Envoy Gateway recently reached its latest milestone with the release of version 0.5, a major step forward in usability and performance for the Envoy Proxy-based Gateway API implementation. The theme of v0.5 is observability and scale—with some important follow-ons from the previous theme to bolster usability.
New Observability Improvements
New in this release is the exposure of telemetry data—metrics, logs, and traces—from the Envoy data plane. Envoy’s rich set of telemetry data has been the cornerstone of the observability capabilities of service meshes like Istio, and those capabilities are now available in Envoy Gateway. Read the Proxy Observability Guide for more details.
New Usability Improvements
Envoy Gateway now supports direct configuration of Envoy proxies via Envoy Gateway’s EnvoyPatchPolicy API. This allows users familiar with Envoy xDS configuration to take advantage of the full set of Envoy capabilities—e.g., adding Envoy’s CORS filter—in Envoy Gateway ahead of official support in either the Gateway API or Envoy Gateway extensions.
While this is as yet an unstable API, it allows advanced users to leverage the full power of Envoy Proxy using functionality not exposed by Envoy Gateway APIs today.
Read the Envoy Patch Policy Guide for details and a quick start.
Notable Miscellanea
See the release notes and release announcement for full details, but a number of other improvements worth noting include:
- API updates: Upgraded to Gateway API v0.7.1
- Documentation updates: a new guide for Helm installation, using cert-manager for TLS termination, and a guide for generating certificates to terminate TLS for multiple FQDNs per listener.
- Installation updates: Added support for bring-your-own TLS certs, improved default Envoy Proxy CPU and memory configuration, and support for configuring labels and annotations for the Envoy Gateway controller with Helm.
- Deployment configuration updates: Support for distinct rate limiting based on IP addresses, rate limiting based on JWT claims, and support for configuring Envoy Proxy as a NodePort type service.
Coming Up
Watch this space in the coming weeks for hands-on articles, currently in the works, that put Envoy Gateway’s new capabilities through their paces, especially:
- Customizing Envoy Fleet Service Annotations to link the K8s Service with AWS Network Load Balancer (NLB)
- Envoy Fleet Pod Annotations: Envoy Gateway and Istio configuration with Gateway API in the same cluster, pairing Envoy Gateway ingress rate limiting and backend mTLS with Istio
- Using EnvoyPatchPolicy to implement powerful Envoy Proxy features like WASM plugins, CORS filter, etc.
- Highlighting Proxy Observability scenarios.
What to Look for in Envoy Gateway’s Next Release
The theme for the next release is “Preparation for GA.” In concert with the work of developing a general availability release, here’s a hint at select new features and capabilities:
- Multi-cluster routing using ServiceImport as a BackendRef
- Introduction of a TrafficPolicy API to support advanced features such as load balancing, CORS and retries
- Seamless control plane and data plane upgrades.
Stay tuned.