Security and Observability: Expose TLS/DTLS settings via the Gateway API + Monitoring with Prometheus and Grafana
We are proud to present STUNner v0.13.0. STUNner is the Kubernetes media gateway for WebRTC from l7mp.io.
News
We are happy to announce that this release completes two milestones at once: v0.12 (Security: Expose TLS/DTLS settings via the Gateway API) and v0.13 (Observability: Prometheus + Grafana dashboard) ship together in a single package. Thus, there is no separate v0.12 release; we jump straight to v0.13!
The most important changes include full support for TURN over TLS/DTLS to improve security, a Prometheus metrics exporter to gain real-time visibility into media traffic, and new tutorials describing how to use Jitsi and LiveKit with STUNner. As a major usability upgrade, STUNner can now reconcile most control-plane updates without restarting the underlying TURN server and disconnecting active sessions. Apart from the milestones, this release also sports the usual assortment of documentation updates, tests and CI/CD improvements all over the place.
Enjoy STUNner and don't forget to support us if you like it!
Breaking changes
This is a massive release and there are inevitably some intrusive changes that may break your WebRTC application. Upgrade at your own risk.
- Automatically created LB services now use the same name as the Gateway being exposed. This improves consistency with the rest of the Gateway API implementations.
- STUNner listeners are now named as <Gateway-namespace>/<Gateway-name>/<listener-name>.
- All listeners of a Gateway are now exposed in a single LB Service (i.e., a single external IP). Multi-protocol LBs are still not supported; this is to arrive in the next release.
Major changes/features
- Add TLS/DTLS support to the control plane and the dataplane.
- Track only a single node to obtain an external IP for NodePort fallback.
- Add manual public IP setting to Gateways.
- Expose health-check settings in the GatewayConfig.
- Fall back to the LB Service Status.Hostname when no Status.IP is available.
- Disambiguate listener and cluster names.
- Protocol names (UDP/TCP/...) now stringify to upper case.
- Mask sensitive info (usernames, passwords and TLS certs) in the logging output.
- Configurable telemetry collection.
- Maintain a separate TURN server per listener.
- Cluster.Protocol support for a future TCPRoute implementation.
- Implement liveness and readiness checks and the full stunnerd lifecycle.
- Implement a dry-run mode to suppress side-effects.
- Support the coturn use-auth-secret TURN authentication mode.
- Add a simple benchmark script.
- Handle FQDNs in TURN URIs.
- New tutorials (Jitsi and LiveKit).
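The coturn use-auth-secret mode listed above is the ephemeral-credential scheme from the TURN REST API draft: the client never gets a long-lived TURN password, only a username that embeds an expiry timestamp and a password that is the HMAC-SHA1 of that username under a secret shared between the application server and the TURN server. The following Go program is an added example written for this post and is not STUNner's or coturn's own code; the secret, user id and expiry are constructed values, and Validate checks the derived password directly, whereas a real TURN server verifies the MESSAGE-INTEGRITY attribute keyed from it (the arithmetic on the shared secret is the same).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Distinct errors so a caller can tell why a credential was rejected.
var (
	ErrMalformedUsername = errors.New("username is not <expiry>:<user>")
	ErrExpired           = errors.New("credential has expired")
	ErrBadPassword       = errors.New("password does not match the shared secret")
)

// Ephemeral derives a short-lived TURN credential in the use-auth-secret scheme:
// the username is "<expiry-unix-timestamp>:<user>" and the password is the
// base64-encoded HMAC-SHA1 of that username keyed with the shared secret.
func Ephemeral(secret, user string, expiry time.Time) (username, password string) {
	username = strconv.FormatInt(expiry.Unix(), 10) + ":" + user
	password = derive(secret, username)
	return username, password
}

// derive computes the password for a username; the server runs the same function.
func derive(secret, username string) string {
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Validate is the server-side check: the username must parse, the expiry must lie
// in the future relative to now, and the password must equal the HMAC the server
// recomputes from its own copy of the secret (compared in constant time).
func Validate(secret, username, password string, now time.Time) error {
	i := strings.IndexByte(username, ':')
	if i < 0 {
		return ErrMalformedUsername
	}
	expiry, err := strconv.ParseInt(username[:i], 10, 64)
	if err != nil {
		return ErrMalformedUsername
	}
	if !now.Before(time.Unix(expiry, 0)) {
		return ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(derive(secret, username)), []byte(password)) != 1 {
		return ErrBadPassword
	}
	return nil
}

func main() {
	secret := "example-shared-secret" // constructed for this example, not a real deployment value
	user, pass := Ephemeral(secret, "alice", time.Now().Add(time.Hour))
	fmt.Println("username:", user)
	fmt.Println("password:", pass)
	fmt.Println("accepted now:", Validate(secret, user, pass, time.Now()))
	fmt.Println("accepted in two hours:", Validate(secret, user, pass, time.Now().Add(2*time.Hour)))
	fmt.Println("accepted with tampered user:", Validate(secret, strings.Replace(user, "alice", "bob", 1), pass, time.Now()))
}
```

Because the expiry is part of the HMAC input, a client cannot extend its own lifetime by editing the timestamp, and changing the user id invalidates the password too; the only things the server must protect are the secret and its clock.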