
Security and Observability: Expose TLS/DTLS settings via the Gateway API + Monitoring with Prometheus and Grafana

@rg0now rg0now released this 23 Jan 15:47

We are proud to present STUNner v0.13.0. STUNner is the Kubernetes media gateway for WebRTC from l7mp.io.

News

We are happy to announce that this release completes two milestones at once: v0.12 (Security: Expose TLS/DTLS settings via the Gateway API) and v0.13 (Observability: Prometheus + Grafana dashboard) are released together in a single package. Thus there is no separate v0.12 release; we jump straight to v0.13!

The most important changes include full support for TURN over TLS/DTLS to improve security, a Prometheus metric exporter to gain real-time visibility into media traffic, and new tutorials describing how to use Jitsi and LiveKit with STUNner. As a major usability upgrade, STUNner can now reconcile most control-plane updates without having to restart the underlying TURN server and disconnect active sessions. Apart from the milestones, this release also sports the usual assortment of documentation updates, tests and CI/CD improvements throughout the project.

Enjoy STUNner and don't forget to support us if you like it!

Breaking changes

This is a massive release and there are inevitably some intrusive changes that may break your WebRTC application. Upgrade at your own risk.

  • Automatically created LB services now use the same name as the Gateway being exposed. This improves consistency with the rest of the Gateway API implementations.
  • STUNner listeners are now named as <Gateway-namespace>/<Gateway-name>/<listener-name>.
  • All listeners of a Gateway are now exposed in a single LB Service (i.e., a single external IP). Multi-protocol LBs are still not supported; support is planned for the next release.

Major changes/features

  • Add TLS/DTLS support to the control plane and the dataplane.
  • Track only a single node to obtain an external IP for NodePort fallback.
  • Add manual public IP setting to Gateways.
  • Expose health-check settings in the GatewayConfig.
  • Fallback to LB Service Status.Hostname when no Status.IP is available.
  • Disambiguate listener and cluster names.
  • Protocol names (UDP/TCP/...) now stringify to upper case.
  • Mask sensitive info (usernames, passwords and TLS certs) in the logging output.
  • Configurable telemetry collection.
  • Maintain a separate TURN server per listener.
  • Cluster.Protocol support for a future TCPRoute implementation.
  • Implement liveness and readiness checks and the full stunnerd lifecycle.
  • Implement a dry-run mode to suppress side-effects.
  • Support coturn use-auth-secret TURN authentication mode.
  • Add a simple benchmark script.
  • Handle FQDNs in TURN URIs.
  • New tutorials (Jitsi and LiveKit).
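The coturn use-auth-secret mode listed above is the time-limited TURN credential scheme: the username is `<expiry-unix-time>:<user-id>` and the password is the base64 encoding of HMAC-SHA1 over that username keyed with the shared secret. The Go code below is an added example, not STUNner's or coturn's own code, that mints such a credential and validates it server-side with a constant-time comparison and an expiry check; the secret, user ID and timestamps are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Credential holds a TURN username/password pair in the use-auth-secret format.
type Credential struct {
	Username string
	Password string
}

// derivePassword computes base64(HMAC-SHA1(secret, username)).
func derivePassword(secret, username string) string {
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// NewCredential mints a credential that is valid until expiry.
func NewCredential(secret, userID string, expiry time.Time) Credential {
	username := strconv.FormatInt(expiry.Unix(), 10) + ":" + userID
	return Credential{Username: username, Password: derivePassword(secret, username)}
}

// Verify is the server-side check: parse the expiry out of the username,
// reject stale credentials, then recompute the HMAC and compare in constant time.
func Verify(secret string, cred Credential, now time.Time) error {
	parts := strings.SplitN(cred.Username, ":", 2)
	if len(parts) != 2 {
		return errors.New("malformed username: expected <timestamp>:<user-id>")
	}
	exp, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil {
		return fmt.Errorf("malformed timestamp: %w", err)
	}
	if now.Unix() >= exp {
		return errors.New("credential expired")
	}
	expected := derivePassword(secret, cred.Username)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(cred.Password)) != 1 {
		return errors.New("password does not match shared secret")
	}
	return nil
}
```

Rotating the shared secret invalidates every credential minted with it, so hand clients a short expiry (minutes, not days) and let them re-fetch credentials rather than caching them.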