Individual unreleased changelog entries can be located at changelog/unreleased. They will be assembled into CHANGELOG.md once released.
-
Improved proxy performance by refactoring internal hooking mechanism. #12784
-
Sped up the router matching when the
router_flavor
istraditional_compatible
orexpressions
. #12467
- Opentelemetry: Increased queue max batch size to 200. #12488
- AI Proxy: To support the new messages API of
Anthropic
, the upstream path of theAnthropic
forllm/v1/chat
route type has changed from/v1/complete
to/v1/messages
. #12699
-
Bumped atc-router from v1.6.0 to v1.6.2 #12231
-
Bumped libexpat to 2.6.2 #12910
-
Bumped lua-kong-nginx-module from 0.8.0 to 0.11.0 #12752
-
Bumped lua-protobuf to 0.5.1 #12834
-
Bumped lua-resty-acme to 0.13.0 #12909
-
Bumped lua-resty-aws from 1.3.6 to 1.4.1 #12846
-
Bumped lua-resty-lmdb from 1.4.1 to 1.4.2 #12786
-
Bumped lua-resty-openssl from 1.2.0 to 1.3.1 #12665
-
Bumped lua-resty-timer-ng to 0.2.7 #12756
-
Bumped PCRE from the legacy libpcre 8.45 to libpcre2 10.43 #12366
-
Bumped penlight to 1.14.0 #12862
-
Added package
tzdata
to DEB Docker image for convenient timezone setting. #12609 -
Bumped lua-resty-http to 0.17.2. #12908
-
Bumped LuaRocks from 3.9.2 to 3.11.0 #12662
-
Bumped
ngx_wasm_module
to91d447ffd0e9bb08f11cc69d1aa9128ec36b4526
#12011 -
Bumped
V8
version to12.0.267.17
#12704 -
Bumped
Wasmtime
version to19.0.0
#12011 -
Improved the robustness of lua-cjson when handling unexpected input. #12904
-
TLSv1.1 and lower versions are disabled by default in OpenSSL 3.x. #12420
-
Introduced
nginx_wasm_main_shm_kv
configuration parameter, which enables Wasm filters to use the Proxy-Wasm operationsget_shared_data
andset_shared_data
without namespaced keys. #12663 -
Schema: Added a deprecation field attribute to identify deprecated fields #12686
-
Added the
wasm_filters
configuration parameter for enabling individual filters #12843
-
Added
events:ai:response_tokens
,events:ai:prompt_tokens
andevents:ai:requests
to the anonymous report to start counting AI usage #12924 -
Improved config handling when the CP runs with the router set to the
expressions
flavor:- If mixed config is detected and a lower DP is attached to the CP, no config will be sent at all
- If the expression is invalid on the CP, no config will be sent at all
- If the expression is invalid on a lower DP, it will be sent to the DP and DP validation will catch this and communicate back to the CP (this could result in partial config application) #12967
-
The route entity now supports the following fields when the
router_flavor
isexpressions
:methods
,hosts
,paths
,headers
,snis
,sources
,destinations
, andregex_priority
. The meaning of these fields are consistent with the traditional route entity. #12667
- Added the
latencies.receive
property to the log serializer #12730
-
AI Proxy now reads most prompt tuning parameters from the client, while the plugin config parameters under
model_options
are now just defaults. This fixes support for using the respective provider's native SDK. #12903 -
AI Proxy now has a
preserve
option forroute_type
, where the requests and responses are passed directly to the upstream LLM. This is to enable compatibility with any and all models and SDKs that may be used when calling the AI services. #12903 -
Prometheus: Added workspace label to Prometheus plugin metrics. #12836
-
AI Proxy: Added support for streaming event-by-event responses back to the client on supported providers. #12792
-
AI Prompt Guard: Increased the maximum length of regex expressions to 500 for the allow and deny parameters. #12731
-
Addded support for EdDSA algorithms in JWT plugin #12726
-
Added support for ES512, PS256, PS384, PS512 algorithms in JWT plugin #12638
-
OpenTelemetry, Zipkin: The propagation module has been reworked. The new options allow better control over the configuration of tracing headers propagation. #12670
- Added support for debugging with EmmyLuaDebugger. This feature is a tech preview and not officially supported by Kong Inc. for now. #12899
- Fixed an issue where the
pg_timeout
was overridden to60s
even if--db-timeout
was not explicitly passed in CLI arguments. #12981
-
Fixed the default value in kong.conf.default documentation from 1000 to 10000 for the
upstream_keepalive_max_requests
option. #12643 -
Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API. #12718
-
Disabled usage of the Lua DNS resolver from proxy-wasm by default. #12825
-
Set security level of gRPC's TLS to 0 when
ssl_cipher_suite
is set toold
. #12613
-
Fixed an issue where
POST /config?flatten_errors=1
could not return a proper response if the input included duplicate upstream targets. #12797 -
DNS Client: Ignore a non-positive values on resolv.conf for options timeout, and use a default value of 2 seconds instead. #12640
-
Updated the file permission of
kong.logrotate
to 644. #12629 -
Fixed a problem on hybrid mode DPs, where a certificate entity configured with a vault reference may not get refreshed on time. #12868
-
Fixed the missing router section for the output of the request-debugging. #12234
-
Fixed an issue in the internal caching logic where mutexes could get never unlocked. #12743
-
Fixed an issue where the router didn't work correctly when the route's configuration changed. #12654
-
Fixed an issue where SNI-based routing didn't work using
tls_passthrough
and thetraditional_compatible
router flavor. #12681 -
Fixed a bug that
X-Kong-Upstream-Status
didn't appear in the response headers even if it was set in theheaders
parameter in thekong.conf
file when the response was hit and returned by the Proxy Cache plugin. #12744 -
Fixed vault initialization by postponing vault reference resolving on init_worker #12554
-
Fixed a bug that allowed vault secrets to refresh even when they had no TTL set. #12877
-
Vault: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix #12572
-
Core: Fixed unexpected table nil panic in the balancer's stop_healthchecks function #12865
-
Use
-1
as the worker ID of privileged agent to avoid access issues. #12385 -
Plugin Server: Fixed an issue where Kong failed to properly restart MessagePack-based pluginservers (used in Python and Javascript plugins, for example). #12582
-
Reverted the hard-coded limitation of the
ngx.read_body()
API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes. #12658 -
Each Kong cache instance now utilizes its own cluster event channel. This approach isolates cache invalidation events and reducing the generation of unnecessary worker events. #12321
-
Updated telemetry collection for AI Plugins to allow multiple plugins data to be set for the same request. #12583
-
PDK: Fixed
kong.request.get_forwarded_port
to always return a number, which was caused by an incorrectly stored string value inngx.ctx.host_port
. #12806 -
The value of
latencies.kong
in the log serializer payload no longer includes the response receive time, so it now has the same value as theX-Kong-Proxy-Latency
response header. Response receive time is recorded in the newlatencies.receive
metric, so if desired, the old value can be calculated aslatencies.kong + latencies.receive
. Note: this also affects payloads from all logging plugins that use the log serializer:file-log
,tcp-log
,udp-log
,http-log
,syslog
, andloggly
, e.g. descriptions of JSON objects for the HTTP Log Plugin's log format. #12795 -
Tracing: enhanced robustness of trace ID parsing #12848
-
AI-proxy-plugin: Fixed the bug that the
route_type
/llm/v1/chat
didn't include the analytics in the responses. #12781 -
ACME: Fixed an issue where the certificate was not successfully renewed during ACME renewal. #12773
-
AWS-Lambda: Fixed an issue where the latency attributed to AWS Lambda API requests was counted as part of the latency in Kong. #12835
-
Jwt: Fixed an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms. #12724
-
Added WWW-Authenticate headers to all 401 responses in the Key Auth plugin. #11794
-
Opentelemetry: Fixed an OTEL sampling mode Lua panic bug, which happened when the
http_response_header_for_traceid
option was enabled. #12544 -
Improve error handling in AI plugins. #12991
-
ACME: Fixed migration of redis configuration. #12989
-
Response-RateLimiting: Fixed migration of redis configuration. #12989
-
Rate-Limiting: Fixed migration of redis configuration. #12989
- Admin API: fixed an issue where calling the endpoint
POST /schemas/vaults/validate
was conflicting with the endpoint/schemas/vaults/:name
which only has GET implemented, hence resulting in a 405. #12607
-
Fixed a bug where, if the the ulimit setting (open files) was low, Kong would fail to start as the
lua-resty-timer-ng
exhausted the availableworker_connections
. Decreased the concurrency range of thelua-resty-timer-ng
library from[512, 2048]
to[256, 1024]
to fix this bug. #12606 -
Fix an issue where external plugins using the protobuf-based protocol would fail to call the
kong.Service.SetUpstream
method with an errorbad argument #2 to 'encode' (table expected, got boolean)
. #12727
-
Kong Manager now supports creating and editing Expressions routes with an interactive in-browser editor with syntax highlighting and autocompletion features for Kong's Expressions language. #217
-
Kong Manager now groups the parameters to provide a better user experience while configuring plugins. Meanwhile, several issues with the plugin form page were fixed. #195 #199 #201 #202 #207 #208 #209 #213 #216
- Improved the user experience in Kong Manager by fixing various UI-related issues. #185 #188 #190 #195 #199 #201 #202 #207 #208 #209 #213 #216
- Opentelemetry: increase queue max batch size to 200 #12542
- Bumped lua-resty-openssl to 1.2.1 #12669
- now TLSv1.1 and lower is by default disabled in OpenSSL 3.x #12556
-
Fixed default value in kong.conf.default documentation from 1000 to 10000 for upstream_keepalive_max_requests option. #12648
-
Set security level of gRPC's TLS to 0 when ssl_cipher_suite is set to old #12616
-
Fix the missing router section for the output of the request-debugging #12649
-
revert the hard-coded limitation of the ngx.read_body() API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes. #12666
- Fix a bug where the ulimit setting (open files) is low Kong will fail to start as the lua-resty-timer-ng exhausts the available worker_connections. Decrease the concurrency range of the lua-resty-timer-ng library from [512, 2048] to [256, 1024] to fix this bug. #12608
-
Bumped the concurrency range of the lua-resty-timer-ng library from [32, 256] to [512, 2048]. #12275
-
Cooperatively yield when building statistics of routes to reduce the impact to proxy path latency. #12013
-
Bump
dns_stale_ttl
default to 1 hour so stale DNS record can be used for longer time in case of resolver downtime. #12087 -
Bumped default values of
nginx_http_keepalive_requests
andupstream_keepalive_max_requests
to10000
. These changes are optimized to work better in systems with high throughput. In a low-throughput setting, these new settings may have visible effects in loadbalancing - it can take more requests to start using all the upstreams than before. #12223
- Reuse match context between requests to avoid frequent memory allocation/deallocation #12258
- Performance optimization to avoid unnecessary creations and garbage-collections of spans #12080
-
BREAKING: To avoid ambiguity with other Wasm-related nginx.conf directives, the prefix for Wasm
shm_kv
nginx.conf directives was changed fromnginx_wasm_shm_
tonginx_wasm_shm_kv_
#11919 -
In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. Which means security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled. #7714
- azure-functions: azure-functions plugin now eliminates upstream/request URI and only use
routeprefix
configuration field to construct request path when requesting Azure API #11850
-
ACME: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins. #12300
-
Rate Limiting: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins. #12301
-
Response-RateLimiting: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins. #12301
-
Bumped atc-router from 1.2.0 to 1.6.0 #12231
-
Bumped kong-lapis from 1.14.0.3 to 1.16.0.1 #12064
-
Bumped lua-messagepack from 0.5.2 to 0.5.3 #11956
-
Bumped lua-messagepack from 0.5.3 to 0.5.4 #12076
-
Bumped lua-resty-aws from 1.3.5 to 1.3.6 #12439
-
Bumped lua-resty-healthcheck from 3.0.0 to 3.0.1 #12237
-
Bumped lua-resty-lmdb from 1.3.0 to 1.4.1 #12026
-
Bumped lua-resty-timer-ng from 0.2.5 to 0.2.6 #12275
-
Bumped OpenResty from 1.21.4.2 to 1.25.3.1 #12327
-
Bumped OpenSSL from 3.1.4 to 3.2.1 #12264
-
Bump resty-openssl from 0.8.25 to 1.2.0 #12265
-
Bumped ngx_brotli to master branch, and disabled it on rhel7 rhel9-arm64 and amazonlinux-2023-arm64 due to toolchain issues #12444
-
Bumped lua-resty-healthcheck from 1.6.3 to 3.0.0 #11834
-
Bump
ngx_wasm_module
toa7087a37f0d423707366a694630f1e09f4c21728
#12011 -
Bump
Wasmtime
version to14.0.3
#12011
-
display a warning message when Kong Manager is enabled but the Admin API is not enabled #12071
-
add DHE-RSA-CHACHA20-POLY1305 cipher to the intermediate configuration #12133
-
The default value of
dns_no_sync
option has been changed tooff
#11869 -
Allow to inject Nginx directives into Kong's proxy location block #11623
-
Validate LMDB cache by Kong's version (major + minor), wiping the content if tag mismatch to avoid compatibility issues during minor version upgrade. #12026
-
Adds telemetry collection for AI Proxy, AI Request Transformer, and AI Response Transformer, pertaining to model and provider usage. #12495
-
add ngx_brotli module to kong prebuild nginx #12367
-
Allow primary key passed as a full entity to DAO functions. #11695
-
Build deb packages for Debian 12. The debian variant of kong docker image is built using Debian 12 now. #12218
-
The expressions route now supports the
!
(not) operator, which allows creating routes like!(http.path =^ "/a")
and!(http.path == "/a" || http.path == "/b")
#12419 -
Add
source
property to log serializer, indicating the response is generated bykong
orupstream
. #12052 -
Ensure Kong-owned directories are cleaned up after an uninstall using the system's package manager. #12162
-
Support
http.path.segments.len
andhttp.path.segments.*
fields in the expressions router which allows matching incoming (normalized) request path by individual segment or ranges of segments, plus checking the total number of segments. #12283 -
net.src.*
andnet.dst.*
match fields are now accessible in HTTP routes defined using expressions. #11950 -
Extend support for getting and setting Gateway values via proxy-wasm properties in the
kong.*
namespace. #11856
- Increase the precision of JSON number encoding from 14 to 16 decimals #12019
-
Introduced the new AI Prompt Decorator plugin that enables prepending and appending llm/v1/chat messages onto consumer LLM requests, for prompt tuning. #12336
-
Introduced the new AI Prompt Guard which can allow and/or block LLM requests based on pattern matching. #12427
-
Introduced the new AI Prompt Template which can offer consumers and array of LLM prompt templates, with variable substitutions. #12340
-
Introduced the new AI Proxy plugin that enables simplified integration with various AI provider Large Language Models. #12323
-
Introduced the new AI Request Transformer plugin that enables passing mid-flight consumer requests to an LLM for transformation or sanitization. #12426
-
Introduced the new AI Response Transformer plugin that enables passing mid-flight upstream responses to an LLM for transformation or sanitization. #12426
-
Tracing Sampling Rate can now be set via the
config.sampling_rate
property of the OpenTelemetry plugin instead of it just being a global setting for the gateway. #12054
-
add gateway edition to the root endpoint of the admin api #12097
-
Enable
status_listen
on127.0.0.1:8007
by default #12304
- Clustering: Expose data plane certificate expiry date on the control plane API. #11921
-
fix error data loss caused by weakly typed of function in declarative_config_flattened function #12167
-
respect custom
proxy_access_log
#12073
-
prevent ca to be deleted when it's still referenced by other entities and invalidate the related ca store caches when a ca cert is updated. #11789
-
Now cookie names are validated against RFC 6265, which allows more characters than the previous validation. #11881
-
Remove nulls only if the schema has transformations definitions. Improve performance as most schemas does not define transformations. #12284
-
Fix a bug that the error_handler can not provide the meaningful response body when the internal error code 494 is triggered. #12114
-
Header value matching (
http.headers.*
) inexpressions
router flavor are now case sensitive. This change does not affect ontraditional_compatible
mode where header value match are always performed ignoring the case. #11905 -
print error message correctly when plugin fails #11800
-
fix ldoc intermittent failure caused by LuaJIT error. #11983
-
use NGX_WASM_MODULE_BRANCH environment variable to set ngx_wasm_module repository branch when building Kong. #12241
-
Eliminate asynchronous timer in syncQuery() to prevent hang risk #11900
-
tracing: Fixed an issue where a DNS query failure would cause a tracing failure. #11935
-
Expressions route in
http
andstream
subsystem now have stricter validation. Previously they share the same validation schema which means admin can configure expressions route using fields likehttp.path
even for stream routes. This is no longer allowed. #11914 -
Tracing: dns spans are now correctly generated for upstream dns queries (in addition to cosocket ones) #11996
-
Validate private and public key for
keys
entity to ensure they match each other. #11923 -
proxy-wasm: Fixed "previous plan already attached" error thrown when a filter triggers re-entrancy of the access handler. #12452
-
response.set_header support header argument with table array of string #12164
-
Fix an issue that when using kong.response.exit, the Transfer-Encoding header set by user is not removed #11936
-
Plugin Server: fix an issue where every request causes a new plugin instance to be created #12020
-
Add missing WWW-Authenticate headers to 401 response in basic auth plugin. #11795
-
Enhance error responses for authentication failures in the Admin API #12456
-
Expose metrics for serviceless routes #11781
-
Rate Limiting: fix to provide better accuracy in counters when sync_rate is used with the redis policy. #11859
-
Rate Limiting: fix an issuer where all counters are synced to the same DB at the same rate. #12003
-
Datadog: Fix a bug that datadog plugin is not triggered for serviceless routes. In this fix, datadog plugin is always triggered, and the value of tag
name
(service_name) is set as an empty value. #12068
- Fix a bug causing data-plane status updates to fail when an empty PING frame is received from a data-plane #11917
-
Added a JSON/YAML format preview for all entity forms. #157
-
Adopted resigned basic components for better UI/UX. #131 #166
-
Kong Manager and Konnect now share the same UI for plugin selection page and plugin form page. #143 #147
- Standardized notification text format. #140
- Bumped the default value of
upstream_keepalive_pool_size
to512
andupstream_keepalive_max_requests
to1000
#11515
- refactor workspace id and name retrieval #11442
- Session: a new configuration field
read_body_for_logout
was added with a default value offalse
, that changes behavior oflogout_post_arg
in a way that it is not anymore considered if theread_body_for_logout
is not explicitly set totrue
. This is to avoid session plugin from reading request bodies by default on e.g.POST
request for logout detection. #10333
-
Bumped resty.openssl from 0.8.23 to 0.8.25 #11518
-
Fix incorrect LuaJIT register allocation for IR_*LOAD on ARM64 #11638
-
Fix LDP/STP fusing for unaligned accesses on ARM64 #11639
-
Bump lua-kong-nginx-module from 0.6.0 to 0.8.0 #11663
-
Fix incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic #11537
-
Bumped lua-resty-healthcheck from 1.6.2 to 1.6.3 #11360
-
Bumped OpenResty from 1.21.4.1 to 1.21.4.2 #11360
-
Bumped LuaSec from 1.3.1 to 1.3.2 #11553
-
Bumped lua-resty-aws from 1.3.1 to 1.3.5 #11613
-
bump OpenSSL from 3.1.1 to 3.1.4 #11844
-
Bumped kong-lapis from 1.14.0.2 to 1.14.0.3 #11849
-
Bumped ngx_wasm_module to latest rolling release version. #11678
-
Bump Wasmtime version to 12.0.2 #11738
-
Bumped lua-resty-aws from 1.3.0 to 1.3.1 #11419
-
Bumped lua-resty-session from 4.0.4 to 4.0.5 #11416
-
Add a new endpoint
/schemas/vaults/:name
to retrieve the schema of a vault. #11727 -
rename
privileged_agent
todedicated_config_processing. Enable
dedicated_config_processing` by default #11784 -
Support observing the time consumed by some components in the given request. #11627
-
Plugins can now implement
Plugin:configure(configs)
function that is called whenever there is a change in plugin entities. An array of current plugin configurations is passed to the function, ornil
in case there is no active configurations for the plugin. #11703 -
Add a request-aware table able to detect accesses from different requests. #11017
-
A unique Request ID is now populated in the error log, access log, error templates, log serializer, and in a new X-Kong-Request-Id header (configurable for upstream/downstream using the
headers
andheaders_upstream
configuration options). #11663 -
Add support for optional Wasm filter configuration schemas #11568
-
Support JSON in Wasm filter configuration #11697
-
Support HTTP query parameters in expression routes. #11348
-
response-ratelimiting: add support for secret rotation with redis connection #10570
-
CORS: Support the
Access-Control-Request-Private-Network
header in crossing-origin pre-light requests #11523 -
add scan_count to redis storage schema #11532
-
AWS-Lambda: the AWS-Lambda plugin has been refactored by using
lua-resty-aws
as an underlying AWS library. The refactor simplifies the AWS-Lambda plugin code base and adding support for multiple IAM authenticating scenarios. #11350 -
OpenTelemetry and Zipkin: Support GCP X-Cloud-Trace-Context header The field
header_type
now accepts the valuegcp
to propagate the Google Cloud trace header #11254
- Clustering: Allow configuring DP metadata labels for on-premise CP Gateway #11625
- The default value of
dns_no_sync
option has been changed toon
#11871
-
Fix an issue that the TTL of the key-auth plugin didnt work in DB-less and Hybrid mode. #11464
-
Fix a problem that abnormal socket connection will be reused when querying Postgres database. #11480
-
Fix upstream ssl failure when plugins use response handler #11502
-
Fix an issue that protocol
tls_passthrough
can not work with expressions flavor #11538 -
Fix a bug that will cause a failure of sending tracing data to datadog when value of x-datadog-parent-id header in requests is a short dec string #11599
-
Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487) #11743
-
fix the building failure when applying patches #11696
-
Vault references can be used in Dbless mode in declarative config #11845
-
Properly warmup Vault caches on init #11827
-
Vault resurrect time is respected in case a vault secret is deleted from a vault #11852
-
Fixed critical level logs when starting external plugin servers. Those logs cannot be suppressed due to the limitation of OpenResty. We choose to remove the socket availability detection feature. #11372
-
Fix an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different Route or Service entities. #11306
-
Fix an issue where cluster_cert or cluster_ca_cert is inserted into lua_ssl_trusted_certificate before being base64 decoded. #11385
-
Fix cache warmup mechanism not working in
acls
plugin groups config entity scenario. #11414 -
Fix an issue that queue stops processing when a hard error is encountered in the handler function. #11423
-
Fix an issue that query parameters are not forwarded in proxied request. Thanks @chirag-manwani for contributing this change. #11328
-
Fix an issue that response status code is not real upstream status when using kong.response function. #11437
-
Removed a hardcoded proxy-wasm isolation level setting that was preventing the
nginx_http_proxy_wasm_isolation
configuration value from taking effect. #11407
-
Fix several issues in Vault and refactor the Vault code base: - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed #11652
-
Fix response body gets repeated when
kong.response.get_raw_body()
is called multiple times in a request lifecycle. #11424 -
Tracing: fix an issue that resulted in some parent spans to end before their children due to different precision of their timestamps #11484
-
Fix a bug related to data interference between requests in the kong.log.serialize function. #11566
-
Opentelemetry: fix an issue that resulted in invalid parent IDs in the propagated tracing headers #11468
-
AWS-Lambda: let plugin-level proxy take effect on EKS IRSA credential provider #11551
-
Cache the AWS lambda service by those lambda service related fields #11821
-
Opentelemetry: fix an issue that resulted in traces with invalid parent IDs when
balancer
instrumentation was enabled #11830 -
tcp-log: fix an issue of unnecessary handshakes when reusing TLS connection #11848
-
OAuth2: For OAuth2 plugin,
scope
has been taken into account as a new criterion of the request validation. When refreshing token withrefresh_token
, the scopes associated with therefresh_token
provided in the request must be same with or a subset of the scopes configured in the OAuth2 plugin instance hit by the request. #11342 -
When the worker is in shutdown mode and more data is immediately available without waiting for
max_coalescing_delay
, queues are now cleared in batches. Thanks @JensErat for contributing this change. #11376 -
A race condition in the plugin queue could potentially crash the worker when
max_entries
was set tomax_batch_size
. #11378 -
AWS-Lambda: fix an issue that the AWS-Lambda plugin cannot extract a json encoded proxy integration response. #11413
- Restore lapis & luarocks-admin bins #11578
-
Add
JSON
andYAML
formats in entity config cards. #111 -
Plugin form fields now display descriptions from backend schema. #66
-
Add the
protocols
field in plugin form. #93 -
The upstream target list shows the
Mark Healthy
andMark Unhealthy
action items when certain conditions are met. #86
-
Fix incorrect port number in Port Details. #103
-
Fix a bug where the
proxy-cache
plugin cannot be installed. #104
- Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487) #11743 CVE-2023 nginx-1 SIR-435
- Support HTTP query parameters in expression routes. #11348
- Fix incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic #11537
- Removed a hardcoded proxy-wasm isolation level setting that was preventing the
nginx_http_proxy_wasm_isolation
configuration value from taking effect. #11407 - Fix an issue that the TTL of the key-auth plugin didnt work in DB-less and Hybrid mode. #11464
- Fix a problem that abnormal socket connection will be reused when querying Postgres database. #11480
- Fix upstream ssl failure when plugins use response handler #11502
- Fix an issue that protocol
tls_passthrough
can not work with expressions flavor #11538
- Fix several issues in Vault and refactor the Vault code base: - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed
- Tracing: fix an issue that resulted in some parent spans to end before their children due to different precision of their timestamps #11484
- Opentelemetry: fix an issue that resulted in invalid parent IDs in the propagated tracing headers #11468
- Fixed entity docs link. #92
⚠️ Alpine packages and Docker images based on Alpine are no longer supported #10926⚠️ Cassandra as a datastore for Kong is no longer supported #10931- Ubuntu 18.04 artifacts are no longer supported as it's EOL
- AmazonLinux 2022 artifacts are renamed to AmazonLinux 2023 according to AWS's decision
- CentOS packages are now removed from the release and are no longer supported in future versions.
- Enable
expressions
andtraditional_compatible
router flavor in stream subsystem. #11071 - Make upstream
host_header
and routerpreserve_host
config work in stream tls proxy. #11244 - Add beta support for WebAssembly/proxy-wasm #11218
- '/schemas' endpoint returns additional information about cross-field validation as part of the schema. This should help tools that use the Admin API to perform better client-side validation. #11108
- First release of the Kong Manager Open Source Edition. #11131
- OpenTelemetry: Support AWS X-Ray propagation header
The field
header_type
now accepts theaws
value to handle this specific propagation header. 11075 - Opentelemetry: Support the
endpoint
parameter as referenceable. #11220 - Ip-Restriction: Add TCP support to the plugin. Thanks @scrudge for contributing this change. #10245
- In dbless mode, the declarative schema is now fully initialized at startup
instead of on-demand in the request path. This is most evident in decreased
response latency when updating configuration via the
/config
API endpoint. #10932 - The Prometheus plugin has been optimized to reduce proxy latency impacts during scraping. #10949 #11040 #11065
- Declarative config now performs proper uniqueness checks against its inputs: previously, it would silently drop entries with conflicting primary/endpoint keys, or accept conflicting unique fields silently. #11199
- Fixed a bug that causes
POST /config?flatten_errors=1
to throw an exception and return a 500 error under certain circumstances. #10896 - Fix a bug when worker consuming dynamic log level setting event and using a wrong reference for notice logging #10897
- Added a
User=
specification to the systemd unit definition so that Kong can be controlled by systemd again. #11066 - Fix a bug that caused sampling rate to be applied to individual spans producing split traces. #11135
- Fix a bug that caused spans to not be instrumented with http.status_code when the request was not proxied to an upstream. Thanks @backjo for contributing this change. #11152, #11406
- Fix a bug that caused the router to fail in
traditional_compatible
mode when a route with multiple paths and no service was created. #11158 - Fix an issue where the router of flavor
expressions
can not work correctly whenroute.protocols
is set togrpc
orgrpcs
. #11082 - Fix an issue where the router of flavor
expressions
can not configure https redirection. #11166 - Added new span attribute
net.peer.name
if balancer_data.hostname is available. Thanks @backjo for contributing this change. #10723 - Make
kong vault get
CLI command work in dbless mode by injecting the necessary directives into the kong cli nginx.conf. #11127 #11291 - Fix an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different Route or Service entities. #11306
- Fix an issue where cluster_cert or cluster_ca_cert is inserted into lua_ssl_trusted_certificate before being base64 decoded. #11385
- Update the DNS client to follow configured timeouts in a more predictable manner. Also fix a corner case in its behavior that could cause it to resolve incorrectly during transient network and DNS server failures. #11386
- Fix an issue where
/schemas/plugins/validate
endpoint fails to validate valid plugin configuration when the key ofcustom_fields_by_lua
contains dot character(s). #11091 - Fix an issue with the
/tags/:tag
Admin API returning a JSON object ({}
) instead of an array ([]
) for empty data sets. #11213
- Response Transformer: fix an issue that plugin does not transform the response body while upstream returns a Content-Type with +json suffix at subtype. #10656
- grpc-gateway: Fixed an issue that empty (all default value) messages can not be unframed correctly. #10836
- ACME: Fixed sanity test can't work with "kong" storage in Hybrid mode #10852
- rate-limiting: Fixed an issue that impact the accuracy with the
redis
policy. Thanks @giovanibrioni for contributing this change. #10559 - Zipkin: Fixed an issue that traces not being generated correctly when instrumentations are enabled. #10983
- Acme: Fixed string concatenation on cert renewal errors #11364
- Validation for queue related parameters has been
improved.
max_batch_size
,max_entries
andmax_bytes
are nowinteger
s instead ofnumber
s.initial_retry_delay
andmax_retry_delay
must now benumber
s greater than 0.001 (seconds). #10840
- Tracing: new attribute
http.route
added to http request spans. #10981 - The default value of
lmdb_map_size
config has been bumped to2048m
from128m
to accommodate most commonly deployed config sizes in DB-less and Hybrid mode. #11047 - The default value of
cluster_max_payload
config has been bumped to16m
from4m
to accommodate most commonly deployed config sizes in Hybrid mode. #11090 - Remove kong branding from kong HTML error template. #11150
- Drop luasocket in cli #11177
- Remove the database information from the status API when operating in dbless mode or data plane. #10995
- Bumped lua-resty-openssl from 0.8.20 to 0.8.23 #10837 #11099
- Bumped kong-lapis from 1.8.3.1 to 1.14.0.2 #10841
- Bumped lua-resty-events from 0.1.4 to 0.2.0 #10883 #11083 #11214
- Bumped lua-resty-session from 4.0.3 to 4.0.4 #11011
- Bumped OpenSSL from 1.1.1t to 3.1.1 #10180 #11140
- Bumped pgmoon from 1.16.0 to 1.16.2 (Kong's fork) #11181 #11229
- Bumped atc-router from 1.0.5 to 1.2.0 #10100 #11071
- Bumped lua-resty-lmdb from 1.1.0 to 1.3.0 #11227
- Bumped lua-ffi-zlib from 0.5 to 0.6 #11373
- Some referenceable configuration fields, such as the
http_endpoint
field of thehttp-log
plugin and theendpoint
field of theopentelemetry
plugin, do not accept reference values due to incorrect field validation.
- The
traditional_compatible
router mode has been made more compatible with the behavior oftraditional
mode by splitting routes with multiple paths into multiple atc routes with separate priorities. Since the introduction of the new router in Kong Gateway 3.0,traditional_compatible
mode assigned only one priority to each route, even if different prefix path lengths and regular expressions were mixed in a route. This was not how multiple paths were handled in thetraditional
router and the behavior has now been changed so that a separate priority value is assigned to each path in a route. #10615
- http-log, statsd, opentelemetry, datadog: The queueing system
has been reworked, causing some plugin parameters to not function as expected
anymore. If you use queues on these plugin, new parameters must be configured.
The module
kong.tools.batch_queue
has been renamed tokong.tools.queue
in the process and the API was changed. If your custom plugin uses queues, it must be updated to use the new API. See this blog post for a tour of the new queues and how they are parametrized. #10172 - http-log: If the log server responds with a 3xx HTTP status code, the plugin will consider it to be an error and retry according to the retry configuration. Previously, 3xx status codes would be interpreted as success, causing the log entries to be dropped. #10172
- Serverless Functions:
kong.cache
now points to a cache instance that is dedicated to the Serverless Functions plugins: it does not provide access to the global kong cache. Access to certain fields in kong.configuration has also been restricted. #10417 - Zipkin: The zipkin plugin now uses queues for internal buffering. The standard queue parameter set is available to control queuing behavior. #10753
- Tracing: tracing_sampling_rate defaults to 0.01 (trace one of every 100 requests) instead of the previous 1 (trace all requests). Tracing all requests is inappropriate for most production systems #10774
- Proxy Cache: Add option to remove the proxy cache headers from the response #10445
- Make runloop and init error response content types compliant with Accept header value #10366
- Add a new field
updated_at
for core entities ca_certificates, certificates, consumers, targets, upstreams, plugins, workspaces, clustering_data_planes and snis. #10400 - Allow configuring custom error templates #10374
- The maximum number of request headers, response headers, uri args, and post args that are
parsed by default can now be configured with a new configuration parameters:
lua_max_req_headers
,lua_max_resp_headers
,lua_max_uri_args
andlua_max_post_args
#10443 - Allow configuring Labels for data planes to provide metadata information. Labels are only compatible with hybrid mode deployments with Kong Konnect (SaaS) #10471
- Add Postgres triggers on the core entites and entities in bundled plugins to delete the expired rows in an efficient and timely manner. #10389
- Support for configurable Node IDs #10385
- Request and response buffering options are now enabled for incoming HTTP 2.0 requests too. Thanks @PidgeyBE for contributing this change. #10595 #10204
- Add
KONG_UPSTREAM_DNS_TIME
tokong.ctx
so that we can record the time it takes for DNS resolution when Kong proxies to upstream. #10355 - Tracing: rename spans to simplify filtering on tracing backends. #10577
- Support timeout for dynamic log level #10288
- Added new span attribute
http.client_ip
to capture the client IP when behind a proxy. Thanks @backjo for this contribution! #10723
- The
/upstreams/<upstream>/health?balancer_health=1
endpoint always shows the balancer health, through a new attribute balancer_health, which always returns HEALTHY or UNHEALTHY (reporting the true state of the balancer), even if the overall upstream health status is HEALTHCHECKS_OFF. This is useful for debugging. #5885
- The
status_listen
server has been enhanced with the addition of the/status/ready
API for monitoring Kong's health. This endpoint provides a200
response upon receiving aGET
request, but only if a valid, non-empty configuration is loaded and Kong is prepared to process user requests. Load balancers frequently utilize this functionality to ascertain Kong's availability to distribute incoming requests. #10610 #10787
- ACME: acme plugin now supports configuring an
account_key
inkeys
andkey_sets
#9746 - Proxy-Cache: add
ignore_uri_case
to configuring cache-key uri to be handled as lowercase #10453 - HTTP-Log: add
application/json; charset=utf-8
option for theContent-Type
header in the http-log plugin, for log collectors that require that character set declaration. #10533 - DataDog: supports value of
host
to be referenceable. #10484 - Zipkin&Opentelemetry: convert traceid in http response headers to hex format #10534
- ACME: acme plugin now supports configuring
namespace
for redis storage which is default to empty string for backward compatibility. #10562 - AWS Lambda: add a new field
disable_https
to support scheme config on lambda service api endpoint #9799 - OpenTelemetry: spans are now correctly correlated in downstream Datadog traces. 10531
- OpenTelemetry: add
header_type
field in OpenTelemetry plugin. Previously, theheader_type
was hardcoded topreserve
, now it can be set to one of the following values:preserve
,ignore
,b3
,b3-single
,w3c
,jaeger
,ot
. #10620
- PDK now supports getting plugins' ID with
kong.plugin.get_id
. #9903
- Fixed an issue where upstream keepalive pool has CRC32 collision. #9856
- Fix an issue where control plane does not downgrade config for
aws_lambda
andzipkin
for older version of data planes. #10346 - Fix an issue where control plane does not rename fields correctly for
session
for older version of data planes. #10352 - Fix an issue where validation to regex routes may be skipped when the old-fashioned config is used for DB-less Kong. #10348
- Fix and issue where tracing may cause unexpected behavior. #10364
- Fix an issue where balancer passive healthcheck would use wrong status code when kong changes status code
from upstream in
header_filter
phase. #10325 #10592 - Fix an issue where schema validations failing in a nested record did not propagate the error correctly. #10449
- Fixed an issue where dangling Unix sockets would prevent Kong from restarting in Docker containers if it was not cleanly stopped. #10468
- Fix an issue where sorting function for traditional router sources/destinations lead to "invalid order function for sorting" error. #10514
- Fix the UDP socket leak caused by frequent DNS queries. #10691
- Fix a typo of mlcache option
shm_set_tries
. #10712 - Fix an issue where slow start up of Go plugin server causes dead lock. #10561
- Tracing: fix an issue that caused the
sampled
flag of incoming propagation headers to be handled incorrectly and only affect some spans. #10655 - Tracing: fix an issue that was preventing
http_client
spans to be created for OpenResty HTTP client requests. #10680 - Tracing: fix an approximation issue that resulted in reduced precision of the balancer span start and end times. #10681
- Tracing: tracing_sampling_rate defaults to 0.01 (trace one of every 100 requests) instead of the previous 1 (trace all requests). Tracing all requests is inappropriate for most production systems #10774
- Fix issue when stopping a Kong could error out if using Vault references #10775
- Fix issue where Vault configuration stayed sticky and cached even when configurations were changed. #10776
- Backported the openresty
ngx.print
chunk encoding buffer double free bug fix that leads to the corruption of chunk-encoded response data. #10816 #10824
- Fix an issue where empty value of URI argument
custom_id
crashes/consumer
. #10475
- Request-Transformer: fix an issue where requests would intermittently be proxied with incorrect query parameters. 10539
- Request Transformer: honor value of untrusted_lua configuration parameter #10327
- OAuth2: fix an issue that OAuth2 token was being cached to nil while access to the wrong service first. #10522
- OpenTelemetry: fix an issue that reconfigure of OpenTelemetry does not take effect. #10172
- OpenTelemetry: fix an issue that caused spans to be propagated incorrectly resulting in a wrong hierarchy being rendered on tracing backends. #10663
- gRPC gateway:
null
in the JSON payload caused an uncaught exception to be thrown during pb.encode. #10687 - Oauth2: prevent an authorization code created by one plugin instance to be exchanged for an access token by a different plugin instance. #10011
- gRPC gateway: fixed an issue that empty arrays in JSON are incorrectly encoded as
"{}"
; they are now encoded as"[]"
to comply with standard. #10790
- Fixed an issue for tracing PDK where sample rate does not work. #10485
- Postgres TTL cleanup timer will now only run on traditional and control plane nodes that have enabled the Admin API. #10405
- Postgres TTL cleanup timer now runs a batch delete loop on each ttl enabled table with a number of 50.000 rows per batch. #10407
- Postgres TTL cleanup timer now runs every 5 minutes instead of every 60 seconds. #10389
- Postgres TTL cleanup timer now deletes expired rows based on database server-side timestamp to avoid potential problems caused by the difference of clock time between Kong and database server. #10389
request.get_uri_captures
now returns the unnamed part tagged as an array (for jsonification). #10390
- Request-Termination: If the echo option was used, it would not return the uri-captures. #10390
- OpenTelemetry: add
http_response_header_for_traceid
field in OpenTelemetry plugin. The plugin will set the corresponding header in the response if the field is specified with a string value. #10379
- Bumped lua-resty-session from 4.0.2 to 4.0.3 #10338
- Bumped lua-protobuf from 0.3.3 to 0.5.0 #10137 #10790
- Bumped lua-resty-timer-ng from 0.2.3 to 0.2.5 #10419 #10664
- Bumped lua-resty-openssl from 0.8.17 to 0.8.20 #10463 #10476
- Bumped lua-resty-http from 0.17.0.beta.1 to 0.17.1 #10547
- Bumped LuaSec from 1.2.0 to 1.3.1 #10528
- Bumped lua-resty-acme from 0.10.1 to 0.11.0 #10562
- Bumped lua-resty-events from 0.1.3 to 0.1.4 #10634
- Bumped lua-kong-nginx-module from 0.5.1 to 0.6.0 #10288
- Bumped lua-resty-lmdb from 1.0.0 to 1.1.0 #10766
- JWT: JWT plugin now denies a request that has different tokens in the jwt token search locations. #9946
- Session: for sessions to work as expected it is required that all nodes run Kong >= 3.2.x.
For that reason it is advisable that during upgrades mixed versions of proxy nodes run for
as little as possible. During that time, the invalid sessions could cause failures and partial downtime.
All existing sessions are invalidated when upgrading to this version.
The parameter
idling_timeout
now has a default value of900
: unless configured differently, sessions expire after 900 seconds (15 minutes) of idling. The parameterabsolute_timeout
has a default value of86400
: unless configured differently, sessions expire after 86400 seconds (24 hours). #10199 - Proxy Cache: Add wildcard and parameter match support for content_type #10209
- Expose postgres connection pool configuration. #9603
- When
router_flavor
istraditional_compatible
, verify routes created using the Expression router instead of the traditional router to ensure created routes are actually compatible. #9987 - Nginx charset directive can now be configured with Nginx directive injections #10111
- Services upstream TLS config is extended to stream subsystem. #9947
- New configuration option
ssl_session_cache_size
to set the Nginx directivessl_session_cache
. This config defaults to10m
. Thanks Michael Kotten for contributing this change. #10021
- Add a new load-balancing
algorithm
optionlatency
to theUpstream
entity. This algorithm will choose a target based on the response latency of each target from prior requests. #9787
- Plugin: add an optional field
instance_name
that identifies a particular plugin entity. #10077 - Zipkin: Add support to set the durations of Kong phases as span tags
through configuration property
config.phase_duration_flavor
. #9891 - HTTP logging: Suppport value of
headers
to be referenceable. #9948 - AWS Lambda: Add
aws_imds_protocol_version
configuration parameter that allows the selection of the IMDS protocol version. Defaults tov1
, can be set tov2
to enable IMDSv2. #9962 - OpenTelemetry: Support scoping with services, routes and consumers. #10096
- Statsd: Add
tag_style
configuration parameter that allows to send metrics with tags. Defaults tonil
which means do not add any tags to the metrics. #10118 - Session: now uses lua-resty-session v4.0.0 #10199
- In dbless mode,
/config
API endpoint can now flatten entity-related schema validation errors to a single array via the optionalflatten_errors
query parameter. Non-entity errors remain unchanged in this mode. #10161 #10256
- Support for
upstream_status
field in log serializer. #10296
- Add back Postgres
FLOOR
function when calculatingttl
, so the returnedttl
is always a whole integer. #9960 - Fix an issue where after a valid declarative configuration is loaded,
the configuration hash is incorrectly set to the value:
00000000000000000000000000000000
. #9911 - Update the batch queues module so that queues no longer grow without bounds if their consumers fail to process the entries. Instead, old batches are now dropped and an error is logged. #10247
- Fix an issue where 'X-Kong-Upstream-Status' cannot be emitted when response is buffered. #10056
- Zipkin: Fix an issue where the global plugin's sample ratio overrides route-specific. #9877
- JWT: Deny requests that have different tokens in the jwt token search locations. Thanks Jackson 'Che-Chun' Kuo from Latacora for reporting this issue. #9946
- Statsd: Fix a bug in the StatsD plugin batch queue processing where metrics are published multiple times. #10052
- Datadog: Fix a bug in the Datadog plugin batch queue processing where metrics are published multiple times. #10044
- OpenTelemetry: Fix non-compliances to specification:
- OpenTelemetry: Fix a bug that when getting the trace of other formats, the trace ID reported and propagated could be of incorrect length. #10332
- OAuth2:
refresh_token_ttl
is now limited between0
and100000000
by schema validator. Previously numbers that are too large causes requests to fail. #10068
-
Improve error message for invalid JWK entities. #9904
-
Renamed two configuration properties:
opentelemetry_tracing
=>tracing_instrumentations
opentelemetry_tracing_sampling_rate
=>tracing_sampling_rate
The old
opentelemetry_*
properties are considered deprecated and will be fully removed in a future version of Kong. #10122 #10220
- Revert the removal of WebSocket protocol support for configuration sync, and disable the wRPC protocol. #9921
- Bumped luarocks from 3.9.1 to 3.9.2 #9942
- Bumped atc-router from 1.0.1 to 1.0.5 #9925 #10143 #10208
- Bumped lua-resty-openssl from 0.8.15 to 0.8.17 #9583 #10144
- Bumped lua-kong-nginx-module from 0.5.0 to 0.5.1 #10181
- Bumped lua-resty-session from 3.10 to 4.0.2 #10199 #10230 #10308
- Bumped OpenSSL from 1.1.1s to 1.1.1t #10266
- Bumped lua-resty-timer-ng from 0.2.0 to 0.2.3 #10265
- Change the reponse body for a TRACE method from
The upstream server responded with 405
toMethod not allowed
, make the reponse to show more clearly that Kong do not support TRACE method. #9448 - Add
allow_debug_header
Kong conf to allow use of theKong-Debug
header for debugging. This option defaults tooff
. #10054 #10125
- Allow
kong.conf
ssl properties to be stored in vaults or environment variables. Allow such properties to be configured directly as content or base64 encoded content. #9253 - Add support for full entity transformations in schemas #9431
- Allow schema
map
type field being marked as referenceable. #9611 - Add support for dynamically changing the log level #9744
- Add
keys
entity to store and manage asymmetric keys. #9737 - Add
key-sets
entity to group and managekeys
#9737
- Rate-limiting: The HTTP status code and response body for rate-limited requests can now be customized. Thanks, @utix! #8930
- Zipkin: add
response_header_for_traceid
field in Zipkin plugin. The plugin will set the corresponding header in the response if the field is specified with a string value. #9173 - AWS Lambda: add
requestContext
field intoawsgateway_compatible
input data #9380 - ACME: add support for Redis SSL, through configuration properties
config.storage_config.redis.ssl
,config.storage_config.redis.ssl_verify
, andconfig.storage_config.redis.ssl_server_name
. #9626 - Session: Add new config
cookie_persistent
that allows browser to persist cookies even if browser is closed. This defaults tofalse
which means cookies are not persistend across browser restarts. Thanks @tschaume for this contribution! #8187 - Response-rate-limiting: add support for Redis SSL, through configuration properties
redis_ssl
(can be set totrue
orfalse
),ssl_verify
, andssl_server_name
. #8595 Thanks @dominikkukacka! - OpenTelemetry: add referenceable attribute to the
headers
field that could be stored in vaults. #9611 - HTTP-Log: Support
http_endpoint
field to be referenceable #9714 - rate-limiting: Add a new configuration
sync_rate
to theredis
policy, which synchronizes metrics to redis periodically instead of on every request. #9538
- Data plane node IDs will now persist across restarts. #9067
- Add HTTP CONNECT forward proxy support for Hybrid Mode connections. New configuration
options
cluster_use_proxy
,proxy_server
andproxy_server_ssl_verify
are added. #9758 #9773
- Increase the default value of
lua_regex_cache_max_entries
, a warning will be thrown when there are too many regex routes androuter_flavor
istraditional
. #9624 - Add batch queue into the Datadog and StatsD plugin to reduce timer usage. #9521
- Extend
kong.client.tls.request_client_certificate
to support setting the Distinguished Name (DN) list hints of the accepted CA certificates. #9768
- Fix issue where external plugins crashing with unhandled exceptions would cause high CPU utilization after the automatic restart. #9384
- Fix issue where Zipkin plugin cannot parse OT baggage headers due to invalid OT baggage pattern. #9280
- Add
use_srv_name
options to upstream for balancer. #9430 - Fix issue in
header_filter
instrumentation where the span was not correctly created. #9434 - Fix issue in router building where when field contains an empty table, the generated expression is invalid. #9451
- Fix issue in router rebuilding where when paths field is invalid, the router's mutex is not released properly. #9480
- Fixed an issue where
kong docker-start
would fail ifKONG_PREFIX
was set to a relative path. #9337 - Fixed an issue with error-handling and process cleanup in
kong start
. #9337
- Fixed a race condition that can cause configuration push events to be dropped when the first data-plane connection is established with a control-plane worker. #9616
- Fix slow CLI performance due to pending timer jobs #9536
- Increase the maximum request argument number from
100
to1000
, and return400
error if request parameters reach the limitation to avoid being truncated. #9510 - Paging size parameter is now propogated to next page if specified in current request. #9503
- Non-normalized prefix route path is now rejected. It will also suggest how to write the path in normalized form. #9760
- Added support for
kong.request.get_uri_captures
(kong.request.getUriCaptures
) #9512 - Fixed parameter type of
kong.service.request.set_raw_body
(kong.service.request.setRawBody
), return type ofkong.service.response.get_raw_body
(kong.service.request.getRawBody
), and body parameter type ofkong.response.exit
to bytes. Note that old version of go PDK is incompatible after this change. #9526 - Vault will not call
semaphore:wait
ininit
orinit_worker
phase. #9851
- Add missing
protocols
field to various plugin schemas. #9525 - AWS Lambda: Fix an issue that is causing inability to read environment variables in ECS environment. #9460
- Request-Transformer: fix a bug when header renaming will override existing header and cause unpredictable result. #9442
- OpenTelemetry:
- Response-Transformer: Fix the bug that Response-Transformer plugin breaks when receiving an unexcepted body. #9463
- HTTP-Log: Fix an issue where queue id serialization
does not include
queue_size
andflush_timeout
. #9789
- The legacy hybrid configuration protocol has been removed in favor of the wRPC protocol introduced in 3.0. #9740
- Bumped openssl from 1.1.1q to 1.1.1s #9674
- Bumped atc-router from 1.0.0 to 1.0.1 #9558
- Bumped lua-resty-openssl from 0.8.10 to 0.8.15 #9583 #9600 #9675
- Bumped lyaml from 6.2.7 to 6.2.8 #9607
- Bumped lua-resty-acme from 0.8.1 to 0.9.0 #9626
- Bumped resty.healthcheck from 1.6.1 to 1.6.2 #9778
- Bumped pgmoon from 1.15.0 to 1.16.0 #9815
- Fix issue where Zipkin plugin cannot parse OT baggage headers due to invalid OT baggage pattern. #9280
- Fix issue in
header_filter
instrumentation where the span was not correctly created. #9434 - Fix issue in router building where when field contains an empty table, the generated expression is invalid. #9451
- Fix issue in router rebuilding where when paths field is invalid, the router's mutex is not released properly. #9480
- Fixed an issue where
kong docker-start
would fail ifKONG_PREFIX
was set to a relative path. #9337 - Fixed an issue with error-handling and process cleanup in
kong start
. #9337
Released 2022/09/12
This major release adds a new router written in Rust and a tracing API that is compatible with the OpenTelemetry API spec. Furthermore, various internal changes have been made to improve Kong's performance and memory consumption. As it is a major release, users are advised to review the list of braking changes to determine whether configuration changes are needed when upgrading.
- Blue-green deployment from Kong earlier than
2.1.0
is not supported, upgrade to2.1.0
or later before upgrading to3.0.0
to have blue-green deployment. Thank you @marc-charpentier for reporting issue and proposing a pull-request. #8896 - Deprecate/stop producing Amazon Linux (1) containers and packages (EOLed December 31, 2020) Kong/docs.konghq.com #3966
- Deprecate/stop producing Debian 8 "Jessie" containers and packages (EOLed June 2020) Kong/kong-build-tools #448 Kong/kong-distributions #766
- Kong schema library's
process_auto_fields
function will not any more make a deep copy of data that is passed to it when the given context is"select"
. This was done to avoid excessive deep copying of tables where we believe the data most of the time comes from a driver likepgmoon
orlmdb
. If a custom plugin relied onprocess_auto_fields
not overriding the given table, it must make its own copy before passing it to the function now. #8796 - The deprecated
shorthands
field in Kong Plugin or DAO schemas was removed in favor or the typedshorthand_fields
. If your custom schemas still useshorthands
, you need to update them to useshorthand_fields
. #8815 - The support for
legacy = true/false
attribute was removed from Kong schemas and Kong field schemas. #8958 - The deprecated alias of
Kong.serve_admin_api
was removed. If your custom Nginx templates still use it, please change it toKong.admin_content
. #8815 - The Kong singletons module
"kong.singletons"
was removed in favor of the PDKkong.*
. #8874 - The dataplane config cache was removed. The config persistence is now done automatically with LMDB. #8704
ngx.ctx.balancer_address
does not exist anymore, please usengx.ctx.balancer_data
instead. #9043- We have changed the normalization rules for
route.path
: Kong stores the unnormalized path, but regex path always pattern matches with the normalized URI. We used to replace percent-encoding in regex path pattern to ensure different forms of URI matches. That is no longer supported. Except for reserved characters defined in rfc3986, we should write all other characters without percent-encoding. #9024 - Kong will no longer use an heuristic to guess whether a
route.path
is a regex pattern. From now 3.0 onwards, all regex paths must start with the"~"
prefix, and all paths that don't start with"~"
will be considered plain text. The migration process should automatically convert the regex paths when upgrading from 2.x to 3.0 #9027 - Bumping version number (
_format_version
) of declarative configuration to "3.0" for changes onroute.path
. Declaritive configuration with older version are upgraded to "3.0" on the fly. #9078 - Removed deprecated
config.functions
from serverless-functions plugin's schema, please useconfig.access
phase instead. #8559 - Tags may now contain space characters. #9143
- The Secrets Management feature, which has been in beta since release 2.8.0, is now included as a regular feature. #8871 #9217
POST
requests on Targets endpoint are no longer able to update existing entities, they are only able to create new ones. #8596, #8798. If you have scripts that usePOST
requests to modify Targets, you should change them toPUT
requests to the appropriate endpoints before updating to Kong 3.0.- Insert and update operations on duplicated Targets returns 409. #8179, #8768
- The list of reported plugins available on the server now returns a table of
metadata per plugin instead of a boolean
true
. #8810
- The
kong.request.get_path()
PDK function now performs path normalization on the string that is returned to the caller. The raw, non-normalized version of the request path can be fetched viakong.request.get_raw_path()
. #8823 pdk.response.set_header()
,pdk.response.set_headers()
,pdk.response.exit()
now ignore and emit warnings for manually setTransfer-Encoding
headers. #8698- The PDK is no longer versioned #8585
- The JavaScript PDK now returns
Uint8Array
forkong.request.getRawBody
,kong.response.getRawBody
andkong.service.response.getRawBody
. The Python PDK returnsbytes
forkong.request.get_raw_body
,kong.response.get_raw_body
,kong.service.response.get_raw_body
. All these funtions used to return strings in the past. #8623
- DAOs in plugins must be listed in an array, so that their loading order is explicit. Loading them in a hash-like table is no longer supported. #8988
- Plugins MUST now have a valid
PRIORITY
(integer) andVERSION
("x.y.z" format) field in theirhandler.lua
file, otherwise the plugin will fail to load. #8836 - The old
kong.plugins.log-serializers.basic
library was removed in favor of the PDK functionkong.log.serialize
, please upgrade your plugins to use PDK. #8815 - The support for deprecated legacy plugin schemas was removed. If your custom plugins
still use the old (
0.x era
) schemas, you are now forced to upgrade them. #8815 - Some plugins received new priority values.
This is important for those who run custom plugins as it may affect the sequence your plugins are executed.
Note that this does not change the order of execution for plugins in a standard kong installation.
List of plugins and their old and new priority value:
acme
changed from 1007 to 1705basic-auth
changed from 1001 to 1100hmac-auth
changed from 1000 to 1030jwt
changed from 1005 to 1450key-auth
changed from 1003 to 1250ldap-auth
changed from 1002 to 1200oauth2
changed from 1004 to 1400rate-limiting
changed from 901 to 910
- HTTP-log:
headers
field now only takes a single string per header name, where it previously took an array of values #6992 - AWS Lambda:
aws_region
field must be set through either plugin config or environment variables, allow bothhost
andaws_region
fields, and always apply SigV4 signature. #8082 - Serverless Functions Removed deprecated
config.functions
, please useconfig.access
instead. #8559 - Serverless Functions: The pre-functions plugin changed priority from
+inf
to1000000
. #8836 - JWT: The authenticated JWT is no longer put into the nginx context (ngx.ctx.authenticated_jwt_token). Custom plugins which depend on that value being set under that name must be updated to use Kong's shared context instead (kong.ctx.shared.authenticated_jwt_token) before upgrading to 3.0
- Prometheus: The prometheus metrics have been reworked extensively for 3.0.
- Latency has been split into 4 different metrics: kong_latency_ms, upstream_latency_ms and request_latency_ms (http) /tcp_session_duration_ms (stream). Buckets details below.
- Separate out Kong Latency Bucket values and Upstream Latency Bucket values.
consumer_status
removed.request_count
andconsumer_status
have been merged into justhttp_requests_total
. If theper_consumer
config is set false, the consumer label will be empty. If theper_consumer
config is true, it will be filled.http_requests_total
has a new labelsource
, set to eitherexit
,error
orservice
.- New Metric:
node_info
. Single gauge set to 1 that outputs the node's id and kong version. - All Memory metrics have a new label
node_id
nginx_http_current_connections
merged withnginx_stream_current_connection
intonginx_current_connections
#8712
- Prometheus: The plugin doesn't export status codes, latencies, bandwidth and upstream
healthcheck metrics by default. They can still be turned on manually by setting
status_code_metrics
,latency_metrics
,bandwidth_metrics
andupstream_health_metrics
respectively. Enabling those metrics will impact the performance if you have a large volume of Kong entities, we recommend using the statsd plugin with the push model if that is the case. And nowprometheus
plugin new grafana dashboard updated #9028 - ACME:
allow_any_domain
field added. It is default to false and if set to true, the gateway will ignore thedomains
field. #9047 - Statsd:
- The metric name that is related to the service has been renamed by adding a
service.
prefix. e.g.kong.service.<service_identifier>.request.count
#9046 - The metric
kong.<service_identifier>.request.status.<status>
andkong.<service_identifier>.user.<consumer_identifier>.request.status.<status>
has been renamed tokong.service.<service_identifier>.status.<status>
andkong.service.<service_identifier>.user.<consumer_identifier>.status.<status>
#9046 - The metric
*.status.<status>.total
from metricsstatus_count
andstatus_count_per_user
has been removed #9046
- The metric name that is related to the service has been renamed by adding a
- Proxy-cache: The plugin does not store the response data in
ngx.ctx.proxy_cache_hit
anymore. Logging plugins that need the response data must read it fromkong.ctx.shared.proxy_cache_hit
from Kong 3.0 on. #8607 - Rate-limiting: The default policy is now
local
for all deployment modes. #9344 - Response-rate-limiting: The default policy is now
local
for all deployment modes. #9344
- The
go_pluginserver_exe
andgo_plugins_dir
directives are no longer supported. #8552. If you are using Go plugin server, please migrate your plugins to use the Go PDK before upgrading. - The migration helper library (mostly used for Cassandra migrations) is no longer supplied with Kong #8781
- The path_handling algorithm
v1
is deprecated and only supported whenrouter_flavor
config option is set totraditional
. #9290
- The Kong constant
CREDENTIAL_USERNAME
with value ofX-Credential-Username
was removed. Kong plugins in general have moved (since #5516) to use constantCREDENTIAL_IDENTIFIER
with value ofX-Credential-Identifier
when setting the upstream headers for a credential. #8815 - Change the default of
lua_ssl_trusted_certificate
tosystem
#8602 to automatically load trusted CA list from system CA store. - Remove a warning of
AAAA
being experimental withdns_order
. - It is no longer possible to use a .lua format to import a declarative config from the
kong
command-line tool, only json and yaml are supported. If your update procedure with kong involves executingkong config db_import config.lua
, please create aconfig.json
orconfig.yml
and use that before upgrading. #8898 - We bumped the version number (
_format_version
) of declarative configuration to "3.0" because of changes onroute.path
. Declarative configuration with older version should be upgraded to "3.0" on the fly. #9078
- Postgres migrations can now have an
up_f
part like Cassandra migrations, designating a function to call. Theup_f
part is invoked after theup
part has been executed against the database for both Postgres and Cassandra. - A new CLI command,
kong migrations status
, generates the status on a JSON file.
- Bumped OpenResty from 1.19.9.1 to 1.21.4.1 #8850
- Bumped pgmoon from 1.13.0 to 1.15.0 #8908 #8429
- Bumped OpenSSL from 1.1.1n to 1.1.1q #9074 #8544 #8752 #8994
- Bumped resty.openssl from 0.8.8 to 0.8.10 #8592 #8753 #9023
- Bumped inspect from 3.1.2 to 3.1.3 #8589
- Bumped resty.acme from 0.7.2 to 0.8.1 #8680 #9165
- Bumped luarocks from 3.8.0 to 3.9.1 #8700 #9204
- Bumped luasec from 1.0.2 to 1.2.0 #8754 #8754
- Bumped resty.healthcheck from 1.5.0 to 1.6.1 #8755 #9018 #9150
- Bumped resty.cassandra from 1.5.1 to 1.5.2 #8845
- Bumped penlight from 1.12.0 to 1.13.1 #9206
- Bumped lua-resty-mlcache from 2.5.0 to 2.6.0 #9287
- Do not register unnecessary event handlers on Hybrid mode Control Plane nodes #8452.
- Use the new timer library to improve performance, except for the plugin server. #8912
- Increased use of caching for DNS queries by activating
additional_section
by default #8895 pdk.request.get_header
changed to a faster implementation, not to fetch all headers every time it's called #8716- Conditional rebuilding of router, plugins iterator and balancer on DP #8519, #8671
- Made config loading code more cooperative by yielding #8888
- Use LuaJIT encoder instead of JSON to serialize values faster in LMDB #8942
- Move inflating and JSON decoding non-concurrent, which avoids blocking and makes DP reloads faster #8959
- Stop duplication of some events #9082
- Improve performance of config hash calculation by using string buffer and tablepool #9073
- Reduce cache usage in dbless by not using the kong cache for Routes and Services in LMDB #8972
- Implemented delayed response in stream mode #6878
- Added
cache_key
on target entity for uniqueness detection. #8179 - Introduced the tracing API which compatible with OpenTelemetry API spec and
add build-in instrumentations.
The tracing API is intend to be used with a external exporter plugin.
Build-in instrumentation types and sampling rate are configuable through
opentelemetry_tracing
andopentelemetry_tracing_sampling_rate
options. #8724 - Added
path
,uri_capture
, andquery_arg
options to upstreamhash_on
for load balancing. #8701 - Introduced unix domain socket based
lua-resty-events
to replace shared memory basedlua-resty-worker-events
. #8890 - Introduced a new router implementation
atc-router
, which is written in Rust. #8938 - Introduce a new field for entities
table_name
that allows to specify a table name. Before the name was deduced by the entityname
attribute. #9182 - Added
headers
on active healthcheck for upstreams. #8255 - Target entities using hostnames were resolved when they were not needed. Now when a target is removed or updated, the DNS record associated with it is removed from the list of hostnames to be resolved. #8497 9265
- Improved error handling and debugging info in the DNS code #8902
- Kong will now attempt to recover from an unclean shutdown by detecting and removing dangling unix sockets in the prefix directory #9254
- Added a new API
/timers
to get the timer statistics. #8912 and worker info #8999 /
endpoint now includes plugin priority #8821
- Add wRPC protocol support. Now configuration synchronization is over wRPC. wRPC is an RPC protocol that encodes with ProtoBuf and transports with WebSocket. #8357
- To keep compatibility with earlier versions, add support for CP to fall back to the previous protocol to support old DP. #8834
- Add support to negotiate services supported with wRPC protocol. We will support more services than config sync over wRPC in the future. #8926
- Declarative config exports happen inside a transaction in Postgres #8586
- Sync all plugin versions to the Kong version #8772
- Introduced the new OpenTelemetry plugin that export tracing instrumentations
to any OTLP/HTTP compatible backend.
opentelemetry_tracing
configuration should be enabled to collect the core tracing spans of Kong. #8826 - Zipkin: add support for including HTTP path in span name
through configuration property
http_span_name
. #8150 - Zipkin: add support for socket connect and send/read timeouts
through configuration properties
connect_timeout
,send_timeout
, andread_timeout
. This can help mitigatengx.timer
saturation when upstream collectors are unavailable or slow. #8735 - AWS-Lambda: add support for cross account invocation through
configuration properties
aws_assume_role_arn
andaws_role_session_name
.#8900 #8900 - AWS-Lambda: accept string type
statusCode
as valid return when working in proxy integration mode. #8765 - AWS-Lambda: separate aws credential cache by IAM role ARN #8907
- Statsd: 🎆 Newly open-sourced plugin capabilities: All capabilities of Statsd Advanced are now bundled in Statsd. #9046
- A new configuration item (
openresty_path
) has been added to allow developers/operators to specify the OpenResty installation to use when running Kong (instead of using the system-installed OpenResty) #8412 - Add
ipv6only
to listen options (e.g.KONG_PROXY_LISTEN
) #9225 - Add
so_keepalive
to listen options (e.g.KONG_PROXY_LISTEN
) #9225 - Add LMDB dbless config persistence and removed the JSON based config cache for faster startup time #8670
nginx_events_worker_connections=auto
has a lower bound of 1024 #9276nginx_main_worker_rlimit_nofile=auto
has a lower bound of 1024 #9276
- Added new PDK function:
kong.request.get_start_time()
#8688 kong.db.*.cache_key()
falls back to.id
if nothing fromcache_key
is found #8553
- The schema validator now correctly converts
null
from declarative configurations tonil
. #8483 - Only reschedule router and plugin iterator timers after finishing previous execution, avoiding unnecessary concurrent executions. #8567
- External plugins now handle returned JSON with null member correctly. #8611
- Fixed an issue where the address of the environ variable could change but the code didn't assumed it was fixed after init #8581
- Fix issue where the Go plugin server instance would not be updated after a restart (e.g., upon a plugin server crash). #8547
- Fixed an issue on trying to reschedule the DNS resolving timer when Kong was being reloaded. #8702
- The private stream API has been rewritten to allow for larger message payloads #8641
- Fixed an issue that the client certificate sent to upstream was not updated when calling PATCH Admin API #8934
- Fixed an issue where the CP and wRPC modules would cause Kong to crash when calling
export_deflated_reconfigure_payload
without a pcall #8668 - Moved all
.proto
files to/usr/local/kong/include
and ordered by priority. #8914 - Fixed an issue that cause unexpected 404 error on creating/updating configs with invalid options #8831
- Fixed an issue that causes crashes when calling some PDK APIs #8604
- Fixed an issue that cause crashes when go PDK calls return arrays #8891
- Plugin servers now shutdowns gracefully when Kong exits #8923
- CLI now prompts with
[y/n]
instead of[Y/n]
, as it does not takey
as default #9114 - Improved the error message when Kong cannot connect to Cassandra on init #8847
- Fixed an issue where Vault Subschema wasn't loaded in
off
strategy #9174 - The Schema now runs select transformations before process_auto_fields #9049
- Fixed an issue where Kong would use too many timers to keep track of upstreams when
worker_consistency
=eventual
#8694, #8858 - Fixed an issue where it wasn't possible to set target status using only a hostname for targets set only by their hostname #8797
- Fixed pagination issue when getting to the second page while iterationg over a foreign key field using the DAO #9255
- Fixed an issue where cache entries of some entities were not being properly invalidated after a cascade delete #9261
- Running
kong start
when Kong is already running will no longer clobber the existing.kong_env
file #9254
- Support HTTP/2 when requesting
/status
#8690
- Plugins with colliding priorities have now deterministic sorting based on their name #8957
- External Plugins: better handling of the logging when a plugin instance loses the instances_id in an event handler #8652
- ACME:
auth_method
default value is set totoken
#8565 - ACME: Added cache for
domains_matcher
#9048 - syslog:
conf.facility
default value is now set touser
#8564 - AWS-Lambda: Removed
proxy_scheme
field from schema #8566 - AWS-Lambda: Change path from request_uri to upstream_uri, fix uri can not follow the rule defined in the request-transformer configuration #9058 #9129
- hmac-auth: Removed deprecated signature format using
ngx.var.uri
#8558 - Remove deprecated
blacklist
/whitelist
config fields from bot-detection, ip-restriction and ACL plugins. #8560 - Zipkin: Correct the balancer spans' duration to include the connection time from Nginx to the upstream. #8848
- Zipkin: Correct the calculation of the header filter start time #9230
- Zipkin: Compatibility with the latest Jaeger header spec, which makes
parent_id
optional #8352 - LDAP-Auth: Refactored ASN.1 parser using OpenSSL API through FFI. #8663
- Rate-Limiting and Response-ratelimiting: Fix a disordered behaviour caused by
pairs
function which may cause Postgres DEADLOCK problem #8968 - Response-rate-Limiting: Fix a disordered behaviour caused by
pairs
function which may cause Postgres DEADLOCK problem #8968 - gRPC gateway: Fix the handling of boolean fields from URI arguments #9180
- Serverless Functions: Fix problem that could result in a crash #9269
- Azure-functions: Support working without dummy service #9177
- The cluster listener now uses the value of
admin_error_log
for its log file instead ofproxy_error_log
#8583 - Fixed a typo in some business logic that checks the Kong role before setting a value in cache at startup #9060
- Fixed DP get zero size config while service with plugin-enabled route is disabled #8816
- Localize
config_version
to avoid a race condition from the new yielding config loading code #8188
kong.response.get_source()
now return an error instead of an exit when plugin throws runtime exception on access phase #8599kong.tools.uri.normalize()
now does escaping of reserved and unreserved characters more correctly #8140
Please see CHANGELOG-OLD.md file for < 3.0 releases.