from the upstream spec to apply to the discovered upstream, e.g. {“useHttp2”: true, “sslConfig”: { “sds”: { “targetUri”: “blah” }}}.

Previously, UDS was only configurable on a per namespace basis (watchNamespaces). With Gloo Edge 1.10, you can now control upstream discovery via selectors (labels on Kubernetes services) giving you more granularity.

We’ve added a validation webhook to intercept all the deletion requests for Secrets and reject them if they are used by Gloo Edge. Deletion of these Kubernetes objects would otherwise unintentionally prevent Gloo Edge from creating valid snapshots until the objects were recreated.

For those using the latest Apple hardware, we have verified that our products work on Apple M1 processors with the newest version of Docker Desktop.

Try Gloo Edge today!

Many of the enhancements above came from customer requests, so if you have ideas of other things you’d like to see, reach out to us on the #gloo-edge channel on the Solo.io Slack.

You can request a free trial of Gloo Edge today here.

Watch a deep-dive demo of Gloo Edge.

See a comparison of Gloo Edge editions and open source Envoy Proxy.