CHANGELOG-OLD.md
Looking for recent releases? Please see CHANGELOG.md instead.
kong version
command was incorrect
OpenSSL from 1.1.1n to 1.1.1o
#8635
ngx.timer.running_count() and
ngx.timer.pending_count()
#8387
CLUSTERING_MAX_PAYLOAD is now configurable in kong.conf
Thanks, @andrewgkew!
#8337
status
endpoint when Kong node is running in dbless or data-plane mode.
#8214
#8425
.),
the dot will be ignored, since according to
RFC-3546
said dot is not part of the hostname.
#8269
route.*:80) over wildcard-only routes (route.*),
which have less specificity
#8233
.) domain
which can appear in /etc/resolv.conf in special cases like search .
#8307
error log level
has been downgraded to the appropriate debug log level.
#8410
next field in when paginating Upstreams
#8249
kong.request.getrawbody was
big enough to be buffered into a temporary file, it would return an
empty string.
#8390
ConsumerSpec and AuthenticateArgs.
Thanks, @raptium!
#8280
Vary: Origin header any more when
the header Access-Control-Allow-Origin is set to *.
Thanks, @jkla-dr!
#8401
proxy_scheme config attribute for removal in 3.0
#8406
X-Authenticated-UserId and
X-Authenticated-Scope headers when it is configured in logical OR and
is used in conjunction with another authentication plugin.
#8422
transformations
and shorthand_fields properties, which were previously only available for non-subschema entities.
#8146
kong-plugin-session from 0.7.1 to 0.7.2
#7910
resty.openssl from 0.7.4 to 0.7.5
#7909
go-pdk used in tests from v0.6.0 to v0.7.1 #7964
worker_consistency directive, and changed its default to eventual. Future versions of Kong will remove the option and act with eventual consistency only.
In this release we continued our work on better performance:
pg_user and pg_password, and pg_ro_user and pg_ro_password now support
automatic secret rotation when used together with
Kong Secrets Management
vault references.
#8967
kong.response.get_raw_body and kong.response.set_raw_body
#7887
status and message.
#7728
Thanks timmkelley for the patch!
distribution metric type.
#6231
Thanks onematchfox for the patch!
service_tag, consumer_tag, and status_tag.
#6230
Thanks onematchfox for the patch!
.proto files features.
#7950
.proto files.
#8107
redis_ssl (can be set to true or false), ssl_verify, and ssl_server_name.
#6737
Thanks gabeio for the patch!
:).
#7977
Thanks beldahanit for reporting the issue!
BasePlugin is deprecated and will be removed in a future version of Kong.
Porting tips in the documentation
ssl_cert and ssl_session_fetch phases.
#8161
kong.log.inspect log level is now debug instead of warn. It also renders text
boxes more cleanly now #7815
lua-pack from 1.0.5 to 2.0.0
#8004
Release date: 2021/10/04
openresty from 1.19.3.2 to 1.19.9.1
#7430
openssl from 1.1.1k to 1.1.1l
7767
lua-resty-http from 0.15 to 0.16.1
#7797
Penlight to 1.11.0
#7736
lua-resty-http from 0.15 to 0.16.1
#7797
lua-protobuf from 0.3.2 to 0.3.3
#7656
lua-resty-openssl from 0.7.3 to 0.7.4
#7657
lua-resty-acme from 0.6 to 0.7.1
#7658
grpcurl from 1.8.1 to 1.8.2
#7659
luasec from 1.0.1 to 1.0.2
#7750
lua-resty-ipmatcher to 0.6.1
#7703
Thanks EpicEric for the patch!
All Kong Gateway OSS plugins will be moved from individual repositories and centralized into the main Kong Gateway (OSS) repository. We are making a gradual transition. On this release:
mutually_exclusive. It accepts a list of fields. If more than 1 of those fields
is set simultaneously, the entity is considered invalid.
#7765
In this release we've made a special effort with regard to performance.
There's a new performance workflow which periodically checks new code additions against some typical scenarios #7030 #7547
In addition to that, the following changes were specifically included to improve performance:
ngx.var
#7840
ngx.update_time
#7853
get_phase in balancer
#7854
dns_order as unsupported experimental feature. Please
give it a try and report back any issues
#7819.
os.getenv
#6872.
AWS_REGION and
AWS_DEFAULT_REGION environment variables (when not specified with the plugin configuration).
This allows specifying a 'region' on a per Kong node basis, hence adding the ability to invoke the
Lambda in the same region where Kong is located.
#7765
host and port config options can be configured from environment variables
KONG_DATADOG_AGENT_HOST and KONG_DATADOG_AGENT_PORT. This allows setting different
destinations on a per Kong node basis, which makes multi-DC setups easier and in Kubernetes allows
running the datadog agents as a daemon-set.
#7463
Thanks rallyben for the patch!
data_plane_cluster_cert_expiry_timestamp is added to expose the Data Plane's cluster_cert expiry timestamp for improved monitoring in Hybrid Mode. #7800.
Request Termination:
trigger config option, which makes the plugin only activate for any requests with a header or query parameter
named like the trigger. This can be a great debugging aid, without impacting actual traffic being processed.
#6744.
request-echo config option was added. If set, the plugin responds with a copy of the incoming request.
This eases troubleshooting when Kong is behind one or more other proxies or LB's, especially when combined with
the new 'trigger' option.
#6744.
GRPC-Gateway:
.google.protobuf.Timestamp on the gRPC side are now
transcoded to and from ISO8601 strings in the REST side.
#7538
..?foo.bar=x&foo.baz=y are interpreted as structured
fields, equivalent to {"foo": {"bar": "x", "baz": "y"}}
#7564
Thanks git-torrent for the patch!
:authority pseudo-header on balancer retries
#7725.
Accept header could cause unexpected HTTP 500
#7757.
Proxy-Authentication request header and Proxy-Authenticate response header
#7724.
aws-lambda, grpc-web or request-termination plugins can now talk
with newer control planes by ignoring new plugin fields.
#7881
kong config parse no longer crashes when there's a Go plugin server enabled
#7589.
GET /upstreams/:upstreams/targets/:target no longer returns 404 when target weight is 0
#7758.
kong.response.exit now uses customized "Content-Length" header when found
#7828.
subsystem field
#7802.
Release date: 2021/09/07
This is the first patch release in the 2.5 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
grpcurl from 1.8.1 to 1.8.2 #7659
lua-resty-openssl from 0.7.3 to 0.7.4 #7657
penlight from 1.10.0 to 1.11.0 #7736
luasec from 1.0.1 to 1.0.2 #7750
OpenSSL from 1.1.1k to 1.1.1l #7767
/workspaces/workspace_name/meta endpoint would show counts for Consumers
and RBAC users, which prevented the workspace from being deleted. Now deleting entities correctly updates
the counts, allowing an empty workspace to be deleted. #7560
handler.lua now gets the workspace ID from the request
and adds it to the upstream entity that will be used in the worker and cluster events. Before this change,
when posting balancer CRUD events, the workspace ID was lost and the balancer used the default
workspace ID as a fallback. #7778
kong config parse
or kong config db_import from working as expected. #7589
Release date: 2021-07-13
This is the final release of Kong 2.5.0, with no breaking changes with respect to the 2.x series.
This release includes Control Plane resiliency to database outages and the new
declarative_config_string config option, among other features and fixes.
openresty from 1.19.3.1 to 1.19.3.2 #7430
luasec from 1.0 to 1.0.1 #7126
luarocks from 3.5.0 to 3.7.0 #7043
grpcurl from 1.8.0 to 1.8.1 #7128
penlight from 1.9.2 to 1.10.0 #7127
lua-resty-dns-client from 6.0.0 to 6.0.2 #7539
kong-plugin-prometheus from 1.2 to 1.3 #7415
kong-plugin-zipkin from 1.3 to 1.4 #7455
lua-resty-openssl from 0.7.2 to 0.7.3 #7509
lua-resty-healthcheck from 1.4.1 to 1.4.2 #7511
hmac-auth from 2.3.0 to 2.4.0 #7522
lua-protobuf to 0.3.2 (previously unpinned) #7079
All Kong Gateway OSS plugins will be moved from individual repositories and centralized into the main Kong Gateway (OSS) repository. We are making a gradual transition, starting with the grpc-gateway plugin first:
cluster_cert (cluster_mtls=shared) or cluster_ca_cert (cluster_mtls=pki) into
lua_ssl_trusted_certificate when operating in Hybrid mode. Before, Hybrid mode users needed to configure
lua_ssl_trusted_certificate manually as a requirement for Lua to verify the Control Plane's certificate.
See Starting Data Plane Nodes
in the Hybrid Mode guide for more information. #7044
declarative_config_string option allows loading a declarative config directly from a string. See the
Loading The Declarative Configuration File
section of the DB-less and Declarative Configuration guide for more information.
#7379
exit() function before calling it,
because passing the wrong argument type would break the request response.
#7082
@request-target field in the signature
string. Before, the plugin used the request-line parameter, which contains the HTTP request method, request URI, and
the HTTP version number. The inclusion of the HTTP version number in the signature caused requests to the same target
but using different request methods (such as HTTP/2) to have different signatures. The newly added request-target field
only includes the lowercase request method and request URI when calculating the hash, avoiding those issues.
See the HMAC Authentication documentation for more information.
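The effect of the two fields on verification, as an added example that is not code from the Kong plugin. The line layout of the signing string, the secret and the sample request are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac


def build_signing_string(fields, method, uri, http_version, headers):
    """Join one line per signed field, in the order the client lists them.

    Assumed layout (not taken from the plugin source): "name: value" lines
    separated by newlines, with two special field names.
    """
    lines = []
    for field in fields:
        name = field.lower()
        if name == "request-line":
            # Older field: method, URI and the HTTP version of the connection.
            lines.append(f"{method} {uri} HTTP/{http_version}")
        elif name == "@request-target":
            # Newer field: lowercase method and URI only, no protocol version.
            lines.append(f"@request-target: {method.lower()} {uri}")
        else:
            if name not in headers:
                raise KeyError(f"signed header {name!r} missing from request")
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sign(secret, signing_string):
    """Base64-encoded HMAC-SHA256 over the signing string."""
    digest = hmac.new(secret, signing_string.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(digest.digest()).decode("ascii")


def verify(secret, presented_signature, fields, request):
    """Recompute the signature from the request as received; compare in constant time."""
    expected = sign(secret, build_signing_string(fields, **request))
    return hmac.compare_digest(expected, presented_signature)


# Constructed sample data, not taken from any real deployment.
SECRET = b"constructed-demo-secret"
HEADERS = {"date": "Tue, 13 Jul 2021 10:00:00 GMT", "host": "api.example.test"}


def as_seen(http_version, method="GET"):
    """The same logical request as it appears on a connection of the given version."""
    return {
        "method": method,
        "uri": "/orders?id=7",
        "http_version": http_version,
        "headers": HEADERS,
    }


def compare_fields():
    """Sign once as HTTP/1.1, then verify under three views of the request."""
    results = {}
    for fields in (["date", "request-line"], ["date", "@request-target"]):
        signature = sign(SECRET, build_signing_string(fields, **as_seen("1.1")))
        results[fields[1]] = {
            "same_version": verify(SECRET, signature, fields, as_seen("1.1")),
            "other_version": verify(SECRET, signature, fields, as_seen("2.0")),
            "other_method": verify(
                SECRET, signature, fields, as_seen("1.1", method="DELETE")
            ),
        }
    return results


if __name__ == "__main__":
    for field, outcome in compare_fields().items():
        print(field, outcome)
```

With `@request-target` the signature survives a change of protocol version between signer and verifier while still binding the method and URI, so a replay with a different method is rejected.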
#7037
data_plane_last_seen, data_plane_config_hash and data_plane_version_compatible. These
metrics can be useful for troubleshooting when data planes have inconsistent configurations across the cluster. See the
Available metrics section of the Prometheus plugin documentation
for more information. 98
kong.route, kong.service_name and kong.route_name.
See the Spans section of the Zipkin plugin documentation for more information.
115
select_by_cache_key now finds entities by using the provided field directly
in select_by_key and does not complete unnecessary cache reads. #7146
init_worker handler fails, improving stability.
#7099
certificate phase,
avoiding plugin mixups. #7102
ngx.sleep implementation in init_worker phase now invokes update_time in order to prevent time-based deadlocks
#7532
Proxy-Authorization header is removed when it is part of the original request or when a plugin sets it to the
same value as the original request
#7533
HEAD requests don't provoke an error when a Plugin implements the response phase
#7535
dao:crud events more strictly and has
a new cluster event, clustering:push_config for configuration pushes. These updates allow Kong to filter
invalidation events that do not actually require a database change. Furthermore, the clustering module does
not subscribe to the generic invalidations event, which has a more broad scope than database entity invalidations.
#7112
weight=0, or disabled targets.
Before, disabled targets were not included in the output when users attempted to list all targets. Then
when users attempted to add the targets again, they received an error message telling them the targets already existed.
#7094
prefix argument in the kong stop command now takes precedence over environment variables, as it does in the kong start command.
#7080
proxy_stream_access_log and proxy_stream_error_log
have been added to differentiate stream access log from the HTTP subsystem. See
proxy_stream_access_log
and proxy_stream_error in the Configuration
Property Reference for more information. #7046
/?/init.lua is in the Lua path when doing migrations. Before, when users created
a custom plugin in a non-standard location and set lua_package_path = /usr/local/custom/?.lua, migrations failed.
Migrations failed because the Kong core file is init.lua and it is required as part of kong.plugins.<name>.migrations.
With this fix, migrations no longer expect init.lua to be a part of the path. #6993
ALTER COLUMN operations in Apache Cassandra 4.0.
#7490
kong.response.get_XXX() functions now work in the log phase on external plugins. Before,
kong.response.get_XXX() functions required data from the response object, which was not accessible in the
post-log timer used to call log handlers in external plugins. Now these functions work by accessing the required
data from the set saved at the start of the log phase. See kong.response
in the Plugin Development Kit for more information. #7048
instance_id of an external plugin changed, and the plugin instance attempted to reset and retry,
it was failing because of a typo in the comparison. #7153.
Thanks, ealogar!
kong.log's phase checker now accounts for the existence of the new response pseudo-phase.
Before, users may have erroneously received a safe runtime error for using a function out-of-place in the PDK.
#7109
string.rep function. Before, string.rep was sandboxed to disallow a single operation
from allocating too much memory. However, a single operation allocating too much memory is no longer an issue
because in LuaJIT there are no debug hooks and it is trivial to implement a loop to allocate memory on every single iteration.
Additionally, since the string table is global and obtainable by any sandboxed string, its sandboxing provoked issues on global state.
#7167
kong.pdk.node function can now correctly iterate over all the shared dict metrics. Before this fix,
users using the kong.pdk.node function could not see all shared dict metrics under the Stream subsystem.
#7078
BasePlugin class have to remove this inheritance.
config.ldap_port parameter
that matches the documentation. Before, the plugin documentation Parameters
section included a reference to a default value for the LDAP port; however, the default value was not included in the plugin schema.
#7438
Released 2021/05/11
This is a patch release in the 2.4 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
405 is handled by Kong's error page.
#6933
init_worker do not break Kong's worker initialization.
#7099
kong start and kong stop prioritize CLI flag --prefix over environment
variable KONG_PREFIX.
#7080
response phase is accounted for in phase checkers.
#7109
kong.response.get_*
methods - e.g., kong.response.get_status.
#7048
hmac-auth: enable JIT compilation of authorization header regex.
#7037
Released 2021/04/06
This is the final release of Kong 2.4.0, with no breaking changes with respect to the 2.x series. This release includes JavaScript PDK, improved CP/DP updates and UTF-8 Tags, amongst other improvements and fixes.
Note: if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's OpenResty patches (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our kong-build-tools repository will allow you to do both easily.
ssl_certificate phase on plugins with stream module.
6873
Host header is now updated between balancer retries, using the
value configured in the correct upstream entity.
6796
Upgrade header is not cleared anymore when response Connection header
contains Upgrade.
6929
kong.log methods
6701
response phase is included on the list of public phases
6638
Int.
6994
Released 2021/03/05
This is a patch release in the 2.3 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
1.1.1i to 1.1.1j.
6859
kong config
(previously it was possible only as a yaml string inside json). JSON declarative
config is now parsed with the cjson library, instead of with libyaml.
6852
prng_seed from the Admin API and add PIDs instead.
6842
kong.log.serialize properly calculates reported latencies.
6869
Released 2021/02/09
This is a patch release in the 2.3 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
kong migrations now accepts a -p/--prefix flag.
#6819
Released 2021/01/26
This is a patch release in the 2.3 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
Released 2021/01/08
This is a new release of Kong, with no breaking changes with respect to the 2.x series, with Control Plane/Data Plane version checks, UTF-8 names for Routes and Services, and a Plugin Servers.
kong-plugin-zipkin from 1.1 to 1.2.
#6576
kong-plugin-request-transformer from 1.2 to 1.3.
#6542
name field now support utf-8 characters.
#6557
cert_alt and key_alt fields, used
to specify an alternative certificate and key pair.
#6536
stderr and stdout are now written into Kong's
logs.
#6503
kong.node.get_hostname method that returns the current
node's host name.
#6613
kong.cluster.get_id method that returns a unique ID
for the current Kong cluster. If Kong is running in DB-less mode
without a cluster ID explicitly defined, then this method returns nil.
For Hybrid mode, all Control Planes and Data Planes belonging to the
same cluster return the same cluster ID. For traditional database
based deployments, all Kong nodes pointing to the same database will
also return the same cluster ID.
#6576
kong.log.set_serialize_value, which allows for customizing
the output of kong.log.serialize.
#6646
http-log: the plugin now has a headers configuration, so that
custom headers can be specified for the log request.
#6449
key-auth: the plugin now has two additional boolean configurations:
key_in_header: if false, the plugin will ignore keys passed as
headers.
key_in_query: if false, the plugin will ignore keys passed as
query arguments.
Both default to true.
#6590
request-size-limiting: add new configuration require_content_length,
which causes the plugin to ensure a valid Content-Length header exists
before reading the request body.
#6660
serverless-functions: introduce a sandboxing capability, and it has been
enabled by default, where only Kong PDK, OpenResty ngx APIs, and Lua standard libraries are allowed.
#32
client_max_body_size and client_body_buffer_size, that were previously
hardcoded to 10m, are now configurable through nginx_admin_client_max_body_size and nginx_admin_client_body_buffer_size.
#6597
600 file system permission.
#6509
ssl_cert, ssl_cert_key, admin_ssl_cert,
admin_ssl_cert_key, status_ssl_cert, and status_ssl_cert_key
is now an array: previously, only an RSA certificate was generated
by default; with this change, an ECDSA is also generated. On
intermediate and modern cipher suites, the ECDSA certificate is set
as the default fallback certificate; on old cipher suite, the RSA
certificate remains as the default. On custom certificates, the first
certificate specified in the array is used.
#6509
kong user if it exists; if said user does not exist
in the system, the nobody user is used, as before.
#6421
dao:delete_by:post hook.
#6567
nil request context would lead to errors attempt to index local 'ctx' being shown in the logs
kong reload -c <config> would fail.
#6664
tries field as an array when
empty, rather than an object.
#6632
null in config anymore as they can
lead to runtime errors. #6710
Released 2021/03/01
This is a patch release in the 2.2 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
serverless-functions: introduce a sandboxing capability, enabled by default,
where only Kong PDK, OpenResty ngx APIs, and some Lua standard libraries are
allowed. Read the documentation here.
#32
Released 2020/12/01
This is a patch release in the 2.2 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
starting instance: nil error.
#6507
http and https (and has
a hosts and snis match criteria) would fail to proxy http
requests, as it does not contain an SNI.
#6517
kong.ctx.shared values
set by Lua plugins.
#6426
:authority
pseudo-header in upstream requests.
#6603
kong config db_import and kong config db_export
commands would fail if Go plugins were enabled.
#6596
Thanks daniel-shuy for the patch!
Released 2020/10/23
This is a new major release of Kong, including new features such as UDP support, Configurable Request and Response Buffering, Dynamically Loading of OS Certificates, and much more.
1.1.1g to 1.1.1h.
#6382
Note: if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's OpenResty patches (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our kong-build-tools repository will allow you to do both easily.
"udp" protocol is now accepted in the protocols
attribute of Routes and the protocol attribute of Services.
Load balancing and logging plugins support UDP as well.
#6215
Route.request_buffering or Route.response_buffering
to true or false. Default behavior remains the same: buffering is enabled
by default for requests and responses.
#6057
lua_ssl_trusted_certificate was extended to accept a
comma-separated list of certificate paths, as well as a special system
value, which expands to the "system default" certificates file installed
by the operating system. This follows a very simple heuristic to try to
use the most common certificate file in most popular distros.
#6342
X-Forwarded-Path header: if a trusted source provides a
X-Forwarded-Path header, it is proxied as-is. Otherwise, Kong will set
the content of said header to the request's path.
#6251
Upstream.client_certificate attribute can now be used from proxying:
This allows client_certificate setting used for mTLS handshaking with
the Upstream server to be shared easily among different Services.
However, Service.client_certificate will take precedence over
Upstream.client_certificate if both are set simultaneously.
In previous releases, Upstream.client_certificate was only used for
mTLS in active health checks.
#6348
shorthand_fields top-level attribute in schema definitions, which
deprecates shorthands and includes type definitions in addition to the
shorthand callback.
#6364
cluster_data_plane_purge_delay attribute, set to 14 days by default.
#6376
/clustering/data-planes which returns complete
information about all Data Plane nodes that are connected to the Control
Plane cluster, regardless of the Control Plane node to which they connected.
#6308
/clustering/status endpoint is now deprecated, since it
returns only information about Data Plane nodes directly connected to the
Control Plane node to which the Admin API request was made, and is
superseded by /clustering/data-planes.
headers configuration setting for
including or removing the Server header.
#6371
kong.request.get_forwarded_prefix: returns the prefix path
component of the request's URL that Kong stripped before proxying to upstream,
respecting the value of X-Forwarded-Prefix when it comes from a trusted source.
#6251
kong.response.exit now honors the headers configuration setting for
including or removing the Server header.
#6371
kong.log.serialize function now can be called using the stream subsystem,
allowing various logging plugins to work under TCP and TLS proxy modes.
#6036
multipart/form-data MIME type now can use the same part name
multiple times. #6054
response in Lua plugins and Response in Go. Using it
automatically enables response buffering, which allows you to manipulate
both the response headers and the response body in the same phase.
This enables support for response handling in Go, where header and body
filter phases are not available, allowing you to use PDK functions such
as kong.Response.GetBody(), and provides an equivalent simplified
feature for handling buffered responses from Lua plugins as well.
#5991
strip_path Route
attribute) to the upstream gRPC service.
limit_by = "path" configuration attribute.
Thanks KongGuide for the patch!
#6286
Released 2020/09/18
This is a patch release in the 2.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
WARN log that was seen in the Kong 2.1
series.
#6258
skip_large_bodies config setting even when not using
AWS API Gateway compatibility.
#6379
kong reload would occasionally leave stale workers locked
at 100% CPU.
#6300
kong hybrid gen_cert now reports "permission denied" errors correctly
when it fails to write the certificate files.
#6368
deny clause
was configured for a group that does not exist would cause a HTTP 401
when an authenticated plugin would match the anonymous consumer. The
behavior is now restored to that seen in Kong 1.x and 2.0.
#6354
Released 2020/08/19
This is a patch release in the 2.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
X-Forwarded-Prefix header with stripped path prefixes:
the stripped portion of path is now added in X-Forwarded-Prefix,
except if it is / or if it is received from a trusted client.
#6222
/config endpoint. It now waits for
the configuration to update across workers before returning, and returns
HTTP 429 on attempts to perform concurrent updates and HTTP 504 in case
of update timeouts.
#6121
Released 2020/08/13
:white_check_mark: Update (2020/08/13): This release fixed a balancer
bug that may cause incorrect request payloads to be sent to unrelated
upstreams during balancer retries, potentially causing responses for
other requests to be returned. Therefore it is highly recommended
that Kong users running versions 2.1.0 and 2.1.1 upgrade to this
version as soon as possible, or apply the mitigation from the
2.1.0 section below.
kong.response.error PDK function respects gRPC related
content types.
#6214
Released 2020/08/05
:red_circle: Post-release note (as of 2020/08/13): A faulty behavior
has been observed with this change. When Kong proxies using the balancer
and a request to one of the upstream Targets fails, Kong might send the
same request to another healthy Target in a different request later,
causing response for the failed request to be returned.
This bug could be mitigated temporarily by disabling upstream keepalive pools. It can be achieved by either:
kong.conf, set upstream_keepalive_pool_size=0, or
KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0 when starting
Kong with the CLI.
Then restart/reload the Kong instance.
Thanks Nham Le (@nhamlh) for reporting it in #6212.
:white_check_mark: Update (2020/08/13): A fix to this regression has been released as part of 2.1.2. See the section of the Changelog related to this release for more details.
0.5.9.
#6148
path attribute of the
Service entity.
#6183
kong.node.get_memory_stats() PDK method would be incorrectly reported in kilobytes, rather than bytes, leading to inaccurate values in the /status Admin API endpoint (and other users of said PDK method).
#6170
Released 2020/07/16
:red_circle: Post-release note (as of 2020/08/13): A faulty behavior
has been observed with this change. When Kong proxies using the balancer
and a request to one of the upstream Targets fails, Kong might send the
same request to another healthy Target in a different request later,
causing response for the failed request to be returned.
This bug could be mitigated temporarily by disabling upstream keepalive pools. It can be achieved by either:
kong.conf, set upstream_keepalive_pool_size=0, or
KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0 when starting
Kong with the CLI.
Then restart/reload the Kong instance.
Thanks Nham Le (@nhamlh) for reporting it in #6212.
:white_check_mark: Update (2020/08/13): A fix to this regression has been released as part of 2.1.2. See the section of the Changelog related to this release for more details.
ca-certificates to the Alpine Docker image.
#373
1.1.1f to 1.1.1g.
#5820
4.1.3
to 5.0.1.
#5499
0.2.4 to 0.2.5.
#5984
0.6.0 to 0.6.2.
#5941
router_consistency and
router_update_frequency have been renamed to worker_consistency and
worker_state_update_frequency, respectively. The new properties allow for
configuring the consistency settings of additional internal structures, see
below for details.
#5325
nginx_upstream_keepalive_* configuration properties have been
renamed to upstream_keepalive_*. This is due to the introduction of dynamic
upstream keepalive pools, see below for details.
#5771
worker_state_update_frequency (previously
router_update_frequency) was changed from 1 to 5.
#5325
allow and
deny as terms for access control. Previous nomenclature is deprecated and
support will be removed in Kong 3.0.
allow and deny instead of whitelist and blacklist
allow and deny instead of whitelist and blacklist
allow and deny instead of whitelist and blacklist
#6014
:fireworks: Asynchronous upstream updates: Kong's load balancer is now able to update its internal structures asynchronously instead of onto the request/stream path.
This change required the introduction of new configuration properties and the deprecation of older ones:
worker_consistency
worker_state_update_frequency
router_consistency
router_update_frequency
The new worker_consistency property is similar to router_consistency and accepts
either of strict (default, synchronous) or eventual (asynchronous). Unlike its
deprecated counterpart, this new property aims at configuring the consistency of all
internal structures of Kong, and not only the router.
#5325
:fireworks: Read-Only Postgres: Kong users are now able to configure a read-only Postgres replica. When configured, Kong will attempt to fulfill read operations through the read-only replica instead of the main Postgres connection. #5584
Introducing dynamic upstream keepalive pools. This change prevents virtual
host confusion when Kong proxies traffic to virtual services (hosted on the
same IP/port) over TLS.
Keepalive pools are now created by the upstream IP/upstream port/SNI/client certificate tuple instead of IP/port only. Users running Kong in front of
virtual services should consider adjusting their keepalive settings
appropriately.
This change required the introduction of new configuration properties and the deprecation of older ones:
upstream_keepalive_pool_size
upstream_keepalive_max_requests
upstream_keepalive_idle_timeout
nginx_upstream_keepalive
nginx_upstream_keepalive_requests
nginx_upstream_keepalive_timeout
Additionally, this change allows for specifying an indefinite amount of max requests and idle timeout threshold for upstream keepalive connections, a capability that was previously removed by Nginx 1.15.3. #5771
The default certificate for the proxy can now be configured via Admin API
using the /certificates endpoint. A special * SNI has been introduced
which stands for the default certificate.
#5404
Add support for PKI in Hybrid Mode mTLS. #5396
Add X-Forwarded-Prefix to set of headers forwarded to upstream requests.
#5620
Introduce a _transform option to declarative configuration, which allows
importing basicauth credentials with and without hashed passwords. This change
is only supported in declarative configuration format version 2.1.
#5835
Add capability to define different consistency levels for read and write
operations in Cassandra. New configuration properties cassandra_write_consistency
and cassandra_read_consistency were introduced and the existing
cassandra_consistency property was deprecated.
Thanks Abhishekvrshny for the patch!
#5812
Introduce certificate expiry and CA constraint checks to Hybrid Mode
certificates (cluster_cert and cluster_ca_cert).
#6000
Introduce new attributes to the Services entity, allowing for customizations in TLS verification parameters: #5976
tls_verify: whether TLS verification is enabled while handshaking
with the upstream Service
tls_verify_depth: the maximum depth of verification when validating
upstream Service's TLS certificate
ca_certificates: the CA trust store to use when validating upstream
Service's TLS certificate
Introduce new attribute client_certificate in Upstreams entry, used
for supporting mTLS in active health checks.
#5838
--force flag to kong migrations bootstrap.
#5635db_cache_neg_ttl, allowing the configuration
of negative TTL for DB entities.
Thanks ealogar for the patch!
#5397kong.response.exit in Stream (L4) proxy mode.
#5524kong.request.get_forwarded_path method, which returns
the path component of the request's URL, but also considers
X-Forwarded-Prefix if it comes from a trusted source.
#5620kong.response.error method, that allows PDK users to exit with
an error while honoring the Accept header or manually forcing a content-type.
#5562kong.client.tls module, which provides the following methods for
interacting with downstream mTLS:
kong.client.tls.request_client_certificate(): request client to present its
client-side certificate to initiate mutual TLS authentication between server
and client.
kong.client.tls.disable_session_reuse(): prevent the TLS session for the current
connection from being reused by disabling session ticket and session ID for
the current TLS connection.
kong.client.tls.get_full_client_certificate_chain(): return the PEM encoded
downstream client certificate chain with the client certificate at the top
and intermediate certificates (if any) at the bottom.
#5890
kong.log.serialize method.
#5995
kong.service PDK module:
kong.service.set_tls_verify(): set whether TLS verification is enabled while
handshaking with the upstream Service
kong.service.set_tls_verify_depth(): set the maximum depth of verification
when validating upstream Service's TLS certificate
kong.service.set_tls_verify_store(): set the CA trust store to use when
validating upstream Service's TLS certificate
kong.ctx.shared.
#5496
X-Credential-Identifier header to the following authentication plugins:
host configuration to allow for custom Lambda endpoints.
#35
ca_certificates table would
fail to be created.
#5764
PATCH on /upstreams/:upstreams/targets/:targets
Authorization value from logged headers. Values are now shown as
REDACTED.
#5628.
Released 2020/06/30
1.1.1f to 1.1.1g.
#5820
0.2.0 to 0.3.2, leveraging go-pdk 0.3.1.
See the go-pdk changelog.
Cannot serialise table: excessively sparse array.
#5768
config.anonymous from empty string to the ngx.null value.
#5906 # character.
#5822
PUT request on /upstreams/:upstreams/targets/:targets
would result in HTTP 500 Internal Server Error.
#6012
kong.service.set_target() includes the port number if a non-default
port is used.
#5996
Vary header; new values are now
added as additional Vary headers.
Thanks aldor007 for the patch!
#5794
Released 2020/04/22
Released 2020/04/06
This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
dns_not_found_ttl and dns_error_ttl configuration
options.
#5684.
lua_package_path option precedence over LUA_PATH environment
variable.
#5729.
USR2 signal.
#5657.
sni is duplicated error when sending multiple SNIs as body
arguments and an SNI on URL that matched one from the body.
#5660.
Released 2020/02/27
This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
Released 2020/02/04
This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
Authorization headers with missing access_token correctly.
#5514.
Thanks, jeremyjpj0916!
Released 2020/01/20
This is a new major release of Kong, including new features such as Hybrid mode, Go language support for plugins and buffered proxying, and much more.
Kong 2.0.0 removes the deprecated service mesh functionality, which has been retired in favor of Kuma, as Kong continues to focus on its core gateway capabilities.
Please note that Kong 2.0.0 also removes support for migrating from versions
below 1.0.0. If you are running Kong 0.x versions below 0.14.1, you need to
migrate to 0.14.1 first, and once you are running 0.14.1, you can migrate to
Kong 1.5.0, which includes special provisions for migrating from Kong 0.x,
such as the kong migrations migrate-apis command, and then finally to Kong
2.0.0.
Note: if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's OpenResty patches (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our kong-build-tools repository will allow you to do both easily.
transformations in DAO schemas now also support on_read,
allowing for two-way (read/write) data transformations between
Admin API input/output and database storage.
#5100
threshold attribute for health checks
#5206
stream_listen now supports the backlog option.
#5346
kong.core_cache and kong.cache. The core_cache region is
used by the Kong core to store configuration data that doesn't
change often. The other region is used to store plugin
runtime data that is dependent on traffic pattern and user
behavior. This change should decrease the cache contention
between Kong core and plugins and result in better performance
overall.
mem_cache_size configuration option to set their size,
so when upgrading from a previous Kong version, the cache
memory consumption might double if this value is not adjusted
#5114
kong config init now accepts a filename argument
#4451
nginx_main_,
nginx_events and nginx_supstream_ (upstream in stream
mode).
#5390
reuseport option in the listen directive by default
and allow specifying both reuseport and backlog=N in the
listener flags.
#5332
lua_ssl_trusted_certificate at startup
#5345
/upstreams/<id>/health?balancer_health=1 attribute for
detailed information about balancer health based on health
threshold configuration
#5206
kong.service.request.enable_buffering,
kong.service.response.get_raw_body and
kong.service.response.get_body for use with buffered proxying
#5315
authenticated_groups support
#5108
size_unit configuration option.
#5214
conf.message before sending
response back with body object included.
#5202
X-Credential-Identifier header in response --
Thanks davinwang for the patch!
#4993
url shorthand
#5315
tls are now supported in stream mode by adding an
entry in stream_listen with the ssl keyword enabled.
#5346
service = null when creating a route for use with
serverless plugins such as aws-lambda, or request-termination.
#5353
origins property which was used for service mesh.
#5351
transparent property which was used for service mesh.
#5350
nginx_optimizations property; the equivalent settings
can be performed via Nginx directive injections.
#5390
nginx_http_upstream_
and nginx_http_status_ were renamed to nginx_upstream_ and
nginx_status_ respectively.
#5390
Released 2020/02/19
This is a patch release over 1.5.0, fixing a minor issue in the kong migrations migrate-apis
command, which assumed execution in a certain order in the migration process. This now
allows the command to be executed prior to running the migrations from 0.x to 1.5.1.
kong migrations migrate-apis
#5572
Released 2020/01/20
Kong 1.5.0 is the last release in the Kong 1.x series, and it was designed to
help Kong 0.x users upgrade out of that series and into more current releases.
Kong 1.5.0 includes two features designed to ease the transition process: the
new kong migrations migrate-apis commands, to help users migrate away from
old apis entities which were deprecated in Kong 0.13.0 and removed in Kong
1.0.0, and a compatibility flag to provide better router compatibility across
Kong versions.
path_handling attribute in Routes entities, which selects the behavior
the router will have when combining the Service Path, the Route Path, and
the Request path into a single path sent to the upstream. This attribute
accepts two values, v0 or v1, making the router behave as in Kong 0.x or
Kong 1.x, respectively. #5360
kong migrations migrate-apis, which converts any existing
apis from an old Kong 0.x installation and generates Route, Service and
Plugin entities with equivalent configurations. The converted routes are
set to use path_handling = v0, to ensure compatibility.
#5176
Released 2020/01/09
:warning: This release includes a security fix to address potentially sensitive information being written to the error log file. This affects certain uses of the Admin API for DB-less mode, described below.
This is a patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
error.log when posting it with /config and using _format_version
as a top-level parameter (instead of embedded in the config parameter).
#5411
Released 2019/12/10
This is another patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
Released 2019/12/03
This is a patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
preserve_host behavior for gRPC routes
#5225
kong config db_export when reading
entities that are ttl-enabled and whose ttl value is null.
#5185
Released on 2019/10/22
.all. / .noarch. to be
architecture specific namely .arm64. and .amd64.
cassandra_refresh_frequency to set
the frequency that Kong will check for Cassandra cluster topology changes,
avoiding restarts when Cassandra nodes are added or removed.
#5071
transformations property in DAO schemas, which allows adding functions
that run when database rows are inserted or updated.
#5047
hostname has been added to upstreams entities. This
attribute is used as the Host header when proxying requests through Kong
to servers that are listening on server names that are different from the
names to which they resolve.
#4959
X-Kong-Admin-Latency, reporting the time
taken by Kong to process an Admin API request.
#4966
service_mesh which enables or disables
the Service Mesh functionality. The Service Mesh is being deprecated and
will not be available in the next releases of Kong.
#5124
router_update_frequency that allows setting the
frequency that router and plugins will be checked for changes. This new
option avoids performance degradation when Kong routes or plugins are
frequently changed. #4897
local policy counters expire using the shared
dictionary's TTL, avoiding keeping unnecessary counters in memory. Thanks
cb372 for the patch!
#5029
proxy_ssl* directives, so it is being discontinued in the next
major release of Kong. In this release it is disabled by default, avoiding
this issue, and it can be enabled as aforementioned in the configuration
section. #5124
cluster_events in high-changing scenarios were fixed.
#5118 # characters in parsed KONG_*
environment variables. #5062
Released on 2019/08/21
Kong 1.3 is the first version to officially support gRPC proxying!
Following our vision for Kong to proxy modern Web services protocols, we are excited for this newest addition to the family of protocols already supported by Kong (HTTP(s), WebSockets, and TCP). As we have recently stated in our latest Community Call, more protocols are to be expected in the future.
Additionally, this release includes several highly-requested features such as
support for upstream mutual TLS, header-based routing (not only
Host), database export, and configurable upstream keepalive
timeouts.
Note: if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's OpenResty patches (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our new openresty-build-tools repository will allow you to do both easily.
upstream_keepalive configuration property is deprecated, and
replaced by the new nginx_http_upstream_keepalive property. Its behavior is
almost identical, but the notable difference is that the latter leverages the
injected Nginx directives feature added in Kong 0.14.0.
In future releases, we will gradually increase support for injected Nginx
directives. We have high hopes that this will remove the occasional need for
custom Nginx configuration templates.
#4382
grpc and
grpcs correspond to gRPC over h2c and gRPC over h2. They can be specified
on a Route or a Service's protocol attribute (e.g. protocol = grpcs).
When an incoming HTTP/2 request matches a Route with a grpc(s) protocol,
the request will be handled by the
ngx_http_grpc_module,
and proxied to the upstream Service according to the gRPC protocol
specifications. :warning: Note that not all Kong plugins are compatible with
gRPC requests yet. #4801
client_certificate attribute, which is a foreign key
to a Certificate entity. If specified, Kong will use the Certificate as a
client TLS cert during the upstream TLS handshake.
#4800
Host). The Route entity now
has a new headers attribute, which is a map of headers names and values.
E.g. { "X-Forwarded-Host": ["example.org"], "Version": ["2", "3"] }.
#4758
algorithm attribute
has been added to the Upstream entity. It can be set to "round-robin"
(default), "consistent-hashing", or "least-connections".
#4528
/ca_certificates Admin API endpoint. CA Certificates entities
will be used as CA trust store by Kong. Certificates stored by this entity
need not include their private key.
#4798
kong.conf file describes injected Nginx directives
(added to Kong 0.14.0) and specifies a few default ones.
In future releases, we will gradually increase support for injected Nginx
directives. We have high hopes that this will remove the occasional need for
custom Nginx configuration templates.
#4382
nginx_http_upstream_keepalive_requests and
nginx_http_upstream_keepalive_timeout respectively control the maximum
number of proxied requests and idle timeout of an upstream connection.
#4382
*_listen properties: deferred, bind,
and reuseport.
#4692
kong config db_export CLI
command. This command will export the configuration present in the database
Kong is connected to (Postgres or Cassandra) as a YAML file following Kong's
declarative configuration syntax. This file can thus be imported later on
in a DB-less Kong node or in another database via kong config db_import.
#4809
/services/:services/routes/:routes is now a valid API
endpoint.
#4713
form-urlencoded payloads with deeply nested data
structures. Previously, it was only possible to send such data structures
via JSON payloads.
#4768
config.ldaps property allows configuring the plugin to
connect to the LDAP server via TLS. It provides LDAPS support instead of only
relying on STARTTLS.
#4743
header_names property accepts an array of header names
the JWT plugin should inspect when authenticating a request. It defaults to
["Authorization"].
#4757
kong.service.set_tls_cert_key(). This function sets the
client TLS certificate used while handshaking with the upstream service.
#4797
Upgrade header.
#4780
hosts attribute shadowing another Route's wildcard
hosts attribute. Details of the issue can be seen in
01b1cb8.
#4775
kong restart and Kong was not running,
causing stdout/stderr logging to turn off.
#4772
kong.response.add_header works in the rewrite phase.
#4888
Released on 2019/08/14
:warning: This release includes patches to the NGINX core (1.13.6) fixing vulnerabilities in the HTTP/2 module (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
This is a patch release in the 1.2 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
Released on 2019/06/26
This is a patch release in the 1.2 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
Upgrade response header.
#4719
/config endpoint when configuring
Upstream entities. This issue was mostly observed by users of the Kong
Ingress Controller.
#4733
LOCAL_SERIAL when a
datacenter-aware load balancing policy is in use. This fixes unavailability
exceptions sometimes experienced when connecting to a multi-datacenter
cluster with cross-datacenter connectivity issues.
#4734
false in some schema rules, such as { type = "boolean", eq = false }.
#4708
#4727
cassandra_local_datacenter configuration property is specified
when a datacenter-aware Cassandra load balancing policy is in use.
#4734
Released on: 2019/06/07
This release brings improvements to reduce long latency tails, consolidates declarative configuration support, and comes with newly open sourced plugins previously only available to Enterprise customers. It also ships with new features improving observability and usability.
This release includes database migrations. Please take a few minutes to read the 1.2 Upgrade Path for more details regarding changes and migrations before planning to upgrade your Kong cluster.
kong-community-edition-* to kong-*.
kong-community-edition
to kong.
For more details about the updated installation, please visit the official docs: https://konghq.com/install.
ssl_certificate_by_lua phase and the stream preread phase) is now able to
match a client hello SNI against any registered wildcard SNI. This is
particularly helpful for deployments serving a certificate for multiple
subdomains.
#4457
snis Route
attribute (previously only available for tls Routes) can now be set for
https Routes and is evaluated by the HTTP router.
#4633
https_redirect_status_code attribute specifying the status code to send
back to the client if a plain text request was sent to an https Route.
#4424
tcp and tls Routes.
#4333
router_consistency accepts two possible values: strict and eventual.
The former is the default setting and makes router rebuilds highly
consistent between Nginx workers. It can result in long tail latency if
frequent Routes and Services updates are expected. The latter helps
prevent long tail latency issues by instructing Kong to rebuild the router
asynchronously (with eventual consistency between Nginx workers).
#4639
db_cache_warmup_entities)
was introduced, allowing users to specify which entities should be preloaded.
DB cache warmup allows for ahead-of-time DNS resolution for Services with a
hostname. This feature reduces first requests latency, improving the overall
P99 latency tail.
#4565
pg_max_concurrent_queries sets the maximum number of
concurrent queries to the database, and pg_semaphore_timeout allows for
tuning the timeout when acquiring access to a database connection. The
default behavior remains the same, with no concurrency limitation.
#4551
/config endpoint now
accepts a check_hash query argument. Hash checking only happens if this
argument's value is set to 1.
#4609
/schemas/:entity_name/validate can be used to validate an instance
of any entity type in Kong without creating the entity itself.
#4413
/status endpoint. The response
now includes a memory field, which contains the lua_shared_dicts and
workers_lua_vms fields with statistics on shared dictionaries and workers
Lua VM memory usage.
#4592
kong.node.get_memory_stats(). This function returns statistics
on shared dictionaries and workers Lua VM memory usage, and powers the memory
statistics newly exposed by the /status endpoint.
#4632
BasePlugin is now optional. Avoiding
the inheritance paradigm improves plugins' performance.
#4590
http checks are not performed for tcp and tls
Services anymore; only tcp healthchecks are performed against such
Services.
#4616
kong db_import to support inserting entities without specifying a UUID
for their primary key. Entities with a unique identifier (e.g. name for
Services) can have their primary key omitted.
#4657
kong migrations [up|finish] -f commands do not run anymore if there
are no previously executed migrations.
#4617
token_expiration value when
migrating from previous Kong versions.
#4572
Released on: 2019/04/24
This is a patch release in the 1.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
Released on: 2019/03/28
This release contains a fix for 0.14 Kong clusters using Cassandra to safely migrate to Kong 1.1.
kong config init command to run without pointing to a prefix
directory.
#4451
Released on: 2019/03/27
This release introduces new features such as Declarative Configuration, DB-less Mode, Bulk Database Import, Tags, as well as Transparent Proxying. It contains a large number of other features and fixes, listed below. The Plugin Development Kit also saw a minor update, bumped to version 1.1.
This release includes database migrations. Please take a few minutes to read the 1.1 Upgrade Path for more details regarding changes and migrations before planning to upgrade your Kong cluster.
:large_orange_diamond: Post-release note (as of 2019/03/28): an issue has been found when migrating from a 0.14 Kong cluster to 1.1.0 when running on top of Cassandra. Kong 1.1.1 has been released to address this issue. Kong clusters running on top of PostgreSQL are not affected by this issue, and can migrate to 1.1.0 or 1.1.1 safely.
service attribute on
Routes is now optional; a Route without an assigned Service will
proxy transparently
#4286
tags field
protocols field in the Plugin entity, allowing plugin instances
to be set for specific protocols only (http, https, tcp or tls).
#4248
protocols field
kong.conf: database=off to start Kong without
a database
kong.conf: declarative_config=kong.yml to
load a YAML file using Kong's new declarative config
format
kong.conf: pg_schema to specify Postgres schema
to be used
nginx_stream_* (or KONG_NGINX_STREAM_* environment variables)
for injecting entries to the stream block
nginx_sproxy_* (or KONG_NGINX_SPROXY_* environment variables)
for injecting entries to the server block inside stream
kong config db_import kong.yml. This command upserts all
entities specified in the given kong.yml file in bulk
#4284
kong config init to generate a template kong.yml
file to get you started
kong config parse kong.yml to verify the syntax of
the kong.yml file before using it
--wait in kong quit to ease graceful termination when using orchestration tools
#4201
/config to replace the configuration of
Kong entities entirely, replacing it with the contents of a new
declarative config file
database=off configuration option,
the Admin API endpoints for entities (such as /routes and
/services) are read-only, since the configuration can only
be updated via /config
#4308
/consumers?tags=example_tag)
/services?tags=serv1,mobile to search for services matching tags serv1 and mobile
/services?tags=serv1/serv2 to search for services matching tags serv1 or serv2
/tags/ for listing entities by tag: /tags/example_tag
kong.client.get_protocol for obtaining the protocol
in use during the current request
#4307
kong.nginx.get_subsystem, so plugins can detect whether
they are running on the HTTP or Stream subsystem
#4358
stream_realip_module as well.
Kong in HTTP(S) Gateway scenarios does not require these patches.
#4163
PUT /{entities}/{entity}/plugins/{plugin}
#4288
/consumers?custom_id=
#4435
typ handling for supporting JOSE (JSON Object
Signature and Validation)
Thanks @cdimascio for the patch!
#4256
Released on: 2019/01/31
This is a patch release addressing several regressions introduced in some plugins, and improving the robustness of our migrations and core components.
regex_priority (e.g. if it was removed as
part of a PATCH) don't prevent the router from being built.
#4255
default = {} are
JSON-encoded as [].
#4257
preserve_host enabled).
#4253
(.*[.])?example\.org can now be used to match all
sub-domains, while regexes containing : will be evaluated against the
scheme and port of an origin (i.e.
^https?://(.*[.])?example\.org(:8000)?$).
#4261
global_credentials = false).
#4262
PUT method in auth plugins endpoints (e.g.
/consumers/:consumers/basic-auth/:basicauth_credentials) by preventing
an unnecessary read-before-write.
#4206
Released on: 2019/01/18
This is a hotfix release mainly addressing an issue when connecting to the datastore over TLS (Cassandra and PostgreSQL).
PUT get enabled without requiring a restart.
#4220
run_on field to top level plugin schema instead of its config.
kong-plugin-zipkin/pull/38
Released on: 2019/01/16
This is a patch release in the 1.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
:red_circle: Post-release note (as of 2019/01/17): A regression has been observed with this version, preventing Kong from starting when connecting to its datastore over TLS. Installing this version is discouraged; consider upgrading to 1.0.2.
lua_ssl_verify_depth works even when lua_ssl_trusted_certificate
is not set
#4165.
Thanks @rainest for the patch.
stream listener is enabled
#4195
public schemas
#4198
created_at
timestamps would occasionally display fractional values
#4183,
#4204
/upstreams endpoints
for health checks
#4132,
#4205
/plugins/schema/:name endpoint, as it was failing in
some cases (e.g. the datadog plugin) and producing incorrect
results in others (e.g. request-transformer).
#4136,
#4137
#4151,
#4162
Released on: 2018/12/18
This is a major release, introducing new features such as Service Mesh and Stream Routing support, as well as a New Migrations framework. It also includes version 1.0.0 of the Plugin Development Kit. It contains a large number of other features and fixes, listed below. Also, all plugins included with Kong 1.0 are updated to use version 1.0 of the PDK.
As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the 1.0 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
Being a major version, all entities and concepts that were marked as deprecated in Kong 0.x are now removed in Kong 1.0. The deprecated features are retained in Kong 0.15, the final entry in the Kong 0.x series, which is being released simultaneously to Kong 1.0.
Kong 1.0 includes all breaking changes from 0.15, as well as the removal of deprecated concepts.
custom_plugins directive is removed (deprecated since 0.14.0,
July 2018). Use plugins instead.
cassandra_lb_policy changed from RoundRobin to
RequestRoundRobin. This helps reduce the amount of new connections being
opened during a request when using the Cassandra strategy.
#4004
/apis
endpoint, are removed (deprecated since 0.13.0, March 2018). Use Routes
and Services instead.
apis was the last entity using it).
Use the new schema format instead in custom plugins.
To ease the transition of plugins, the plugin loader in 1.0 includes
a best-effort schema auto-translator, which should be sufficient for many
plugins.
kong.request.get_body will now return nil, err, mime
when the body is valid JSON but neither an object nor an array.
#4063
kong.db DAO, and their endpoints have been upgraded to
the new Admin API (see below for details).
#3689
#3739
#3778
A summary of the changes introduced in the new Admin API:
/consumers/x/plugins) instead
of querystring fields (/plugins?consumer_id=x).
PUT method has been reimplemented with idempotent behavior and has
been added to some entities that didn't have it.
For more details about the new Admin API, please visit the official docs: https://docs.konghq.com/
galileo plugin has been removed (deprecated since 0.13.0).
#3960
kong.tools.ip module was removed. Use kong.ip from the PDK instead.
kong.tools.public module was removed. Use the various equivalent
features from the PDK instead.
kong.tools.responses module was removed. Please use
kong.response.exit from the PDK instead. You might want to use
kong.log.err to log internal server errors as well.
kong.api.crud_helpers module was removed (deprecated since the
introduction of the new DAO in 0.13.0). Use kong.api.endpoints instead
if you need to customize the auto-generated endpoints.
kong.db module, and their APIs have been updated to the new Admin API,
which is described in the above section.
#3766
#3774
#3778
#3839
Kong's Service Mesh support resulted in a number of additions to Kong's configuration, Admin API, and plugins that deserve their own section in this changelog.
stream_listen config
option. #4009
origins config property allows overriding hosts from Kong.
#3679
transparent suffix added to stream listeners allows for setting up a
dynamic Service Mesh with iptables.
#3884
run_on field to control how they behave in a Service Mesh
environment.
#3930
#4066
preread. This is where stream traffic routing
is done.
dns_valid_ttl property can be set to forcefully override the TTL
value of all resolved DNS records.
#3730
pg_timeout property can be set to configure the timeout of PostgreSQL
connections. #3808
upstream_keepalive can now be disabled when set to 0.
Thanks @pryorda for the patch.
#3716
transparent suffix also applies to the proxy_listen directive.
kong.node module. #3826
kong.response.get_path_with_query() and
kong.request.get_start_time().
#3842
kong.response.get_source() returns error on nginx-produced errors.
#4006
kong.response.exit() can be used in the header_filter phase, but only
without a body. #4039
distinct, ne, is_regex, contains, gt.
name field (like Services).
#3764
is_proxy_integration property.
Thanks @aloisbarreras for the patch!
#3427.
/ in the upstream URL when the
request path was longer than the configured Route's path attribute.
#3780
kong.request.get_path() and other functions now properly handle cases
when $request_uri is nil.
#3842
/certificates endpoints properly return all SNIs configured on
a given certificate. #3722
upstreams/:upstream/targets/... endpoints return an empty JSON
array ([]) instead of an empty object ({}) when no targets exist.
#4058
application/x-www-form-urlencoded.
#3770
PATCH.
#3910
Vary: Origin is set when config.credentials is enabled.
Thanks @marckhouzam for the patch!
#3765
SELECT operations.
#3973
Released on: 2018/12/18
This is the last release in the 0.x series, giving users one last chance to upgrade while still using some of the options and concepts that were marked as deprecated in Kong 0.x and were removed in Kong 1.0.
For a list of additions and fixes in Kong 0.15, see the 1.0.0 changelog. This release includes all new features included in 1.0 (Service Mesh, Stream Routes and New Migrations), but unlike Kong 1.0, it retains a lot of the deprecated functionality, like the API entity, around. Still, Kong 0.15 does have a number of breaking changes related to functionality that has changed since version 0.14 (see below).
If you are starting with Kong, we recommend you to use 1.0.0 instead of this release.
If you are already using Kong 0.14, our recommendation is to plan to move to 1.0 -- see the 1.0 Upgrade Path document for details. Upgrading to 0.15.0 is only recommended if you can't do away with the deprecated features but you need some fixes or new features right now.
cassandra_lb_policy changed from RoundRobin to
RequestRoundRobin. This helps reduce the amount of new connections being
opened during a request when using the Cassandra strategy.
#4004
kong.request.get_body will now return nil, err, mime
when the body is valid JSON but neither an object nor an array.
#4063
kong.db DAO, and their endpoints have been upgraded to
the new Admin API (see below for details).
#3689
#3739
#3778
A summary of the changes introduced in the new Admin API:
/consumers/x/plugins) instead
of querystring fields (/plugins?consumer_id=x).
PUT method has been reimplemented with idempotent behavior and has
been added to some entities that didn't have it.
For more details about the new Admin API, please visit the official docs: https://docs.konghq.com/
kong.db module, and their APIs have been updated to the new Admin API,
which is described in the above section.
#3766
#3774
#3778
#3839
Kong 0.15.0 contains the same additions as 1.0.0. See the 1.0.0 changelog for a complete list.
Kong 0.15.0 contains the same fixes as 1.0.0. See the 1.0.0 changelog for a complete list.
Released on: 2018/08/21
hide_groups_header configuration option. If enabled, this
option prevents the plugin from injecting the X-Consumer-Groups header
into the upstream request.
Thanks @jeremyjpj0916 for the patch!
#3703
X-Consumer-Username: userdata: NULL in upstream requests headers, instead of not injecting this header at
all.
#3714
cassandra_contact_points = cassandra).
#3693
[postgres]).
#3648
kong.api tag.
kong-plugin-zipkin/commit/4a645e9
kong.credential tag.
kong-plugin-zipkin/commit/c627c36
conf.header_type property, which allows browsers to show the
authentication popup automatically. Thanks
@francois-maillard for the patch.
#3656
This release introduces the first version of the Plugin Development Kit: a Lua SDK, comprised of a set of functions to ease the development of custom plugins.
Additionally, it contains several major improvements consolidating Kong's
feature set and flexibility, such as the support for PUT endpoints on the
Admin API for idempotent workflows, the execution of plugins during
Nginx-produced errors, and the injection of Nginx directives without having
to rely on the custom Nginx configuration pattern!
Finally, new bundled plugins allow Kong to better integrate with Cloud Native environments, such as Zipkin and Prometheus.
As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the 0.14 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
server_tokens and latency_tokens configuration properties
have been removed. Instead, a new headers configuration property replaces
them and allows for more granular settings of injected headers (e.g.
Server, Via, X-Kong-*-Latency, etc...).
#3300lua_shared_dict entries must be added to the Nginx
configuration. You are not affected by this change if you do not use a custom
Nginx template.
#3557/certificates and /snis endpoints have
received notable usability improvements, but suffer from a few breaking
changes.
#3386/consumers endpoint has received notable usability improvements,
but suffers from a few breaking changes.
#3437db_cache_ttl is now 0 (disabled). Now that our level
of confidence around the new caching mechanism introduced in 0.11.0 is high
enough, we consider 0 (no TTL) to be an appropriate default for production
environments, as it offers a smoother cache consumption behavior and reduces
database pressure.
#3492db_resurrect_ttl
seconds (see configuration section).
#3579kong.conf file or via environment variables)! This new
way of customizing the Nginx configuration should render obsolete the old way
of maintaining a custom Nginx template in most cases!
#3530plugins configuration property is introduced, and is used to specify which
plugins should be loaded by the node. Custom plugins should now be specified
in this new property, and the custom_plugins property is deprecated.
If desired, Kong administrators can specify a minimal set of plugins to load
(instead of the default, bundled plugins), and improve P99 latency
thanks to the resulting decrease in database traffic.
#3387headers configuration property allows for specifying the injection
of a new header: X-Kong-Upstream-Status. When enabled, Kong will inject
this header containing the HTTP status code of the upstream response in the
client response. This is particularly useful for clients to distinguish
upstream statuses upon rewriting of the response by Kong.
#3263db_resurrect_ttl configuration property can be set to customize
the amount of time stale data can be resurrected for when it cannot be
refreshed. Defaults to 30 seconds.
#3579RequestRoundRobin
and RequestDCAwareRoundRobin. Both policies guarantee that the same peer
will be reused across several queries during the lifetime of a request, thus
guaranteeing no new connection will be opened against a peer during this
request.
#3545header_filter, body_filter, log). As such, Kong logging
plugins are not blind to such Nginx-produced errors anymore, and will start
properly reporting them. Plugins should be built defensively against cases
where their rewrite or access phases were not executed.
#3533access phase.
(See: https://github.com/Kong/kong-plugin-serverless-functions)
#3551config.maximum_expiration property can be set to indicate the maximum
number of seconds the exp claim may be ahead in the future.
Thanks @mvanholsteijn for the patch!
#3331us-gov-west-1 to the list of allowed regions.
#3529PUT in new endpoints (e.g. /services/{id or name}, /routes/{id}, /consumers/{id or username}), allowing the
development of idempotent configuration workflows when scripting the Admin
API.
#3416PATCH and DELETE on the /services/{name},
/consumers/{username}, and /snis/{name} endpoints.
#3416proxy_listen and admin_listen
configuration properties.
#35080.
#3478tcp_failures, and upstream timeouts were ignored.
Health check users should ensure that their timeout settings reflect their
intended behavior.
#3539Host header.
#3496Content-Type headers on HTTP 204 No Content responses.
#3351headers configuration
setting (previously server_tokens) and do not include the Server header
if not configured.
#3511access handler did not get a chance to run (e.g. on short-circuited,
unauthorized requests).
#3524/healthy and /unhealthy endpoints for upstream health checks
now properly propagate the new state to other nodes of a Kong cluster.
#3464/services with an empty
url argument.
#3452service.id when creating a Route). Previously some rows could have an empty
service_id field.
#3548/services, /routes,
/consumers) when using application/x-www-form-urlencoded MIME type.
#3416
This release contains numerous bug fixes and a few convenience features.
Notably, a best-effort/backwards-compatible approach is followed to resolve
no memory errors caused by the fragmentation of shared memory between the
core and plugins.
lua_shared_dict kong_db_cache_miss 12m;.
methods, hosts, or paths if at least
one of the three is specified in the body.
#3364config.key_claim_name values is looked for in the token header.
Thanks @brycehemme for the contribution!
#3313
Numerous users have reported no memory errors which were caused by
circumstantial memory fragmentation. Such errors, while still possible if
plugin authors are not careful, should now mostly be addressed.
#3311
If you are using a custom Nginx template, be sure to define the following shared memory zones to benefit from these fixes:
lua_shared_dict kong_db_cache_miss 12m;
lua_shared_dict kong_rate_limiting_counters 12m;
kong start when
nginx_daemon is enabled (such as when using the Kong Docker image). This
also prevents growing log files when Nginx redirects logs to /dev/stdout
and /dev/stderr but nginx_daemon is disabled.
#3297port to 443 when the url convenience parameter uses
the https:// scheme.
#3358null.
#3355/plugin/schema/:name endpoint does not corrupt plugins' schemas.
#3348/consumers/<consumer>/basic-auth/John%20Doe/).
#3250lua_shared_dict instead of using the kong_cache shared memory zone.
This prevents memory fragmentation issues resulting in no memory errors
observed by numerous users. Users with a custom Nginx template are advised
to define such a zone to benefit from this fix:
lua_shared_dict kong_rate_limiting_counters 12m;.
#3311config.key_in_body and config.hide_credentials are enabled.
Thanks @p0pr0ck5 for the patch!
#3213scope type.
Thanks @Gman98ish for the patch!
#3206$request_uri) request
line (instead of $uri).
#3339X-Amz-Log-Type header.
#3398
This release introduces two new core entities that will improve the way you configure Kong: Routes & Services. Those entities replace the "API" entity and simplify the setup of non-naive use-cases by providing better separation of concerns and allowing for plugins to be applied to specific endpoints.
As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the 0.13 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
proxy_listen and admin_listen configuration values have a
new syntax. This syntax is more aligned with that of NGINX and is more
powerful while also simpler. As a result, the following configuration values
have been removed because they are superfluous: ssl, admin_ssl, http2,
admin_http2, proxy_listen_ssl, and admin_listen_ssl.
#3147custom_plugin configuration value.
#3233latest tag on Docker Hub now points to the
alpine image instead of CentOS. This also applies to the 0.13.0 tag.
1.13.6.1. The 0.13.0 release should still be compatible with the OpenResty
1.11.2.x series for the time being.
2.0.0.
#32200.12.
#31960.5.5.
#33180.4.0.
#3321proxy_listen and admin_listen supports off, which
disables either one of those interfaces. It is now simpler than ever to
make a Kong node "Proxy only" (data-plane) or "Admin only" (control-plane).
#3147/routes and /services to interact with the new
core entities. More specific endpoints are also available such as
/services/{service id or name}/routes,
/services/{service id or name}/plugins, and /routes/{route id}/plugins.
#3224hosts[]=a.com&hosts[]=b.com, hosts[1]=a.com&hosts[2]=b.com, which
avoid comma-separated arrays and related issues that can arise.
In the future, existing endpoints will gradually be moved to using this new
Admin API content parser.
#3224ngx.ctx.authenticated_jwt_token is available for other plugins to use.
#2988host, port and metrics are no longer marked as
"required", since they have a default value.
#3209kong migrations reset command has a new --yes flag. This flag makes
the command run non-interactively, and ensures no confirmation prompt will
occur.
#3189/upstreams/:upstream_id/health will return the health of the
specified upstream.
#3232/ endpoint in the Admin API now exposes the node_id field.
#3234GET /certificates/{uuid} does not return HTTP 500 when the given
identifier does not exist.
Thanks to @vdesjardins for the patch!
#3148
This release addresses a few issues encountered with 0.12.0, including one which would prevent upgrading from a previous version. The 0.12 Upgrade Path is still relevant for upgrading existing clusters to 0.12.1.
access handler by
plugins.
38580ff
This major release focuses on two new features we are very excited about: health checks and hash based load balancing!
We also took this as an opportunity to fix a few prominent issues, sometimes
at the expense of breaking changes but overall improving the flexibility and
usability of Kong! Do keep in mind that this is a major release, and as such,
we require you to run the migrations step, via the
kong migrations up command.
Please take a few minutes to thoroughly read the 0.12 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
Starting with 0.12.0, we are announcing the deprecation of older versions of our supported databases:
Note that the above deprecated versions are still supported in this release, but will be dropped in subsequent ones.
:warning: By default, the Admin API now only listens on the local interface.
We consider this change to be an improvement in the default security policy
of Kong. If you are already using Kong, and your Admin API still binds to all
interfaces, consider updating it as well. You can do so by updating the
admin_listen configuration value, like so: admin_listen = 127.0.0.1:8001.
Thanks @pduldig-at-tw for the suggestion
and the patch.
#3016
:red_circle: Note to Docker users: Beware of this change as you may have
to ensure that your Admin API is reachable via the host's interface.
You can use the -e KONG_ADMIN_LISTEN argument when provisioning your
container(s) to update this value; for example,
-e KONG_ADMIN_LISTEN=0.0.0.0:8001.
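To check where a node's Admin API will actually bind after this change, the following added example (not part of Kong or of this changelog) resolves the effective `admin_listen` value from a `kong.conf` text plus a `KONG_ADMIN_LISTEN` environment override and classifies each address. It goes slightly beyond the 0.12 entry by also accepting the comma-separated form and the `off` value from 0.13; the function names and sample inputs are hypothetical.

```python
import ipaddress
import re

# Default since 0.12.0 according to the changelog entry above.
DEFAULT_ADMIN_LISTEN = "127.0.0.1:8001"


def _strip_comment(line):
    # In kong.conf '#' starts a comment unless it is escaped as '\#'.
    return re.split(r"(?<!\\)#", line, maxsplit=1)[0]


def effective_admin_listen(conf_text, env, default=DEFAULT_ADMIN_LISTEN):
    """Value in effect: KONG_ADMIN_LISTEN overrides kong.conf, which overrides the default."""
    value = default
    for raw in conf_text.splitlines():
        key, sep, val = _strip_comment(raw).partition("=")
        if sep and key.strip() == "admin_listen":
            value = val.strip()
    return env.get("KONG_ADMIN_LISTEN", value).strip()


def classify(entry):
    """Classify one listen entry such as '0.0.0.0:8444 ssl'."""
    addr = entry.split()[0]                 # drop trailing flags such as 'ssl'
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return "review"                     # not host:port, needs a human look
    try:
        ip = ipaddress.ip_address(host.strip("[]"))   # accept [::1]:8001
    except ValueError:
        return "review"                     # hostname or malformed address
    return "loopback" if ip.is_loopback else "non-loopback"


def audit_admin_listen(conf_text, env, default=DEFAULT_ADMIN_LISTEN):
    """Return [(entry, verdict)] for every address the Admin API will bind to."""
    value = effective_admin_listen(conf_text, env, default)
    if value.lower() == "off":
        return []                           # Admin API disabled on this node
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [(e, classify(e)) for e in entries]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    sample_conf = "admin_listen = 127.0.0.1:8001  # local only\n"
    docker_env = {"KONG_ADMIN_LISTEN": "0.0.0.0:8001"}
    for entry, verdict in audit_admin_listen(sample_conf, docker_env):
        print(f"{entry}: {verdict}")
```

A `non-loopback` verdict is the case to pair with network-level controls, since the Admin API is then reachable from other hosts.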
:warning: To reduce confusion, the /upstreams/:upstream_name_or_id/targets/
has been updated to not show the full list of Targets anymore, but only
the ones that are currently active in the load balancer. To retrieve the full
history of Targets, you can now query
/upstreams/:upstream_name_or_id/targets/all. The
/upstreams/:upstream_name_or_id/targets/active endpoint has been removed.
Thanks @hbagdi for tackling this backlog item!
#3049
:warning: The orderlist property of Upstreams has been removed, along with
any confusion it may have brought. The balancer is now able to fully function
without it, yet with the same level of entropy in its load distribution.
#2748
$ kong compile command which was deprecated in 0.11.0 has
been removed.
#3069request.request_uri field has been
renamed to request.url.
#2445
#3098/healthy and /unhealthy.
#3096hash_* attributes of the Upstream entity. Hashes can be based off client
IPs, request headers, or Consumers!
#2875kong.tools.responses module for this behavior to be respected.
#3079$ kong start now considers the commonly used /opt/openresty prefix when
searching for the nginx executable.
#3074/healthy and /unhealthy can be used to manually bring
upstream Targets up or down, as part of the new health checks feature of the
load balancer.
#3096upstream_uri now logs the value of the
upstream request's path. This is useful to help debugging plugins or setups
that aim at rewriting a request's URL during proxying.
Thanks @shiprabehera for the patch!
#2445config.cookie_names
property to configure the behavior to your liking.
Thanks @mvanholsteijn for the patch!
#2974config.auth_header_name property to customize the authorization
header's name.
Thanks @supraja93
#2928config.refresh_ttl property to customize the TTL of refresh tokens,
previously hard-coded to 14 days.
Thanks @bob983 for the patch!
#2942config.header_type property to customize the authorization method
in the Authorization header.
Thanks @francois-maillard for the
patch!
#2963$ kong quit.
#3061/certificates endpoint now properly supports the snis parameter
in PUT and PATCH requests.
Thanks @hbagdi for the contribution!
#3040HTTP/1.1 415 Unsupported Content Type response when
receiving a request with a valid Content-Type, but with an empty payload.
#3077:.
Thanks @nico-acidtango for the patch!
#3014
/key-auths/ to paginate through all keys.
/key-auths/:credential_key_or_id/consumer to retrieve the Consumer
associated with a key.
/basic-auths/ to paginate through all basic-auth credentials.
/basic-auths/:credential_username_or_id/consumer to retrieve the
Consumer associated with a credential.
/jwts/ to paginate through all JWTs.
/jwts/:jwt_key_or_id/consumer to retrieve the Consumer
associated with a JWT.
/hmac-auths/ to paginate through all hmac-auth credentials.
/hmac-auths/:hmac_username_or_id/consumer to retrieve the Consumer
associated with a credential.
/acls/ to paginate through all ACLs.
/acls/:acl_id/consumer to retrieve the Consumer
associated with an ACL.
admin_listen_ssl property, ensuring it contains
a valid port.
#3031/ endpoint, ensure enabled_in_cluster shows up as an empty JSON
Array ([]), instead of an empty JSON Object ({}).
Thanks @hbagdi for the patch!
#2982Authorization header to avoid internal
errors resulting in HTTP 500.
Thanks @mvanholsteijn for the patch!
#2996lua_code_cache configuration property. This setting has been
considered harmful since 0.11.0 as it interferes with Kong's internals.
#2854preserve_host is disabled. Such records used to throw
Lua errors on the proxy code path.
Kong/lua-resty-dns-client#19preserve_host would sometimes craft an upstream
request with a Host header from a previous client request instead of the
current one.
#2832kong migrations command. Self-signed SSL certificates are
now properly verified during migrations according to the
lua_ssl_trusted_certificate configuration property.
#2908/upstream/{upstream}/targets/active endpoint used to return HTTP
405 Method Not Allowed when called with a trailing slash. Both notations
(with and without the trailing slash) are now supported.
#2884500 error if configured globally.
#29060.0.0.0/0 CIDR block. This block is
now supported and won't trigger an error when used in this plugin's properties.
#2918run_on_preflight configuration option to control
authentication on preflight requests.
#2857run_on_preflight configuration option to control authentication
on preflight requests.
#2857preserve_host is disabled. Such records used to throw
Lua errors on the proxy code path.
Kong/lua-resty-dns-client#19400 errors thrown by Nginx are now correctly caught by Kong and return
a native, Kong-friendly response.
#2476uris and strip_uri = true
would not always strip the client URI.
#2562uris value) as a prefix instead of a longer, matching prefix from
another API.
#2662slots property.
#2747#) can now be escaped (\#) and included in the Kong
configuration values such as your datastore passwords or usernames.
#2411data response field of the /upstreams/{upstream}/targets/active
Admin API endpoint now returns a list ([]) instead of an object ({})
when no active targets are present.
#26190.0.0.0/0 CIDR block. This block is
now supported and won't trigger an error when used in this plugin's properties.
#2918
The latest and greatest version of Kong features improvements all over the board for a better and easier integration with your infrastructure!
The highlights of this release are:
As per usual, our major releases include datastore migrations which are considered breaking changes. Additionally, this release contains numerous breaking changes to the deployment process and proxying behavior that you should be familiar with.
We strongly advise that you read this changeset thoroughly, as well as the 0.11 Upgrade Path if you are planning to upgrade a Kong cluster.
kong start
anymore. Migrations are now a manual process, which must be executed via
the kong migrations command. In practice, this means that you have to run
kong migrations up [-c kong.conf] in one of your nodes before starting
your Kong nodes. This command should be run from a single node/container
to avoid several nodes running migrations concurrently and potentially
corrupting your database. Once the migrations are up-to-date, it is
considered safe to start multiple Kong nodes concurrently.
#2421db_update_frequency,
db_update_propagation, and db_cache_ttl. If you are using Cassandra, you
should pay particular attention to the db_update_propagation setting,
as you should not use the default value of 0.
#25611.11.2.4. OpenResty's LuaJIT can
now be built with Lua 5.2 compatibility.
#2489
#2790X-Forwarded-* and X-Real-IP headers were
trusted from any client by default, and forwarded upstream. With the
introduction of the new trusted_ips property (see the below "Added"
section) and to enforce best security practices, Kong does not trust
any client IP address by default anymore. This will make Kong not
forward incoming X-Forwarded-* headers if not coming from configured,
trusted IP address blocks. This setting also affects the API
check_https field, which itself relies on trusted X-Forwarded-Proto
headers only.
#2236http_if_terminated is now set to false
by default. For Kong to evaluate the client X-Forwarded-Proto header, you
must now configure Kong to trust the client IP (see above change), and
you must explicitly set this value to true. This affects you if you are
doing SSL termination somewhere before your requests hit Kong, and if you
have configured https_only on the API, or if you use a plugin that requires
HTTPS traffic (e.g. OAuth2).
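The two entries above change who is allowed to assert `X-Forwarded-*` values. The following added example (a simplified model written for this page, not Kong's code) shows the resulting decisions for `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` and for an `https_only` check; `X-Forwarded-For` is left out, and all function names, addresses and hostnames are constructed.

```python
import ipaddress


def is_trusted(client_ip, trusted_ips):
    """True if client_ip falls inside one of the configured trusted_ips blocks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(block, strict=False)
               for block in trusted_ips)


def _get(headers, name):
    # HTTP header names are case-insensitive.
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def upstream_forwarded_headers(client_ip, conn, incoming, trusted_ips):
    """Headers sent upstream.

    conn holds what the proxy itself observed on the connection
    (scheme, host, port). Values supplied by the client are kept only
    when the client address is in trusted_ips; otherwise they are
    overridden with the proxy's own values.
    """
    own = {
        "X-Forwarded-Proto": conn["scheme"],
        "X-Forwarded-Host": conn["host"],
        "X-Forwarded-Port": str(conn["port"]),
    }
    if not is_trusted(client_ip, trusted_ips):
        return own
    return {name: _get(incoming, name) or value for name, value in own.items()}


def passes_https_only(client_ip, conn_scheme, incoming, trusted_ips,
                      http_if_terminated=False):
    """Model of an https_only check in front of an API.

    A plain-HTTP request is accepted as "terminated HTTPS" only when
    http_if_terminated is explicitly true AND the client is trusted AND
    it sent X-Forwarded-Proto: https.
    """
    if conn_scheme == "https":
        return True
    if not http_if_terminated or not is_trusted(client_ip, trusted_ips):
        return False
    return (_get(incoming, "X-Forwarded-Proto") or "").lower() == "https"


if __name__ == "__main__":
    # Constructed sample: a TLS-terminating load balancer lives in 10.0.0.0/8.
    trusted = ["10.0.0.0/8"]
    conn = {"scheme": "http", "host": "api.example.test", "port": 8000}
    claimed = {"X-Forwarded-Proto": "https"}
    for client in ("10.1.2.3", "203.0.113.7"):
        print(client,
              upstream_forwarded_headers(client, conn, claimed, trusted),
              passes_https_only(client, "http", claimed, trusted, True))
```

With an empty `trusted_ips` list, which is the new default described above, every client-supplied value is overridden and a forwarded `https` claim never satisfies the check.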
#2588search and ndots
configuration options of your resolv.conf file. Make sure that DNS
resolution is still consistent in your environment, and consider
eventually not using FQDNs anymore.
#2425/cluster endpoint has disappeared.
#2561/status endpoint does not return a count of the
database entities anymore. Instead, it now returns a database.reachable
boolean value, which reflects the state of the connection between Kong
and the underlying database. Please note that this flag does not
reflect the health of the database itself.
#2567$upstream_uri variable. Custom plugins using the ngx.req.set_uri()
API will not be taken into consideration anymore. One must now set the
ngx.var.upstream_uri variable from the Lua land.
#2519hooks.lua module for custom plugins is dropped, along
with the database_cache.lua module. Database entities caching and
eviction has been greatly improved to simplify and automate most caching
use-cases. See the Plugins Development Guide and the 0.11 Upgrade Path
for more details.
#2561PRIORITY field of some
of our bundled plugins. If your custom plugin must run after or before a
specific bundled plugin, you might have to update your plugin's PRIORITY
field as well. The complete list of plugins and their priorities is available
on the Plugins Development Guide.
#2489
#2813kong compile command has been deprecated. Instead, prefer using
the new kong prepare command.
#2706.kong_env file created by Kong in its running prefix is now written
without world-read permissions.
#2611marshall_event function on schemas is now ignored by Kong, and can be
safely removed as the new cache invalidation mechanism natively handles
safer events broadcasting.
#2561uris property. Those regexes can have capturing groups which can
be extracted by Kong during a request, and accessed later in the plugins
(useful for URI rewriting). See the Proxy Guide for
documentation on how to use regex URIs.
#2681http2 directive now enables
HTTP/2 traffic on the proxy_listen_ssl address.
#2541search and ndots configuration options of
your resolv.conf file.
#2425X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Proto.
#2236real_ip_header configuration
property is set to real_ip_header = proxy_protocol, then Kong will
append the proxy_protocol parameter to the Nginx listen directive of
the Kong proxy port.
#2236trusted_ips configuration property allows you to define a list of
trusted IP address blocks that are known to send trusted X-Forwarded-*
headers. Requests from trusted IPs will make Kong forward those headers
upstream. Requests from non-trusted IP addresses will make Kong override
the X-Forwarded-* headers with its own values. In addition, this
property also sets the ngx_http_realip_module set_real_ip_from
directive(s), which makes Kong trust the incoming X-Real-IP header as
well, which is used for operations such as rate-limiting by IP address,
and that Kong forwards upstream as well.
#2236trusted_ips which sets the
set_real_ip_from directive(s), two new properties, real_ip_header
and real_ip_recursive allow you to configure the ngx_http_realip_module
directives bearing the same name.
#2236server_tokens and latency_tokens will respectively toggle
whether the Server and X-Kong-*-Latency headers should be sent to
downstream clients.
#2259client_max_body_size and client_body_buffer_size directives
(mirroring their Nginx counterparts). Note these settings are only
defined for proxy requests; request body handling in the Admin API
remains unchanged.
#2602error_default_type configuration property. This setting is to
specify a MIME type that will be used as the error response body format
when Nginx encounters an error, but no Accept header was present in the
request. The default value is text/plain for backwards compatibility.
Thanks @therealgambo for the
contribution!
#2500nginx_user configuration property, which interfaces with the Nginx
user directive.
Thanks @depay for the contribution!
#2180kong prepare command to prepare the Kong running prefix (creating
log files, SSL certificates, etc...) and allow for Kong to be started via
the nginx binary. This is useful for environments like containers,
where the foreground process should be the Nginx master process. The
kong compile command has been deprecated as a result of this addition.
#2706/consumers/:username_or_id/plugins/ and
/consumers/:username_or_id/plugins/:plugin_id.
#2714null in PATCH requests to unset a value on any
entity.
#2700X-Amz-Function-Error header is "Unhandled".
Thanks @erran for the contribution!
#2587enforce_headers option and added HMAC-SHA256,
HMAC-SHA384, and HMAC-SHA512 support.
#2644uris value) as a prefix instead of a longer, matching prefix from
another API.
#2662uris and strip_uri = true
would not always strip the client URI.
#2562400 errors thrown by Nginx are now correctly caught by Kong and return
a native, Kong-friendly response.
#2476#) can now be escaped (\#) and included in the Kong
configuration values such as your datastore passwords or usernames.
#2411data response field of the /upstreams/{upstream}/targets/active
Admin API endpoint now returns a list ([]) instead of an object ({})
when no active targets are present.
#2619unique constraint on OAuth2 client_secrets has been removed.
#2447unique constraint on JWT Credentials secrets has been removed.
#2548/oauth2/token, one can now pass the
client_id as a request body parameter, while client_id:client_secret is
passed via the Authorization header. This allows for better integration
with some OAuth2 flows proposed out there, such as from Cloudflare Apps.
Thanks @cedum for the patch!
#2577latencies.kong field used to omit the
time Kong spent in its Load Balancing logic, which includes DNS resolution
time. This latency is now included in latencies.kong.
#2494cluster policy. The number of round trips to the
database has been limited to the number of configured
limits.
#2488ssl_cipher_suite and ssl_ciphers configuration
properties to configure the desired set of accepted ciphers,
based on the Mozilla recommended TLS ciphers list.
#2555proxy_ssl_certificate and proxy_ssl_certificate_key
configuration properties. These properties configure the
Nginx directives bearing the same name, to set client
certificates to Kong when connecting to your upstream services.
#2556uris when said
APIs also define hosts and/or methods as well. Thanks
@leonzz for the patch.
#2523cassandra_ssl_verify is enabled).
#2531anonymous user isn't
configured.
#2508redis policy is in use and the config.redis_database
property is set.
#2481* wildcard when conf.origin was not specified
has been fixed.
#2518MAXNS setting (3) when parsing the
nameservers specified in resolv.conf.
#2290$request_uri property, instead
of $uri, in order to better handle percent-encoded URIs. A more detailed
explanation will be included in the below "Fixed" section.
#2377/ anymore. See the
below "Added" section for more details.
#2315rewrite handler to execute code in
the Nginx rewrite phase. This phase is executed prior to matching a
registered Kong API, and prior to any authentication plugin. As such, only
global plugins (neither tied to an API or Consumer) will execute this phase.
#2354server_tokens and latency_tokens will respectively toggle whether the
Server and X-Kong-*-Latency headers should be sent to downstream clients.
#2259cassandra_schema_consensus_timeout configuration property, to allow for
Kong to wait for the schema consensus of your Cassandra cluster during
migrations.
#2326DEBUG level.
#2410/upstreams/:name_or_id/targets/:target_or_id.
#2304consumer
field, which contains the properties of the authenticated Consumer
(id, custom_id, and username), if any, and a tries field, which
includes the upstream connection successes and failures of the load-
balancer.
#2367
#2429conf.http_endpoint parameter includes an authentication
section. Thanks @amir for the contribution.
#2432config.reopen property to close and reopen the log file on
every request, in order to effectively rotate the logs.
#2348401 Unauthorized on invalid claims instead of the previous
403 Forbidden status.
#2433config.credentials = true, we do not send an ACAO header with
value *. The ACAO header value will be that of the request's Origin:
header.
#2451Host header value, and thus also depends
on the preserve_host setting of your API. Thanks
@konrade for the original patch.
#2225uris property.
Generally, this change also avoids normalizing (and thus, potentially
altering) the request URI when trying to match an API's uris value. Instead
of relying on the Nginx $uri variable, we now use $request_uri.
#2377uris matching
rule of APIs that would falsely lead Kong into believing no API was matched
for what would actually be a valid request.
#2343hosts matching rule, then the
preserve_host flag would never be honored.
#2344X-Forwarded-For header sent to your upstream services by Kong is not
set from the Nginx $proxy_add_x_forwarded_for variable anymore. Instead,
Kong uses the $realip_remote_addr variable to append the real IP address
of a client, instead of $remote_addr, which can come from a previous proxy
hop.
#2236cassandra_timeout configuration property is now correctly taken into
consideration by Kong.
#2326config.anonymous parameter).
#2424config.anonymous
parameter for "OR" authentication, such plugins would override each other's
results and response headers, causing false negatives.
#2222cassandra_contact_points property does not contain any port
information. Those should be specified in cassandra_port. Thanks
@Vermeille for the contribution.
#2263resolver ${{DNS_RESOLVER}} directive. Values from the Kong
dns_resolver property will be flattened to a string and appended to the
directive.
#2386/snis and /certificates
endpoint.
#2285/certificates route used to not return the total and data JSON
fields. We now send those fields back instead of a root list of certificate
objects.
#2463/xxx_or_id will now also yield the
proper result if the xxx field is formatted as a UUID. Most notably, this
fixes a problem for Consumers whose username is a UUID, that could not be
found when requesting /consumers/{username_as_uuid}.
#2420
:warning: Serf has been downgraded to version 0.7 in our distributions,
although versions up to 0.8.1 are still supported. This fixes a problem when
automatically detecting the first non-loopback private IP address, which was
defaulted to 127.0.0.1 in Kong 0.10.0. Greater versions of Serf can still
be used, but the IP address needs to be manually specified in the
cluster_advertise configuration property.
:warning: The CORS Plugin parameter
config.origin is now config.origins.
#2203
:red_circle: Post-release note (as of 2017/05/12): A faulty behavior
has been observed with this change. Previously, the plugin would send the
* wildcard when config.origin was not specified. With this change, the
plugin does not send the * wildcard by default anymore. You will need
to specify it manually when configuring the plugin, with config.origins=*.
This behavior is to be fixed in a future release.
:white_check_mark: Update (2017/05/24): A fix to this regression has been released as part of 0.10.3. See the section of the Changelog related to this release for more details.
Admin API:
GET /upstreams/{name}/targets/active.
#2230DELETE /upstreams/{name}/targets/{target}.
Under the hood, this creates a new target with weight = 0 (the
correct way of disabling targets, which used to cause confusion).
#2256405 Method Not Allowed as expected.
#2213kong migrations command that would prevent it from running
correctly.
#2238us-west-2 region in schema.
#2257
Kong 0.10 is one of the most significant releases to this day. It ships with exciting new features that have been heavily requested for the last few months, such as load balancing, Cassandra 3.0 compatibility, Websockets support, internal DNS resolution (A and SRV records without Dnsmasq), and more flexible matching capabilities for APIs routing.
On top of those new features, this release received particular attention to performance, and brings many improvements and refactors that should make it perform significantly better than any previous version.
request_host and request_uri fields anymore. The 0.10 migrations
should upgrade your current API Objects, but make sure to read the new 0.10
Proxy Guide to learn the new routing
capabilities of Kong. On the good side, this means that Kong can now route
incoming requests according to a combination of Host headers, URIs, and HTTP
methods.
upstream_url are no longer allowed.
#2115TLS/1.0 and defaulting Upgrade
responses to TLS/1.2.
#21191.11.2.1 and 1.11.2.2. Support
for OpenResty 1.11.2.2 requires the --without-luajit-lua52 compilation
flag.
logs/admin_access.log.
#1782/upstreams and /targets entities of the Admin API.
#1587
#1735upstream block with a
configurable keepalive directive, thanks to the new nginx_keepalive
configuration property.
#1587
#1827ws protocol when Upgrade: websocket is present.
#1827admin_listen_ssl, admin_ssl, admin_ssl_cert and
admin_ssl_cert_key.
#1706upstream_connect_timeout, upstream_send_timeout, upstream_read_timeout
to specify, in milliseconds, a timeout value for requests between Kong and
your APIs.
#2036cluster_keyring_file property in the configuration file.
kong cluster keys .. CLI commands that expose the underlying
serf keys .. commands.
#2069lua_socket_pool_size property in configuration file.
#2109config.anonymous=<consumer_id> property, even non-authenticated requests
will be proxied by Kong, with the traditional Consumer headers set to the
designated anonymous consumer, but also with a X-Anonymous-Consumer
header. Multiple auth plugins will work in a logical OR fashion.
#1666 and
#2035
config.redis_database plugin property.
#1941
Host header.
#2045
cluster_listen_rpc property in
the configuration file. Thanks Jeremy Monin for the patch.
#1860
% character in proxied URLs encoding.
Thanks Thomas Jouannic for the patch.
#1998
#2040
kong start honors the --conf flag if a config file already exists
at one of the default locations (/etc/kong.conf, /etc/kong/kong.conf).
#1681
/ Admin API route which returns
the current node's configuration.
#1650
/ route.
#1650
kong start to stop an already running Kong node.
#1645
username.
#1570
username.
#1570
key.
#1570
key.
#1570
client_id and tokens by access_token.
#1570
2.0.0 which
properly namespaces our fork, avoiding conflicts with other versions of
pgmoon, such as the one installed by Lapis.
#1582
4xx errors.
#1567
unlimited value is now properly handled.
#1545
Content-Length header to get request/response body size when
log_bodies is disabled.
#1584
/plugins/enabled endpoint's response to be a JSON array, and
not an Object. #1529
The main focus of this release is Kong's new CLI. With a simpler configuration file, new settings, environment variables support, new commands as well as a new interpreter, the new CLI gives more power and flexibility to Kong users and allows for easier integration in your deployment workflow, as well as better testing for developers and plugin authors. Additionally, some new plugins and performance improvements are included as well as the regular bug fixes.
cassandra as your database.
resty-cli interpreter (see lua-resty-cli) instead of LuaJIT. As a result, the resty executable must be available in your $PATH (resty-cli is shipped in the OpenResty bundle) as well as the bin/kong executable. Kong does not rely on Luarocks installing the bin/kong executable anymore. This change of behavior is taken care of if you are using one of the official Kong packages.
kong start --template <file>, or by using kong compile to generate the Kong Nginx sub-configuration, and include it in a custom Nginx instance.
continue_on_error property is now called fault_tolerant.
continue_on_error property is now called fault_tolerant.
kong check command: validates a Kong configuration file.
request_host: internationalized url support; utf-8 domain names through punycode support and paths through %-encoding. #1300
cluster, local and redis), and for a new limit_by property to force rate-limiting by consumer, credential or ip.
cluster, local and redis), and for a new limit_by property to force rate-limiting by consumer, credential or ip.
upstream_stream latency metric. #1466
upstream_stream latency metric and tagging support for each metric. #1473
internal
- new test suite using resty-cli and removing the need to monkey-patch the ngx global.
- custom assertions and new helper methods (wait_until()) to gracefully fail in case of timeout.
- increase atomicity of the testing environment.
- lighter testing instance, only running 1 worker and not using Dnsmasq by default.
This release includes some bugfixes:
INFO, that was printed when starting up the first Kong node in a new cluster.
1.9.7.5.
nodes table when running on the same machine. #1281
algorithm is missing, it's now HS256 by default. This problem occurred when migrating from older versions of Kong.
redirect_uri field. #1264 and #1267
This release includes bugfixes and minor updates:
request_path. #1227
X-Ratelimit-Remaining-{limit_name} and introduces a new config.block_on_first_violation property. #1235
search_path configured on the database and its default value $user, public. #1196
?param= when proxying the request. #1210
cluster.ttl_on_failure is at least 60 seconds. #1199
TYP value in the header is not optional and case-insensitive. #1192
config.preflight_continue was enabled. #1240
This release includes some fixes and minor updates:
X-Forwarded-Host and X-Forwarded-Prefix to the upstream request headers. #1180
unique_users and request_per_user, that log the consumer information. #1179
This release includes support for PostgreSQL as Kong's primary datastore!
/consumers/:consumer/keyauth/ and /consumers/:consumer/basicauth/ routes (deprecated in 0.5.0). The new routes (available since 0.5.0 too) use the real name of the plugin: /consumers/:consumer/key-auth and /consumers/:consumer/basic-auth.
/. #992
X-Consumer-Groups to the request, so the upstream service can check what groups the consumer belongs to. #1154
ttl_on_failure option in the cluster configuration, to configure the TTL of failed nodes. #1125
port option when connecting to your Cassandra cluster instead of using the CQL default (9042). #1139
internal
- replace globals with singleton pattern thanks to @mars.
- fixed resolution mismatches when using deep paths in the path resolver.
Due to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to 1.9.7.3 which is not backwards compatible, and thus requires changes to be made to the nginx property of Kong's configuration file. See the 0.7 upgrade path for instructions.
However, by upgrading the underlying OpenResty version, source installations do not have to patch the NGINX core and use the old ssl-cert-by-lua branch of ngx_lua anymore. This will make source installations much easier.
1.9.7.*. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). #906
response.size metric. #923
config.async option to asynchronously increment counters to reduce latency at the cost of slightly reducing the accuracy. #912
config.continue_on_error option to keep proxying requests in case the datastore is unreachable. Rate-limiting operations will be disabled until the datastore is responsive again. #953
ngx.ssl conversion utilities, which preserve the certificate chain. #968
nodes table. #1008
This release contains tiny bug fixes that were especially annoying for complex Cassandra setups and power users of the Admin API!
timeout property for the Cassandra configuration. In ms, this timeout is effective as a connection and a reading timeout. #937
user Cassandra property to username (Kong looks for username, hence user would fail). #922
/plugins/:id route for PATCH method. #941
We recommend consulting the suggested 0.6 upgrade path for this release.
$PATH. #799
One of the biggest new features of this release is the cluster-awareness added to Kong in #729, which deserves its own section:
/cache endpoint for retrieving elements stored in the in-memory cache of a node.
/cluster endpoint used to add/remove/list members of the cluster, and also used internally for data propagation.
kong cluster command for cluster management.
kong status command for cluster healthcheck.
Other additions include:
total field in API responses, that counts the total number of entities in the datastore. #635
kong.yml. #625
strip_request_path does not add a trailing slash to the API's upstream_url anymore before proxying. #675
access_by_lua context) in cases such as the use of a custom nginx module. #594
strip_request_path). #765
next link is not being displayed anymore if there are no more entities to be returned. #635
created_at fields. #820
request_path validation for APIs. "/" is not considered a valid path anymore. #881
mimeType value is always a string in ALFs. #584
405 Method not allowed because the PATCH method was not implemented. #667
internal
- Event bus for local and cluster-wide events propagation. The plan is for this event bus to be widely used across Kong in the future.
- The Kong Public Lua API (Lua helpers integrated in Kong such as DAO and Admin API helpers) is now documented with ldoc.
- Work has been done to restore the reliability of the CI platforms.
- Migrations can now execute DML queries (instead of DDL queries only). Handy for migrations implying plugin configuration changes, plugin renamings, etc. #770
A few fixes requested by the community!
nginx in your $PATH variable.
Fixing a few glitches we let out with 0.5.0!
X-Credential-Username to the upstream server.
WWW-Authenticate header for HTTP 401 responses for basic-auth and key-auth. #588
With new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention.
Several breaking changes are introduced. You will have to slightly change your configuration file and a migration script will take care of updating your database cluster. Please follow the instructions in UPGRADE.md for an update without downtime.
hosts property was renamed to contact_points. #513
public_dns -> request_host
path -> request_path
strip_path -> strip_request_path
target_url -> upstream_url
plugins_configurations have been renamed to plugins, and their value property has been renamed to config to avoid confusion. #513
Old route -> New route
/consumers/:consumer/keyauth -> /consumers/:consumer/key-auth
/consumers/:consumer/keyauth/:id -> /consumers/:consumer/key-auth/:id
/consumers/:consumer/basicauth -> /consumers/:consumer/basic-auth
/consumers/:consumer/basicauth/:id -> /consumers/:consumer/basic-auth/:id
The old routes are still maintained but will be removed in upcoming versions. Consider them deprecated.
/plugins/enabled.
/plugins/schema/{plugin name}.
Proxy-Authorization header. #460
Expect: 100-continue header is being sent. #408
/api/{api_name_or_id}/plugins/{plugin_name_or_id} changed to /api/{api_name_or_id}/plugins/{plugin_id} to avoid requesting the wrong plugin if two are configured for one API. #482
name but with a request_path will now have a name which defaults to the set request_path. #547
http://kong:8001/consumers/{consumer}/oauth2/{oauth2_id}. #469
authenticated_userid on Password Grant. #476
/oauth2/authorize and /oauth2/token endpoints in the OAuth 2.0 Plugin when an API with a path is being consumed using the public_dns instead. #503
X-Authenticated-UserId in the client_credentials and password flows. #535
Content-Type header.
preserve_host flag on APIs to preserve the Host header when a request is proxied. #444
cassandra.port property in configuration. Ports are specified by having cassandra.hosts addresses using the host:port notation (RFC 3986). #457
nginx_working_dir.
strip_path option wrongfully matching the path property multiple times in the request URI. #442
strip_path option enabled. #431
public_dns. #381 #297
path property now accepts arbitrary depth. #310
$ kong migrations reset now asks for confirmation. #365
internal
/apis/{name_or_id}/plugins. #98 #257
PUT method for endpoints such as /apis/, /apis/plugins/, /consumers/
application/json and x-www-form-urlencoded Content Types for all PUT, POST and PATCH endpoints by passing a Content-Type header. #236
target_url value are now being caught when creating an API. #149
internal
- Schemas:
- New property type: array. #277
- Entities schemas now live in their own files and are starting to be unit tested.
- Subfields are handled better: (notify required subfields and auto-vivify if subfield has default values).
- Way faster unit tests. Not resetting the DB anymore between tests.
- Improved coverage computation (exclude vendor/).
- Travis now lints kong/.
- Way faster Travis setup.
- Added a new HTTP client for in-nginx usage, using the cosocket API.
- Various refactorings.
- Fix #196.
- Disabled ipv6 in resolver.
This is a maintenance release including several bug fixes and usability improvements.
name is now an optional property for APIs. If none is being specified, the name will be the API public_dns. #181
set_keepalive on Cassandra sockets.
internal
- Separate Migrations from the DAO factory.
- Update dev config + Makefile rules (run becomes start).
- Introducing an ngx stub for unit tests and CLI.
- Switch many PCRE regexes to using patterns.
First public release of Kong. This version brings a lot of internal improvements as well as more usability and a few additional plugins.
proxy_port and api_admin_port. #142
/apis or /consumers.
internal
- All scripts moved to the CLI as "hidden" commands (kong db, kong config).
- More tests as always, and they are structured better. The coverage went down mainly because of plugins which will later move to their own repos. We are all eagerly waiting for that!
- src/ was renamed to kong/ for ease of development
- All system dependencies versions for package building and travis-ci are now listed in versions.sh
- DAO doesn't need to :prepare() prior to run queries. Queries can be prepared at runtime. #146
kong start.
First public beta. Includes caching and better usability.
1.7.10.1.
kong start using a new DB keyspace will automatically migrate the schema. #68
kong.yml).
plugins_installed was renamed to plugins_available. #59
plugins_available doesn't matter anymore. #17
bin/kong now defaults on /etc/kong.yml for config and /var/logs/kong for output. #71
rollback now behaves as expected. #8
Server header now sends Kong. #57
internal
- We now have code linting and coverage.
- Faker and Migrations instances don't live in the DAO Factory anymore, they are only used in scripts and tests.
- scripts/config.lua allows environment based configurations. make dev generates a kong.DEVELOPMENT.yml and kong_TEST.yml. Different keyspaces and ports.
- spec_helpers.lua allows tests to not rely on the Makefile anymore. Integration tests can run 100% from busted.
- Switch integration testing from [httpbin.org] to [mockbin.com].
- core plugin was renamed to resolver.
First version running with Cassandra.
bin/kong script.
db.lua).