Announcing Gloo Edge 1.9 with FIPS, last good config, canary testing, and UI improvements
Today, the Solo team released Gloo Edge 1.9, our latest version of the popular Kubernetes-native, Envoy Proxy-based API gateway. The raft of new features is focused on further enhancing reliability, security, and usability for our customers. Solo leads the community in making Envoy Proxy the smart choice to handle connectivity and ingress to distributed microservices in the cloud and on-premises. We typically have two kinds of customers: (1) classic large enterprises that prioritize meticulous testing and separation of roles and that conservatively run older versions of software, and (2) newer and smaller enterprises that use GitOps everywhere to move fast and quickly adopt the latest versions of software. There’s something for everyone in this release!
Here are just some of the new features, grouped by the benefits they provide you.
Last good configuration – Upgrading your control plane configuration shouldn’t be scary, but when you are directing mission-critical traffic through your Envoy API gateways it’s good to be cautious. We have implemented xDS replicas as an option in your Helm chart as a mechanism to safeguard your configuration changes and give you the ability to roll back to the last known good configuration if necessary. This separates the lifecycle of Gloo Edge from the xDS cache proxies. For example, a failure during a Helm upgrade will not cause the loss of the last valid xDS state. Read more in the docs about using xDS-relay.
Canary upgrades of Gloo Edge – In version 1.9.0 or later, you can upgrade your Gloo Edge or Gloo Edge Enterprise deployments with a canary model. In the canary model, you have two different deployments in your data plane and can check that the deployment at the latest version handles traffic as you expect before upgrading to run at the latest version. This is another great way to make sure your production upgrades are reliable. Read more about canary updates.
Other reliability guardrails include:
- Added Pod Disruption Budgets (PDBs) to Helm templates to improve upgrade processes on Kubernetes
- Webhook validation of Gloo Edge upstreams to prevent bad configuration outages
- Scale testing to prove out the new versions
FIPS-compliant data plane software – We know you want software that’s been validated to meet strict security requirements, such as FIPS 140-2. FIPS-compliant cryptography modules have been certified by the National Institute of Standards and Technology and meet the security standards required for use in government settings. Using FIPS-compliant cryptography libraries is a requirement for getting FIPS certification for your application. Gloo Edge Enterprise binaries now have images available that were built with FIPS-compliant crypto libraries. Read more about installing FIPS-compliant images.
Nested JWT claims in RBAC – JSON Web Tokens (JWT) are used to pass along credentials with secrets or keys to provide secure, authenticated role-based access controls (RBAC). By default, matching has been supported for only top-level claims of the JWT. Now you can also enable matching against nested claims, or claims that are passed on as children of top-level claims, in accordance with your RBAC policies. Read how to manage nested JWT claims here.
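The difference between top-level and nested claim matching, as an added Python illustration that is not Gloo Edge code or configuration. The function names, the "." delimiter and the sample payload are assumptions made for this example, and the token is assumed to have had its signature and expiry verified already.

```python
# Added illustration of nested-claim matching for an RBAC check.
# Not Gloo Edge code; names and the "." delimiter are assumptions.
_MISSING = object()


def lookup_claim(claims, path, delimiter=None):
    """Return the claim value at `path`, or _MISSING.

    delimiter=None -> top-level lookup only (path is one literal key).
    delimiter="."  -> walk child objects, e.g. "realm.roles.primary".
    """
    if delimiter is None:
        return claims.get(path, _MISSING)
    node = claims
    for part in path.split(delimiter):
        # Fail closed: an empty path segment, or an intermediate value
        # that is not an object, never resolves to a claim.
        if not part or not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def principal_matches(claims, required, delimiter=None):
    """True only if every required claim is present and exactly equal."""
    for path, expected in required.items():
        value = lookup_claim(claims, path, delimiter)
        # Exact string comparison only; objects, lists, numbers and
        # booleans are rejected rather than coerced.
        if not isinstance(value, str) or value != expected:
            return False
    return True


# Constructed sample: the decoded claims of an already-verified JWT.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "alice",
    "role": "viewer",
    "realm": {"roles": {"primary": "admin"}, "tenant": "acme"},
}

if __name__ == "__main__":
    policy = {"realm.roles.primary": "admin"}
    print(principal_matches(SAMPLE_CLAIMS, policy))                 # top-level only
    print(principal_matches(SAMPLE_CLAIMS, policy, delimiter="."))  # nested enabled
```

With top-level matching only, a policy that names a nested claim can never be satisfied, so requests that should be authorized are denied; with nested matching enabled, the lookup still fails closed on any path that does not resolve to a string value.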
Other security improvements include:
- HTTPS REST passthrough expanded for external authentication and authorization beyond gRPC
- Added enterprise code to escrow for SOC1 and other compliance requirements
User interface (UI) improvements – We always want to make our products easier to use! Gloo Edge no longer requires usage of Gloo Fed. Gloo Edge now includes automated registering of clusters when installed and simpler management of route tables.
Other usability enhancements include:
- AWS Lambda integration improvements
- Migration to v1 CRDs so you can run Gloo Edge on the newest versions of Kubernetes (1.22+)
Try Gloo Edge today!
Many of the enhancements above came from customer requests, so if you have ideas of other things you’d like to see, reach out to us on the #gloo-edge channel on the Solo.io Slack.
You can request a free trial of Gloo Edge today here.
Watch a deep-dive demo of Gloo Edge.
See a comparison of Gloo Edge editions and open source Envoy Proxy.