Introducing Gloo 1.4 – Enhanced Scalability, Kubernetes Ingress and Istio 1.6 Support, and Improved Dev to Ops Experience
Today we released version 1.4 of Gloo, our Envoy Proxy based API Gateway. In the past few months since our 1.3 release, we have been working with our end users and customers to deliver new functionality and enhance existing features to address a wider range of use cases. This release includes an update to both the open source and enterprise versions of Gloo.
Highlights of the release include:
- Improvements to system scalability
- Expanded support for Kubernetes Ingress
- Support for the latest Istio 1.6 release
- Security enhancements
- User experience enhancements for Dev and Ops
- Plus more options for configuring Gloo
Join us for a webinar on July 16th to learn more about this latest release, get a deep dive into the features and demos – Register today to save your seat. Meanwhile, keep reading to get an overview of the new release.
Improvements to System Scalability
In this release we’ve made updates to improve the scalability of Gloo. These include managing multiple data planes with the ability to set granular, per-gateway external authentication and rate limiting policies, improved status reporting between the multiple instances, and the ability to use multiple instances of Gloo to partition Ingress objects within a single cluster.
Expanded Support for the Kubernetes Ingress
In addition to serving as an API Gateway, Gloo can be deployed as a Kubernetes Ingress Controller. In this release we’ve added configuration options including support for named ports on Kubernetes Ingress objects and the ability to use multiple Gloo controllers to partition Ingress objects within a single cluster using the customIngressClass variable in the Gloo Helm chart. We also added a fix that keeps the Ingress Controller (ingress pod) processing Ingress updates even when an Ingress backend incorrectly references a service port.
Support for Istio 1.6
Gloo seamlessly integrates with service mesh environments and provides mTLS between the ingress traffic and the rest of the cluster. In this release, Gloo has been tested and validated to work with the latest Istio 1.6 release. Additionally, Gloo now supports ALPN on the upstream for more granular control over which protocol to use, which helps with the integration with the latest version of Istio. Try the Gloo and Istio integration tutorial here.
Security Enhancements
In this release we expanded security capabilities to protect the Gloo system and the applications in the environment:
- TLS is now supported in the external auth service itself, instead of relying on an Envoy sidecar to handle the TLS termination.
- Audit logs for the ModSecurity Web Application Firewall (WAF) are now available as part of the access logs to assist with debugging and auditing.
- Encrypted communication with mTLS is now possible between Gloo and Envoy instances for when these components are deployed to separate environments.
- An update to the Gloo permissions reduces the surface area for risk by enabling Gloo to run in a fully restricted Kubernetes environment.
User Experience Improvements for Developers and Operations
Across the CLI and Admin UI we’ve made a number of improvements to expand the functionality of glooctl, expand observability capabilities, and improve error handling to help resolve system issues.
- glooctl updates: The timeout period for port forwarding has been extended from 3 to 30 seconds before a connection refused error is displayed, which gives commands like glooctl check or glooctl proxy dump more time to finish in high latency environments. The glooctl add route command no longer creates a route table or virtual service when the --dry-run flag is set, and glooctl check now uses the default namespace if a specific namespace flag is not provided.
- The Admin UI has new tags in the Grafana dashboards for Envoy and Kubernetes and supports additional observability use cases with gRPC access logging service metrics.
- Better error handling: Gloo now logs a clear message when the upstream port does not match the underlying Kubernetes service, reports a status when an upstream points to a non-existent service, and displays only the issue in error messages rather than the entire message.
- Enhancements to measuring and exposing proxy latency: The proxy latency measurement now happens before a connection to the upstream is established, which makes it possible to measure the latency of the filter chain alone. Proxy latency is also exposed as a metric to accurately understand the time spent and cost of processing inside the proxy.
Expanded Configuration Options for Gloo
As a flexible control plane to Envoy Proxy, Gloo is built to support a wide range of deployment scenarios and use cases. In this release we’ve added a number of new options for the admins to customize the behavior of the Gloo environment and traffic handling.
- New Buffer Filter Improves Request Handling: Gloo now supports enabling the Envoy buffer filter, which buffers the entire request before routing it to the service that processes it. This is important because it lets the system know how big the request is (in case the request size is too big), which avoids having to deal with partial requests and high network latency. The buffer filter is enabled by configuring spec.httpGateway.options.buffer on the desired gateway, where the bytes limit on the upstream connection can optionally be set (default is 1MiB).
- Update to validation webhook: The webhook now validates Inja compilation syntax before accepting or rejecting virtual services that use transformations, allowing users to check whether configurations are valid against live clusters before applying them.
- SSL Configuration Update: Now allows for specifying empty SSL configurations for clients depending on the use case.
- Helm Chart Updates Expand Available Settings: They include two enhancements for Knative: the ability to assign a static IP to the Knative external proxy, and the ability to override the Service type as an alternative to Load Balancer for Ingress Proxy and Knative. Additionally, the nodeport numbers for the gateway proxy service can now be predefined in the values.yml. We also added a new value to disable the validation admission webhook, which makes things more straightforward for users who cannot use webhooks but still want to use the Gloo validation API.
- Improved header formatting: The Envoy core.Http1ProtocolOptions.HeaderKeyFormat is available in the Gloo API as httpConnectionManager.http_protocol_options.proper_case_header_key_format, which formats header keys with proper casing and helps with validating the headers.
- Upstream reference by name: This allows virtual services, route tables, and upstreams to refer to an upstream by name only, without causing an error. Gloo will assume the upstream namespace is the namespace of the parent resource.
Give the latest Gloo release a try. We’d love to get your feedback in the community Slack, or you can file an issue/PR on GitHub. If you’re already using Gloo, get the upgrade instructions here and register for the upcoming webinar to learn more.