Release Announcement TEG 1.1
Date: 6th August 2024
Please ensure you upgrade to version 1.1 before November 9th 2024.
This distribution brings you a FIPS verified build of Envoy Gateway 1.1 that implements version 1.1 of the Kubernetes Gateway API. To view FIPS build installation steps, please refer to the FIPS installation documentation.
Please contact client support for help with use-case specific upgrade guidance.
New Feature Highlights
Below is a list of highlights of the new features in Envoy Gateway 1.1, of which TEG is a FIPS verified distribution.
Refer to the Envoy Gateway Docs for details on how to configure Envoy Gateway.
For release notes of the Envoy components that are part of this release, refer to the following Release Notes:
Traffic Handling
- Increased flexibility in traffic handling with Backend Ref HTTP Filter support
- Reuse BackendTraffic policies by applying policies to multiple targetRefs on policies
- Improved service mesh integration by enabling routing to Service Cluster IP targets
- Use the new Backend API for routing traffic to FQDN, IP or Unix Domain Sockets
- Benefit from load balancing capabilities for TCP & UDP Listeners through ClientTrafficPolicy & BackendTrafficPolicy
- Improve performance and traffic handling logic with new Envoy HTTP filter re-ordering capabilities
- Gain better control of how clients connect through new ClientTrafficPolicy settings:
  - Connection Limit
  - Buffer Limit
  - HTTP2 settings
Security Controls
- Hide rate limit headers from clients by optionally removing X-RateLimit headers
- Leverage Allow/Deny IP Subnets for improved access control
- Simpler management of backend policy CA certs (CACerts) stored in Secrets, where you can manage the cert via cert-manager
- Incrementally rollout mTLS for clients by making mTLS optional for Client/Downstream TLS (incremental mTLS)
- Improved security on ExtAuth callouts by adding support for mTLS to Ext Auth target
- TLS
  - Support custom client settings for Gateway as a TLS Client (like ALPN, CA Cert)
  - XFCC header Support
Observability
- Gain deeper insights into control plane performance with the gateway-addon-helm Chart (Grafana dashboard for CP and DP)
- Create insightful reports of traffic performance leveraging Route metadata (for example, by linking team ownership of routes to traffic)
- Reduce noise and cost of log storage with CEL filters for access logs
- Trace requests through the system with Zipkin support
- Integrate with a gRPC Access Log Service sink, optionally allowing you to post-process and decorate the logs with relevant metadata.
Extensibility
- Extend Envoy with external processes through ExtProc, configured via Envoy Gateway.
- Extend Envoy Gateway with WASM for high performance customizations of traffic handling.
  - OCI Support
  - HTTP Support
Management
- Manage EnvoyProxy settings for specific Gateway resources by attaching an EnvoyProxy resource to Gateways
  - Note that this overrides any settings from the EnvoyProxy resource attached to the GatewayClass
- Set a PodDisruptionBudget for Envoy Gateway (Control Plane) and Envoy Proxies (Data Plane)
- Run Envoy Proxy as a DaemonSet and benefit from improved scaling performance
- Change images more easily with an updated Helm chart, for example to reference images in private repositories, supporting air-gapped clusters and FIPS distributions for TEG
Upgrade Guidance
Gateway API 1.1
Unlike other Kubernetes APIs, you don't need to upgrade to the latest version of Kubernetes to get the latest version of Gateway API.
As long as you're running Kubernetes 1.26 or later, you'll be able to get up and running with this version of Gateway API.
TEG 1.1
SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response. Previously, the route would be allowed to proceed without the security policy applied. This change is intended to prevent routes from being exposed to unauthorized users when the security policy cannot be successfully applied.
Gateway API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD.
Any references to v1alpha2 BackendTLSPolicy fields will need to be updated to v1alpha3. Specific changes to fields include:
- targetRef becomes targetRefs to allow a BackendTLSPolicy to attach to multiple targets
- tls becomes validation
- tls.caCertRefs becomes validation.caCertificateRefs
- tls.wellKnownCACerts becomes validation.wellKnownCACertificates
It's recommended to back up data and uninstall the v1alpha2 version before installing this newer version of the Gateway API.
Envoy Gateway xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources. This change is intended to simplify the configuration of xPolicy resources. If you are using xPolicy resources, you will need to update your configuration to remove the namespace field from targetRefs.
Manual Migration Steps from 1.0 to 1.1
Due to these breaking changes, some manual migration steps are required to upgrade TEG to v1.1.
1. Delete the BackendTLSPolicy CRD (and resources)
kubectl delete crd backendtlspolicies.gateway.networking.k8s.io
2. Update Gateway-API and Envoy Gateway CRDs
helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.1.0 --untar
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated
3. Update your BackendTLSPolicy and GRPCRoute Resources
Follow instructions according to Gateway API v1.1 Upgrade Notes
4. Update your Envoy Gateway xPolicy resources
Remove the namespace section from targetRef.
5. Delete the Redis Deployment
Temporarily delete the demo Redis deployment, since its spec.selector.matchLabels was updated and that field is immutable.
kubectl delete deployment/teg-redis -n envoy-gateway-system
6. Install Tetrate Enterprise Gateway v1.1.0
helm upgrade teg oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.1.0 -n envoy-gateway-system
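As an added example (not from the release notes or the TEG project), the following Python helper applies the BackendTLSPolicy v1alpha2 to v1alpha3 field changes listed above and drops the namespace from Envoy Gateway xPolicy targetRefs, covering manual steps 3 and 4. The sample manifests are constructed, and the set of xPolicy kinds is assumed from the policies named on this page.

```python
import copy

GATEWAY_API = "gateway.networking.k8s.io"
# spec.tls -> spec.validation renames from the TEG 1.1 notes; other keys carry through unchanged.
VALIDATION_RENAMES = {"caCertRefs": "caCertificateRefs", "wellKnownCACerts": "wellKnownCACertificates"}
# Assumed set of Envoy Gateway xPolicy kinds (those named on this page); extend as needed.
XPOLICY_KINDS = {"ClientTrafficPolicy", "BackendTrafficPolicy", "SecurityPolicy"}

# Constructed sample manifests as dicts (not from the release notes). Real files would pass
# through yaml.safe_load / yaml.safe_dump, omitted here to keep the example dependency-free.
SAMPLE_BTP_V1ALPHA2 = {
    "apiVersion": f"{GATEWAY_API}/v1alpha2", "kind": "BackendTLSPolicy",
    "metadata": {"name": "backend-tls", "namespace": "default"},
    "spec": {"targetRef": {"group": "", "kind": "Service", "name": "backend", "namespace": "default"},
             "tls": {"caCertRefs": [{"group": "", "kind": "ConfigMap", "name": "backend-ca"}],
                     "hostname": "backend.example.com"}},
}
SAMPLE_SECURITY_POLICY = {
    "apiVersion": "gateway.envoyproxy.io/v1alpha1", "kind": "SecurityPolicy",
    "metadata": {"name": "auth", "namespace": "default"},
    "spec": {"targetRefs": [{"group": GATEWAY_API, "kind": "HTTPRoute", "name": "app", "namespace": "default"}]},
}

def local_ref(ref):
    """Gateway API v1.1 policies use LocalPolicyTargetReferenceWithSectionName, so drop namespace."""
    return {k: v for k, v in ref.items() if k != "namespace"}

def migrate_backend_tls_policy(doc):
    """Return a v1alpha3 copy of a v1alpha2 BackendTLSPolicy; v1alpha3 input is returned as-is."""
    if doc.get("kind") != "BackendTLSPolicy":
        raise ValueError("not a BackendTLSPolicy")
    out = copy.deepcopy(doc)
    if out.get("apiVersion") == f"{GATEWAY_API}/v1alpha3":
        return out
    if out.get("apiVersion") != f"{GATEWAY_API}/v1alpha2":
        raise ValueError(f"unexpected apiVersion {out.get('apiVersion')!r}")
    out["apiVersion"] = f"{GATEWAY_API}/v1alpha3"
    spec = out["spec"]
    if "targetRef" in spec:  # single targetRef -> list targetRefs (local references)
        spec["targetRefs"] = [local_ref(spec.pop("targetRef"))]
    if "tls" in spec:        # tls -> validation, renaming the two CA fields
        spec["validation"] = {VALIDATION_RENAMES.get(k, k): v for k, v in spec.pop("tls").items()}
    return out

def strip_xpolicy_namespaces(doc):
    """Manual step 4: remove namespace from targetRef/targetRefs of Envoy Gateway xPolicy resources."""
    out = copy.deepcopy(doc)
    if out.get("kind") not in XPOLICY_KINDS:
        return out
    spec = out["spec"]
    if "targetRef" in spec:   # deprecated singular form, still accepted in 1.1
        spec["targetRef"] = local_ref(spec["targetRef"])
    if "targetRefs" in spec:
        spec["targetRefs"] = [local_ref(r) for r in spec["targetRefs"]]
    return out
```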
Deprecated Fields
The following fields are deprecated and will be removed in a future release.
Please prepare by updating your configuration to use the new fields:
- xPolicy targetRef is deprecated, use targetRefs instead
- SecurityPolicy ExtAuth BackendRef is deprecated, use BackendRefs instead
- OpenTelemetry Proxy Access Log Host and Port are deprecated, use backendRefs instead
- OpenTelemetry Proxy Metrics Sink Host and Port are deprecated, use backendRefs instead
- Proxy Tracing Provider Host and Port are deprecated, use backendRefs instead
- Envoy Gateway Extension Server Host and Port are deprecated, use BackendEndpoint instead