This week brought significant infrastructure improvements and platform expansion to Unkey. The team completed a major migration from environment variables to file-based configuration across all services, deployed cross-region gossip messaging, added a powerful sentinel key verification middleware system, and made the platform more resilient with TLS-enabled-by-default deployments. Enhanced dashboard UI and deployment settings round out a week focused on operational maturity and security hardening.
Highlights
Struct-tag-driven configuration system across all services
A new pkg/config package replaces environment-variable-based configuration with file-based TOML/YAML/JSON support. Features struct-tag-driven validation with required/default/min/max/oneof constraints, environment variable expansion, and comprehensive error collection. All eight core services migrated: API, Vault, Ctrl, Krane, Frontline, Preflight, and Sentinel. This simplifies deployment and improves auditability across Kubernetes and Docker environments.
Cross-region gossip messaging for low-latency clustering
Gossip protocol implementation enables efficient message distribution across regions without requiring every node to know about every peer. Intra-cluster messages and cross-region broadcasts use separate membership lists, with designated ambassadors relaying messages between regions to minimize global latency. Reduces operational complexity for distributed deployments.
Sentinel key verification middleware engine
First production sentinel middleware adds API key authentication with configurable matching and policy engine. Verifies incoming requests against pre-configured policies before forwarding, enabling fine-grained access control at the gateway level. Includes error page improvements and middleware routing.
TLS-enabled-by-default with certificate manager support
Services now require explicit opt-out (tls.disabled=true) rather than opt-in for HTTPS. Intelligently uses certificate manager when available, falls back to static certificate files, and logs capability details for easier troubleshooting. Improves default security posture without configuration overhead.
Comprehensive deploy settings UI overhaul
New deployment settings interface organizes build, runtime, and advanced configuration into expandable grouped cards. Environment variable form supports drag-and-drop and copy-paste operations with visual feedback. GitHub integration, region/instance selection, health checks, custom domains, and command/port configuration now have dedicated UX components preparing for guided deployment onboarding.
More Updates
Features & Enhancements
- New deploy settings UI #5073 - Complete redesign of deployment configuration interface with GitHub integration, environment variables management, and custom domains support. (Author: @ogzhanolguncu)
- Config file system #5045 - Introduce file-based TOML/YAML/JSON configuration with struct-tag validation and environment variable expansion. (Author: @chronark)
- Gossip protocol implementation #5015 - Multi-region messaging with ambassador pattern and separate cluster/cross-region membership lists. (Author: @Flo4604)
- Sentinel key verification middleware #5079 - Gateway-level API key authentication with policy matching engine. (Author: @Flo4604)
- Generate RPC wrappers #5028 - Automated RPC wrapper generation and infrastructure cleanup. (Author: @Flo4604)
- Sentinel middleware RFC #5041 - Specification for sentinel middleware architecture and capabilities. (Author: @chronark)
Bug Fixes
- TLS certificate handling #5076 - Make TLS enabled by default; prefer cert manager over static files with fallback support. (Author: @Flo4604)
- Modals with combo box #5002 - Fix modal dialog interaction with combo box selectors. (Author: @perkinsjr)
- Proto type issues #5093 - Fix runtime exception from type mismatch and simplify deployment overview. (Author: @chronark)
- Identity slug copyability #5100 - Enable copy-to-clipboard for identity slugs in permissions table. (Author: @perkinsjr)
- No-data state display #5065 - Show appropriate messaging when analytics or dashboards have insufficient data. (Author: @perkinsjr)
- Deployment URL labels #4976 - Standardize display of deployment URLs and fix conversion errors. (Author: @vansh-commits)
- Cilium policy timing #5059 - Wait for cilium CRDs before applying network policies in cluster initialization. (Author: @ogzhanolguncu)
- Hubble UI deployment #5056 - Add retry logic for hubble-ui pod initialization. (Author: @Flo4604)
Infrastructure
- Prometheus metrics refactoring #5102 - Move metrics to scoped packages for better organization. (Author: @chronark)
- Remove chproxy routes #5101 - Clean up legacy routing infrastructure. (Author: @chronark)
- Sentinel middleware cleanup #5088 - Refactor after sentinel middleware implementation and fix error pages. (Author: @chronark)
- Release workflow rework #5044 - Streamline release process. (Author: @Flo4604)
- Gossip metrics #5107 - Monitoring and observability for gossip protocol operations. (Author: @Flo4604)
Performance Improvements
- Allow longer timeout configuration #5032 - Extend maximum timeout limits for slower operations. (Author: @Flo4604)
Testing
- Remove hand-holding validation #5108 - Streamline validation behavior in development workflows. (Author: @perkinsjr)
Documentation
- Remove orphaned SDK documentation #5033 - Clean up outdated Spring Boot, Rust, and Elixir SDK docs. (Author: @mintlify[bot] and @chronark)
- Cache store interface description #5037 - Add SEO metadata to cache store documentation. (Author: @mintlify[bot] and @chronark)
- Analytics feature documentation #5067 - Update copy to clarify analytics deletion capabilities. (Author: @mcstepp)
- Rate limiting benchmark links #5040 - Reference live performance benchmarks in rate limiting documentation. (Author: @perkinsjr)