CINXE.COM
Kong Gateway Enterprise Changelog | Kong Docs
<!DOCTYPE html> <html lang="en-US" itemscope itemtype="http://schema.org/Article"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- OneTrust Cookies Consent Notice start for konghq.com --> <script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="2c4de954-6bec-4e93-8086-64cb113f151a"> </script> <script type="text/javascript"> function OptanonWrapper() { } </script> <!-- OneTrust Cookies Consent Notice end for konghq.com --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer', 'GTM-NL48VKT');</script> <!-- End Google Tag Manager --> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Kong Gateway Enterprise Changelog | Kong Docs</title> <meta name="description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta name="author" content="KongHQ"> <meta property="og:title" content="Kong Gateway Enterprise Changelog | Kong Docs"> <meta property="og:site_name" content="Kong Docs"> <!-- use share link for facebook --> <meta property="og:url" content="https://docs.konghq.com"> <meta property="og:description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta property="og:type" content="website"> <meta property="og:locale" content="en_US"> <meta property="og:image" content="https://docs.konghq.com/assets/images/share.png"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@thekonginc"> <meta name="twitter:creator" content="@thekonginc"> <meta name="twitter:url" content="https://docs.konghq.com"> <meta name="twitter:description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta name="twitter:image" content="https://docs.konghq.com/assets/images/share.png"> <meta property="fb:admins" content="227304446"> <meta property="fb:admins" content="576641408"> <meta name="google-site-verification" content="CrU3zp02dNKTe8NSAipL4NCPkrIjDXG8fViTZ-MIzP4"> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "Organization", "name": "KongHQ", "url": "https://docs.konghq.com", "logo": "https://docs.konghq.com/assets/images/logo.png", "sameAs": [ "https://www.facebook.com/konginc", "https://twitter.com/thekonginc", "https://plus.google.com/+mashape" ] } </script> <!-- Preload assets --> <link rel="dns-prefetch" href="https://cloud.typography.com"> <link rel="dns-prefetch" href="https://dev.visualwebsiteoptimizer.com"> <link rel="dns-prefetch" href="https://cdn.segment.com"> <link rel="icon" type="image/x-icon" href="/assets/images/favicon.ico"> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@docsearch/css@3"> <link rel="canonical" href="https://docs.konghq.com/gateway/changelog/"> <link rel="alternate" hreflang="x-default" href="https://docs.konghq.com/gateway/changelog/"> <link rel="alternate" hreflang="ja" href="https://docs.jp.konghq.com/gateway/changelog/"> <meta name="robots" content="follow,index"> <!-- FontAwesome icon font --> <script src="https://kit.fontawesome.com/1332a92967.js" crossorigin="anonymous"> </script> <script src="/vite/assets/application-D8sXFsvE.js" crossorigin="anonymous" type="module"></script> <link href="/vite/assets/_commonjsHelpers-Cpj98o6Y.js" rel="modulepreload" as="script" crossorigin="anonymous"> <link rel="stylesheet" href="/vite/assets/application-C5Quk452.css" media="screen"> </head> <body id="" data-spy="scroll" data-target="#scroll-sidebar" data-offset="350"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NL48VKT" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <header class="navbar-v2 closed"> <a class="skip-main" href="#main">Skip to content</a> <!-- uncomment the promo-banner div when adding a new promo banner--> <!--also uncomment the promo banner sections in app/assets/stylesheets/header.less and application.js--> <!-- <div id="promo-banner"> <div class="container"> <div class="closebanner"></div> <strong>2024 API Summit Hackathon: Experiment with API Innovation & AI. Submit by Sept 11 —<a href="https://konghq.com/conferences/kong-summit/hackathon?utm_medium=website&utm_source=docs-konghq-com&utm_campaign=docs-banner">Enter Now →</a> </strong> </div> </div> --> <div class="navbar-content"> <a href="https://konghq.com" class="navbar-brand col col-xl-auto" target="_blank" rel="noopener noreferrer"> <img src="/assets/images/logos/konglogo-dark-theme.svg" alt="Kong Logo" id="kong-logo"> </a> <span class="logo-divider">|</span> <a href="/" class="navbar-brand col col-xl-auto"> <img src="/assets/images/logos/docslogo-dark-theme.svg" alt="Kong Docs Logo" id="kong-docs-logo"> </a> <div class="separator mobile"></div> <div class="search-input-wrapper" id="getkong-algolia-search-input"> </div> <div class="search-results-wrapper"></div> <div class="navbar-items" role="navigation" aria-label="Main menu"> <ul class="navbar-items" role="menubar"> <li id="top-module-list" aria-haspopup="true" role="menuitem" aria-expanded="false" class="navbar-item main-menu-item with-submenu active"> <span tabindex="0" id="docs-link" class="main-menu-item-title">Docs</span> <span class="caret"></span> <ul class="navbar-item-submenu" role="menu"> <div class="submenu-section"> <li role="menuitem" class="docs-dropdown-li"> <a href="/api/" class="docs-dropdown-li__link" tabindex="-1"> <div class="docs-dropdown-li__card"> <span class="heading">Explore the API Specs</span> <div class="docs-dropdown-li__card-link"> <img src="/assets/images/landing-page/view-all-api-specs.png" alt="View all API Specs"> <span class="docs-dropdown-li__card-image"> View all API Specs <img src="/assets/images/landing-page/arrow-right.svg" alt="View all API Specs arrow image"> </span> </div> </div> </a> </li> <li role="menuitem" class="docs-dropdown-li" tabindex="-1"> <div class="docs-dropdown-li__section"> <div class="docs-dropdown-li__section-title"> <span class="heading">Documentation</span> </div> <div class="docs-dropdown-li__section-items"> <a class="item item-all" href="/api/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">API Specs</div> </div> </a> <a class="item" href="/gateway/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Gateway</div> <div class="item__description-desc">Lightweight, fast, and flexible cloud-native API gateway</div> </div> </a> <a class="item" href="/konnect/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Konnect</div> <div class="item__description-desc">Single platform for SaaS end-to-end connectivity</div> </div> </a> <a class="item" href="/gateway/latest/ai-gateway/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong AI Gateway</div> <div class="item__description-desc">Multi-LLM AI Gateway for GenAI infrastructure</div> </div> </a> <a class="item" href="/mesh/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Mesh</div> <div class="item__description-desc">Enterprise service mesh based on Kuma and Envoy</div> </div> </a> <a class="item" href="/deck/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">decK</div> <div class="item__description-desc">Helps manage Kong’s configuration in a declarative fashion</div> </div> </a> <a class="item" href="/kubernetes-ingress-controller/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Ingress Controller</div> <div class="item__description-desc">Works inside a Kubernetes cluster and configures Kong to proxy traffic</div> </div> </a> <a class="item" href="/gateway-operator/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Gateway Operator</div> <div class="item__description-desc">Manage your Kong deployments on Kubernetes using YAML Manifests</div> </div> </a> <a class="item" href="https://docs.insomnia.rest/" tabindex="-1" target="_blank" rel="noopener nofollow noreferrer "> <div class="item__description"> <div class="item__description-title">Insomnia</div> <div class="item__description-desc">Collaborative API development platform</div> </div> </a> </div> </div> </li> </div> </ul> </li> <li role="menuitem" aria-haspopup="true" aria-expanded="false" class="navbar-item main-menu-item with-submenu navbar-item-hub"> <span id="plugin-link" class="main-menu-item-title" tabindex="0">Plugin Hub</span> <span class="caret"></span> <ul class="navbar-item-submenu" role="menu"> <div class="submenu-section"> <li role="menuitem" class="docs-dropdown-li"> <a href="/hub/" class="docs-dropdown-li__link" tabindex="-1"> <div class="docs-dropdown-li__card"> <span class="heading">Explore the Plugin Hub</span> <div class="docs-dropdown-li__card-link"> <img src="/assets/images/landing-page/view-all-plugins.svg" alt="View all plugins"> <span class="docs-dropdown-li__card-image"> View all plugins <img src="/assets/images/landing-page/arrow-right.svg" alt="View all plugins arrow image"> </span> </div> </div> </a> </li> <li role="menuitem" class="docs-dropdown-li"> <div class="docs-dropdown-li__section"> <div class="docs-dropdown-li__section-title"> <span class="heading">Functionality</span> <a href="/hub/" class="view-all" tabindex="-1"> View all <img src="/assets/images/landing-page/arrow-right.svg" alt="View all arrow image"> </a> </div> <div class="docs-dropdown-li__section-items"> <a class="item item-all" href="/hub/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">View all plugins</div> </div> </a> <a class="item" href="/hub/?category=ai" tabindex="-1"> <div> <img src="/assets/images/nav/hub/ai.svg" alt="AI's icon"> </div> <div class="item__description"> <div class="item__description-title">AI</div> <div class="item__description-desc">Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins</div> </div> </a> <a class="item" href="/hub/?category=authentication" tabindex="-1"> <div> <img src="/assets/images/nav/hub/lock_person.svg" alt="Authentication's icon"> </div> <div class="item__description"> <div class="item__description-title">Authentication</div> <div class="item__description-desc">Protect your services with an authentication layer</div> </div> </a> <a class="item" href="/hub/?category=security" tabindex="-1"> <div> <img src="/assets/images/nav/hub/shield.svg" alt="Security's icon"> </div> <div class="item__description"> <div class="item__description-title">Security</div> <div class="item__description-desc">Protect your services with additional security layer</div> </div> </a> <a class="item" href="/hub/?category=traffic-control" tabindex="-1"> <div> <img src="/assets/images/nav/hub/route.svg" alt="Traffic Control's icon"> </div> <div class="item__description"> <div class="item__description-title">Traffic Control</div> <div class="item__description-desc">Manage, throttle and restrict inbound and outbound API traffic</div> </div> </a> <a class="item" href="/hub/?category=serverless" tabindex="-1"> <div> <img src="/assets/images/nav/hub/serverless.svg" alt="Serverless's icon"> </div> <div class="item__description"> <div class="item__description-title">Serverless</div> <div class="item__description-desc">Invoke serverless functions in combination with other plugins</div> </div> </a> <a class="item" href="/hub/?category=analytics-monitoring" tabindex="-1"> <div> <img src="/assets/images/nav/hub/bar_chart.svg" alt="Analytics & Monitoring's icon"> </div> <div class="item__description"> <div class="item__description-title">Analytics & Monitoring</div> <div class="item__description-desc">Visualize, inspect and monitor APIs and microservices traffic</div> </div> </a> <a class="item" href="/hub/?category=transformations" tabindex="-1"> <div> <img src="/assets/images/nav/hub/swap_horiz.svg" alt="Transformations's icon"> </div> <div class="item__description"> <div class="item__description-title">Transformations</div> <div class="item__description-desc">Transform request and responses on the fly on Kong</div> </div> </a> <a class="item" href="/hub/?category=logging" tabindex="-1"> <div> <img src="/assets/images/nav/hub/list_alt.svg" alt="Logging's icon"> </div> <div class="item__description"> <div class="item__description-title">Logging</div> <div class="item__description-desc">Log request and response data using the best transport for your infrastructure</div> </div> </a> </div> </div> </li> </div> </ul> </li> <li role="menuitem" class="main-menu-item"> <a href="https://support.konghq.com/" class="navbar-item" target="_blank" rel="noopener nofollow noreferrer ">Support</a> </li> <li role="menuitem" class="main-menu-item"> <a href="https://konghq.com/community/" class="navbar-item" target="_blank" rel="noopener noreferrer">Community</a> </li> <li role="menuitem" class="main-menu-item"> <a href="https://education.konghq.com" class="navbar-item" target="_blank" rel="noopener nofollow noreferrer ">Kong Academy</a> </li> </ul> <a id="top-cta" href="https://konghq.com/contact-sales?utm_source=docs.konghq.com" class="navbar-button" target="_blank" rel="noopener nofollow noreferrer "> Get a Demo </a> <a id="konnect-cta" href="https://konghq.com/products/kong-konnect/register?utm_medium=referral&utm_source=docs&utm_campaign=gateway-konnect&utm_content=top-nav" class="navbar-button" target="_blank" rel="noopener nofollow noreferrer "> Start Free Trial </a> </div> <div id="navbar-menu-toggle-button" class="small-screen-button" aria-label="Toggle navigation"> <div></div> <div></div> <div></div> </div> </div> </header> <div class="page v2 " data-url="/gateway/changelog/"> <div class="page--header-background page--header-background-doc"></div> <div class="container"> <header class="page-header page-header-doc"> <div class="page-header-product-version"> <div class="edition"> Kong Gateway </div> </div> <div class="page-header--nav"> <i class="sidebar-toggle"></i> <ul class="breadcrumbs"> <li class="breadcrumb-item"> <a href="/"> <img src="/assets/images/icons/hub-layout/icn-breadcrumbs.svg" alt="Home icon"> </a> </li> <li class="breadcrumb-item"> <a href="/gateway/latest/">Kong Gateway</a> </li> <li class="breadcrumb-item"> Changelog </li> <li class="breadcrumb-item"> <a href="/gateway/changelog/">Kong Gateway Enterprise Changelog</a> </li> </ul> <div class="github-links"> <div class="github-links--edit"> <a href="https://github.com/Kong/docs.konghq.com/edit/main/app/gateway/changelog.md" target="_blank" rel="noopener nofollow noreferrer "> <img src="/assets/images/icons/third-party/logo-github-white.svg" alt="github-edit-page">Edit this page </a> </div> <div class="github-links--issues"> <a href="https://github.com/Kong/docs.konghq.com/issues/" target="_blank" rel="noopener nofollow noreferrer "> <img src="/assets/images/icons/documentation/icn-monitoring-white.svg" alt="report-issue">Report an issue</a> </div> </div> </div> </header> <aside class="docs-toc"> <i class="fa fa-times close-sidebar"></i> <i class="fa fa-chevron-right collapse-toc"></i> <i class="far fa-list-alt expand-toc"></i> <div id="oss-ee-toggle" data-current="Enterprise" style="display: none"> <span class="oss-ee-toggle-inner"> <img src="/assets/images/icons/icn-enterprise-black.svg" alt="enterprise-switcher-icon"> <span>Switch to <span id="switch-to-version">OSS</span></span> </span> </div> <div class="docs-toc-title"> <img src="/assets/images/icons/hub-layout/icn-on-this-page.svg" alt="On this page"><a href="#">On this page</a> </div> <ul> <li> <a href="#3901" class="active scroll-to">3.9.0.1</a> <ul> <li><a href="#fixes" class="scroll-to">Fixes</a></li> <li><a href="#dependencies" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3900" class="scroll-to">3.9.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features" class="scroll-to">Features</a></li> <li><a href="#fixes-1" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-1" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3810" class="scroll-to">3.8.1.0</a> <ul> <li><a href="#features-1" class="scroll-to">Features</a></li> <li><a href="#fixes-2" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-2" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3800" class="scroll-to">3.8.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations-1" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-2" class="scroll-to">Features</a></li> <li><a href="#fixes-3" class="scroll-to">Fixes</a></li> <li><a href="#performance" class="scroll-to">Performance</a></li> <li><a href="#dependencies-3" class="scroll-to">Dependencies</a></li> <li><a href="#known-issues" class="scroll-to">Known issues</a></li> </ul> </li> <li> <a href="#3713" class="scroll-to">3.7.1.3</a> <ul> <li><a href="#fixes-4" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-4" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3712" class="scroll-to">3.7.1.2</a> <ul> <li><a href="#deprecations" class="scroll-to">Deprecations</a></li> <li><a href="#features-3" class="scroll-to">Features</a></li> <li><a href="#fixed" class="scroll-to">Fixed</a></li> <li><a href="#dependencies-5" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3711" class="scroll-to">3.7.1.1</a> <ul> <li><a href="#fixes-5" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3710" class="scroll-to">3.7.1.0</a> <ul> <li><a href="#known-issues-1" class="scroll-to">Known issues</a></li> <li><a href="#features-4" class="scroll-to">Features</a></li> <li><a href="#fixes-6" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-6" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3700" class="scroll-to">3.7.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations-2" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-5" class="scroll-to">Features</a></li> <li><a href="#performance-1" class="scroll-to">Performance</a></li> <li><a href="#fixes-7" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-7" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3618" class="scroll-to">3.6.1.8</a> <ul> <li><a href="#features-6" class="scroll-to">Features</a></li> <li><a href="#fixes-8" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-8" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3617" class="scroll-to">3.6.1.7</a> <ul> <li><a href="#features-7" class="scroll-to">Features</a></li> <li><a href="#deprecations-1" class="scroll-to">Deprecations</a></li> <li><a href="#dependencies-9" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3616" class="scroll-to">3.6.1.6</a> <ul> <li><a href="#fixes-9" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3615" class="scroll-to">3.6.1.5</a> <ul> <li><a href="#known-issues-2" class="scroll-to">Known issues</a></li> <li><a href="#features-8" class="scroll-to">Features</a></li> <li><a href="#fixes-10" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-10" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3614" class="scroll-to">3.6.1.4</a> <ul> <li><a href="#features-9" class="scroll-to">Features</a></li> <li><a href="#fixes-11" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-11" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3613" class="scroll-to">3.6.1.3</a> <ul> <li><a href="#fixes-12" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3612" class="scroll-to">3.6.1.2</a> <ul> <li><a href="#features-10" class="scroll-to">Features</a></li> <li><a href="#fixes-13" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3611" class="scroll-to">3.6.1.1</a> <ul> <li><a href="#fixes-14" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3610" class="scroll-to">3.6.1.0</a> <ul> <li><a href="#features-11" class="scroll-to">Features</a></li> <li><a href="#fixes-15" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3600" class="scroll-to">3.6.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations-3" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-12" class="scroll-to">Features</a></li> <li><a href="#fixes-16" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-13" class="scroll-to">Dependencies</a></li> <li><a href="#known-issues-3" class="scroll-to">Known issues</a></li> </ul> </li> <li> <a href="#3507" class="scroll-to">3.5.0.7</a> <ul> <li><a href="#deprecations-2" class="scroll-to">Deprecations</a></li> <li><a href="#features-13" class="scroll-to">Features</a></li> </ul> </li> <li> <a href="#3506" class="scroll-to">3.5.0.6</a> <ul> <li><a href="#fixes-17" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3505" class="scroll-to">3.5.0.5</a> <ul> <li><a href="#known-issues-4" class="scroll-to">Known issues</a></li> <li><a href="#features-14" class="scroll-to">Features</a></li> <li><a href="#fixes-18" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-14" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3504" class="scroll-to">3.5.0.4</a> <ul> <li><a href="#breaking-changes" class="scroll-to">Breaking Changes</a></li> <li><a href="#features-15" class="scroll-to">Features</a></li> <li><a href="#fixes-19" class="scroll-to">Fixes</a></li> <li><a href="#performance-3" class="scroll-to">Performance</a></li> <li><a href="#dependencies-15" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3503" class="scroll-to">3.5.0.3</a> <ul> <li><a href="#features-16" class="scroll-to">Features</a></li> <li><a href="#fixes-20" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-16" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3502" class="scroll-to">3.5.0.2</a> <ul> <li><a href="#breaking-changes-1" class="scroll-to">Breaking Changes</a></li> <li><a href="#features-17" class="scroll-to">Features</a></li> <li><a href="#fixes-21" class="scroll-to">Fixes</a></li> <li><a href="#performance-4" class="scroll-to">Performance</a></li> <li><a href="#dependencies-17" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3501" class="scroll-to">3.5.0.1</a> <ul> <li><a href="#fixes-22" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3500" class="scroll-to">3.5.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations-4" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-18" class="scroll-to">Features</a></li> <li><a href="#fixes-23" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-18" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#34316" class="scroll-to">3.4.3.16</a> <ul> <li><a href="#dependencies-19" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#34315" class="scroll-to">3.4.3.15</a> <ul> <li><a href="#fixes-24" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-20" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#34314" class="scroll-to">3.4.3.14</a> <ul> <li><a href="#fixes-25" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#34313" class="scroll-to">3.4.3.13</a> <ul> <li><a href="#features-19" class="scroll-to">Features</a></li> <li><a href="#fixes-26" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-21" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#34312" class="scroll-to">3.4.3.12</a> <ul> <li><a href="#deprecations-3" class="scroll-to">Deprecations</a></li> <li><a href="#features-20" class="scroll-to">Features</a></li> <li><a href="#fixes-27" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#34311" class="scroll-to">3.4.3.11</a> <ul> <li><a href="#fixes-28" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#34310" class="scroll-to">3.4.3.10</a> <ul> <li><a href="#known-issues-5" class="scroll-to">Known issues</a></li> <li><a href="#fixes-29" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-22" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3439" class="scroll-to">3.4.3.9</a> <ul> <li><a href="#features-21" class="scroll-to">Features</a></li> <li><a href="#fixes-30" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-23" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3438" class="scroll-to">3.4.3.8</a> <ul> <li><a href="#features-22" class="scroll-to">Features</a></li> <li><a href="#fixes-31" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-24" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3437" class="scroll-to">3.4.3.7</a> <ul> <li><a href="#features-23" class="scroll-to">Features</a></li> <li><a href="#fixes-32" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-25" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3436" class="scroll-to">3.4.3.6</a> <ul> <li><a href="#features-24" class="scroll-to">Features</a></li> <li><a href="#fixes-33" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-26" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3435" class="scroll-to">3.4.3.5</a> <ul> <li><a href="#breaking-changes-2" class="scroll-to">Breaking changes</a></li> <li><a href="#features-25" class="scroll-to">Features</a></li> <li><a href="#fixes-34" class="scroll-to">Fixes</a></li> <li><a href="#performance-5" class="scroll-to">Performance</a></li> <li><a href="#dependencies-27" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3434" class="scroll-to">3.4.3.4</a> <ul> <li><a href="#features-26" class="scroll-to">Features</a></li> <li><a href="#fixes-35" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-28" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3433" class="scroll-to">3.4.3.3</a> <ul> <li><a href="#features-27" class="scroll-to">Features</a></li> <li><a href="#fixes-36" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-29" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3432" class="scroll-to">3.4.3.2</a> <ul> <li><a href="#features-28" class="scroll-to">Features</a></li> <li><a href="#fixes-37" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3431" class="scroll-to">3.4.3.1</a> <ul> <li><a href="#breaking-changes-3" class="scroll-to">Breaking Changes</a></li> <li><a href="#features-29" class="scroll-to">Features</a></li> <li><a href="#fixes-38" class="scroll-to">Fixes</a></li> <li><a href="#performance-6" class="scroll-to">Performance</a></li> <li><a href="#dependencies-30" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3420" class="scroll-to">3.4.2.0</a> <ul> <li><a href="#features-30" class="scroll-to">Features</a></li> <li><a href="#fixes-39" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-31" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3411" class="scroll-to">3.4.1.1</a> <ul> <li><a href="#fixes-40" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-32" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3410" class="scroll-to">3.4.1.0</a> <ul> <li><a href="#breaking-changes-4" class="scroll-to">Breaking Changes</a></li> <li><a href="#features-31" class="scroll-to">Features</a></li> <li><a href="#fixes-41" class="scroll-to">Fixes</a></li> <li><a href="#kong-manager-17" class="scroll-to">Kong Manager</a></li> <li><a href="#dependencies-33" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3400" class="scroll-to">3.4.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations-5" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-32" class="scroll-to">Features</a></li> <li><a href="#fixes-42" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-34" class="scroll-to">Dependencies</a></li> <li><a href="#known-issues-6" class="scroll-to">Known issues</a></li> </ul> </li> <li> <a href="#3311" class="scroll-to">3.3.1.1</a> <ul> <li><a href="#breaking-changes-5" class="scroll-to">Breaking Changes</a></li> <li><a href="#features-33" class="scroll-to">Features</a></li> <li><a href="#fixes-43" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-35" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3310" class="scroll-to">3.3.1.0</a> <ul> <li><a href="#fixes-44" class="scroll-to">Fixes</a></li> <li><a href="#deprecations-4" class="scroll-to">Deprecations</a></li> </ul> </li> <li> <a href="#3300" class="scroll-to">3.3.0.0</a> <ul> <li><a href="#breaking-changes-and-deprecations-6" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-34" class="scroll-to">Features</a></li> <li><a href="#fixes-45" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-36" class="scroll-to">Dependencies</a></li> <li><a href="#known-issues-7" class="scroll-to">Known Issues</a></li> </ul> </li> <li> <a href="#3225" class="scroll-to">3.2.2.5</a> <ul> <li><a href="#fixes-46" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-37" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3224" class="scroll-to">3.2.2.4</a> <ul> <li><a href="#breaking-changes-and-deprecations-7" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#fixes-47" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-38" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3223" class="scroll-to">3.2.2.3</a> <ul> <li><a href="#fixes-48" class="scroll-to">Fixes</a></li> <li><a href="#deprecations-5" class="scroll-to">Deprecations</a></li> </ul> </li> <li> <a href="#3222" class="scroll-to">3.2.2.2</a> <ul> <li><a href="#fixes-49" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3221" class="scroll-to">3.2.2.1</a> <ul> <li><a href="#fixes-50" class="scroll-to">Fixes</a></li> <li><a href="#deprecations-6" class="scroll-to">Deprecations</a></li> </ul> </li> <li> <a href="#3220" class="scroll-to">3.2.2.0</a> <ul> <li><a href="#fixes-51" class="scroll-to">Fixes</a></li> <li><a href="#known-issues-8" class="scroll-to">Known issues</a></li> </ul> </li> <li> <a href="#3210" class="scroll-to">3.2.1.0</a> <ul> <li><a href="#deprecations-7" class="scroll-to">Deprecations</a></li> <li><a href="#breaking-changes-6" class="scroll-to">Breaking changes</a></li> <li><a href="#features-35" class="scroll-to">Features</a></li> <li><a href="#fixes-52" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-39" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3116" class="scroll-to">3.1.1.6</a> <ul> <li><a href="#fixes-53" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-40" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3115" class="scroll-to">3.1.1.5</a> <ul> <li><a href="#features-36" class="scroll-to">Features</a></li> <li><a href="#fixes-54" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-41" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#3114" class="scroll-to">3.1.1.4</a> <ul> <li><a href="#features-37" class="scroll-to">Features</a></li> <li><a href="#fixes-55" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3113" class="scroll-to">3.1.1.3</a> <ul> <li><a href="#fixes-56" class="scroll-to">Fixes</a></li> <li><a href="#upgrades" class="scroll-to">Upgrades</a></li> </ul> </li> <li> <a href="#3112" class="scroll-to">3.1.1.2</a> <ul> <li><a href="#features-38" class="scroll-to">Features</a></li> <li><a href="#fixes-57" class="scroll-to">Fixes</a></li> <li><a href="#deprecations-8" class="scroll-to">Deprecations</a></li> <li><a href="#known-issues-9" class="scroll-to">Known issues</a></li> </ul> </li> <li> <a href="#3100" class="scroll-to">3.1.0.0</a> <ul> <li><a href="#features-39" class="scroll-to">Features</a></li> <li><a href="#known-limitations" class="scroll-to">Known limitations</a></li> <li><a href="#fixes-58" class="scroll-to">Fixes</a></li> <li><a href="#breaking-changes-7" class="scroll-to">Breaking changes</a></li> </ul> </li> <li> <a href="#3010" class="scroll-to">3.0.1.0</a> <ul> <li><a href="#features-40" class="scroll-to">Features</a></li> <li><a href="#fixes-59" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#3000" class="scroll-to">3.0.0.0</a> <ul> <li><a href="#features-41" class="scroll-to">Features</a></li> <li><a href="#known-limitations-1" class="scroll-to">Known limitations</a></li> <li><a href="#breaking-changes-and-deprecations-8" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#fixes-60" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-42" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#28413" class="scroll-to">2.8.4.13</a> <ul> <li><a href="#breaking-changes-8" class="scroll-to">Breaking Changes</a></li> <li><a href="#fixes-61" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#28412" class="scroll-to">2.8.4.12</a> <ul> <li><a href="#breaking-changes-and-deprecations-9" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#fixes-62" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#28411" class="scroll-to">2.8.4.11</a> <ul> <li><a href="#fixes-63" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#28410" class="scroll-to">2.8.4.10</a> <ul> <li><a href="#known-issues-10" class="scroll-to">Known issues</a></li> <li><a href="#features-42" class="scroll-to">Features</a></li> <li><a href="#fixes-64" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-44" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2849" class="scroll-to">2.8.4.9</a> <ul> <li><a href="#fixes-65" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2848" class="scroll-to">2.8.4.8</a> <ul> <li><a href="#features-43" class="scroll-to">Features</a></li> <li><a href="#fixes-66" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-45" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2847" class="scroll-to">2.8.4.7</a> <ul> <li><a href="#fixes-67" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2846" class="scroll-to">2.8.4.6</a> <ul> <li><a href="#fixes-68" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-46" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2845" class="scroll-to">2.8.4.5</a> <ul> <li><a href="#features-44" class="scroll-to">Features</a></li> <li><a href="#fixes-69" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-47" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2844" class="scroll-to">2.8.4.4</a> <ul> <li><a href="#fixes-70" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2843" class="scroll-to">2.8.4.3</a> <ul> <li><a href="#breaking-changes-and-deprecations-10" class="scroll-to">Breaking changes and deprecations</a></li> <li><a href="#features-45" class="scroll-to">Features</a></li> <li><a href="#fixes-71" class="scroll-to">Fixes</a></li> <li><a href="#performance-9" class="scroll-to">Performance</a></li> <li><a href="#dependencies-48" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2842" class="scroll-to">2.8.4.2</a> <ul> <li><a href="#fixes-72" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-49" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2841" class="scroll-to">2.8.4.1</a> <ul> <li><a href="#breaking-changes-9" class="scroll-to">Breaking Changes</a></li> <li><a href="#features-46" class="scroll-to">Features</a></li> <li><a href="#fixes-73" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-50" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2840" class="scroll-to">2.8.4.0</a> <ul> <li><a href="#features-47" class="scroll-to">Features</a></li> <li><a href="#fixes-74" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2824" class="scroll-to">2.8.2.4</a> <ul> <li><a href="#fixes-75" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2823" class="scroll-to">2.8.2.3</a> <ul> <li><a href="#fixes-76" class="scroll-to">Fixes</a></li> <li><a href="#known-limitations-2" class="scroll-to">Known limitations</a></li> </ul> </li> <li> <a href="#2822" class="scroll-to">2.8.2.2</a> <ul> <li><a href="#fixes-77" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2821" class="scroll-to">2.8.2.1</a> <ul> <li><a href="#fixes-78" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2820" class="scroll-to">2.8.2.0</a> <ul> <li><a href="#fixes-79" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2814" class="scroll-to">2.8.1.4</a> <ul> <li><a href="#dependencies-51" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2813" class="scroll-to">2.8.1.3</a> <ul> <li><a href="#features-48" class="scroll-to">Features</a></li> <li><a href="#fixes-80" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2812" class="scroll-to">2.8.1.2</a> <ul> <li><a href="#fixes-81" class="scroll-to">Fixes</a></li> <li><a href="#deprecated" class="scroll-to">Deprecated</a></li> </ul> </li> <li> <a href="#2811" class="scroll-to">2.8.1.1</a> <ul> <li><a href="#features-49" class="scroll-to">Features</a></li> <li><a href="#fixes-82" class="scroll-to">Fixes</a></li> </ul> </li> <li> <a href="#2810" class="scroll-to">2.8.1.0</a> <ul> <li><a href="#fixes-83" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-52" class="scroll-to">Dependencies</a></li> </ul> </li> <li> <a href="#2800" class="scroll-to">2.8.0.0</a> <ul> <li><a href="#features-50" class="scroll-to">Features</a></li> <li><a href="#fixes-84" class="scroll-to">Fixes</a></li> <li><a href="#dependencies-53" class="scroll-to">Dependencies</a></li> <li><a href="#deprecated-1" class="scroll-to">Deprecated</a></li> </ul> </li> </ul> </aside> <div class="page-content-container page-content-container-doc v2 no-sidebar" id="documentation"> <div class="toggles no-sidebar"> <i class="far fa-list-alt toc-sidebar-toggle"></i> </div> <div class="page-content"> <div class="content show-anchor-links"> <h1 tabindex="-1" id="main" class="page-content-title">Kong Gateway Enterprise Changelog </h1> <!-- vale off --> <p>Changelog for supported Kong Gateway Enterprise versions.</p> <p>For Kong Gateway OSS, view the <a href="https://github.com/Kong/kong/tree/master/changelog" target="_blank" rel="noopener nofollow noreferrer ">OSS changelog on GitHub</a>.</p> <p>For product versions that have reached the end of sunset support, see the <a href="https://legacy-gateway--kongdocs.netlify.app/enterprise/changelog/" target="_blank" rel="noopener nofollow noreferrer ">changelog archives</a>.</p> <h2 id="3901">3.9.0.1</h2> <p><strong>Release Date</strong> 2025/01/28</p> <h3 id="fixes">Fixes</h3> <h4 id="core">Core</h4> <ul> <li>Fixed an issue where consistent hashing did not correctly handle hyphenated-Pascal-case headers, leading to uneven distribution of requests across upstream targets.</li> <li>Fixed an issue where a certificate entity configured with a vault reference occasionally didn’t get refreshed on time when initialized with an invalid string.</li> </ul> <h4 id="plugins">Plugins</h4> <ul> <li> <p><strong>AI Plugins</strong>: Reverted the analytics container key from <code class="language-plaintext highlighter-rouge">proxy</code> to <code class="language-plaintext highlighter-rouge">ai-proxy</code> to align with previous versions.</p> </li> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Fixed an issue in the Azure provider where <code class="language-plaintext highlighter-rouge">model.options.upstream_path</code> overrides would always return a 404 error code.</li> <li>Fixed an issue where Azure streaming responses would be missing individual tokens.</li> <li>Fixed an issue where response streaming in Gemini and Bedrock providers was returning whole chat responses in one chunk.</li> <li>Fixed an issue where multimodal requests (in OpenAI format) would not transform properly when using the Gemini provider.</li> </ul> </li> <li> <a href="/hub/kong-inc/grpc-web/"><strong>gRPC-Web</strong></a> (<code class="language-plaintext highlighter-rouge">grpc-web</code>) and <a href="/hub/kong-inc/grpc-gateway/"><strong>gRPC-Gateway</strong></a> (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">TE</code> (transfer-encoding) header would not be sent to the upstream gRPC servers when <code class="language-plaintext highlighter-rouge">grpc-web</code> or <code class="language-plaintext highlighter-rouge">grpc-gateweay</code> were in use.</li> </ul> </li> </ul> <h3 id="dependencies">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.13.1 to 0.13.2.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">libexpat</code> from 2.6.2 to 2.6.4 to fix a crash in the <code class="language-plaintext highlighter-rouge">XML_ResumeParser</code> function caused by <code class="language-plaintext highlighter-rouge">XML_StopParser</code> stopping an uninitialized parser.</li> </ul> <h2 id="3900">3.9.0.0</h2> <p><strong>Release Date</strong> 2024/12/12</p> <h3 id="breaking-changes-and-deprecations">Breaking changes and deprecations</h3> <ul> <li>Manually specifying a <code class="language-plaintext highlighter-rouge">node_id</code> via Kong configuration is deprecated. The <code class="language-plaintext highlighter-rouge">node_id</code> parameter is planned to be removed in 4.x. <a href="https://github.com/Kong/kong/issues/13687" target="_blank" rel="noopener nofollow noreferrer ">#13687</a> </li> </ul> <h3 id="features">Features</h3> <h4 id="admin-api">Admin API</h4> <ul> <li>Added support for the YAML media-type (<code class="language-plaintext highlighter-rouge">application/yaml</code>) to the <code class="language-plaintext highlighter-rouge">/config</code> endpoint. <a href="https://github.com/Kong/kong/issues/13713" target="_blank" rel="noopener nofollow noreferrer ">#13713</a> </li> <li>Added the ability to remove the consumer list from the return value for consumer groups Admin API <code class="language-plaintext highlighter-rouge">/consumer_groups/:consumer_groups</code> when <code class="language-plaintext highlighter-rouge">list_consumers=false</code>.</li> <li>The following endpoints can now retrieve entity counts in DB-less mode: <ul> <li><code class="language-plaintext highlighter-rouge">/license/report</code></li> <li><code class="language-plaintext highlighter-rouge">/workspaces?counter</code></li> <li><code class="language-plaintext highlighter-rouge">/workspace/<workspace>/meta</code></li> </ul> </li> <li>The <code class="language-plaintext highlighter-rouge">belong_workspace</code> field of an admin can now be updated via the Admin API and Kong Manager.</li> <li>Wasm filters can now be configured via the <code class="language-plaintext highlighter-rouge">/plugins</code> Admin API endpoint.</li> </ul> <h4 id="cli">CLI</h4> <ul> <li>Added the <code class="language-plaintext highlighter-rouge">kong drain</code> CLI command to make the <code class="language-plaintext highlighter-rouge">/status/ready</code> endpoint return a <code class="language-plaintext highlighter-rouge">503 Service Unavailable</code> response. <a href="https://github.com/Kong/kong/issues/13838" target="_blank" rel="noopener nofollow noreferrer ">#13838</a> </li> </ul> <h4 id="clustering">Clustering</h4> <ul> <li>Added a remote procedure call (RPC) framework for hybrid mode deployments. <a href="https://github.com/Kong/kong/issues/12320" target="_blank" rel="noopener nofollow noreferrer ">#12320</a> </li> </ul> <h4 id="core-1">Core</h4> <ul> <li>Added the configuration parameter <code class="language-plaintext highlighter-rouge">admin_gui_auth_login_attempts_ttl</code> (default to <code class="language-plaintext highlighter-rouge">604800</code>) to allow users to specify a custom duration to wait before they can try log in again if they have exceeded the maximum login attempts. This is only meaningful when <code class="language-plaintext highlighter-rouge">admin_gui_auth_login_attempts</code> is a positive number.</li> <li>Added an ADA dependency: WHATWG-compliant and fast URL parser. <a href="https://github.com/Kong/kong/issues/13120" target="_blank" rel="noopener nofollow noreferrer ">#13120</a> </li> <li>Added a new LLM driver for interfacing with the Hugging Face inference API. The driver supports both serverless and dedicated LLM instances hosted by Hugging Face for conversational and text generation tasks. <a href="https://github.com/Kong/kong/issues/13484" target="_blank" rel="noopener nofollow noreferrer ">#13484</a> </li> <li>Added a <code class="language-plaintext highlighter-rouge">tls.disable_http2_alpn()</code> function patch for disabling HTTP/2 ALPN when performing a TLS handshake. <a href="https://github.com/Kong/kong/issues/13709" target="_blank" rel="noopener nofollow noreferrer ">#13709</a> </li> <li>Improved the output of the request debugger: <ul> <li>The resolution of field <code class="language-plaintext highlighter-rouge">total_time</code> is now in microseconds.</li> <li>A new field, <code class="language-plaintext highlighter-rouge">total_time_without_upstream</code>, shows the latency only introduced by Kong. <a href="https://github.com/Kong/kong/issues/13460" target="_blank" rel="noopener nofollow noreferrer ">#13460</a> </li> </ul> </li> <li>The embeddings driver can now cache the embeddings for a given model in the current request.</li> <li>Added an option for GitHub Actions to build nginx/OpenResty with debug symbols.</li> </ul> <h4 id="deployment">Deployment</h4> <ul> <li>Kong Gateway now supports Ubuntu 24.04 (Noble Numbat) with both open-source and Enterprise packages. <a href="https://github.com/Kong/kong/issues/13626" target="_blank" rel="noopener nofollow noreferrer ">#13626</a> </li> </ul> <h4 id="kong-manager">Kong Manager</h4> <ul> <li>Added a new feature for Kong Manager that supports multiple domains, enabling dynamic cross-origin access for Admin API requests. <a href="https://github.com/Kong/kong/issues/13664" target="_blank" rel="noopener nofollow noreferrer ">#13664</a> </li> <li>Kong Manager will now show a more friendly error message when failing to delete a service.</li> </ul> <h4 id="pdk">PDK</h4> <ul> <li>Added <code class="language-plaintext highlighter-rouge">kong.service.request.clear_query_arg(name)</code> to the PDK. <a href="https://github.com/Kong/kong/issues/13619" target="_blank" rel="noopener nofollow noreferrer ">#13619</a> </li> <li>Array and Map type span attributes are now supported by the tracing PDK. <a href="https://github.com/Kong/kong/issues/13818" target="_blank" rel="noopener nofollow noreferrer ">#13818</a> </li> </ul> <h4 id="plugins-1">Plugins</h4> <p><strong>New plugins:</strong></p> <ul> <li> <a href="/hub/kong-inc/redirect/"><strong>Redirect</strong></a> (<code class="language-plaintext highlighter-rouge">redirect</code>): Introduced the Redirect plugin, which lets you redirect requests to another location. <a href="https://github.com/Kong/kong/issues/13900" target="_blank" rel="noopener nofollow noreferrer ">#13900</a> </li> <li> <a href="/hub/kong-inc/injection-protection/"><strong>Injection Protection</strong></a> (<code class="language-plaintext highlighter-rouge">injection-protection</code>): Added the Injection Protection plugin, which supports blocking requests based on regex patterns.</li> <li> <a href="/hub/kong-inc/service-protection/"><strong>Service Protection</strong></a> (<code class="language-plaintext highlighter-rouge">service-protection</code>): Implemented a new plugin to protect services using request rate limiting.</li> </ul> <p><strong>Updates to existing plugins:</strong></p> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Disabled the HTTP/2 ALPN handshake for connections on routes configured with AI Proxy. <a href="https://github.com/Kong/kong/issues/13735" target="_blank" rel="noopener nofollow noreferrer ">#13735</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-proxy-advanced/"><strong>AI Proxy Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy-advanced</code>) <ul> <li>Added support for streaming responses to the AI Proxy Advanced plugin.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>) <ul> <li>Added support for the Hugging Face provider to the AI Rate Limiting Advanced plugin.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Cache</strong></a> (<code class="language-plaintext highlighter-rouge">ai-semantic-cache</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">ignore_tool</code> configuration option to discard tool role prompts from the input text.</li> <li>This plugin can now be enabled on consumer groups.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Cache</strong></a> (<code class="language-plaintext highlighter-rouge">ai-semantic-cache</code>), <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-semantic-cache</code>), <a href="/hub/kong-inc/ai-proxy-advanced/"><strong>AI Proxy Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy-advanced</code>) <ul> <li>Made the <code class="language-plaintext highlighter-rouge">embeddings.model.name</code> config field a free text entry, enabling use of a self-hosted (or otherwise compatible) model.</li> </ul> </li> <li> <a href="/hub/kong-inc/correlation-id/"><strong>Correlation ID</strong></a> (<code class="language-plaintext highlighter-rouge">correlation-id</code>) <ul> <li>Increased the priority order of the plugin to from 1 to 100001 so that the plugin can be used with other plugins, especially custom auth plugins. <a href="https://github.com/Kong/kong/issues/13581" target="_blank" rel="noopener nofollow noreferrer ">#13581</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">/jwt-signer/jwks</code> endpoint is now supported in DB-less mode.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">http_proxy_authorization</code> and <code class="language-plaintext highlighter-rouge">https_proxy_authorization</code> fields are now referenceable.</li> <li>Added the <code class="language-plaintext highlighter-rouge">introspection_post_args_client_headers</code> config option, allowing you to pass client headers as introspection POST body arguments.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Increased the upper limit of <code class="language-plaintext highlighter-rouge">KONG_LATENCY_BUCKETS</code> to 6000 to enhance latency tracking precision. <a href="https://github.com/Kong/kong/issues/13588" target="_blank" rel="noopener nofollow noreferrer ">#13588</a> </li> <li>Added support for Proxy-Wasm metrics. <a href="https://github.com/Kong/kong/issues/13681" target="_blank" rel="noopener nofollow noreferrer ">#13681</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Added the new configuration field <code class="language-plaintext highlighter-rouge">lock_dictionary_name</code> to support specifying an independent shared memory for storing locks.</li> <li>Added support for authentication from Kong Gateway to Envoy Proxy.</li> <li>Added support for combining multiple identifier items with the new configuration field <code class="language-plaintext highlighter-rouge">compound_identifier</code>.</li> </ul> </li> </ul> <h3 id="fixes-1">Fixes</h3> <h4 id="admin-api-1">Admin API</h4> <ul> <li>Fixed an issue with querying Admin API entities with empty tags. <a href="https://github.com/Kong/kong/issues/13723" target="_blank" rel="noopener nofollow noreferrer ">#13723</a> </li> <li>Fixed an issue where nested parameters couldn’t be parsed correctly when using <code class="language-plaintext highlighter-rouge">form-urlencoded</code> requests. <a href="https://github.com/Kong/kong/issues/13668" target="_blank" rel="noopener nofollow noreferrer ">#13668</a> </li> <li>Fixed an issue where the entities counter wasn’t displayed in certain cases when they were empty.</li> <li>Fixed an issue where entity counts in <code class="language-plaintext highlighter-rouge">/license/report</code> were retrieved with <code class="language-plaintext highlighter-rouge">select count</code> instead of <code class="language-plaintext highlighter-rouge">workspace_entity_counters</code> table in DB-backed (traditional) mode.</li> <li>Fixed an issue where entity counts in <code class="language-plaintext highlighter-rouge">/workspaces?counter</code> and <code class="language-plaintext highlighter-rouge">/workspace/<workspace>/meta</code> were retrieved with <code class="language-plaintext highlighter-rouge">select count</code> instead of <code class="language-plaintext highlighter-rouge">workspace_entity_counters</code> table in DB-backed (traditional) mode.</li> </ul> <h4 id="clustering-1">Clustering</h4> <ul> <li>Adjusted error log levels for control plane connections. <a href="https://github.com/Kong/kong/issues/13863" target="_blank" rel="noopener nofollow noreferrer ">#13863</a> </li> <li>Fixed an issue where event hooks were not working in data planes.</li> <li>Fixed the clustering compatibility logic for the RDS assume role and custom STS endpoint features backport.</li> <li>Fixed a connection leak issue where the websocket connection was not closed promptly during reconnection.</li> </ul> <h4 id="core-2">Core</h4> <ul> <li>Introduced a fix to always pass <code class="language-plaintext highlighter-rouge">ngx.ctx</code> to <code class="language-plaintext highlighter-rouge">log_init_worker_errors</code>, as otherwise it may runtime crash. <a href="https://github.com/Kong/kong/issues/13731" target="_blank" rel="noopener nofollow noreferrer ">#13731</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">ngx.balancer.recreate_request</code> API did not refresh the body buffer when <code class="language-plaintext highlighter-rouge">ngx.req.set_body_data</code> was used in the balancer phase. <a href="https://github.com/Kong/kong/issues/13882" target="_blank" rel="noopener nofollow noreferrer ">#13882</a> </li> <li>Fixed an issue where the workspace ID was not included in the plugin config in the plugins iterator. <a href="https://github.com/Kong/kong/issues/13377" target="_blank" rel="noopener nofollow noreferrer ">#13377</a> </li> <li>Fixed a 500 error triggered by unhandled <code class="language-plaintext highlighter-rouge">nil</code> fields during schema validation. <a href="https://github.com/Kong/kong/issues/13861" target="_blank" rel="noopener nofollow noreferrer ">#13861</a> </li> <li>Vault fixes: <ul> <li>Fixed an issue where array-like configuration fields couldn’t contain vault references. <a href="https://github.com/Kong/kong/issues/13953" target="_blank" rel="noopener nofollow noreferrer ">#13953</a> </li> <li>Fixed an issue where updating a vault entity in a non-default workspace wouldn’t take effect. <a href="https://github.com/Kong/kong/issues/13610" target="_blank" rel="noopener nofollow noreferrer ">#13610</a> </li> <li>Fixed an issue where vault references in kong configuration couldn’t be dereferenced when both the HTTP and stream subsystems were enabled. <a href="https://github.com/Kong/kong/issues/13953" target="_blank" rel="noopener nofollow noreferrer ">#13953</a> </li> <li>Fixed an issue where using Hashicorp Vault AppRole authentication with a secret ID file would fail to read the secret ID.</li> </ul> </li> <li>Added a check that prevents Kong from starting when the database contains invalid Wasm filters. <a href="https://github.com/Kong/kong/issues/13764" target="_blank" rel="noopener nofollow noreferrer ">#13764</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">kong.request.enable_buffering</code> couldn’t be used when the downstream used HTTP/2. <a href="https://github.com/Kong/kong/issues/13614" target="_blank" rel="noopener nofollow noreferrer ">#13614</a> </li> <li>Fixed an issue where running the <code class="language-plaintext highlighter-rouge">kong migration</code> command would fail when upgrading to 3.8, which was caused by an incomplete Redis configuration-related SQL.</li> <li>Fixed an issue where the health checker could fail to initialize in rare cases.</li> <li>Fixed an issue where paginated results of <code class="language-plaintext highlighter-rouge">audit_requests</code> fetched via the <code class="language-plaintext highlighter-rouge">next</code> field were incorrect when <code class="language-plaintext highlighter-rouge">before</code> and <code class="language-plaintext highlighter-rouge">after</code> filters were applied.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">event_hooks</code> added during runtime didn’t function until restart.</li> <li>Fixed an issue where RBAC authorization could be enabled via <code class="language-plaintext highlighter-rouge">enforce_rbac</code> in DB-less mode. RBAC authorization should be disabled in DB-less mode.</li> <li>Fixed an issue where massive route insertion caused crashing and 500 errors.</li> </ul> <h4 id="kong-manager-1">Kong Manager</h4> <ul> <li>Fixed an issue where text was not centered in custom banners.</li> <li>Fixed an issue where a workspace named “portal”, but with different case letters, didn’t render the correct overview page.</li> <li>Fixed an issue where Kong Manager was not redirecting users to the previous page after cancelling plugin creation.</li> <li>Fixed an issue where an RBAC user’s username didn’t allow special characters.</li> </ul> <h4 id="pdk-1">PDK</h4> <ul> <li>Fixed the <code class="language-plaintext highlighter-rouge">kong.log.inspect</code> function to log at the <code class="language-plaintext highlighter-rouge">notice</code> level instead of <code class="language-plaintext highlighter-rouge">debug</code>. <a href="https://github.com/Kong/kong/issues/13642" target="_blank" rel="noopener nofollow noreferrer ">#13642</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">retries</code> error message incorrectly referred to the port. <a href="https://github.com/Kong/kong/issues/13605" target="_blank" rel="noopener nofollow noreferrer ">#13605</a> </li> </ul> <h4 id="plugins-2">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Fixed an issue where tools (function) calls to Anthropic would return empty results. <a href="https://github.com/Kong/kong/issues/13760" target="_blank" rel="noopener nofollow noreferrer ">#13760</a> </li> <li>Fixed an issue where tools (function) calls to Bedrock would return empty results. <a href="https://github.com/Kong/kong/issues/13760" target="_blank" rel="noopener nofollow noreferrer ">#13760</a> </li> <li>Fixed an issue where Bedrock Guardrail config was ignored. <a href="https://github.com/Kong/kong/issues/13760" target="_blank" rel="noopener nofollow noreferrer ">#13760</a> </li> <li>Fixed an issue where tools (function) calls to Cohere would return empty results. <a href="https://github.com/Kong/kong/issues/13760" target="_blank" rel="noopener nofollow noreferrer ">#13760</a> </li> <li>Fixed an issue where the Gemini provider would return an error if content safety failed in AI Proxy. <a href="https://github.com/Kong/kong/issues/13760" target="_blank" rel="noopener nofollow noreferrer ">#13760</a> </li> <li>Fixed an issue where tools (function) calls to Gemini (or via Vertex) would return empty results. <a href="https://github.com/Kong/kong/issues/13760" target="_blank" rel="noopener nofollow noreferrer ">#13760</a> </li> <li>Fixed an issue where multi-modal requests were blocked on the Azure AI provider. <a href="https://github.com/Kong/kong/issues/13702" target="_blank" rel="noopener nofollow noreferrer ">#13702</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-prompt-guard/"><strong>AI Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-guard</code>) <ul> <li>Fixed an issue where the plugin could fail when handling requests with multiple models.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-proxy-advanced/"><strong>AI Proxy Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy-advanced</code>) <ul> <li>Fixed an issue where lowest-usage and lowest-latency strategies did not update data points correctly.</li> <li>Fixed an issue where stale plugin config was not updated in DB-less and hybrid modes.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>) <ul> <li>Updated the error message for exceeding the rate limit to include AI-related information.</li> <li>Fixed an issue where the plugin yielded an error when incrementing the rate limit counters in non-yieldable phases.</li> <li>Fixed an issue where the plugin could fail to authenticate to Redis correctly with vault-referenced Redis configuration.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-request-transformer/"><strong>AI Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-request-transformer</code>) and <a href="/hub/kong-inc/ai-response-transformer/"><strong>AI Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-response-transformer</code>) <ul> <li>Fixed an issue where Azure Managed Identity did not work for the AI Transformer plugins.</li> <li>Fixed an issue where AI Transformer plugins always returned a 404 error when using Google One Gemini subscriptions. <a href="https://github.com/Kong/kong/issues/13703" target="_blank" rel="noopener nofollow noreferrer ">#13703</a> </li> <li>Fixed an issue where the correct LLM error message was not propagated to the caller. <a href="https://github.com/Kong/kong/issues/13703" target="_blank" rel="noopener nofollow noreferrer ">#13703</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Cache</strong></a> <ul> <li>Fixed an issue where the plugin couldn’t use the request-provided models. <a href="https://github.com/Kong/kong/issues/13627" target="_blank" rel="noopener nofollow noreferrer ">#13627</a> </li> <li>Fixed the exact matching to catch everything, including embeddings.</li> <li>Fixed an issue where the AI Semantic Cache plugin would abort in stream mode when another plugin enabled the buffering proxy mode.</li> <li>Fixed an issue where the AI Semantic Cache plugin put the wrong type value in the metrics when using the Prometheus plugin.</li> <li>Fixed an issue where the plugin failed when handling requests with multiple models.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-semantic-prompt-guard</code>) <ul> <li>Fixed an issue where the plugin could fail when handling requests with multiple models.</li> <li>Fixed an issue where stale plugin config was not updated in DB-less and hybrid modes.</li> </ul> </li> <li> <a href="/hub/kong-inc/app-dynamics/"><strong>AppDynamics</strong></a> (<code class="language-plaintext highlighter-rouge">app-dynamics</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">snapshot</code> of the fields <code class="language-plaintext highlighter-rouge">upstream</code>, <code class="language-plaintext highlighter-rouge">service</code>, <code class="language-plaintext highlighter-rouge">route</code>, and <code class="language-plaintext highlighter-rouge">consumer</code> was missing in the AppDynamics plugin.</li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Fixed an issue in proxy integration mode that caused an internal server error when the <code class="language-plaintext highlighter-rouge">multiValueHeaders</code> was null. <a href="https://github.com/Kong/kong/issues/13533" target="_blank" rel="noopener nofollow noreferrer ">#13533</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where the DeGraphQL routes were updated from the control plane but not updated in the DeGraphQL router on the data plane.</li> </ul> </li> <li> <a href="/hub/kong-inc/exit-transformer/"><strong>Exit Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">exit-transformer</code>) <ul> <li>Fixed an issue where the plugin couldn’t take effect on invalid non-admin requests.</li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) <ul> <li>Fixed an issue where the plugin could fail to authenticate to Redis correctly with vault-referenced Redis configuration.</li> </ul> </li> <li> <a href="/hub/kong-inc/json-threat-protection/"><strong>JSON Threat Protection</strong></a> (<code class="language-plaintext highlighter-rouge">json-threat-protection</code>) <ul> <li>Fixed an issue where the length counting of escape sequences, non-ASCII characters, and object entry names in JSON strings was incorrect. The plugin now uses UTF-8 character count instead of bytes.</li> <li>Fixed an issue where certain default parameter values were incorrectly interpreted as 0 in some environments (for example, ARM64-based): <ul> <li><code class="language-plaintext highlighter-rouge">max_container_depth</code></li> <li><code class="language-plaintext highlighter-rouge">max_object_entry_count</code></li> <li><code class="language-plaintext highlighter-rouge">max_object_entry_name_length</code></li> <li><code class="language-plaintext highlighter-rouge">max_array_element_count</code></li> <li><code class="language-plaintext highlighter-rouge">max_string_value_length</code></li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwe-decrypt/"><strong>JWE Decrypt</strong></a> (<code class="language-plaintext highlighter-rouge">jwe-decrypt</code>) <ul> <li>Fixed an issue where an unnecessary warn log was printed.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt/"><strong>JWT</strong></a> (<code class="language-plaintext highlighter-rouge">jwt</code>) <ul> <li>Ensured that <code class="language-plaintext highlighter-rouge">rsa_public_key</code> isn’t base64-decoded. <a href="https://github.com/Kong/kong/issues/13717" target="_blank" rel="noopener nofollow noreferrer ">#13717</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/kafka-log/"><strong>Kafka Log</strong></a> (<code class="language-plaintext highlighter-rouge">kafka-log</code>) <ul> <li>Fixed an issue where the plugin couldn’t function correctly when configured in a non-default workspace with <code class="language-plaintext highlighter-rouge">certificate_id</code>.</li> <li>Reduced noisy logs from the plugin and counters.</li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth/"><strong>Key Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">key-auth</code>) <ul> <li>Fixed an issue with the order of query arguments, ensuring that arguments retain order when hiding the credentials. <a href="https://github.com/Kong/kong/issues/13619" target="_blank" rel="noopener nofollow noreferrer ">#13619</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/loggly/"><strong>Loggly</strong></a> (<code class="language-plaintext highlighter-rouge">loggly</code>) <ul> <li>Fixed an issue where a missing <code class="language-plaintext highlighter-rouge">/bin/hostname</code> caused an error warning on startup. <a href="https://github.com/Kong/kong/issues/13788" target="_blank" rel="noopener nofollow noreferrer ">#13788</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue where the error message was omitted if <code class="language-plaintext highlighter-rouge">notify_only_request_body_validation_failure</code> or <code class="language-plaintext highlighter-rouge">notify_only_response_body_validation_failure</code> was set to <code class="language-plaintext highlighter-rouge">false</code>.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">include_base_path</code> did not work when multiple servers were provided.</li> <li>Fixed an issue where the spec could not be located if the <code class="language-plaintext highlighter-rouge">Content-Type</code> in the request/response body included parameters (for example, <code class="language-plaintext highlighter-rouge">application/json; charset=utf8</code>) while the OpenAPI specification defined in <code class="language-plaintext highlighter-rouge">api_spec</code> did not include parameters.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an <code class="language-plaintext highlighter-rouge">500</code> error caused by JSON <code class="language-plaintext highlighter-rouge">null</code> from the request body when parsing bearer tokens or client IDs.</li> <li>Fixed an issue where the configured Redis database was ignored.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">token_cache_key_include_scope</code> feature was not considering scopes defined via <code class="language-plaintext highlighter-rouge">config.scopes</code> to generate the cache key.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>Fixed an issue where the returned values from <code class="language-plaintext highlighter-rouge">get_redis_connection()</code> were incorrect. <a href="https://github.com/Kong/kong/issues/13613" target="_blank" rel="noopener nofollow noreferrer ">#13613</a> </li> <li>Fixed an issue that caused an HTTP 500 error when <code class="language-plaintext highlighter-rouge">hide_client_headers</code> was set to <code class="language-plaintext highlighter-rouge">true</code> and the request exceeded the rate limit. <a href="https://github.com/Kong/kong/issues/13722" target="_blank" rel="noopener nofollow noreferrer ">#13722</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> <ul> <li>Fixed an issue where counters of the overriding consumer groups weren’t fetched when the <code class="language-plaintext highlighter-rouge">window_size</code> was different and the workspace was non-default.</li> <li>Fixed an issue where a warn log was printed when <code class="language-plaintext highlighter-rouge">event_hooks</code> was disabled.</li> <li>Fixed an issue where, if multiple plugin instances sharing the same namespace enforced consumer groups and different <code class="language-plaintext highlighter-rouge">window_size</code>s were used in the consumer group overriding configs, then the rate limiting of some consumer groups would fall back to the <code class="language-plaintext highlighter-rouge">local</code> strategy. Now, every plugin instance sharing the same namespace can set a different <code class="language-plaintext highlighter-rouge">window_size</code>.</li> <li>Fixed an issue where the plugin could fail to authenticate to Redis correctly with vault-referenced Redis configuration.</li> <li>Fixed an issue where plugin-stored items with a long expiration time caused <code class="language-plaintext highlighter-rouge">no memory</code> errors.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Fixed an issue where requests would get rejected when defining an object parameter in exploded form style.</li> </ul> </li> </ul> <h3 id="dependencies-1">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.11.0 to 0.13.1 to fix the upstream certificate chain issue and enable the new API for retrieving the SSL pointer.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.3.1. Optimized the memory usage. <a href="https://github.com/Kong/kong/issues/13097" target="_blank" rel="noopener nofollow noreferrer ">#13097</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-lmdb</code> to 1.6.0, allowing <code class="language-plaintext highlighter-rouge">page_size</code> to be 1. <a href="https://github.com/Kong/kong/issues/13908" target="_blank" rel="noopener nofollow noreferrer ">#13908</a> </li> <li>Bumped lua-resty-lmdb to 1.5.0. Added the <code class="language-plaintext highlighter-rouge">page_size</code> parameter to allow overriding page size from the caller side. <a href="https://github.com/Kong/kong/issues/12786" target="_blank" rel="noopener nofollow noreferrer ">#12786</a> </li> <li>Added Ubuntu 24.04 (Noble Numbat) FIPS packages and image.</li> <li>Bumped the bundled <code class="language-plaintext highlighter-rouge">datakit</code> Wasm filter to <code class="language-plaintext highlighter-rouge">0.3.1</code>. <a href="https://github.com/Kong/kong/issues/13922" target="_blank" rel="noopener nofollow noreferrer ">#13922</a> </li> <li>Updated the default base for RPM Dockerfile from UBI 8 to UBI 9. <a href="https://github.com/Kong/kong/issues/13574" target="_blank" rel="noopener nofollow noreferrer ">#13574</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.5.4 to fix a bug inside region prefix generation. <a href="https://github.com/Kong/kong/issues/12846" target="_blank" rel="noopener nofollow noreferrer ">#12846</a> </li> <li>Bumped lua-resty-ljsonschema to 1.2.0. Fixed UTF-8 string length calculation and added support for <code class="language-plaintext highlighter-rouge">null</code> as a valid option in <code class="language-plaintext highlighter-rouge">enum</code> types. <a href="https://github.com/Kong/kong/issues/13783" target="_blank" rel="noopener nofollow noreferrer ">#13783</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">ngx_wasm_module</code> to <code class="language-plaintext highlighter-rouge">9136e463a6f1d80755ce66c88c3ddecd0eb5e25d</code>. <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">Wasmtime</code> version to <code class="language-plaintext highlighter-rouge">26.0.0</code>. <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Bumped OpenSSL to 3.2.3 to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs. <a href="https://github.com/Kong/kong/issues/13448" target="_blank" rel="noopener nofollow noreferrer ">#13448</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> to <code class="language-plaintext highlighter-rouge">1.5.5</code>: <ul> <li>The timeout for acquiring a lock was fixed to <code class="language-plaintext highlighter-rouge">5s</code>. Added the new option <code class="language-plaintext highlighter-rouge">lock_timeout</code> to make it configurable.</li> <li>The lock timeout parameter was incorrectly set to <code class="language-plaintext highlighter-rouge">time_out = 0</code>. Fixed the parameter to <code class="language-plaintext highlighter-rouge">timeout = 0</code>. This improves performance as there is no need for each instance to refresh the slots.</li> <li> <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> now returns detailed error messages to downstream components (e.g. Kong Gateway) for better debuggability.</li> </ul> </li> <li>Bumped lua-resty-azure to 1.6.1 to fix a <code class="language-plaintext highlighter-rouge">GET</code> request build issue, which was causing problems with Azure secret references.</li> </ul> <h2 id="3810">3.8.1.0</h2> <p><strong>Release Date</strong> 2024/11/04</p> <h3 id="features-1">Features</h3> <h4 id="plugins-3">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Increased the upper limit of <code class="language-plaintext highlighter-rouge">KONG_LATENCY_BUCKETS</code> to 6000 to enhance latency tracking precision.</li> </ul> </li> </ul> <h3 id="fixes-2">Fixes</h3> <h4 id="clustering-2">Clustering</h4> <ul> <li>Fixed the clustering compatibility logic for the RDS assume role and custom STS endpoint features.</li> </ul> <h4 id="core-3">Core</h4> <ul> <li> <strong>Vault</strong>: Fixed an issue where updating a vault entity in a non-default workspace wouldn’t take effect.</li> </ul> <h4 id="admin-api-2">Admin API</h4> <ul> <li> <strong>Admin API</strong> Fixed an issue where sending <code class="language-plaintext highlighter-rouge">tags=</code> as an empty parameter resulted in a 500 error. Now, Kong returns a 400 error because empty explicit tags are not allowed.</li> </ul> <h4 id="kong-manager-2">Kong Manager</h4> <ul> <li>Fixed an issue where text was not centered in custom banners.</li> <li>Fixed an issue where a workspace named “portal”, but with different case letters, didn’t render the correct overview page.</li> </ul> <h4 id="plugins-4">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Fixed an issue where multi-modal requests were blocked on the Azure AI provider.</li> <li>Fixed an issue where AI Transformer plugins always returned a 404 error when using ‘Google One’ Gemini subscription.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-proxy-advanced/"><strong>AI Proxy Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy-advanced</code>) <ul> <li>Fixed an issue where the lowest-usage and lowest-latency strategies did not update data points correctly.</li> <li>Fixed an issue where stale plugin config was not updated in DB-less or hybrid mode.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>) <ul> <li>Fixed an issue where the plugin yielded an error when incrementing the rate limit counters in non-yieldable phases.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-request-transformer/"><strong>AI Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-request-transformer</code>) and <a href="/hub/kong-inc/ai-response-transformer/"><strong>AI Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-response-transformer</code>) <ul> <li>Fixed an issue where the correct LLM error message was not propagated to the caller.</li> <li>Fixed an issue where AI Transformer plugins always returned a 404 error when using Google One Gemini subscriptions.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Cache</strong></a> <ul> <li>Fixed an issue where the plugin couldn’t use the request-provided models.</li> <li>Fixed an issue where the plugin put the wrong type value in the metrics when using the Prometheus plugin.</li> <li>Fixed an issue where the plugin would abort in stream mode when another plugin enabled buffering proxy mode.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-semantic-prompt-guard/"><strong>AI Semantic Prompt Guard</strong></a> <ul> <li>Fixed an issue where stale plugin config was not updated in DB-less or hybrid mode.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where the degraphql routes were updated from the control plane but not updated in the degraphql router on the data plane.</li> </ul> </li> <li> <a href="/hub/kong-inc/json-threat-protection/"><strong>JSON Threat Protection</strong></a> <ul> <li>Fixed an issue where the length counting of escape sequences, non-ASCII characters, and object entry names in JSON strings was incorrect. The plugin now uses UTF-8 character count instead of bytes.</li> <li>Fixed an issue where certain default parameter values were incorrectly interpreted as 0 in some environments (e.g., ARM64-based): <ul> <li><code class="language-plaintext highlighter-rouge">max_container_depth</code></li> <li><code class="language-plaintext highlighter-rouge">max_object_entry_count</code></li> <li><code class="language-plaintext highlighter-rouge">max_object_entry_name_length</code></li> <li><code class="language-plaintext highlighter-rouge">max_array_element_count</code></li> <li><code class="language-plaintext highlighter-rouge">max_string_value_length</code></li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>Fixed an issue that caused an HTTP 500 error when <code class="language-plaintext highlighter-rouge">hide_client_headers</code> was set to <code class="language-plaintext highlighter-rouge">true</code> and the request exceeded the rate limit.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where a warn log was printed when <code class="language-plaintext highlighter-rouge">event_hooks</code> was disabled.</li> </ul> </li> </ul> <h3 id="dependencies-2">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.11.0 to 0.11.1 to fix an issue where the upstream cert chain wasn’t properly set.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.5.4 to fix a bug inside region prefix generation.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> to 1.6.1 to fix a <code class="language-plaintext highlighter-rouge">GET</code> request build issue, which was causing problems with Azure secret references.</li> </ul> <h2 id="3800">3.8.0.0</h2> <p><strong>Release Date</strong> 2024/09/11</p> <h3 id="breaking-changes-and-deprecations-1">Breaking changes and deprecations</h3> <p><strong>Deployments</strong></p> <ul> <li>Debian 10 and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of version 3.8.0.0 onward, Kong is not building installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems. <a href="https://github.com/Kong/kong/issues/13468" target="_blank" rel="noopener nofollow noreferrer ">#13468</a> </li> </ul> <p><strong>Redis standardization changes</strong></p> <ul> <li>Standardized Redis configuration across plugins. The Redis configuration now follows a common schema shared with other plugins. This change affects: <ul> <li>SAML</li> <li>OpenID Connect</li> </ul> </li> <li>PDK: The shared configuration for Redis <code class="language-plaintext highlighter-rouge">kong/enterprise_edition/redis/init.lua</code> was deprecated in favor of <code class="language-plaintext highlighter-rouge">kong/enterprise_edition/tools/redis/v2/init.lua</code> </li> <li>The following parameters have been deprecated: <ul> <li> <code class="language-plaintext highlighter-rouge">cluster_address</code> has been deprecated and replaced by <code class="language-plaintext highlighter-rouge">cluster_nodes</code>.</li> <li> <code class="language-plaintext highlighter-rouge">sentinel_cluster</code> has been deprecated and replaced by <code class="language-plaintext highlighter-rouge">sentinel_nodes</code>.</li> <li>The <code class="language-plaintext highlighter-rouge">timeout</code> config field in Redis configuration has been deprecated and replaced with <code class="language-plaintext highlighter-rouge">connect_timeout</code>, <code class="language-plaintext highlighter-rouge">send_timeout</code>, and <code class="language-plaintext highlighter-rouge">read_timeout</code>. The deprecated <code class="language-plaintext highlighter-rouge">timeout</code> field will be removed in an upcoming major version.</li> </ul> <p>These deprecations affect the following plugins:</p> <ul> <li>AI Rate Limiting Advanced</li> <li>GraphQL Proxy Cache Advanced</li> <li>GraphQL Rate Limiting Advanced</li> <li>Proxy Cache Advanced</li> <li>Rate limiting Advanced</li> </ul> <p>For more information about the Redis standardization changes, see the <a href="/gateway/3.8.x/breaking-changes/">3.8 Breaking Changes</a>.</p> </li> </ul> <h3 id="features-2">Features</h3> <h4 id="admin-api-3">Admin API</h4> <ul> <li>Added support for brackets syntax for map fields configuration via the Admin API. <a href="https://github.com/Kong/kong/issues/13313" target="_blank" rel="noopener nofollow noreferrer ">#13313</a> </li> </ul> <h4 id="cli-1">CLI</h4> <ul> <li>Added the new sub-command <code class="language-plaintext highlighter-rouge">status</code> to the <code class="language-plaintext highlighter-rouge">kong debug</code> CLI tool.</li> </ul> <h4 id="configuration">Configuration</h4> <ul> <li>You can now configure the Wasmtime module cache when Wasm is enabled. <a href="https://github.com/Kong/kong/issues/12930" target="_blank" rel="noopener nofollow noreferrer ">#12930</a> </li> <li>Added two configuration options, <code class="language-plaintext highlighter-rouge">admin_gui_auth_change_password_attempts</code> (default value <code class="language-plaintext highlighter-rouge">0</code>) and <code class="language-plaintext highlighter-rouge">admin_gui_auth_change_password_ttl</code> (default value <code class="language-plaintext highlighter-rouge">86400</code>), to limit the number of password change attempts in Kong Manager.</li> </ul> <h4 id="core-4">Core</h4> <ul> <li>Added the new queue configuration parameter <code class="language-plaintext highlighter-rouge">concurrency_limit</code> (integer, defaults to 1), which lets you specify the number of delivery timers in the queue. Note that setting <code class="language-plaintext highlighter-rouge">concurrency_limit</code> to <code class="language-plaintext highlighter-rouge">-1</code> means no limit at all, and each HTTP log entry would create an individual timer for sending. <a href="https://github.com/Kong/kong/issues/13332" target="_blank" rel="noopener nofollow noreferrer ">#13332</a> </li> <li>Kong Gateway now appends gateway info to the upstream <code class="language-plaintext highlighter-rouge">Via</code> header in the format <code class="language-plaintext highlighter-rouge">1.1 kong/3.8.0</code>, and optionally to the response <code class="language-plaintext highlighter-rouge">Via</code> header if it is present in the <a href="/gateway/3.8.x/reference/configuration/#headers"><code class="language-plaintext highlighter-rouge">headers</code></a> config of <code class="language-plaintext highlighter-rouge">kong.conf</code>, in the format <code class="language-plaintext highlighter-rouge">2 kong/3.8.0</code>. This follows standards defined in <a href="https://datatracker.ietf.org/doc/html/rfc7230" target="_blank" rel="noopener nofollow noreferrer ">RFC7230</a> and <a href="https://datatracker.ietf.org/doc/html/rfc9110" target="_blank" rel="noopener nofollow noreferrer ">RFC9110</a>. <a href="https://github.com/Kong/kong/issues/12733" target="_blank" rel="noopener nofollow noreferrer ">#12733</a> </li> <li>Kong Gateway 3.8.x adds a new DNS client library. This library is disabled by default, and can be enabled by setting the <a href="/gateway/3.8.x/reference/configuration/#new_dns_client"><code class="language-plaintext highlighter-rouge">new_dns_client</code></a> parameter to <code class="language-plaintext highlighter-rouge">on</code>. The new DNS client library provides the following: <ul> <li>Global caching for DNS records across workers, significantly reducing the query load on DNS servers.</li> <li>Observable statistics for the new DNS client, and a new Status API <code class="language-plaintext highlighter-rouge">/status/dns</code> to retrieve them.</li> <li>Simplified and standardized logic. Learn more about enabling and using the new DNS client library in the <a href="/gateway/3.8.x/migrate-to-new-dns-client/">DNS migration guide</a>. <a href="https://github.com/Kong/kong/issues/12305" target="_blank" rel="noopener nofollow noreferrer ">#12305</a> </li> </ul> </li> <li> <strong>Analytics</strong>: <ul> <li>Added support for sending AI analytics about latency and caching to Konnect.</li> <li>Added support for sending cache data of AI analytics to Konnect.</li> </ul> </li> <li>Added connection support via Redis Proxy (for example, Envoy Redis proxy or twemproxy) via the configuration field <a href="/gateway/3.8.x/reference/configuration/#connection_is_proxied"><code class="language-plaintext highlighter-rouge">connection_is_proxied</code></a>.</li> <li>Added support for assuming an AWS IAM role in AWS IAM Database Authentication, with the following new configuration fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_assume_role_arn</code>, <code class="language-plaintext highlighter-rouge">pg_iam_auth_role_session_name</code>, <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_assume_role_arn</code>, and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_role_session_name</code>. See the <a href="/gateway/3.8.x/reference/configuration/#postgres-settings">PostgreSQL settings section</a> in the Kong configuration reference for details.</li> <li>Added keyring encryption support to <a href="/gateway/3.8.x/kong-enterprise/db-encryption/#configure-license-payload-encryption">license database entity payloads</a>.</li> <li>Added support for a configurable STS endpoint for RDS IAM Authentication with the following new configuration fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_sts_endpoint_url</code> and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_sts_endpoint_url</code>. See the <a href="/gateway/3.8.x/reference/configuration/#postgres-settings">PostgreSQL settings section</a> in the Kong configuration reference for details.</li> <li>Added support for a configurable STS endpoint for AWS Vault. This can either be configured by <a href="/gateway/3.8.x/reference/configuration/#vault_aws_sts_endpoint_url"><code class="language-plaintext highlighter-rouge">vault_aws_sts_endpoint_url</code></a> as a global configuration, or <a href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/aws-sm/"><code class="language-plaintext highlighter-rouge">sts_endpoint_url</code></a> on a custom AWS vault entity.</li> </ul> <h4 id="kong-manager-3">Kong Manager</h4> <ul> <li>Improved accessibility in Kong Manager.</li> <li>Enhanced entity lists so that you can resize or hide list columns.</li> <li>Added an SNIs field to the certificate form.</li> <li> <strong>Kong Manager Enterprise</strong>: <ul> <li>While deleting a workspace, Kong Manager now lists admins that prevent the operation.</li> <li>Kong Manager now shows scoping entities as links in the plugin detail page.</li> <li>Added UI components for building the vault reference while configuring referenceable fields for plugins.</li> </ul> </li> <li>Kong Manager now shows input boxes that allow optionally creating SNIs while creating a certificate.</li> </ul> <h4 id="pdk-2">PDK</h4> <ul> <li>Added <code class="language-plaintext highlighter-rouge">0</code> to support unlimited body size. When the parameter <code class="language-plaintext highlighter-rouge">max_allowed_file_size</code> is <code class="language-plaintext highlighter-rouge">0</code>, <code class="language-plaintext highlighter-rouge">get_raw_body</code> returns the entire body, but the size of this body is still limited by Nginx’s <code class="language-plaintext highlighter-rouge">client_max_body_size</code>. <a href="https://github.com/Kong/kong/issues/13431" target="_blank" rel="noopener nofollow noreferrer ">#13431</a> </li> <li>Extended <code class="language-plaintext highlighter-rouge">kong.request.get_body</code> and <code class="language-plaintext highlighter-rouge">kong.request.get_raw_body</code> to read from buffered files. <a href="https://github.com/Kong/kong/issues/13158" target="_blank" rel="noopener nofollow noreferrer ">#13158</a> </li> <li>Added the new PDK module <code class="language-plaintext highlighter-rouge">kong.telemetry</code> and the function <code class="language-plaintext highlighter-rouge">kong.telemetry.log</code> to generate log entries to be reported via the OpenTelemetry plugin. <a href="https://github.com/Kong/kong/issues/13329" target="_blank" rel="noopener nofollow noreferrer ">#13329</a> </li> </ul> <h4 id="plugins-5">Plugins</h4> <p><strong>New plugins</strong>:</p> <ul> <li> <a href="/hub/kong-inc/ai-proxy-advanced/"><strong>AI Proxy Advanced</strong></a>: An advanced AI Proxy which supports load balancing between LLM services.</li> <li> <a href="/hub/kong-inc/ai-semantic-cache/"><strong>AI Semantic Cache</strong></a>: Configure an embeddings-based caching system for LLM responses.</li> <li> <a href="/hub/kong-inc/ai-semantic-prompt-guard/"><strong>AI Semantic Prompt Guard</strong></a>: Use semantic similarity-based prompt guarding with the AI Proxy.</li> <li> <a href="/hub/kong-inc/upstream-oauth/"><strong>Upstream OAuth</strong></a>: A plugin that enables Kong to obtain OAuth2 tokens to consume upstream APIs.</li> <li> <a href="/hub/kong-inc/confluent/"><strong>Confluent</strong></a>: Transform requests into Kafka messages in a Confluent topic.</li> <li> <a href="/hub/kong-inc/standard-webhooks/"><strong>Standard Webhooks</strong></a>: Validate that incoming webhooks adhere to the <a href="https://github.com/standard-webhooks/standard-webhooks" target="_blank" rel="noopener nofollow noreferrer ">Standard Webhooks</a> specification.</li> <li> <a href="/hub/kong-inc/header-cert-auth/"><strong>Header Cert Authentication</strong></a>: Authenticate clients with mTLS certificates passed in headers by a WAF or load balancer.</li> <li> <a href="/hub/kong-inc/json-threat-protection/"><strong>JSON Threat Protection</strong></a>: Validate JSON nesting depth, array elements, object entries, key length, and string length, then log or terminate violating requests.</li> </ul> <p><strong>Existing plugins</strong>:</p> <ul> <li> <a href="/hub/kong-inc/acl/"><strong>ACL</strong></a> (<code class="language-plaintext highlighter-rouge">acl</code>) <ul> <li>Added the new configuration parameter <code class="language-plaintext highlighter-rouge">always_use_authenticated_groups</code> to support using authenticated groups even when an authenticated consumer already exists. <a href="https://github.com/Kong/kong/issues/13184" target="_blank" rel="noopener nofollow noreferrer ">#13184</a> </li> </ul> </li> <li> <a href="/hub/?category=ai"><strong>All AI plugins</strong></a>: <ul> <li>Latency data is now pushed to logs and metrics. <a href="https://github.com/Kong/kong/issues/13428" target="_blank" rel="noopener nofollow noreferrer ">#13428</a> </li> <li>Kong AI Gateway now supports all AWS Bedrock Converse API models. <a href="https://github.com/Kong/kong/issues/12948" target="_blank" rel="noopener nofollow noreferrer ">#12948</a> </li> <li>Kong AI Gateway now supports the Google Gemini chat (<code class="language-plaintext highlighter-rouge">generateContent</code>) interface. <a href="https://github.com/Kong/kong/issues/12948" target="_blank" rel="noopener nofollow noreferrer ">#12948</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">allow_override</code> option to allow overriding the upstream model auth parameter or header from the caller’s request. <a href="https://github.com/Kong/kong/issues/13158" target="_blank" rel="noopener nofollow noreferrer ">#13158</a> </li> <li>Replaced the library and use <code class="language-plaintext highlighter-rouge">cycle_aware_deep_copy</code> for the <code class="language-plaintext highlighter-rouge">request_table</code> object. <a href="https://github.com/Kong/kong/issues/13582" target="_blank" rel="noopener nofollow noreferrer ">#13582</a> </li> <li>The Mistral provider can now use mistral.ai-managed services by omitting the <code class="language-plaintext highlighter-rouge">upstream_url</code>. <a href="https://github.com/Kong/kong/issues/13481" target="_blank" rel="noopener nofollow noreferrer ">#13481</a> </li> <li>Added the new response header <code class="language-plaintext highlighter-rouge">X-Kong-LLM-Model</code>, which displays the name of the language model used in the AI Proxy plugin. <a href="https://github.com/Kong/kong/issues/13472" target="_blank" rel="noopener nofollow noreferrer ">#13472</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>) <ul> <li>Added the Redis <code class="language-plaintext highlighter-rouge">cluster_max_redirections</code> configuration option.</li> <li>Added stats for reaching the limit and exiting the AI Rate Limiting plugin.</li> <li>Add the cost strategy to the AI Rate Limiting plugin.</li> <li>Added the <code class="language-plaintext highlighter-rouge">bedrock</code> and <code class="language-plaintext highlighter-rouge">gemini</code> providers to the supported providers list.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-prompt-guard/"><strong>AI Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-guard</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">match_all_roles</code> option to allow matching all roles in addition to <code class="language-plaintext highlighter-rouge">user</code>. <a href="https://github.com/Kong/kong/issues/13183" target="_blank" rel="noopener nofollow noreferrer ">#13183</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/app-dynamics/"><strong>AppDynamics</strong></a> (<code class="language-plaintext highlighter-rouge">app-dynamics</code>) <ul> <li>Added a new <code class="language-plaintext highlighter-rouge">ANALYTICS_ENABLE</code> flag. This plugin now also collects more snapshot user data in runtime.</li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added support for a configurable STS endpoint with the new configuration field <code class="language-plaintext highlighter-rouge">aws_sts_endpoint_url</code>. <a href="https://github.com/Kong/kong/issues/13388" target="_blank" rel="noopener nofollow noreferrer ">#13388</a> </li> <li>Added the configuration field <code class="language-plaintext highlighter-rouge">empty_arrays_mode</code> to control whether Kong should send <code class="language-plaintext highlighter-rouge">[]</code> empty arrays (returned by Lambda function) as <code class="language-plaintext highlighter-rouge">[]</code> empty arrays or <code class="language-plaintext highlighter-rouge">{}</code> empty objects in JSON responses. <a href="https://github.com/Kong/kong/issues/13084" target="_blank" rel="noopener nofollow noreferrer ">#13084</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>This plugin now supports using the <code class="language-plaintext highlighter-rouge">/jwt-signer/jwks/:jwt_signer_jwks</code> endpoint in DB-less mode.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>This plugin now supports decoding an empty sequence or set represented in long form length.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Added support for Redis caching introspection results with the new fields <code class="language-plaintext highlighter-rouge">cluster_cache_strategy</code> and <code class="language-plaintext highlighter-rouge">cluster_cache_redis</code>. When configured, the plugin will share the token introspection response cache across nodes configured to use the same Redis database.</li> <li>Added the <code class="language-plaintext highlighter-rouge">claims_forbidden</code> property to restrict access.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Added <code class="language-plaintext highlighter-rouge">ai_requests_total</code>, <code class="language-plaintext highlighter-rouge">ai_cost_total</code>, and <code class="language-plaintext highlighter-rouge">ai_tokens_total</code> metrics to the Prometheus plugin to start counting AI usage. <a href="https://github.com/Kong/kong/issues/13148" target="_blank" rel="noopener nofollow noreferrer ">#13148</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Added support for OpenTelemetry-formatted logs. <a href="https://github.com/Kong/kong/issues/13291" target="_blank" rel="noopener nofollow noreferrer ">#13291</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-proxy-cache-advanced/"><strong>GraphQL Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-proxy-cache-advanced</code>), <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>), <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>), and <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Added the Redis <code class="language-plaintext highlighter-rouge">cluster_max_redirections</code> configuration option.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer/"><strong>Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer</code>) <ul> <li>Added support for <code class="language-plaintext highlighter-rouge">json_body</code> renaming. <a href="https://github.com/Kong/kong/issues/13131" target="_blank" rel="noopener nofollow noreferrer ">#13131</a> </li> </ul> </li> </ul> <h3 id="fixes-3">Fixes</h3> <h4 id="admin-api-4">Admin API</h4> <ul> <li>Fixed an issue where validation of the certificate schema failed if the <code class="language-plaintext highlighter-rouge">snis</code> field was present in the request body. <a href="https://github.com/Kong/kong/issues/13357" target="_blank" rel="noopener nofollow noreferrer ">#13357</a> </li> <li>Fixed an issue where resetting the token was allowed while disabling <code class="language-plaintext highlighter-rouge">rbac_token_enabled</code>.</li> <li>Fixed an issue where the field <code class="language-plaintext highlighter-rouge">is_default</code> should be immutable when updating the <code class="language-plaintext highlighter-rouge">rbac_roles</code>.</li> <li>Fixed an issue where the license report returned a 500 error code when non-required fields weren’t specified in the Lambda and Kafka plugins.</li> <li>Kong Gateway now returns a detailed error message when failing to cascade delete a workspace caused by associated admins.</li> </ul> <h4 id="cli-2">CLI</h4> <ul> <li>Fixed an issue where some debug level error logs were not being displayed by the CLI. <a href="https://github.com/Kong/kong/issues/13143" target="_blank" rel="noopener nofollow noreferrer ">#13143</a> </li> </ul> <h4 id="clustering-3">Clustering</h4> <ul> <li>Fixed an issue where hybrid mode wouldn’t work if the forward proxy password contained the special character <code class="language-plaintext highlighter-rouge">#</code>. Note that the <code class="language-plaintext highlighter-rouge">proxy_server</code> configuration parameter still needs to be url-encoded. <a href="https://github.com/Kong/kong/issues/13457" target="_blank" rel="noopener nofollow noreferrer ">#13457</a> </li> </ul> <h4 id="configuration-1">Configuration</h4> <ul> <li>Re-enabled the Lua DNS resolver from <code class="language-plaintext highlighter-rouge">proxy-wasm</code> by default. <a href="https://github.com/Kong/kong/issues/13424" target="_blank" rel="noopener nofollow noreferrer ">#13424</a> </li> <li>The behavior of the configuration option <code class="language-plaintext highlighter-rouge">analytics_flush_interval</code> has changed to save memory resources by flushing analytics messages more frequently. It now controls the maximum time interval between two flushes of analytics messages to the configured backend, which means that if enough (less than <code class="language-plaintext highlighter-rouge">analytics_buffer_size_limit</code>) messages have already been buffered, the flush will happen before the configured interval. Previously, Kong always tried to flush messages after the configured interval, regardless of the number of messages in the buffer.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">debug_listen</code> incorrectly used the SSL-related configuration of <code class="language-plaintext highlighter-rouge">status_listen</code>.</li> </ul> <h4 id="core-5">Core</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">luarocks-admin</code> was not available in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>. <a href="https://github.com/Kong/kong/issues/13372" target="_blank" rel="noopener nofollow noreferrer ">#13372</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">read</code> was not always passed to PostgreSQL read-only database operations. <a href="https://github.com/Kong/kong/issues/13530" target="_blank" rel="noopener nofollow noreferrer ">#13530</a> </li> <li>Fixed the behavior of shorthand fields, which are used to describe deprecated fields: <ul> <li>Fixed an issue with deprecated shorthand fields so that they don’t take precedence over replacement fields when both are specified. <a href="https://github.com/Kong/kong/issues/13486" target="_blank" rel="noopener nofollow noreferrer ">#13486</a> </li> <li>Changed the way deprecated shorthand fields are used with new fields. If the new field contains <code class="language-plaintext highlighter-rouge">null</code>, the deprecated field will overwrite it if both are present in the request. <a href="https://github.com/Kong/kong/issues/13592" target="_blank" rel="noopener nofollow noreferrer ">#13592</a> </li> <li>If both fields are sent in the request and their values mismatch, the request will be rejected. <a href="https://github.com/Kong/kong/issues/13594" target="_blank" rel="noopener nofollow noreferrer ">#13594</a> </li> </ul> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">lua-nginx-module</code> context was cleared when <code class="language-plaintext highlighter-rouge">ngx.send_header()</code> triggered <code class="language-plaintext highlighter-rouge">filter_finalize</code>. <a href="https://github.com/openresty/lua-nginx-module/pull/2323" target="_blank" rel="noopener nofollow noreferrer ">openresty/lua-nginx-module#2323</a>. <a href="https://github.com/Kong/kong/issues/13316" target="_blank" rel="noopener nofollow noreferrer ">#13316</a> </li> <li>Fixed an issue where an unnecessary uninitialized variable error log was reported when 400 bad requests were received. <a href="https://github.com/Kong/kong/issues/13201" target="_blank" rel="noopener nofollow noreferrer ">#13201</a> </li> <li>Fixed an issue where the URI captures were unavailable when the first capture group was absent. <a href="https://github.com/Kong/kong/issues/13024" target="_blank" rel="noopener nofollow noreferrer ">#13024</a> </li> <li>Fixed an issue where the priority field could be set in a traditional mode route when <code class="language-plaintext highlighter-rouge">router_flavor</code> was configured as <code class="language-plaintext highlighter-rouge">expressions</code>. <a href="https://github.com/Kong/kong/issues/13142" target="_blank" rel="noopener nofollow noreferrer ">#13142</a> </li> <li>Fixed an issue where setting <code class="language-plaintext highlighter-rouge">tls_verify</code> to <code class="language-plaintext highlighter-rouge">false</code> didn’t override the global level <code class="language-plaintext highlighter-rouge">proxy_ssl_verify</code>. <a href="https://github.com/Kong/kong/issues/13470" target="_blank" rel="noopener nofollow noreferrer ">#13470</a> </li> <li>Fixed an issue where the SNI cache wasn’t invalidated when an SNI was updated. <a href="https://github.com/Kong/kong/issues/13165" target="_blank" rel="noopener nofollow noreferrer ">#13165</a> </li> <li> <p>The <code class="language-plaintext highlighter-rouge">kong.logrotate</code> configuration file is no longer overwritten during upgrade.</p> <p>This change presents an additional prompt for Debian users upgrading via <code class="language-plaintext highlighter-rouge">apt</code> and <code class="language-plaintext highlighter-rouge">deb</code> packages. To accept the defaults provided by Kong in the package, use the following command, adjusting it to your architecture and the version you’re upgrading to:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span>noninteractive apt upgrade kong-enterprise-edition_3.8.0.0_arm64.deb </code></pre></div> </div> <p><a href="https://github.com/Kong/kong/issues/13348" target="_blank" rel="noopener nofollow noreferrer ">#13348</a></p> </li> <li>Fixed an issue where the Vault secret cache got refreshed during <code class="language-plaintext highlighter-rouge">resurrect_ttl</code> time and could not be fetched by other workers. <a href="https://github.com/Kong/kong/issues/13561" target="_blank" rel="noopener nofollow noreferrer ">#13561</a> </li> <li>Error logs produced during Vault secret rotation are now logged at the <code class="language-plaintext highlighter-rouge">notice</code> level instead of <code class="language-plaintext highlighter-rouge">warn</code>. <a href="https://github.com/Kong/kong/issues/13540" target="_blank" rel="noopener nofollow noreferrer ">#13540</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">host_header</code> attribute of the upstream entity wouldn’t be set correctly as a Host header in requests to the upstream during connection retries. <a href="https://github.com/Kong/kong/issues/13135" target="_blank" rel="noopener nofollow noreferrer ">#13135</a> </li> <li>Moved internal Unix sockets to a subdirectory (<code class="language-plaintext highlighter-rouge">sockets</code>) of the Kong prefix. <a href="https://github.com/Kong/kong/issues/13409" target="_blank" rel="noopener nofollow noreferrer ">#13409</a> </li> <li>Reverted the DNS client to the original behavior of ignoring the <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses. <a href="https://github.com/Kong/kong/issues/13278" target="_blank" rel="noopener nofollow noreferrer ">#13278</a> </li> <li>Shortened names of internal Unix sockets to avoid exceeding the socket name limit. <a href="https://github.com/Kong/kong/issues/13571" target="_blank" rel="noopener nofollow noreferrer ">#13571</a> </li> <li>Built-in RBAC roles for admins (<code class="language-plaintext highlighter-rouge">admin</code> under the default workspace and <code class="language-plaintext highlighter-rouge">workspace-admin</code> under non-default workspaces) now disallow CRUD actions to <code class="language-plaintext highlighter-rouge">/groups</code> and <code class="language-plaintext highlighter-rouge">/groups/*</code> endpoints.</li> <li>Fixed an issue where luarocks-admin was not available in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>.</li> <li>Fixed an issue where running Kong CLI commands with database configurations containing HashiCorp Vault references would fail to execute.</li> <li>Fixed an issue where the CPs wouldn’t trigger a configuration push after a keyring recovery.</li> <li>Fixed an issue where Azure Managed Identity tokens would never rotate in the case of a network failure when authenticating.</li> <li>Fixed an issue where the stale license expiry warning continued to be logged even if the license was updated.</li> <li>License expiry warnings are no longer logged and license info is removed from <code class="language-plaintext highlighter-rouge">/metrics</code> in Konnect.</li> </ul> <h4 id="kong-manager-4">Kong Manager</h4> <ul> <li>Improved the user experience in Kong Manager by fixing various UI-related issues. <a href="https://github.com/Kong/kong-manager/issues/232" target="_blank" rel="noopener nofollow noreferrer ">#232</a> <a href="https://github.com/Kong/kong-manager/issues/233" target="_blank" rel="noopener nofollow noreferrer ">#233</a> <a href="https://github.com/Kong/kong-manager/issues/234" target="_blank" rel="noopener nofollow noreferrer ">#234</a> <a href="https://github.com/Kong/kong-manager/issues/237" target="_blank" rel="noopener nofollow noreferrer ">#237</a> <a href="https://github.com/Kong/kong-manager/issues/238" target="_blank" rel="noopener nofollow noreferrer ">#238</a> <a href="https://github.com/Kong/kong-manager/issues/240" target="_blank" rel="noopener nofollow noreferrer ">#240</a> <a href="https://github.com/Kong/kong-manager/issues/244" target="_blank" rel="noopener nofollow noreferrer ">#244</a> <a href="https://github.com/Kong/kong-manager/issues/250" target="_blank" rel="noopener nofollow noreferrer ">#250</a> <a href="https://github.com/Kong/kong-manager/issues/252" target="_blank" rel="noopener nofollow noreferrer ">#252</a> <a href="https://github.com/Kong/kong-manager/issues/255" target="_blank" rel="noopener nofollow noreferrer ">#255</a> <a href="https://github.com/Kong/kong-manager/issues/257" target="_blank" rel="noopener nofollow noreferrer ">#257</a> <a href="https://github.com/Kong/kong-manager/issues/263" target="_blank" rel="noopener nofollow noreferrer ">#263</a> <a href="https://github.com/Kong/kong-manager/issues/264" target="_blank" rel="noopener nofollow noreferrer ">#264</a> <a href="https://github.com/Kong/kong-manager/issues/267" target="_blank" rel="noopener nofollow noreferrer ">#267</a> <a href="https://github.com/Kong/kong-manager/issues/272" target="_blank" rel="noopener nofollow noreferrer ">#272</a> </li> <li>Fixed an issue where dynamic ordering was configurable for plugins scoped by consumers and/or consumer groups. These plugins do not support dynamic ordering.</li> <li>Removed redundant data previously saved in browser’s local storage.</li> <li>Fixed issues with <code class="language-plaintext highlighter-rouge">cluster_addresses</code> and <code class="language-plaintext highlighter-rouge">sentinel_addresses</code> fields for plugins that support Redis clusters.</li> <li>Fixed an issue where the overview page for Dev Portal was not correctly rendered.</li> <li>Fixed an issue where user info was not refreshed after the active admin was updated.</li> </ul> <h4 id="pdk-3">PDK</h4> <ul> <li> <strong>PDK</strong>: Fixed an issue where the log serializer logged <code class="language-plaintext highlighter-rouge">upstream_status</code> as nil in the requests that contained subrequests. <a href="https://github.com/Kong/kong/issues/12953" target="_blank" rel="noopener nofollow noreferrer ">#12953</a> </li> <li> <strong>Vault</strong>: References ending with a slash, when parsed, will no longer return a key. <a href="https://github.com/Kong/kong/issues/13538" target="_blank" rel="noopener nofollow noreferrer ">#13538</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">pdk.log.serialize()</code> threw an error when the JSON entity set by <code class="language-plaintext highlighter-rouge">serialize_value</code> contained <code class="language-plaintext highlighter-rouge">json.null</code>. <a href="https://github.com/Kong/kong/issues/13376" target="_blank" rel="noopener nofollow noreferrer ">#13376</a> </li> </ul> <h4 id="plugins-6">Plugins</h4> <ul> <li> <p><strong>Plugins with a shared Redis schema</strong>: Fixed a Redis schema issue where <code class="language-plaintext highlighter-rouge">connect_timeout</code>, <code class="language-plaintext highlighter-rouge">read_timeout</code>, <code class="language-plaintext highlighter-rouge">send_timeout</code> were reset to <code class="language-plaintext highlighter-rouge">null</code> if the deprecated <code class="language-plaintext highlighter-rouge">timeout</code> was <code class="language-plaintext highlighter-rouge">null</code>.</p> </li> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Fixed an issue where certain Azure models would return partial tokens/words when in response-streaming mode.</li> <li>Fixed an issue where Cohere and Anthropic providers didn’t read the <code class="language-plaintext highlighter-rouge">model</code> parameter properly from the caller’s request body.</li> <li>Fixed an issue where using OpenAI Function inference requests would log a request error, and then hang until timeout.</li> <li>Fixed an issue where AI Proxy would still allow callers to specify their own model, ignoring the plugin-configured model name.</li> <li>Fixed an issue where AI Proxy would not take precedence of the plugin’s configured model tuning options over those in the user’s LLM request.</li> <li>Fixed an issue where setting OpenAI SDK model parameter <code class="language-plaintext highlighter-rouge">null</code> caused analytics to not be written to the logging plugin(s).</li> </ul> <p><a href="https://github.com/Kong/kong/issues/13000" target="_blank" rel="noopener nofollow noreferrer ">#13000</a></p> <ul> <li>Fixed an issue when response was gzipped even if the client didn’t accept the format. <a href="https://github.com/Kong/kong/issues/13155" target="_blank" rel="noopener nofollow noreferrer ">#13155</a> </li> <li>Fixed an issue where the object constructor would set data on the class instead of the instance. <a href="https://github.com/Kong/kong/issues/13028" target="_blank" rel="noopener nofollow noreferrer ">#13028</a> </li> <li>Added a configuration validation to prevent <code class="language-plaintext highlighter-rouge">log_statistics</code> from being enabled on providers that don’t support statistics. Accordingly, the default of <code class="language-plaintext highlighter-rouge">log_statistics</code> has changed from <code class="language-plaintext highlighter-rouge">true</code> to <code class="language-plaintext highlighter-rouge">false</code>, and a database migration has been added for disabling <code class="language-plaintext highlighter-rouge">log_statistics</code> if it has already been enabled upon unsupported providers. <a href="https://github.com/Kong/kong/issues/12860" target="_blank" rel="noopener nofollow noreferrer ">#12860</a> </li> </ul> </li> <li> <a href="/hub/?category=ai"><strong>AI plugins</strong></a> <ul> <li>Fixed an issue where certain AI plugins couldn’t be applied per consumer or per service. <a href="https://github.com/Kong/kong/issues/13209" target="_blank" rel="noopener nofollow noreferrer ">#13209</a> </li> <li>Fixed an issue where multi-modal inputs weren’t properly validated and calculated. <a href="https://github.com/Kong/kong/issues/13445" target="_blank" rel="noopener nofollow noreferrer ">#13445</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-prompt-guard/"><strong>AI Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-guard</code>) <ul> <li>Fixed an issue which occurred when <code class="language-plaintext highlighter-rouge">allow_all_conversation_history</code> was set to false, and caused the first user request to be selected instead of the last one. <a href="https://github.com/Kong/kong/issues/13183" target="_blank" rel="noopener nofollow noreferrer ">#13183</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-request-transformer/"><strong>AI Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-request-transformer</code>) and <a href="/hub/kong-inc/ai-response-transformer/"><strong>AI Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-response-transformer</code>) <ul> <li>Fixed an issue where Cloud Identity authentication was not used in <code class="language-plaintext highlighter-rouge">ai-request-transformer</code> and <code class="language-plaintext highlighter-rouge">ai-response-transformer</code> plugins.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Improved error logging when having an inconsistent label count. <a href="https://github.com/Kong/kong/issues/13020" target="_blank" rel="noopener nofollow noreferrer ">#13020</a> </li> <li>Fixed an issue where the CP/DP compatibility check was missing for the new configuration field <code class="language-plaintext highlighter-rouge">ai_metrics</code>. <a href="https://github.com/Kong/kong/issues/13417" target="_blank" rel="noopener nofollow noreferrer ">#13417</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Fixed an issue where the DP would report that deprecated config fields were used when configuration was pushed from the CP. <a href="https://github.com/Kong/kong/issues/13069" target="_blank" rel="noopener nofollow noreferrer ">#13069</a> </li> <li>Fixed an issue where username and password were not accepted as valid authentication methods. <a href="https://github.com/Kong/kong/issues/13496" target="_blank" rel="noopener nofollow noreferrer ">#13496</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Fixed an issue where the plugin didn’t work with <code class="language-plaintext highlighter-rouge">multiValueHeaders</code> defined in proxy integration and legacy <code class="language-plaintext highlighter-rouge">empty_arrays_mode</code>. <a href="https://github.com/Kong/kong/issues/13381" target="_blank" rel="noopener nofollow noreferrer ">#13381</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">version</code> field wasn’t set in the request payload when <code class="language-plaintext highlighter-rouge">awsgateway_compatible</code> was enabled. <a href="https://github.com/Kong/kong/issues/13018" target="_blank" rel="noopener nofollow noreferrer ">#13018</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/cors/"><strong>CORS</strong></a> (<code class="language-plaintext highlighter-rouge">cors</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">Access-Control-Allow-Origin</code> header was not sent when <code class="language-plaintext highlighter-rouge">conf.origins</code> had multiple entries but included <code class="language-plaintext highlighter-rouge">*</code>. <a href="https://github.com/Kong/kong/issues/13334" target="_blank" rel="noopener nofollow noreferrer ">#13334</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/correlation-id/"><strong>Correlation ID</strong></a> (<code class="language-plaintext highlighter-rouge">correlation-id</code>) <ul> <li>Fixed an issue where the plugin would not work if you explicitly set the <code class="language-plaintext highlighter-rouge">generator</code> to <code class="language-plaintext highlighter-rouge">null</code>. <a href="https://github.com/Kong/kong/issues/13439" target="_blank" rel="noopener nofollow noreferrer ">#13439</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/grpc-gateway/"><strong>gRPC-Gateway</strong></a> (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>) <ul> <li>When there is a JSON decoding error, the plugin now responds with status 400 and error information in the body instead of status 500. <a href="https://github.com/Kong/kong/issues/12971" target="_blank" rel="noopener nofollow noreferrer ">#12971</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/hmac-auth/"><strong>HMAC Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">hmac-auth</code>), <a href="/hub/kong-inc/jwt/"><strong>JWT</strong></a> (<code class="language-plaintext highlighter-rouge">jwt</code>), <a href="/hub/kong-inc/ldap-auth/"><strong>LDAP Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth</code>), and <a href="/hub/kong-inc/oauth2/"><strong>OAuth2</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2</code>) <ul> <li>Added WWW-Authenticate headers to 401 responses. <a href="https://github.com/Kong/kong/issues/11791" target="_blank" rel="noopener nofollow noreferrer ">#11791</a> <a href="https://github.com/Kong/kong/issues/11792" target="_blank" rel="noopener nofollow noreferrer ">#11792</a> <a href="https://github.com/Kong/kong/issues/11820" target="_blank" rel="noopener nofollow noreferrer ">#11820</a> <a href="https://github.com/Kong/kong/issues/11833" target="_blank" rel="noopener nofollow noreferrer ">#11833</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/"><strong>HTTP Log</strong></a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Fixed an issue where the plugin didn’t include port information in the HTTP host header when sending requests to the log server. <a href="https://github.com/Kong/kong/issues/13116" target="_blank" rel="noopener nofollow noreferrer ">#13116</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue where the plugin couldn’t obtain the value when the path parameter name contained hyphen characters.</li> <li>Fixed an issue where parameter serialization didn’t behave the same as in the OpenAPI specification.</li> <li>Fixed an issue where the non-string primitive types passed via URL query were unexpectedly cast to string when the OpenAPI spec version was v3.1.0.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue where migration failed when upgrading from versions earlier than 3.3.x to 3.7.x. <a href="https://github.com/Kong/kong/issues/13391" target="_blank" rel="noopener nofollow noreferrer ">#13391</a> </li> <li>Removed redundant deprecation warnings. <a href="https://github.com/Kong/kong/issues/13220" target="_blank" rel="noopener nofollow noreferrer ">#13220</a> </li> <li>Improved the accuracy of sampling decisions. <a href="https://github.com/Kong/kong/issues/13275" target="_blank" rel="noopener nofollow noreferrer ">#13275</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Removed redundant deprecation warnings. <a href="https://github.com/Kong/kong/issues/13220" target="_blank" rel="noopener nofollow noreferrer ">#13220</a> </li> <li>Improved the accuracy of sampling decisions. <a href="https://github.com/Kong/kong/issues/13275" target="_blank" rel="noopener nofollow noreferrer ">#13275</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer/"><strong>Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer</code>) <ul> <li>Fixed an issue where renamed query parameters, url-encoded body parameters, and JSON body parameters were not handled properly when the target name was the same as the source name in the request. <a href="https://github.com/Kong/kong/issues/13358" target="_blank" rel="noopener nofollow noreferrer ">#13358</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/basic-auth/"><strong>Basic Auth</strong></a> (<code class="language-plaintext highlighter-rouge">basic-auth</code>) <ul> <li>Fixed an issue where the realm field wasn’t recognized for older Kong Gateway versions (earlier than 3.6.x). <a href="https://github.com/Kong/kong/issues/13042" target="_blank" rel="noopener nofollow noreferrer ">#13042</a> </li> <li>Added WWW-Authenticate headers to all 401 responses and realm option. <a href="https://github.com/Kong/kong/issues/11833" target="_blank" rel="noopener nofollow noreferrer ">#11833</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth/"><strong>Key Auth</strong></a> (<code class="language-plaintext highlighter-rouge">key-auth</code>) <ul> <li>Fixed an issue where the realm field wasn’t recognized for older Kong Gateway versions (earlier than 3.7). <a href="https://github.com/Kong/kong/issues/13042" target="_blank" rel="noopener nofollow noreferrer ">#13042</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/request-size-limiting/"><strong>Request Size Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">request-size-limiting</code>) <ul> <li>Fixed an issue where the body size didn’t get checked when the request body was buffered to a temporary file. <a href="https://github.com/Kong/kong/issues/13303" target="_blank" rel="noopener nofollow noreferrer ">#13303</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed an issue where the DP would report that deprecated config fields were used when configuration was pushed from the CP. <a href="https://github.com/Kong/kong/issues/13069" target="_blank" rel="noopener nofollow noreferrer ">#13069</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>Fixed an issue where the DP would report that deprecated config fields were used when configuration was pushed from the CP. <a href="https://github.com/Kong/kong/issues/13069" target="_blank" rel="noopener nofollow noreferrer ">#13069</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Timer spikes no longer occur when there is network instability with the central data store.</li> <li>Fixed an issue where, if the <code class="language-plaintext highlighter-rouge">window_size</code> in the consumer group overriding config was different from the <code class="language-plaintext highlighter-rouge">window_size</code> in the default config, the rate limiting of that consumer group would fall back to local strategy.</li> <li>Fixed an issue where the sync timer could stop working due to a race condition.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache/"><strong>Proxy Cache</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache</code>) <ul> <li>Fixed an issue where the Age header was not being updated correctly when serving cached responses. <a href="https://github.com/Kong/kong/issues/13387" target="_blank" rel="noopener nofollow noreferrer ">#13387</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>) <ul> <li>Fixed an issue where the consumer’s cache couldn’t be invalidated when the OAuth2 Introspection plugin used <code class="language-plaintext highlighter-rouge">client_id</code> as <code class="language-plaintext highlighter-rouge">consumer_by</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue where anonymous consumers could be cached as nil under a certain condition.</li> <li>Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">using_pseudo_issuer</code> didn’t work when sending <code class="language-plaintext highlighter-rouge">PATCH</code> requests.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>) <ul> <li>Edited the logic for the window adjustment and fixed missing passing window to shared memory.</li> </ul> </li> <li> <a href="/hub/kong-inc/tls-metadata-headers/"><strong>TLS Metadata Headers</strong></a> (<code class="language-plaintext highlighter-rouge">tls-metadata-headers</code>) <ul> <li>Fixed an issue where the intermediate certificate’s details were not added to request headers.</li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth-enc/"><strong>Key Authentication Encrypted</strong></a> (<code class="language-plaintext highlighter-rouge">key-auth-enc</code>) <ul> <li>Added WWW-Authenticate headers to all 401 responses.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Added WWW-Authenticate headers to all 401 responses.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where multiple parameter types were not handled correctly when converting query parameters.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Fixed an issue where the Age header was not being updated correctly when serving cached requests.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Fixed an issue where the plugin could fail to handle requests when <code class="language-plaintext highlighter-rouge">param_schema</code> was <code class="language-plaintext highlighter-rouge">$ref schema</code>.</li> <li>Added a new configuration field <code class="language-plaintext highlighter-rouge">content_type_parameter_validation</code> to determine whether to enable Content-Type parameter validation.</li> </ul> </li> <li> <a href="/hub/kong-inc/statsd/"><strong>StatsD</strong></a> (<code class="language-plaintext highlighter-rouge">statsd</code>) <ul> <li>Fixed an issue where the exported workspace was always <code class="language-plaintext highlighter-rouge">default</code> when the workspace identifier was set to the workspace name.</li> </ul> </li> </ul> <h3 id="performance">Performance</h3> <ul> <li>Fixed an inefficiency issue in the Luajit hashing algorithm. <a href="https://github.com/Kong/kong/issues/13240" target="_blank" rel="noopener nofollow noreferrer ">#13240</a> </li> <li>Removed unnecessary DNS client initialization. <a href="https://github.com/Kong/kong/issues/13479" target="_blank" rel="noopener nofollow noreferrer ">#13479</a> </li> <li>Improved latency performance when gzipping/gunzipping large data (such as CP/DP config data). <a href="https://github.com/Kong/kong/issues/13338" target="_blank" rel="noopener nofollow noreferrer ">#13338</a> </li> <li>Improved the performance of Konnect Analytics by fetching the Rate Limiting context more efficiently.</li> <li>Improved the performance of Konnect Analytics by optimizing the buffering mechanism.</li> </ul> <h3 id="dependencies-3">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-acme</code> to 0.15.0 to support username/password auth with Redis. <a href="https://github.com/Kong/kong/issues/12909" target="_blank" rel="noopener nofollow noreferrer ">#12909</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.5.3 to fix a bug related to the STS regional endpoint. <a href="https://github.com/Kong/kong/issues/12846" target="_blank" rel="noopener nofollow noreferrer ">#12846</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.3.0. <a href="https://github.com/Kong/kong/issues/13097" target="_blank" rel="noopener nofollow noreferrer ">#13097</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 3.0.1 to 3.1.0 to reduce active healthcheck timer usage. <a href="https://github.com/Kong/kong/issues/13038" target="_blank" rel="noopener nofollow noreferrer ">#13038</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-lmdb</code> to 1.4.3 (lmdb 0.9.33) <a href="https://github.com/Kong/kong/issues/12786" target="_blank" rel="noopener nofollow noreferrer ">#12786</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> to 1.5.1. <a href="https://github.com/Kong/kong/issues/12665" target="_blank" rel="noopener nofollow noreferrer ">#12665</a> </li> <li>Bumped OpenResty to 1.25.3.2 <a href="https://github.com/Kong/kong/issues/12327" target="_blank" rel="noopener nofollow noreferrer ">#12327</a> </li> <li>Bumped PCRE2 to 10.44 to fix some bugs and organize the release. <a href="https://github.com/Kong/kong/issues/12366" target="_blank" rel="noopener nofollow noreferrer ">#12366</a> </li> <li>Introduced a yieldable JSON library <code class="language-plaintext highlighter-rouge">lua-resty-simdjson</code>, which significantly improves latency. <a href="https://github.com/Kong/kong/issues/13421" target="_blank" rel="noopener nofollow noreferrer ">#13421</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> to 0.5.2 <a href="https://github.com/Kong/kong/issues/12834" target="_blank" rel="noopener nofollow noreferrer ">#12834</a> </li> <li>Bumped LuaRocks from 3.11.0 to 3.11.1 <a href="https://github.com/Kong/kong/issues/12662" target="_blank" rel="noopener nofollow noreferrer ">#12662</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">ngx_wasm_module</code> to <code class="language-plaintext highlighter-rouge">96b4e27e10c63b07ed40ea88a91c22f23981db35</code> <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">Wasmtime</code> version to 23.0.2 <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Made the RPM package relocatable with the default prefix set to <code class="language-plaintext highlighter-rouge">/</code>. <a href="https://github.com/Kong/kong/issues/13468" target="_blank" rel="noopener nofollow noreferrer ">#13468</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> to 2.12.9.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">libxslt</code> to 1.1.42.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">msgpack-c</code> to 6.1.0.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> to 0.20 to support TCP socket keepalive and allow <code class="language-plaintext highlighter-rouge">client_id</code> to be set for the Kafka client.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-jsonschema-rs</code> to 0.1.5</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-cookie</code> to 0.3.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> to 1.6.0 to support more Azure authentication methods.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">luaexpat</code> to 1.5.2.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> to 1.5.4, fixing the following issues: <ul> <li>Fixed an issue where Kong Gateway couldn’t recover if partial or all pods were restared with new IPs in Kubernetes environment.</li> <li>Fixed a memory leak issue where the master nodes cache expanded infinitely upon refresh.</li> <li>Fixed an issue where multiple cluster instances were accidentally flushed.</li> </ul> </li> </ul> <h3 id="known-issues">Known issues</h3> <ul> <li>In the <a href="/hub/kong-inc/json-threat-protection/configuration/">JSON Threat Protection plugin</a>, the default value of <code class="language-plaintext highlighter-rouge">-1</code> for any of the <code class="language-plaintext highlighter-rouge">max_*</code> parameters indicates unlimited. In some environments (such as ARM64-based environments), the default value is interpreted incorrectly. The plugin can erroneously block valid requests if any of the parameters continue with the default values. To mitigate this issue, configure the JSON Threat Protection plugin with limits for all of the <code class="language-plaintext highlighter-rouge">max_*</code> parameters.</li> </ul> <h2 id="3713">3.7.1.3</h2> <p><strong>Release Date</strong> 2024/11/26</p> <h3 id="fixes-4">Fixes</h3> <h4 id="core-6">Core</h4> <ul> <li> <p>The <code class="language-plaintext highlighter-rouge">kong.logrotate</code> configuration file is no longer overwritten during upgrade.</p> <p>This change presents an additional prompt for Debian users upgrading via <code class="language-plaintext highlighter-rouge">apt</code> and <code class="language-plaintext highlighter-rouge">deb</code> packages. To accept the defaults provided by Kong in the package, use the following command, adjusting it to your architecture and the version you’re upgrading to:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span>noninteractive apt upgrade kong-enterprise-edition_3.4.3.11_arm64.deb </code></pre></div> </div> </li> <li> <strong>Vault</strong>: <ul> <li>Fixed an issue where updating a vault entity in a non-default workspace didn’t take effect.</li> <li>Fixed an issue where the Vault secret cache got refreshed during <code class="language-plaintext highlighter-rouge">resurrect_ttl</code> time and could not be fetched by other workers.</li> </ul> </li> <li>Moved internal Unix sockets to a subdirectory (<code class="language-plaintext highlighter-rouge">sockets</code>) of the Kong prefix.</li> <li>Shortened names of internal Unix sockets to avoid exceeding the socket name limit.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">luarocks-admin</code> was not available in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>.</li> <li>Fixed an issue where AWS IAM assume role could not be used in AWS IAM Database Authentication, by using the following fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_assume_role_arn</code>, <code class="language-plaintext highlighter-rouge">pg_iam_auth_role_session_name</code>, <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_assume_role_arn</code>, and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_role_session_name</code>.</li> <li>Fixed an issue where the STS endpoint could not be configured manually in RDS IAM Authentication, AWS Vault, and AWS Lambda plugin. For RDS IAM Authentication, it can be configured by <code class="language-plaintext highlighter-rouge">pg_iam_auth_sts_endpoint_url</code> and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_sts_endpoint_url</code>; for AWS Vault, it can be configured by <code class="language-plaintext highlighter-rouge">vault_aws_sts_endpoint_url</code> as a global configuration, or <code class="language-plaintext highlighter-rouge">sts_endpoint_url</code> on a custom AWS vault entity; for the AWS Lambda plugin, it can be configured by <code class="language-plaintext highlighter-rouge">aws_sts_endpoint_url</code>.</li> </ul> <h4 id="plugins-7">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Fixed an issue where certain Azure models would return partial tokens/words when in response-streaming mode.</li> <li>Fixed an issue where Cohere and Anthropic providers didn’t read the <code class="language-plaintext highlighter-rouge">model</code> parameter properly from the caller’s request body.</li> <li>Fixed an issue where using OpenAI Function inference requests would log a request error, and then hang until timeout.</li> <li>Fixed an issue where AI Proxy would still allow callers to specify their own model, ignoring the plugin-configured model name.</li> <li>Fixed an issue where the AI Proxy plugin’s configured model tuning options would not take precedence over those in the user’s LLM request.</li> <li>Fixed an issue where setting OpenAI SDK model parameter <code class="language-plaintext highlighter-rouge">null</code> caused analytics to not be written to the logging plugin(s).</li> </ul> <p><a href="https://github.com/Kong/kong/issues/13000" target="_blank" rel="noopener nofollow noreferrer ">#13000</a></p> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where, if the <code class="language-plaintext highlighter-rouge">window_size</code> in the consumer group overriding config was different from the <code class="language-plaintext highlighter-rouge">window_size</code> in the default config, the rate limiting of that consumer group would fall back to local strategy.</li> <li>Fixed an issue where the sync timer could stop working due to a race condition.</li> </ul> </li> </ul> <h3 id="dependencies-4">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.5.3 to fix a bug related to STS regional endpoint.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> to 1.6.1 to fix a <code class="language-plaintext highlighter-rouge">GET</code> request build issue, which was causing problems with Azure secret references.</li> <li>Made the RPM package relocatable with the default prefix set to <code class="language-plaintext highlighter-rouge">/</code>.</li> </ul> <h2 id="3712">3.7.1.2</h2> <p><strong>Release Date</strong> 2024/07/09</p> <h3 id="deprecations">Deprecations</h3> <ul> <li>Debian 10, CentOS 7, and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of this patch, Kong is not building Kong Gateway 3.7.x installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.</li> </ul> <h3 id="features-3">Features</h3> <h4 id="plugins-8">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added the new configuration parameter <code class="language-plaintext highlighter-rouge">empty_arrays_mode</code>, which lets you control whether Kong Gateway should send empty arrays (<code class="language-plaintext highlighter-rouge">[]</code>) returned by the Lambda function as empty arrays (<code class="language-plaintext highlighter-rouge">[]</code>), or as empty objects (<code class="language-plaintext highlighter-rouge">{}</code>) in JSON responses.</li> </ul> </li> </ul> <h3 id="fixed">Fixed</h3> <ul> <li>Fixed an issue where the Dev Portal documentation link was unavailable because the official documentation was removed after 3.4.x.</li> </ul> <h3 id="dependencies-5">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.3.0 to fix race condition issues in event delivery at startup.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> to 3.1.0 to remove version checks of the <code class="language-plaintext highlighter-rouge">lua-resty-events</code> lib.</li> </ul> <h2 id="3711">3.7.1.1</h2> <p><strong>Release Date</strong> 2024/06/22</p> <h3 id="fixes-5">Fixes</h3> <ul> <li>Fixed an issue where the DNS client was incorrectly using the content of the <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses.</li> </ul> <h2 id="3710">3.7.1.0</h2> <p><strong>Release Date</strong> 2024/06/18</p> <h3 id="known-issues-1">Known issues</h3> <ul> <li>There is an issue with the DNS client fix, where the DNS client incorrectly uses the content <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses. To avoid this issue, install 3.7.1.1 instead of this patch.</li> </ul> <h3 id="features-4">Features</h3> <h4 id="plugins-9">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Added the new configuration field <code class="language-plaintext highlighter-rouge">content_type_parameter_validation</code> to determine whether to enable Content-Type parameter validation.</li> </ul> </li> </ul> <h3 id="fixes-6">Fixes</h3> <h4 id="core-7">Core</h4> <ul> <li> <strong>DNS Client</strong>: Fixed an issue where the Kong DNS client stored records with non-matching domain and type when parsing answers. It now ignores records when the RR type differs from that of the query when parsing answers.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">host_header</code> attribute of the upstream entity wouldn’t be set correctly as a Host header in requests to the upstream during connection retries.</li> <li>Built-in RBAC roles for admins (<code class="language-plaintext highlighter-rouge">admin</code> under the default workspace and <code class="language-plaintext highlighter-rouge">workspace-admin</code> under non-default workspaces) now disallow CRUD actions to <code class="language-plaintext highlighter-rouge">/groups</code> and <code class="language-plaintext highlighter-rouge">/groups/*</code> endpoints.</li> <li>Fixed an issue where the priority field could be set in a traditional mode route when <code class="language-plaintext highlighter-rouge">router_flavor</code> was configured as <code class="language-plaintext highlighter-rouge">expressions</code>.</li> </ul> <h4 id="plugins-10">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Resolved an issue where the object constructor would set data on the class instead of the instance.</li> </ul> </li> <li> <a href="/hub/kong-inc/basic-auth/"><strong>Basic Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">basic-auth</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">realm</code> field wasn’t recognized for Kong Gateway versions before 3.6.</li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth/"><strong>Key Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">key-auth</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">realm</code> field wasn’t recognized for Kong Gateway versions before 3.7.</li> </ul> </li> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>) <ul> <li>Fixed the logic for the window adjustment when using a sliding window.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue where anonymous consumers were being cached as <code class="language-plaintext highlighter-rouge">nil</code> under a certain condition.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Timer spikes no longer occur when there is network instability with the central data store.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Fixed an issue where the plugin could fail to handle requests when <code class="language-plaintext highlighter-rouge">param_schema</code> was <code class="language-plaintext highlighter-rouge">$ref schema</code>.</li> </ul> </li> </ul> <h3 id="dependencies-6">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.2.1.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 3.0.1 to 3.0.2 to fix memory leak issues by reusing a timer for the same active healthcheck target instead of running many timers.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-jsonschema-rs</code> to 0.1.5.</li> </ul> <h2 id="3700">3.7.0.0</h2> <p><strong>Release Date</strong> 2024/05/28</p> <h3 id="breaking-changes-and-deprecations-2">Breaking changes and deprecations</h3> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>): To support the new messages API of Anthropic, the upstream path of the <code class="language-plaintext highlighter-rouge">Anthropic</code> for <code class="language-plaintext highlighter-rouge">llm/v1/chat</code> route type has changed from <code class="language-plaintext highlighter-rouge">/v1/complete</code> to <code class="language-plaintext highlighter-rouge">/v1/messages</code>. <a href="https://github.com/Kong/kong/issues/12699" target="_blank" rel="noopener nofollow noreferrer ">#12699</a> </li> <li> <strong>HashiCorp Vault</strong>: <ul> <li>Starting from this version, a string entirely made of spaces can’t be specified as the <code class="language-plaintext highlighter-rouge">role_id</code> or <code class="language-plaintext highlighter-rouge">secret_id</code> value in the HashiCorp Vault entity when using the AppRole authentication method.</li> <li>Starting from this version, you must specify at least one of <code class="language-plaintext highlighter-rouge">secret_id</code> or <code class="language-plaintext highlighter-rouge">secret_id_file</code> in the HashiCorp Vault entity when using the AppRole authentication method.</li> </ul> </li> <li> <p>The <strong>Granular Tracing</strong> feature has been deprecated and removed. As part of your upgrade to 3.7, remove the following tracing-related parameters from your <code class="language-plaintext highlighter-rouge">kong.conf</code> file:</p> <ul> <li><code class="language-plaintext highlighter-rouge">tracing</code></li> <li><code class="language-plaintext highlighter-rouge">tracing_write_strategy</code></li> <li><code class="language-plaintext highlighter-rouge">tracing_write_endpoint</code></li> <li><code class="language-plaintext highlighter-rouge">tracing_time_threshold</code></li> <li><code class="language-plaintext highlighter-rouge">tracing_types</code></li> <li><code class="language-plaintext highlighter-rouge">tracing_debug_header</code></li> <li><code class="language-plaintext highlighter-rouge">generate_trace_details</code></li> </ul> <p>We recommend transitioning to <a href="/gateway/latest/production/tracing/">OpenTelemetry Instrumentation</a> instead.</p> </li> </ul> <h3 id="features-5">Features</h3> <h4 id="admin-api-5">Admin API</h4> <ul> <li>Added LHS bracket filtering to search fields.</li> <li> <strong>Audit logs:</strong> <ul> <li>Added <code class="language-plaintext highlighter-rouge">request_timestamp</code> to <code class="language-plaintext highlighter-rouge">audit_objects</code>.</li> <li>Added before and after aliases for LHS Brackets filters.</li> <li> <code class="language-plaintext highlighter-rouge">audit_requests</code> and <code class="language-plaintext highlighter-rouge">audit_objects</code> can now be filtered by <code class="language-plaintext highlighter-rouge">request_timestamp</code>.</li> <li>Changed the default ordering of <code class="language-plaintext highlighter-rouge">audit_requests</code> to be sorted by <code class="language-plaintext highlighter-rouge">request_timestamp</code> in descending order.</li> </ul> </li> </ul> <h4 id="configuration-2">Configuration</h4> <ul> <li>TLSv1.1 and lower versions are now disabled by default in OpenSSL 3.x. <a href="https://github.com/Kong/kong/issues/12420" target="_blank" rel="noopener nofollow noreferrer ">#12420</a> </li> <li>Introduced the <a href="/gateway/latest/reference/configuration/#nginx_wasm_main_shm_kv"><code class="language-plaintext highlighter-rouge">nginx_wasm_main_shm_kv</code></a> configuration parameter, which enables Wasm filters to use the Proxy-Wasm operations <code class="language-plaintext highlighter-rouge">get_shared_data</code> and <code class="language-plaintext highlighter-rouge">set_shared_data</code> without namespaced keys. <a href="https://github.com/Kong/kong/issues/12663" target="_blank" rel="noopener nofollow noreferrer ">#12663</a> </li> <li>Added a deprecation field attribute to schemas to identify deprecated fields. <a href="https://github.com/Kong/kong/issues/12686" target="_blank" rel="noopener nofollow noreferrer ">#12686</a> </li> <li>Added the <a href="/gateway/latest/reference/configuration/#wasm_filters"><code class="language-plaintext highlighter-rouge">wasm_filters</code></a> configuration parameter for enabling individual filters. <a href="https://github.com/Kong/kong/issues/12843" target="_blank" rel="noopener nofollow noreferrer ">#12843</a> </li> </ul> <h4 id="core-8">Core</h4> <ul> <li>Added <code class="language-plaintext highlighter-rouge">events:ai:response_tokens</code>, <code class="language-plaintext highlighter-rouge">events:ai:prompt_tokens</code>, and <code class="language-plaintext highlighter-rouge">events:ai:requests</code> to the anonymous report to start counting AI usage. <a href="https://github.com/Kong/kong/issues/12924" target="_blank" rel="noopener nofollow noreferrer ">#12924</a> </li> <li>Improved config handling when the control plane (CP) runs with the router set to the <code class="language-plaintext highlighter-rouge">expressions</code> flavor <a href="https://github.com/Kong/kong/issues/12967" target="_blank" rel="noopener nofollow noreferrer ">#12967</a>: <ul> <li>If mixed config is detected and a lower data plane (DP) is attached to the CP, no config will be sent at all.</li> <li>If the expression is invalid on the CP, no config will be sent at all.</li> <li>If the expression is invalid on a lower DP, it will be sent to the DP. DP validation will catch the invalid config and communicate back to the CP. This could result in partial config application.</li> </ul> </li> <li>The route entity now supports the following fields when the <a href="/gateway/latest/reference/configuration/#router_flavor"><code class="language-plaintext highlighter-rouge">router_flavor</code></a> is <code class="language-plaintext highlighter-rouge">expressions</code>: <code class="language-plaintext highlighter-rouge">methods</code>, <code class="language-plaintext highlighter-rouge">hosts</code>, <code class="language-plaintext highlighter-rouge">paths</code>, <code class="language-plaintext highlighter-rouge">headers</code>, <code class="language-plaintext highlighter-rouge">snis</code>, <code class="language-plaintext highlighter-rouge">sources</code>, <code class="language-plaintext highlighter-rouge">destinations</code>, and <code class="language-plaintext highlighter-rouge">regex_priority</code>. The meaning of these fields are consistent with the <a href="/gateway/api/admin-ee/latest/#/Routes">traditional route entity</a>. <a href="https://github.com/Kong/kong/issues/12667" target="_blank" rel="noopener nofollow noreferrer ">#12667</a> </li> <li>Added support for debugging with EmmyLuaDebugger. This feature is in tech preview and is not officially supported by Kong Inc. <a href="https://github.com/Kong/kong/issues/12899" target="_blank" rel="noopener nofollow noreferrer ">#12899</a> </li> <li> <strong>Analytics</strong>: <ul> <li>Added the <code class="language-plaintext highlighter-rouge">latencies.receive_ms</code> and <code class="language-plaintext highlighter-rouge">websocket</code> fields.</li> <li>Removed received time and latency from <code class="language-plaintext highlighter-rouge">latencies.kong_gateway_ms</code>.</li> <li>Added the <code class="language-plaintext highlighter-rouge">sse</code> boolean field to the payload, which is set to <code class="language-plaintext highlighter-rouge">true</code> for Server-Sent Event requests and responses.</li> </ul> </li> </ul> <h4 id="kong-manager-5">Kong Manager</h4> <ul> <li>Kong Manager now supports creating and editing expressions routes using interactive in-browser editor with syntax highlighting and autocompletion features for Kong’s Expressions language. <a href="https://github.com/Kong/kong-manager/issues/217" target="_blank" rel="noopener nofollow noreferrer ">#217</a> </li> <li>Kong Manager now groups parameters to provide a better user experience while configuring plugins.</li> <li>When authenticating Kong Manager with IDPs (for example, OIDC or LDAP), the source of an RBAC role is now stored in its <code class="language-plaintext highlighter-rouge">role_source</code> field. This enables the existing roles with a source of <code class="language-plaintext highlighter-rouge">idp</code> to be removed upon new logins after IDP role mapping has changed. This also allows users to switch a role’s source between <code class="language-plaintext highlighter-rouge">local</code> and <code class="language-plaintext highlighter-rouge">idp</code>.</li> </ul> <h4 id="pdk-4">PDK</h4> <ul> <li>Added the <code class="language-plaintext highlighter-rouge">latencies.receive</code> property to the log serializer. <a href="https://github.com/Kong/kong/issues/12730" target="_blank" rel="noopener nofollow noreferrer ">#12730</a> </li> </ul> <h4 id="plugins-11">Plugins</h4> <p><strong>New plugins</strong>:</p> <ul> <li> <a href="/hub/kong-inc/ai-rate-limiting-advanced/"><strong>AI Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ai-rate-limiting-advanced</code>): This plugin lets you implement a rate limit by an AI provider.</li> <li> <a href="/hub/kong-inc/ai-azure-content-safety/"><strong>AI Azure Content Safety</strong></a> (<code class="language-plaintext highlighter-rouge">ai-azure-content-safety</code>): Lets you enforce introspection of all AI Proxy requests with the Azure Content Safety service. The plugin enables configurable thresholds for the different moderation categories, and reports audit results into the Kong log serializer for reporting purposes.</li> </ul> <p><strong>Updates to existing plugins:</strong></p> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>AI Proxy now reads most prompt tuning parameters from the client, while the plugin config parameters under <code class="language-plaintext highlighter-rouge">model_options</code> are now just defaults. This fixes support for using the respective provider’s native SDK. <a href="https://github.com/Kong/kong/issues/12903" target="_blank" rel="noopener nofollow noreferrer ">#12903</a> </li> <li>AI Proxy now has a <a href="/hub/kong-inc/ai-proxy/configuration/#config-route_type"><code class="language-plaintext highlighter-rouge">preserve</code> option for <code class="language-plaintext highlighter-rouge">route_type</code></a>, where the requests and responses are passed directly to the upstream LLM. This enables compatibility with any models and SDKs that may be used when calling the AI services. <a href="https://github.com/Kong/kong/issues/12903" target="_blank" rel="noopener nofollow noreferrer ">#12903</a> </li> <li>Added support for <a href="/hub/kong-inc/ai-proxy/how-to/streaming/">streaming event-by-event responses</a> back to the client on supported providers. <a href="https://github.com/Kong/kong/issues/12792" target="_blank" rel="noopener nofollow noreferrer ">#12792</a> </li> <li> <strong>Enterprise-only feature</strong>: Added support for <a href="/hub/kong-inc/ai-proxy/how-to/cloud-provider-authentication/">Managed Identity authentication</a> when using the Azure provider with AI Proxy.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Added a workspace label to Prometheus plugin metrics. <a href="https://github.com/Kong/kong/issues/12836" target="_blank" rel="noopener nofollow noreferrer ">#12836</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ai-prompt-guard/"><strong>AI Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-guard</code>) <ul> <li>Increased the maximum length of regex expressions to 500 for the <code class="language-plaintext highlighter-rouge">allow</code> and <code class="language-plaintext highlighter-rouge">deny</code> parameters. <a href="https://github.com/Kong/kong/issues/12731" target="_blank" rel="noopener nofollow noreferrer ">#12731</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwt/"><strong>JWT</strong></a> (<code class="language-plaintext highlighter-rouge">jwt</code>) <ul> <li>Added support for EdDSA algorithms. <a href="https://github.com/Kong/kong/issues/12726" target="_blank" rel="noopener nofollow noreferrer ">#12726</a> </li> <li>Added support for ES512, PS256, PS384, and PS512 algorithms. <a href="https://github.com/Kong/kong/issues/12638" target="_blank" rel="noopener nofollow noreferrer ">#12638</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) and <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>The propagation module has been reworked. The new options allow better control over the configuration of tracing header propagation. <a href="https://github.com/Kong/kong/issues/12670" target="_blank" rel="noopener nofollow noreferrer ">#12670</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Added support for <a href="/hub/kong-inc/openid-connect/how-to/demonstrating-proof-of-possession/">DPoP (Demonstrating Proof-of-Possession) token validation</a>. You can enable it using the configuration parameter <a href="/hub/kong-inc/openid-connect/configuration/#config-proof_of_possession_dpop"><code class="language-plaintext highlighter-rouge">proof_of_possession_dpop</code></a>.</li> <li>Added support for JWT Secured Authorization Requests (JAR) on Authorization and Pushed Authorization (PAR) endpoints. See the configuration parameter <a href="/hub/kong-inc/openid-connect/configuration/#config-require_signed_request_object"><code class="language-plaintext highlighter-rouge">require_signed_request_object</code></a>.</li> <li>Added support for JARM response modes: <code class="language-plaintext highlighter-rouge">query.jwt</code>, <code class="language-plaintext highlighter-rouge">form_post.jwt</code>, <code class="language-plaintext highlighter-rouge">fragment.jwt</code>, and <code class="language-plaintext highlighter-rouge">jwt</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-proxy-cache-advanced/"><strong>GraphQL Proxy Cache Advanced</strong></a> <ul> <li>Added Redis strategy support.</li> <li>Added the ability to resolve unhandled errors with bypass, with the request going upstream. Enable it using the <a href="/hub/kong-inc/graphql-proxy-cache-advanced/configuration/#config-bypass_on_err"><code class="language-plaintext highlighter-rouge">bypass_on_err</code></a> configuration option.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>Added support for basic authentication and mTLS authentication to external JWKS services.</li> <li>The plugin now supports periodically rotating the JWKS. For example, to automatically rotate <code class="language-plaintext highlighter-rouge">access_token_jwks_uri</code>, you can set the configuration option <a href="/hub/kong-inc/jwt-signer/configuration/#config-access_token_jwks_uri_rotate_period"><code class="language-plaintext highlighter-rouge">access_token_jwks_uri_rotate_period</code></a>.</li> <li>The plugin now supports adding the original JWT(s) to the upstream request header by specifying the names of the upstream request header with <a href="/hub/kong-inc/jwt-signer/configuration/#config-original_access_token_upstream_header"><code class="language-plaintext highlighter-rouge">original_access_token_upstream_header</code></a> and <a href="/hub/kong-inc/jwt-signer/configuration/#config-original_channel_token_upstream_header"><code class="language-plaintext highlighter-rouge">original_channel_token_upstream_header</code></a>.</li> <li> <a href="/hub/kong-inc/jwt-signer/configuration/#config-access_token_upstream_header"><code class="language-plaintext highlighter-rouge">access_token_upstream_header</code></a>, <a href="/hub/kong-inc/jwt-signer/configuration/#config-channel_token_upstream_header"><code class="language-plaintext highlighter-rouge">channel_token_upstream_header</code></a>, <a href="/hub/kong-inc/jwt-signer/configuration/#config-original_access_token_upstream_header"><code class="language-plaintext highlighter-rouge">original_access_token_upstream_header</code></a>, and <a href="/hub/kong-inc/jwt-signer/configuration/#config-original_channel_token_upstream_header"><code class="language-plaintext highlighter-rouge">original_channel_token_upstream_header</code></a> should not have the same value.</li> <li>The plugin now supports pseudo JSON values in <a href="/hub/kong-inc/jwt-signer/configuration/#config-add_claims"><code class="language-plaintext highlighter-rouge">add_claims</code></a> and <a href="/hub/kong-inc/jwt-signer/configuration/#config-set_claims"><code class="language-plaintext highlighter-rouge">set_claims</code></a>. We can achieve the goal of passing multiple values to a key by passing a JSON string as the value.</li> <li>Added <a href="/hub/kong-inc/jwt-signer/configuration/#config-add_access_token_claims"><code class="language-plaintext highlighter-rouge">add_access_token_claims</code></a>, <a href="/hub/kong-inc/jwt-signer/configuration/#config-set_access_token_claims"><code class="language-plaintext highlighter-rouge">set_access_token_claims</code></a>, <a href="/hub/kong-inc/jwt-signer/configuration/#config-add_channel_token_claims"><code class="language-plaintext highlighter-rouge">add_channel_token_claims</code></a>, <a href="/hub/kong-inc/jwt-signer/configuration/#config-set_channel_token_claims"><code class="language-plaintext highlighter-rouge">set_channel_token_claims</code></a> for individually adding claims to access tokens and channel tokens.</li> <li>Added <a href="/hub/kong-inc/jwt-signer/configuration/#config-remove_access_token_claims"><code class="language-plaintext highlighter-rouge">remove_access_token_claims</code></a> and <a href="/hub/kong-inc/jwt-signer/configuration/#config-remove_channel_token_claims"><code class="language-plaintext highlighter-rouge">remove_channel_token_claims</code></a> to support the removal of claims.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Added the <a href="/hub/kong-inc/mocking/configuration/#config-custom_base_path"><code class="language-plaintext highlighter-rouge">custom_base_path</code></a> field to specify a custom base path. Use it with the <a href="/deck/latest/reference/deck_file_namespace/"><code class="language-plaintext highlighter-rouge">deck file namespace</code></a> command.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>Mutual TLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Added the <a href="/hub/kong-inc/mtls-auth/configuration/#config-default_consumer"><code class="language-plaintext highlighter-rouge">default_consumer</code></a> option, which lets you use a default consumer when the client certificate is valid but doesn’t match any existing consumers.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Added the new field <a href="/hub/kong-inc/oas-validation/configuration/#config-api_spec_encoded"><code class="language-plaintext highlighter-rouge">api_spec_encoded</code></a> to indicate whether the <code class="language-plaintext highlighter-rouge">api_spec</code> is URI-Encoded.</li> <li>Add the <a href="/hub/kong-inc/oas-validation/configuration/#config-custom_base_path"><code class="language-plaintext highlighter-rouge">custom_base_path</code></a> field to specifiy a custom base path. Use it with the <a href="/deck/latest/reference/deck_file_namespace/"><code class="language-plaintext highlighter-rouge">deck file namespace</code></a> command.</li> <li>The plugin now supports OpenAPI Specification v3.1.0. The plugin now switches to a new JSONSchema validator when the specification version is v3.1.0.</li> </ul> </li> </ul> <h3 id="performance-1">Performance</h3> <ul> <li>Improved proxy performance by refactoring the internal hooking mechanism. <a href="https://github.com/Kong/kong/issues/12784" target="_blank" rel="noopener nofollow noreferrer ">#12784</a> </li> <li>Sped up the router matching when the <code class="language-plaintext highlighter-rouge">router_flavor</code> is <code class="language-plaintext highlighter-rouge">traditional_compatible</code> or <code class="language-plaintext highlighter-rouge">expressions</code>. <a href="https://github.com/Kong/kong/issues/12467" target="_blank" rel="noopener nofollow noreferrer ">#12467</a> </li> <li> <strong>OpenTelemetry</strong>: Increased queue max batch size to 200. <a href="https://github.com/Kong/kong/issues/12488" target="_blank" rel="noopener nofollow noreferrer ">#12488</a> </li> <li>Sped up the tracing mechanism.</li> </ul> <h3 id="fixes-7">Fixes</h3> <h4 id="admin-api-6">Admin API</h4> <ul> <li>Fixed an issue where calling the endpoint <code class="language-plaintext highlighter-rouge">POST /schemas/vaults/validate</code> was conflicting with the endpoint <code class="language-plaintext highlighter-rouge">/schemas/vaults/:name</code> which only has GET implemented, resulting in a 405. <a href="https://github.com/Kong/kong/issues/12607" target="_blank" rel="noopener nofollow noreferrer ">#12607</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">POST /config?flatten_errors=1</code> could not return a proper response if the input included duplicate upstream targets. <a href="https://github.com/Kong/kong/issues/12797" target="_blank" rel="noopener nofollow noreferrer ">#12797</a> </li> <li>The <code class="language-plaintext highlighter-rouge">/<workspace>/admins</code> endpoint was incorrectly used to return admins associated with a workspace based on their assigned RBAC roles. It has been fixed to return admins according to the workspace they belong to.</li> </ul> <h4 id="cli-3">CLI</h4> <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">pg_timeout</code> was overridden to <code class="language-plaintext highlighter-rouge">60s</code> even if <code class="language-plaintext highlighter-rouge">--db-timeout</code> was not explicitly passed in CLI arguments.</li> <li>Fixed an issue which caused the <code class="language-plaintext highlighter-rouge">kong</code> command line tool to ignore the <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code> configuration option.</li> </ul> <h4 id="clustering-4">Clustering</h4> <ul> <li>Adjusted the clustering compatibility check related to AWS Secrets Manager to use <code class="language-plaintext highlighter-rouge">AK-SK</code> environment variables to grant IAM role permissions.</li> <li>Adjusted a clustering compatibility check related to HCV Kubernetes authentication paths.</li> <li>Adjusted a clustering compatibility check related to HashiCorp Vault Approle authentication.</li> <li>Fixed an issue where event hooks were prematurely validated in hybrid mode. The fix delays the validation of event hooks to the point where event hooks are emitted.</li> </ul> <h4 id="configuration-3">Configuration</h4> <ul> <li>Fixed the default value for <code class="language-plaintext highlighter-rouge">upstream_keepalive_max_requests</code> in <code class="language-plaintext highlighter-rouge">kong.conf.default</code> from 1000 to 10000. <a href="https://github.com/Kong/kong/issues/12643" target="_blank" rel="noopener nofollow noreferrer ">#12643</a> </li> <li>Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API. <a href="https://github.com/Kong/kong/issues/12718" target="_blank" rel="noopener nofollow noreferrer ">#12718</a> </li> <li>Disabled the usage of the Lua DNS resolver from <code class="language-plaintext highlighter-rouge">proxy-wasm</code> by default. <a href="https://github.com/Kong/kong/issues/12825" target="_blank" rel="noopener nofollow noreferrer ">#12825</a> </li> <li>Set the security level of gRPC’s TLS to <code class="language-plaintext highlighter-rouge">0</code> when <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is set to <code class="language-plaintext highlighter-rouge">old</code>. <a href="https://github.com/Kong/kong/issues/12613" target="_blank" rel="noopener nofollow noreferrer ">#12613</a> </li> </ul> <h4 id="core-9">Core</h4> <ul> <li> <strong>DNS Client</strong>: Kong now ignores non-positive values on <code class="language-plaintext highlighter-rouge">resolv.conf</code> for options timeout, a nd uses a default value of 2 seconds instead. <a href="https://github.com/Kong/kong/issues/12640" target="_blank" rel="noopener nofollow noreferrer ">#12640</a> </li> <li>Updated the file permission of <code class="language-plaintext highlighter-rouge">kong.logrotate</code> to 644 <a href="https://github.com/Kong/kong/issues/12629" target="_blank" rel="noopener nofollow noreferrer ">#12629</a> </li> <li>Fixed an issue with data planes in hybrid mode, where a certificate entity configured with a vault reference was occasionally not refreshed on time. <a href="https://github.com/Kong/kong/issues/12868" target="_blank" rel="noopener nofollow noreferrer ">#12868</a> </li> <li>Fixed the missing router section for the output of request debugging. <a href="https://github.com/Kong/kong/issues/12234" target="_blank" rel="noopener nofollow noreferrer ">#12234</a> </li> <li>Fixed an issue in the internal caching logic where mutexes could get never unlocked. <a href="https://github.com/Kong/kong/issues/12743" target="_blank" rel="noopener nofollow noreferrer ">#12743</a> </li> <li>Fixed an issue where the router didn’t work correctly when the route’s configuration changed. <a href="https://github.com/Kong/kong/issues/12654" target="_blank" rel="noopener nofollow noreferrer ">#12654</a> </li> <li>Fixed an issue where SNI-based routing didn’t work when using <code class="language-plaintext highlighter-rouge">tls_passthrough</code> with the <code class="language-plaintext highlighter-rouge">traditional_compatible</code> router flavor. <a href="https://github.com/Kong/kong/issues/12681" target="_blank" rel="noopener nofollow noreferrer ">#12681</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">X-Kong-Upstream-Status</code> didn’t appear in the response headers when the response was hit and returned by the Proxy Cache plugin, even if it was set in the <code class="language-plaintext highlighter-rouge">headers</code> parameter in the <code class="language-plaintext highlighter-rouge">kong.conf</code> file. <a href="https://github.com/Kong/kong/issues/12744" target="_blank" rel="noopener nofollow noreferrer ">#12744</a> </li> <li> <strong>Vaults</strong>: <ul> <li>Fixed vault initialization by postponing vault reference resolution to a timer in the <code class="language-plaintext highlighter-rouge">init_worker</code> phase. <a href="https://github.com/Kong/kong/issues/12554" target="_blank" rel="noopener nofollow noreferrer ">#12554</a> </li> <li>Fixed an issue that allowed vault secrets to refresh even when they had no TTL set. <a href="https://github.com/Kong/kong/issues/12877" target="_blank" rel="noopener nofollow noreferrer ">#12877</a> </li> <li>Fixed an issue where the vault used the wrong (default) workspace identifier when retrieving a vault entity by prefix. <a href="https://github.com/Kong/kong/issues/12572" target="_blank" rel="noopener nofollow noreferrer ">#12572</a> </li> </ul> </li> <li>Fixed an unexpected table nil panic in the balancer’s <code class="language-plaintext highlighter-rouge">stop_healthchecks</code> function. <a href="https://github.com/Kong/kong/issues/12865" target="_blank" rel="noopener nofollow noreferrer ">#12865</a> </li> <li>Kong Gateway now uses <code class="language-plaintext highlighter-rouge">-1</code> as the worker ID of the privileged agent to avoid access issues. <a href="https://github.com/Kong/kong/issues/12385" target="_blank" rel="noopener nofollow noreferrer ">#12385</a> </li> <li>Fixed an issue where Kong Gateway failed to properly restart MessagePack-based pluginservers (used in Python and Javascript plugins, for example). <a href="https://github.com/Kong/kong/issues/12582" target="_blank" rel="noopener nofollow noreferrer ">#12582</a> </li> <li>Reverted the hard-coded limitation of the <code class="language-plaintext highlighter-rouge">ngx.read_body()</code> API in OpenResty upstreams’ new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes. <a href="https://github.com/Kong/kong/issues/12658" target="_blank" rel="noopener nofollow noreferrer ">#12658</a> </li> <li>Each Kong cache instance now uses its own cluster event channel. This approach isolates cache invalidation events and reduces the generation of unnecessary worker events. <a href="https://github.com/Kong/kong/issues/12321" target="_blank" rel="noopener nofollow noreferrer ">#12321</a> </li> <li>Updated telemetry collection for AI Plugins to allow multiple plugins’ data to be set for the same request. <a href="https://github.com/Kong/kong/issues/12583" target="_blank" rel="noopener nofollow noreferrer ">#12583</a> </li> <li>Fixed an issue where a low ulimit setting (open files) caused Kong to fail to start, as the <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> exhausted the available <code class="language-plaintext highlighter-rouge">worker_connections</code>. Decreased the concurrency range of the <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> library from <code class="language-plaintext highlighter-rouge">[512, 2048]</code> to <code class="language-plaintext highlighter-rouge">[256, 1024]</code> to fix this bug. <a href="https://github.com/Kong/kong/issues/12606" target="_blank" rel="noopener nofollow noreferrer ">#12606</a> </li> <li>Fixed an issue where external plugins using the protobuf-based protocol would fail to call the <code class="language-plaintext highlighter-rouge">kong.Service.SetUpstream</code> method with the error <code class="language-plaintext highlighter-rouge">bad argument #2 to 'encode' (table expected, got boolean)</code>. <a href="https://github.com/Kong/kong/issues/12727" target="_blank" rel="noopener nofollow noreferrer ">#12727</a> </li> <li>Disabled analytics in the stream module to avoid unnecessary error logs.</li> <li>Fixed an issue where a new data plane couldn’t resolve a Vault reference after the first configuration push. This was happening due to issues with license pre-loading.</li> <li>Fixed an issue where DP couldn’t resolve license-required Vault references when loading an existing lmdb.</li> <li>Fixed an issue where users were not allowed to start Kong Gateway if <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf.scope</code> was missing <code class="language-plaintext highlighter-rouge">"openid"</code>, or if <code class="language-plaintext highlighter-rouge">"offline_access"</code> was missing when <code class="language-plaintext highlighter-rouge">admin_gui_auth</code> was set to <code class="language-plaintext highlighter-rouge">openid-connect</code>. Kong Gateway will now print warning logs only if <code class="language-plaintext highlighter-rouge">"openid"</code> is missing from <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf.scope</code>.</li> </ul> <h4 id="kong-manager-6">Kong Manager</h4> <ul> <li> <p>Improved the user experience in Kong Manager by fixing various UI-related issues.</p> <p><a href="https://github.com/Kong/kong-manager/issues/185" target="_blank" rel="noopener nofollow noreferrer ">#185</a> <a href="https://github.com/Kong/kong-manager/issues/188" target="_blank" rel="noopener nofollow noreferrer ">#188</a> <a href="https://github.com/Kong/kong-manager/issues/190" target="_blank" rel="noopener nofollow noreferrer ">#190</a> <a href="https://github.com/Kong/kong-manager/issues/195" target="_blank" rel="noopener nofollow noreferrer ">#195</a> <a href="https://github.com/Kong/kong-manager/issues/199" target="_blank" rel="noopener nofollow noreferrer ">#199</a> <a href="https://github.com/Kong/kong-manager/issues/201" target="_blank" rel="noopener nofollow noreferrer ">#201</a> <a href="https://github.com/Kong/kong-manager/issues/202" target="_blank" rel="noopener nofollow noreferrer ">#202</a> <a href="https://github.com/Kong/kong-manager/issues/207" target="_blank" rel="noopener nofollow noreferrer ">#207</a> <a href="https://github.com/Kong/kong-manager/issues/208" target="_blank" rel="noopener nofollow noreferrer ">#208</a> <a href="https://github.com/Kong/kong-manager/issues/209" target="_blank" rel="noopener nofollow noreferrer ">#209</a> <a href="https://github.com/Kong/kong-manager/issues/213" target="_blank" rel="noopener nofollow noreferrer ">#213</a> <a href="https://github.com/Kong/kong-manager/issues/216" target="_blank" rel="noopener nofollow noreferrer ">#216</a></p> </li> <li>Fixed an issue where the <strong>Add Role</strong> button was visible when authenticating with an IDP. It is now hidden when Kong Manager is set to authenticate with an IDP.</li> <li>Fixed the documentation link shown on the RBAC user form page.</li> </ul> <h4 id="pdk-5">PDK</h4> <ul> <li> <p>Fixed an issue where <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_port</code> incorrectly returned a string from <code class="language-plaintext highlighter-rouge">ngx.ctx.host_port</code>. It now correctly returns a number. <a href="https://github.com/Kong/kong/issues/12806" target="_blank" rel="noopener nofollow noreferrer ">#12806</a></p> </li> <li> <p>The value of <code class="language-plaintext highlighter-rouge">latencies.kong</code> in the log serializer payload no longer includes the response receive time, so it now has the same value as the <code class="language-plaintext highlighter-rouge">X-Kong-Proxy-Latency</code> response header. Response receive time is recorded in the new <code class="language-plaintext highlighter-rouge">latencies.receive</code> metric, so if desired, the old value can be calculated as <code class="language-plaintext highlighter-rouge">latencies.kong + latencies.receive</code>. <a href="https://github.com/Kong/kong/issues/12795" target="_blank" rel="noopener nofollow noreferrer ">#12795</a></p> <blockquote class="note"> <p><strong>Note:</strong> This also affects payloads from all logging plugins that use the log serializer: <code class="language-plaintext highlighter-rouge">file-log</code>, <code class="language-plaintext highlighter-rouge">tcp-log</code>, <code class="language-plaintext highlighter-rouge">udp-log</code>,<code class="language-plaintext highlighter-rouge">http-log</code>, <code class="language-plaintext highlighter-rouge">syslog</code>, and <code class="language-plaintext highlighter-rouge">loggly</code>.</p> </blockquote> </li> <li> <p><strong>Tracing</strong>: Enhanced the robustness of trace ID parsing. <a href="https://github.com/Kong/kong/issues/12848" target="_blank" rel="noopener nofollow noreferrer ">#12848</a></p> </li> </ul> <h4 id="plugins-12">Plugins</h4> <ul> <li> <p>Cleaned and improved error handling for AI plugins.</p> </li> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">/llm/v1/chat</code> route type didn’t include analytics in the responses. <a href="https://github.com/Kong/kong/issues/12781" target="_blank" rel="noopener nofollow noreferrer ">#12781</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Fixed an issue where the certificate was not successfully renewed during ACME renewal. <a href="https://github.com/Kong/kong/issues/12773" target="_blank" rel="noopener nofollow noreferrer ">#12773</a> </li> <li>Fixed migration of Redis configuration.</li> <li>Fixed an issue where the wrong error log was printed regarding private keys.</li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Fixed an issue where the latency attributed to AWS Lambda API requests was counted as part of the latency in Kong Gateway. <a href="https://github.com/Kong/kong/issues/12835" target="_blank" rel="noopener nofollow noreferrer ">#12835</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwt/"><strong>JWT</strong></a> (<code class="language-plaintext highlighter-rouge">jwt</code>) <ul> <li>Fixed an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms. <a href="https://github.com/Kong/kong/issues/12724" target="_blank" rel="noopener nofollow noreferrer ">#12724</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth/"><strong>Key Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">key-auth</code>) <ul> <li>Added missing <code class="language-plaintext highlighter-rouge">WWW-Authenticate</code> headers to all 401 responses. <a href="https://github.com/Kong/kong/issues/11794" target="_blank" rel="noopener nofollow noreferrer ">#11794</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an OTEL sampling mode Lua panic bug, which happened when the <code class="language-plaintext highlighter-rouge">http_response_header_for_traceid</code> option was enabled. <a href="https://github.com/Kong/kong/issues/12544" target="_blank" rel="noopener nofollow noreferrer ">#12544</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>Fixed migration of Redis configuration.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Refactored <code class="language-plaintext highlighter-rouge">kong/tools/public/rate-limiting</code>, adding the new interface <code class="language-plaintext highlighter-rouge">new_instance</code> to provide isolation between different plugins. The original interfaces remain unchanged for backward compatibility.</p> <p>If you are using custom Rate Limiting plugins based on this library, update the initialization code to the new format. For example: <code class="language-plaintext highlighter-rouge">'local ratelimiting = require("kong.tools.public.rate-limiting").new_instance("custom-plugin-name")'</code>. The old interface will be removed in the upcoming major release.</p> </li> <li>Fixed an issue where any plugins using the <code class="language-plaintext highlighter-rouge">rate-limiting</code> library, when used together, would interfere with each other and fail to synchronize counter data to the central data store.</li> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">sync_rate</code> setting being used with the <code class="language-plaintext highlighter-rouge">redis</code> strategy. If the Redis connection is interrupted while <code class="language-plaintext highlighter-rouge">sync_rate = 0</code>, the plugin now accurately falls back to the <code class="language-plaintext highlighter-rouge">local</code> strategy.</li> <li>Fixed an issue where, if <code class="language-plaintext highlighter-rouge">sync_rate</code> was changed from a value greater than <code class="language-plaintext highlighter-rouge">0</code> to <code class="language-plaintext highlighter-rouge">0</code>, the namespace was cleared unexpectedly.</li> <li>Fixed some timer-related issues where the counter syncing timer couldn’t be created or destroyed properly.</li> <li>The plugin now creates counter syncing timers during plugin execution instead of plugin creation to reduce some meaningless error logs.</li> <li>Fixed an issue where Kong Gateway produced a log of error log entries when multiple Rate Limiting Advanced plugins shared the same namespace.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed migration of Redis configuration.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where GraphQL variables were not being correctly parsed and coerced into their defined types.</li> <li>This plugin now uses a new configuration handler to update the GraphQL router with better error handling.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where, if the credential was encoded with no username, Kong Gateway threw an error and returned a 500 code.</li> <li>Fixed an issue where an exception would be thrown when LDAP search failed.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>), <a href="/hub/kong-inc/websocket-size-limit/"><strong>WebSocket Size Limit</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-size-limit</code>), <a href="/hub/kong-inc/websocket-validator/"><strong>WebSocket Validator</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-validator</code>), <a href="/hub/kong-inc/xml-threat-protection/"><strong>XML Threat Protection</strong></a> (<code class="language-plaintext highlighter-rouge">xml-threat-protection</code>) <ul> <li>The <a href="/gateway/latest/plugin-development/custom-logic/#plugins-execution-order">priorities</a> of these plugins have been updated to prevent collisions between plugins. The relative priority (and the order of execution) of bundled plugins remains unchanged.</li> </ul> </li> </ul> <h3 id="dependencies-7">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> from v1.6.0 to v1.6.2 <a href="https://github.com/Kong/kong/issues/12231" target="_blank" rel="noopener nofollow noreferrer ">#12231</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">libexpat</code> to 2.6.2 <a href="https://github.com/Kong/kong/issues/12910" target="_blank" rel="noopener nofollow noreferrer ">#12910</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.8.0 to 0.11.0 <a href="https://github.com/Kong/kong/issues/12752" target="_blank" rel="noopener nofollow noreferrer ">#12752</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> to 0.5.1 <a href="https://github.com/Kong/kong/issues/12834" target="_blank" rel="noopener nofollow noreferrer ">#12834</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-acme</code> to 0.13.0 <a href="https://github.com/Kong/kong/issues/12909" target="_blank" rel="noopener nofollow noreferrer ">#12909</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.3.6 to 1.4.1 <a href="https://github.com/Kong/kong/issues/12846" target="_blank" rel="noopener nofollow noreferrer ">#12846</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-lmdb</code> from 1.4.1 to 1.4.2 <a href="https://github.com/Kong/kong/issues/12786" target="_blank" rel="noopener nofollow noreferrer ">#12786</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 1.2.0 to 1.3.1 <a href="https://github.com/Kong/kong/issues/12665" target="_blank" rel="noopener nofollow noreferrer ">#12665</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> to 0.2.7 <a href="https://github.com/Kong/kong/issues/12756" target="_blank" rel="noopener nofollow noreferrer ">#12756</a> </li> <li>Bumped PCRE from the legacy <code class="language-plaintext highlighter-rouge">libpcre</code> 8.45 to <code class="language-plaintext highlighter-rouge">libpcre2</code> 10.43 <a href="https://github.com/Kong/kong/issues/12366" target="_blank" rel="noopener nofollow noreferrer ">#12366</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">penlight</code> to 1.14.0 <a href="https://github.com/Kong/kong/issues/12862" target="_blank" rel="noopener nofollow noreferrer ">#12862</a> </li> <li>Added the package <code class="language-plaintext highlighter-rouge">tzdata</code> to the DEB Docker image for convenient timezone setting <a href="https://github.com/Kong/kong/issues/12609" target="_blank" rel="noopener nofollow noreferrer ">#12609</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-http</code> to 0.17.2. <a href="https://github.com/Kong/kong/issues/12908" target="_blank" rel="noopener nofollow noreferrer ">#12908</a> </li> <li>Bumped LuaRocks from 3.9.2 to 3.11.0 <a href="https://github.com/Kong/kong/issues/12662" target="_blank" rel="noopener nofollow noreferrer ">#12662</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">ngx_wasm_module</code> to <code class="language-plaintext highlighter-rouge">91d447ffd0e9bb08f11cc69d1aa9128ec36b4526</code> <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">V8</code> to 12.0.267.17 <a href="https://github.com/Kong/kong/issues/12704" target="_blank" rel="noopener nofollow noreferrer ">#12704</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">Wasmtime</code> to 19.0.0 <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Improved the robustness of <code class="language-plaintext highlighter-rouge">lua-cjson</code> when handling unexpected input <a href="https://github.com/Kong/kong/issues/12904" target="_blank" rel="noopener nofollow noreferrer ">#12904</a> </li> <li>Bumped submodule <code class="language-plaintext highlighter-rouge">kong-openid-connect</code> to 2.7.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> to 0.18</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-luasocket</code> to 1.1.2 to fix <a href="https://github.com/lunarmodules/luasocket/issues/427" target="_blank" rel="noopener nofollow noreferrer ">luasocket#427</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-mail</code> to 1.1.0</li> <li>Bumped OpenSSL FIPS-provider to 3.0.9 to address <a href="https://konghq.atlassian.net/browse/CVE-2023" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023</a> and <a href="https://konghq.atlassian.net/browse/CVE-2022" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">libpasswdqc</code> to 2.0.3</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-cookie</code> to 0.2.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-passwdqc</code> to 2.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">xmlua</code> to 1.2.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> to 2.12.6</li> <li>Bumped <code class="language-plaintext highlighter-rouge">libxslt</code> to 1.1.39</li> <li>Bumped <code class="language-plaintext highlighter-rouge">msgpack-c</code> to 6.0.1</li> <li>Removed the <code class="language-plaintext highlighter-rouge">lua-resty-openssl-aux-module</code> dependency</li> </ul> <h2 id="3618">3.6.1.8</h2> <p><strong>Release Date</strong> 2024/10/11</p> <h3 id="features-6">Features</h3> <ul> <li>Added support for AWS IAM role assuming in AWS IAM Database Authentication with the following new configuration fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_assume_role_arn</code>, <code class="language-plaintext highlighter-rouge">pg_iam_auth_role_session_name</code>, <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_assume_role_arn</code>, and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_role_session_name</code>.</li> <li>Added support for a configurable STS endpoint for RDS IAM Authentication with the following new configuration fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_sts_endpoint_url</code> and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_sts_endpoint_url</code>.</li> <li>Added support for a configurable STS endpoint for AWS Vault. This can either be configured by <code class="language-plaintext highlighter-rouge">vault_aws_sts_endpoint_url</code> as a global configuration, or <code class="language-plaintext highlighter-rouge">sts_endpoint_url</code> on a custom AWS vault entity.</li> </ul> <h4 id="plugins-13">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added support for a configurable STS endpoint with the new configuration field <code class="language-plaintext highlighter-rouge">aws_sts_endpoint_url</code>. <a href="https://github.com/Kong/kong/issues/13388" target="_blank" rel="noopener nofollow noreferrer ">#13388</a> </li> </ul> </li> </ul> <h3 id="fixes-8">Fixes</h3> <h4 id="core-10">Core</h4> <ul> <li> <p>The <code class="language-plaintext highlighter-rouge">kong.logrotate</code> configuration file is no longer overwritten during upgrade.</p> <p>This change presents an additional prompt for Debian users upgrading via <code class="language-plaintext highlighter-rouge">apt</code> and <code class="language-plaintext highlighter-rouge">deb</code> packages. To accept the defaults provided by Kong in the package, use the following command, adjusting it to your architecture and the version you’re upgrading to:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span>noninteractive apt upgrade kong-enterprise-edition_3.4.3.11_arm64.deb </code></pre></div> </div> </li> <li> <strong>Vault</strong>: <ul> <li>Fixed an issue where updating a vault entity in a non-default workspace didn’t take effect.</li> <li>Fixed an issue where the Vault secret cache got refreshed during <code class="language-plaintext highlighter-rouge">resurrect_ttl</code> time and could not be fetched by other workers.</li> </ul> </li> <li>Moved internal Unix sockets to a subdirectory (<code class="language-plaintext highlighter-rouge">sockets</code>) of the Kong prefix.</li> <li>Shortened names of internal Unix sockets to avoid exceeding the socket name limit.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">luarocks-admin</code> was not available in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>.</li> </ul> <h4 id="plugins-14">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">header_type</code> being <code class="language-plaintext highlighter-rouge">nil</code> caused a log message concatenation error.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where the sync timer could stop working due to a race condition.</li> <li>Fixed an issue where, if the <code class="language-plaintext highlighter-rouge">window_size</code> in the consumer group overriding config was different from the <code class="language-plaintext highlighter-rouge">window_size</code> in the default config, the rate limiting of that consumer group would fall back to local strategy.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Auth Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where an exception would be thrown when LDAP search failed.</li> </ul> </li> </ul> <h3 id="dependencies-8">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.5.3 to fix a bug related to the STS regional endpoint.</li> <li>Made the RPM package relocatable with the default prefix set to <code class="language-plaintext highlighter-rouge">/</code>.</li> </ul> <h2 id="3617">3.6.1.7</h2> <p><strong>Release Date</strong> 2024/07/09</p> <h3 id="features-7">Features</h3> <h3 id="deprecations-1">Deprecations</h3> <ul> <li>Debian 10, CentOS 7, and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of this patch, Kong is not building Kong Gateway 3.6.x installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.</li> </ul> <h4 id="plugins-15">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added the new configuration parameter <code class="language-plaintext highlighter-rouge">empty_arrays_mode</code>, which lets you control whether Kong Gateway should send empty arrays (<code class="language-plaintext highlighter-rouge">[]</code>) returned by the Lambda function as empty arrays (<code class="language-plaintext highlighter-rouge">[]</code>), or as empty objects (<code class="language-plaintext highlighter-rouge">{}</code>) in JSON responses.</li> </ul> </li> </ul> <h3 id="dependencies-9">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.3.0 to fix race condition issues in event delivery at startup.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> to 3.1.0 to remove version checks of the <code class="language-plaintext highlighter-rouge">lua-resty-events</code> lib.</li> </ul> <h2 id="3616">3.6.1.6</h2> <p><strong>Release Date</strong> 2024/06/22</p> <h3 id="fixes-9">Fixes</h3> <ul> <li>Fixed an issue where the DNS client was incorrectly using the content of the <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses.</li> </ul> <h2 id="3615">3.6.1.5</h2> <p><strong>Release Date</strong> 2024/06/18</p> <h3 id="known-issues-2">Known issues</h3> <ul> <li>There is an issue with the DNS client fix, where the DNS client incorrectly uses the content <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses. To avoid this issue, install 3.6.1.6 instead of this patch.</li> </ul> <h3 id="features-8">Features</h3> <h4 id="admin-api-7">Admin API</h4> <ul> <li>Added LHS bracket filtering to search fields.</li> <li> <strong>Audit logs:</strong> <ul> <li>Added <code class="language-plaintext highlighter-rouge">request_timestamp</code> to <code class="language-plaintext highlighter-rouge">audit_objects</code>.</li> <li>Added before and after aliases for LHS Brackets filters.</li> <li> <code class="language-plaintext highlighter-rouge">audit_requests</code> and <code class="language-plaintext highlighter-rouge">audit_objects</code> can now be filtered by <code class="language-plaintext highlighter-rouge">request_timestamp</code>.</li> <li>Changed the default ordering of <code class="language-plaintext highlighter-rouge">audit_requests</code> to be sorted by <code class="language-plaintext highlighter-rouge">request_timestamp</code> in descending order.</li> </ul> </li> </ul> <h4 id="plugins-16">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Added the new configuration field <code class="language-plaintext highlighter-rouge">content_type_parameter_validation</code> to determine whether to enable Content-Type parameter validation.</li> </ul> </li> </ul> <h3 id="fixes-10">Fixes</h3> <h4 id="admin-api-8">Admin API</h4> <ul> <li>The <code class="language-plaintext highlighter-rouge">/<workspace>/admins</code> endpoint was incorrectly used to return admins associated with a workspace based on their assigned RBAC roles. This has been fixed and now accurately returns admins according to their specific workspace associations.</li> </ul> <h4 id="cli-4">CLI</h4> <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">pg_timeout</code> was overridden to <code class="language-plaintext highlighter-rouge">60s</code> even if <code class="language-plaintext highlighter-rouge">--db-timeout</code> was not explicitly passed in CLI arguments.</li> </ul> <h4 id="core-11">Core</h4> <ul> <li>Built-in RBAC roles for admins (<code class="language-plaintext highlighter-rouge">admin</code> under the default workspace and <code class="language-plaintext highlighter-rouge">workspace-admin</code> under non-default workspaces) now disallow CRUD actions to <code class="language-plaintext highlighter-rouge">/groups</code> and <code class="language-plaintext highlighter-rouge">/groups/*</code> endpoints.</li> <li> <strong>DNS Client</strong>: Fixed an issue where the Kong DNS client stored records with non-matching domain and type when parsing answers. It now ignores records when the RR type differs from that of the query when parsing answers.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">host_header</code> attribute of the upstream entity wouldn’t be set correctly as a Host header in requests to the upstream during connection retries.</li> </ul> <h4 id="plugins-17">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/basic-auth/"><strong>Basic Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">basic-auth</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">realm</code> field wasn’t recognized for Kong Gateway versions before 3.6.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue where anonymous consumers were being cached as <code class="language-plaintext highlighter-rouge">nil</code> under a certain condition.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Fixed an issue where the plugin could fail to handle requests when <code class="language-plaintext highlighter-rouge">param_schema</code> was <code class="language-plaintext highlighter-rouge">$ref schema</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Timer spikes no longer occur when there is network instability with the central data store.</li> </ul> </li> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>), <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>), and <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed migration of Redis configuration.</li> </ul> </li> </ul> <h3 id="dependencies-10">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> from 1.4.1 to 1.5.0 to refine some error logging.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.2.1.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 3.0.1 to 3.0.2 to fix memory leak issues by reusing a timer for the same active healthcheck target instead of running many timers.</li> <li>Improved the robustness of <code class="language-plaintext highlighter-rouge">lua-cjson</code> when handling unexpected input.</li> </ul> <h2 id="3614">3.6.1.4</h2> <p><strong>Release Date</strong> 2024/05/14</p> <h3 id="features-9">Features</h3> <h4 id="plugins-18">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/application-registration/"><strong>Portal Application Registration</strong></a> (<code class="language-plaintext highlighter-rouge">application-registration</code>) <ul> <li>Added support for accessing the service using consumer credential authentication. To use this functionality, enable <code class="language-plaintext highlighter-rouge">enable_proxy_with_consumer_credential</code> (default is <code class="language-plaintext highlighter-rouge">false</code>).</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>Mutual TLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">default_consumer</code> option, which lets you use a default consumer when the client certificate is valid but doesn’t match any existing consumers.</li> </ul> </li> </ul> <h3 id="fixes-11">Fixes</h3> <h4 id="clustering-5">Clustering</h4> <ul> <li>Fixed an issue where event hooks were prematurely validated in hybrid mode. The fix delays the validation of event hooks to the point where event hooks are emitted.</li> </ul> <h4 id="core-12">Core</h4> <ul> <li> <p>Fixed an issue with data planes in hybrid mode, where a certificate entity configured with a vault reference was occasionally not refreshed on time.</p> </li> <li> <p>Fixed vault initialization by postponing vault reference resolution to a timer in the <code class="language-plaintext highlighter-rouge">init_worker</code> phase.</p> </li> </ul> <h4 id="pdk-6">PDK</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_port</code> incorrectly returned a string from <code class="language-plaintext highlighter-rouge">ngx.ctx.host_port</code>. It now correctly returns a number.</li> </ul> <h4 id="plugins-19">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>), <a href="/hub/kong-inc/websocket-size-limit/"><strong>WebSocket Size Limit</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-size-limit</code>), <a href="/hub/kong-inc/websocket-validator/"><strong>WebSocket Validator</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-validator</code>), <a href="/hub/kong-inc/xml-threat-protection/"><strong>XML Threat Protection</strong></a> (<code class="language-plaintext highlighter-rouge">xml-threat-protection</code>) <ul> <li>The priorities of these plugins have been updated to prevent collisions between plugins. The relative priority (and the order of execution) of bundled plugins remains unchanged.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Refactored <code class="language-plaintext highlighter-rouge">kong/tools/public/rate-limiting</code>, adding the new interface <code class="language-plaintext highlighter-rouge">new_instance</code> to provide isolation between different plugins. The original interfaces remain unchanged for backward compatibility.</p> <p>If you are using custom Rate Limiting plugins based on this library, update the initialization code to the new format. For example: <code class="language-plaintext highlighter-rouge">'local ratelimiting = require("kong.tools.public.rate-limiting").new_instance("custom-plugin-name")'</code>. The old interface will be removed in the upcoming major release.</p> </li> </ul> </li> </ul> <h3 id="dependencies-11">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> to 0.5.1.</li> </ul> <h2 id="3613">3.6.1.3</h2> <p><strong>Release Date</strong> 2024/04/16</p> <h3 id="fixes-12">Fixes</h3> <h4 id="kong-manager-7">Kong Manager</h4> <ul> <li>Fixed an issue where the admin account profile page returned a 404 error if the <code class="language-plaintext highlighter-rouge">admin_gui_path</code> was not a slash.</li> </ul> <h4 id="plugins-20">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Improved robustness of parsing for short trace IDs.</li> </ul> </li> </ul> <h2 id="3612">3.6.1.2</h2> <p><strong>Release Date</strong> 2024/04/08</p> <h3 id="features-10">Features</h3> <h4 id="plugins-21">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Added the new field <code class="language-plaintext highlighter-rouge">api_spec_encoded</code> to indicate whether the <code class="language-plaintext highlighter-rouge">api_spec</code> is URI-encoded.</li> </ul> </li> </ul> <h3 id="fixes-13">Fixes</h3> <h4 id="clustering-6">Clustering</h4> <ul> <li>Adjusted the clustering compatible check related to AWS Secrets Manager to use <code class="language-plaintext highlighter-rouge">AK-SK</code> environment variables to grant IAM role permissions.</li> </ul> <h4 id="configuration-4">Configuration</h4> <ul> <li>Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API.</li> </ul> <h4 id="core-13">Core</h4> <ul> <li>Updated the file permission of <code class="language-plaintext highlighter-rouge">kong.logrotate</code> to 644.</li> <li>Vaults: <ul> <li>Fixed an issue where the vault used the wrong (default) workspace identifier when retrieving a vault entity by prefix.</li> <li>Fixed an issue where a new data plane couldn’t resolve a Vault reference after the first configuration push. This was happening due to issues with license pre-loading.</li> </ul> </li> <li>Fixed an issue where users were not allowed to start Kong Gateway if <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf.scope</code> was missing <code class="language-plaintext highlighter-rouge">"openid"</code>, or if <code class="language-plaintext highlighter-rouge">"offline_access"</code> when <code class="language-plaintext highlighter-rouge">admin_gui_auth</code> was set to <code class="language-plaintext highlighter-rouge">openid-connect</code>. Kong Gateway will now only print warning logs if <code class="language-plaintext highlighter-rouge">"openid"</code> is missing from <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf.scope</code>.</li> </ul> <h4 id="kong-manager-enterprise">Kong Manager Enterprise</h4> <ul> <li>Fixed the display of the remaining days for the license expiration date.</li> <li>Updated the type of RBAC token for the RBAC user to <code class="language-plaintext highlighter-rouge">password</code>.</li> </ul> <h4 id="plugins-22">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Fixed an issue where the certificate was not successfully renewed during ACME renewal.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where GraphQL variables were not being correctly parsed and coerced into their defined types.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where any plugins using the <code class="language-plaintext highlighter-rouge">rate-limiting</code> library, when used together, would interfere with each other and fail to synchronize counter data to the central data store.</li> </ul> </li> </ul> <h4 id="dependencies-12">Dependencies</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> to 1.2.1</li> <li>Bumped PCRE from the legacy <code class="language-plaintext highlighter-rouge">libpcre</code> 8.45 to <code class="language-plaintext highlighter-rouge">libpcre2</code> 10.43</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> to 0.8.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> to 0.18</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-luasocket</code> to 1.1.2 to fix <a href="https://github.com/lunarmodules/luasocket/issues/427" target="_blank" rel="noopener nofollow noreferrer ">luasocket#427</a> </li> </ul> <h2 id="3611">3.6.1.1</h2> <p><strong>Release Date</strong> 2024/03/05</p> <h3 id="fixes-14">Fixes</h3> <h4 id="clustering-7">Clustering</h4> <ul> <li>Adjusted a clustering compatibility check related to HashiCorp Vault Approle authentication.</li> </ul> <h4 id="core-14">Core</h4> <ul> <li>Fixed the missing router section for the output of request debugging.</li> <li>Reverted the hard-coded limitation of the <code class="language-plaintext highlighter-rouge">ngx.read_body()</code> API in OpenResty upstreams’ new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes.</li> </ul> <h4 id="kong-manager-and-konnect">Kong Manager and Konnect</h4> <ul> <li>Fixed an issue where custom plugins were missing from the plugin selection page.</li> <li>Fixed an issue where the service was not prefilled in the route form while using the expressions router.</li> </ul> <h4 id="plugins-23">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">sync_rate</code> setting being used with the <code class="language-plaintext highlighter-rouge">redis</code> strategy. If the Redis connection is interrupted while <code class="language-plaintext highlighter-rouge">sync_rate = 0</code>, the plugin now accurately falls back to the <code class="language-plaintext highlighter-rouge">local</code> strategy.</li> <li>Fixed an issue where, if <code class="language-plaintext highlighter-rouge">sync_rate</code> was changed from a value greater than <code class="language-plaintext highlighter-rouge">0</code> to <code class="language-plaintext highlighter-rouge">0</code>, the namespace was cleared unexpectedly.</li> <li>Fixed some timer-related issues where the counter syncing timer couldn’t be created or destroyed properly.</li> <li>The plugin now creates counter syncing timers during plugin execution instead of plugin creation to reduce some meaningless error logs.</li> </ul> </li> </ul> <h2 id="3610">3.6.1.0</h2> <p><strong>Release Date</strong> 2024/02/26</p> <h3 id="features-11">Features</h3> <h4 id="configuration-5">Configuration</h4> <ul> <li>TLSv1.1 and lower is now disabled by default in OpenSSL 3.x.</li> </ul> <h4 id="plugins-24">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Increased queue max batch size to 200.</li> </ul> </li> </ul> <h3 id="fixes-15">Fixes</h3> <h4 id="general">General</h4> <ul> <li>Fixed a bug where a low ulimit setting (open files) caused Kong to fail to start, as the <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> exhausted the available <code class="language-plaintext highlighter-rouge">worker_connections</code>. Decreased the concurrency range of the <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> library from <code class="language-plaintext highlighter-rouge">[512, 2048]</code> to <code class="language-plaintext highlighter-rouge">[256, 1024]</code> to fix this bug.</li> </ul> <h4 id="configuration-6">Configuration</h4> <ul> <li>Set the security level of gRPC’s TLS to <code class="language-plaintext highlighter-rouge">0</code> when <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is set to <code class="language-plaintext highlighter-rouge">old</code>.</li> </ul> <h4 id="clustering-8">Clustering</h4> <ul> <li>Adjusted a clustering compatibility check related to HCV Kubernetes authentication paths.</li> </ul> <h4 id="plugins-25">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an OTEL sampling mode Lua panic bug that occurred when the <code class="language-plaintext highlighter-rouge">http_response_header_for_traceid</code> option was enabled.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where, if the credential was encoded with no username, Kong Gateway threw an error and returned a 500 code.</li> </ul> </li> </ul> <h2 id="3600">3.6.0.0</h2> <p><strong>Release Date</strong> 2024/02/12</p> <h3 id="breaking-changes-and-deprecations-3">Breaking changes and deprecations</h3> <ul> <li>Kong Gateway 3.6.0.0 requires a higher limit on the number of file descriptions than 1024 to function properly. This requirement will be removed in a subsequent version. We recommend setting the <code class="language-plaintext highlighter-rouge">ulimit -n</code> to at least 4096 when running Kong Gateway 3.6.0.0.</li> <li> <p>To avoid ambiguity with other Wasm-related <code class="language-plaintext highlighter-rouge">nginx.conf</code> directives, the prefix for Wasm <code class="language-plaintext highlighter-rouge">shm_kv</code> nginx.conf directives was changed from <code class="language-plaintext highlighter-rouge">nginx_wasm_shm_</code> to <code class="language-plaintext highlighter-rouge">nginx_wasm_shm_kv_</code>. <a href="https://github.com/Kong/kong/issues/11919" target="_blank" rel="noopener nofollow noreferrer ">#11919</a></p> </li> <li> <p>The listing endpoints for consumer groups (<code class="language-plaintext highlighter-rouge">/consumer_groups</code>) and consumers (<code class="language-plaintext highlighter-rouge">/consumers</code>) now respond with paginated results. The JSON key for the list has been changed to <code class="language-plaintext highlighter-rouge">data</code> instead of <code class="language-plaintext highlighter-rouge">consumer_groups</code> or <code class="language-plaintext highlighter-rouge">consumers</code>.</p> </li> <li>In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result, the following are prohibited: <ul> <li>RSA, DSA, and DH keys shorter than 2048 bits</li> <li>ECC keys shorter than 224 bits</li> <li>Any cipher suite using RC4</li> <li>SSL version 3 Additionally, compression is disabled.</li> </ul> </li> <li> <p>The recent OpenResty bump includes TLS 1.3 and deprecates TLS 1.1. If you still need to support TLS 1.1, set the <a href="/gateway/latest/reference/configuration/#ssl_cipher_suite"><code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code></a> setting to <code class="language-plaintext highlighter-rouge">old</code>.</p> </li> <li> <p>If you are using <code class="language-plaintext highlighter-rouge">ngx.var.http_*</code> in custom code to access HTTP headers, the behavior of that variable changes slightly when the same header is used multiple times in a single request. Previously, it would return the first value only; now it returns all of the values, separated by commas. Kong Gateway’s PDK header getters and setters work as before.</p> </li> <li> <p>Kong Manager now uses the session management mechanism in the OpenID Connect plugin. <code class="language-plaintext highlighter-rouge">admin_gui_session_conf</code> is no longer required when authenticating with OIDC. Instead, session-related configuration parameters are set in <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf</code> (like <code class="language-plaintext highlighter-rouge">session_secret</code>).</p> <p>See the <a href="/gateway/3.6.x/kong-manager/auth/oidc/migrate/">migration guide</a> for more information.</p> </li> </ul> <h4 id="plugins-26">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>), <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>), and <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Standardized Redis configuration across plugins. The Redis configuration now follows a common schema that is shared across other plugins. <a href="https://github.com/Kong/kong/issues/12300" target="_blank" rel="noopener nofollow noreferrer ">#12300</a> <a href="https://github.com/Kong/kong/issues/12301" target="_blank" rel="noopener nofollow noreferrer ">#12301</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/azure-functions/"><strong>Azure Functions</strong></a> (<code class="language-plaintext highlighter-rouge">azure-functions</code>): <ul> <li>The Azure Functions plugin now eliminates the upstream/request URI and only uses the <a href="/hub/kong-inc/azure-functions/configuration/#config-routeprefix"><code class="language-plaintext highlighter-rouge">routeprefix</code></a> configuration field to construct the request path when requesting the Azure API.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>The plugin now bypasses schema validation when the content type is not <code class="language-plaintext highlighter-rouge">application/json</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Removed the undesired <code class="language-plaintext highlighter-rouge">proxy-cache-advanced/migrations/001_035_to_050.lua</code> file, which blocked migration from OSS to Enterprise. This is a breaking change only if you are upgrading from a Kong Gateway version between <code class="language-plaintext highlighter-rouge">0.3.5</code> and <code class="language-plaintext highlighter-rouge">0.5.0</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/saml"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Adjusted the priority of the SAML plugin to 1010 to correct the integration between the SAML plugin and other consumer-based plugins.</li> </ul> </li> </ul> <h3 id="features-12">Features</h3> <h4 id="admin-api-9">Admin API</h4> <ul> <li>Added the Kong Gateway edition to the root endpoint (<code class="language-plaintext highlighter-rouge">/</code>) of the Admin API. <a href="https://github.com/Kong/kong/issues/12097" target="_blank" rel="noopener nofollow noreferrer ">#12097</a> </li> <li>Enabled <code class="language-plaintext highlighter-rouge">status_listen</code> on <code class="language-plaintext highlighter-rouge">127.0.0.1:8007</code> by default. <a href="https://github.com/Kong/kong/issues/12304" target="_blank" rel="noopener nofollow noreferrer ">#12304</a> </li> <li>FIPS enablement status now responds to license changes. Introduced a new endpoint, <code class="language-plaintext highlighter-rouge">/fips-status</code>, to show its current status.</li> <li>Added pagination support for <code class="language-plaintext highlighter-rouge">/consumer_group/consumers</code> and <code class="language-plaintext highlighter-rouge">/consumer/consumer_groups</code>.</li> </ul> <h4 id="cli-5">CLI</h4> <ul> <li>Automatically reinitializes the workspace entity counters after executing the CLI change migrations commands.</li> </ul> <h4 id="clustering-9">Clustering</h4> <ul> <li>Added the data plane certificate expiry date to the control plane API response (<code class="language-plaintext highlighter-rouge">/clustering/data-planes</code>). <a href="https://github.com/Kong/kong/issues/11921" target="_blank" rel="noopener nofollow noreferrer ">#11921</a> </li> <li>Added resilience support for homogeneous data plane deployments. Data planes can now act as importers and exporters at the same time, and Kong Gateway will try to control the concurrency when exporting the config.</li> <li>Data plane nodes running in Konnect will now report config reload failures to the control plane, such as invalid configuration or transient errors.</li> <li>Kong Gateway now prints log entries noting possible config options that may be causing a data plane to control plane connection error.</li> </ul> <h4 id="configuration-7">Configuration</h4> <ul> <li>Kong Gateway now displays a warning message when Kong Manager is enabled but the Admin API is not enabled. <a href="https://github.com/Kong/kong/issues/12071" target="_blank" rel="noopener nofollow noreferrer ">#12071</a> </li> <li>Added the DHE-RSA-CHACHA20-POLY1305 cipher to the intermediate configuration. <a href="https://github.com/Kong/kong/issues/12133" target="_blank" rel="noopener nofollow noreferrer ">#12133</a> </li> <li>The default value of the <code class="language-plaintext highlighter-rouge">dns_no_sync</code> configuration option has been changed to <code class="language-plaintext highlighter-rouge">off</code>. <a href="https://github.com/Kong/kong/issues/11869" target="_blank" rel="noopener nofollow noreferrer ">#11869</a> </li> <li>Added support for injecting Nginx directives into Kong’s proxy location block. <a href="https://github.com/Kong/kong/issues/11623" target="_blank" rel="noopener nofollow noreferrer ">#11623</a> </li> <li>The LMDB cache is now validated by Kong’s version (major and minor), wiping the contents if there is a tag mismatch to avoid compatibility issues during minor version upgrades. <a href="https://github.com/Kong/kong/issues/12026" target="_blank" rel="noopener nofollow noreferrer ">#12026</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">dns_stale_ttl</code> default to 1 hour so the stale DNS record can be used for a longer amount of time in case of resolver downtime. <a href="https://github.com/Kong/kong/issues/12087" target="_blank" rel="noopener nofollow noreferrer ">#12087</a> </li> <li>Bumped the default values of <code class="language-plaintext highlighter-rouge">nginx_http_keepalive_requests</code> and <code class="language-plaintext highlighter-rouge">upstream_keepalive_max_requests</code> to <code class="language-plaintext highlighter-rouge">10000</code>. These changes are optimized to work better in systems with high throughput. In a low-throughput setting, these new settings may have visible effects in load balancing, where it can take more requests to start using all the upstreams than before. <a href="https://github.com/Kong/kong/issues/12223" target="_blank" rel="noopener nofollow noreferrer ">#12223</a> </li> </ul> <h4 id="core-15">Core</h4> <ul> <li>Added telemetry collection for AI Proxy, AI Request Transformer, and AI Response Transformer plugins, pertaining to model and provider usage. <a href="https://github.com/Kong/kong/issues/12495" target="_blank" rel="noopener nofollow noreferrer ">#12495</a> </li> <li>Added the <code class="language-plaintext highlighter-rouge">ngx_brotli</code> module to kong prebuild nginx. See the <a href="/gateway/latest/production/performance/brotli/">documentation</a> to learn how to enable Brotli compression for Kong Gateway. <a href="https://github.com/Kong/kong/issues/12367" target="_blank" rel="noopener nofollow noreferrer ">#12367</a> </li> <li>You can now pass a primary key as a full entity to DAO functions. <a href="https://github.com/Kong/kong/issues/11695" target="_blank" rel="noopener nofollow noreferrer ">#11695</a> </li> <li>The Debian variant of the Kong Gateway Docker image is now built using Debian 12. <a href="https://github.com/Kong/kong/issues/12218" target="_blank" rel="noopener nofollow noreferrer ">#12218</a> </li> <li>The expressions router now supports the <code class="language-plaintext highlighter-rouge">!</code> (not) operator, which allows creating routes like <code class="language-plaintext highlighter-rouge">!(http.path =^ "/a")</code> and <code class="language-plaintext highlighter-rouge">!(http.path == "/a" || http.path == "/b")</code>. <a href="https://github.com/Kong/kong/issues/12419" target="_blank" rel="noopener nofollow noreferrer ">#12419</a> </li> <li>Added a <code class="language-plaintext highlighter-rouge">source</code> property to the log serializer, indicating that the response is generated by <code class="language-plaintext highlighter-rouge">kong</code> or <code class="language-plaintext highlighter-rouge">upstream</code>. <a href="https://github.com/Kong/kong/issues/12052" target="_blank" rel="noopener nofollow noreferrer ">#12052</a> </li> <li>Ensure that Kong-owned directories are cleaned up after an uninstall using the system’s package manager. <a href="https://github.com/Kong/kong/issues/12162" target="_blank" rel="noopener nofollow noreferrer ">#12162</a> </li> <li>Kong Gateway now supports <a href="/gateway/latest/key-concepts/routes/expressions/#matching-fields"><code class="language-plaintext highlighter-rouge">http.path.segments.len</code> and <code class="language-plaintext highlighter-rouge">http.path.segments.*</code></a> fields in the expressions router, which allows matching incoming (normalized) request paths by individual segments or ranges of segments, and checking the total number of segments. <a href="https://github.com/Kong/kong/issues/12283" target="_blank" rel="noopener nofollow noreferrer ">#12283</a> </li> <li>The <code class="language-plaintext highlighter-rouge">net.src.*</code> and <code class="language-plaintext highlighter-rouge">net.dst.*</code> match fields are now accessible in HTTP routes defined using expressions. <a href="https://github.com/Kong/kong/issues/11950" target="_blank" rel="noopener nofollow noreferrer ">#11950</a> </li> <li>Extended support for getting and setting Kong Gateway values via <code class="language-plaintext highlighter-rouge">proxy-wasm</code> properties in the <code class="language-plaintext highlighter-rouge">kong.*</code> namespace. <a href="https://github.com/Kong/kong/issues/11856" target="_blank" rel="noopener nofollow noreferrer ">#11856</a> </li> <li>Added an <code class="language-plaintext highlighter-rouge">examples</code> field to the metaschema.</li> <li>Added new <code class="language-plaintext highlighter-rouge">upstream_status</code> and <code class="language-plaintext highlighter-rouge">source</code> properties to the analytics pusher.</li> <li>Added <code class="language-plaintext highlighter-rouge">consumer_groups</code> support for analytics.</li> <li>The HashiCorp Vault secrets management backend now supports the AppRole authentication method. Added support for namespaced authentication and user-defined authentication paths when using HashiCorp Vault on Kubernetes.</li> <li>Kong Gateway now uses the values provided by the Request ID header for all request ID fields, for better consistency.</li> <li>Dot keys (for example, <code class="language-plaintext highlighter-rouge">a.b.c</code>) are now excluded from both audit requests and audit objects, and singular keys (for example, <code class="language-plaintext highlighter-rouge">password</code>) are excluded recursively.</li> <li>Kong Gateway Enterprise container images are now produced with build provenance and signed using cosign. Signatures and attestations are published to the Docker Hub repository. Build provenance can be <a href="/gateway/3.6.x/kong-enterprise/provenance-verification/">verified by cosign/slsa-verifier</a> using the published attestations.</li> </ul> <h4 id="kong-manager-enterprise-1">Kong Manager Enterprise</h4> <ul> <li>You can now use an RBAC token to authenticate while using <a href="/gateway/3.6.x/kong-manager/auth/oidc/mapping/">group mapping with Kong Manager</a> (for example, with OIDC or LDAP).</li> <li>Added support for creating and editing the Route by Header plugin from the UI.</li> <li>Added an onboarding flow to make it easier for new users to start using Kong Gateway.</li> <li>The workspace and overview summary pages now have a new design.</li> </ul> <h4 id="kong-manager-open-source">Kong Manager Open Source</h4> <ul> <li>Added a JSON/YAML format preview for all entity forms. <a href="https://github.com/Kong/kong-manager/issues/157" target="_blank" rel="noopener nofollow noreferrer ">#157</a> </li> <li>Adopted resigned basic components for better UI/UX. <a href="https://github.com/Kong/kong-manager/issues/131" target="_blank" rel="noopener nofollow noreferrer ">#131</a> <a href="https://github.com/Kong/kong-manager/issues/166" target="_blank" rel="noopener nofollow noreferrer ">#166</a> </li> <li>Kong Manager and Konnect now share the same UI for the plugin selection page and the plugin form page. <a href="https://github.com/Kong/kong-manager/issues/143" target="_blank" rel="noopener nofollow noreferrer ">#143</a> <a href="https://github.com/Kong/kong-manager/issues/147" target="_blank" rel="noopener nofollow noreferrer ">#147</a> </li> </ul> <h4 id="pdk-7">PDK</h4> <ul> <li>Increased the precision of JSON number encoding from 14 to 16 decimals. <a href="https://github.com/Kong/kong/issues/12019" target="_blank" rel="noopener nofollow noreferrer ">#12019</a> </li> </ul> <h4 id="performance-2">Performance</h4> <ul> <li>Fix incorrect LuaJIT LDP/STP fusion on ARM64 which sometimes caused incorrect logic.</li> <li>Bumped the concurrency range of the <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> library from <code class="language-plaintext highlighter-rouge">[32, 256]</code> to <code class="language-plaintext highlighter-rouge">[512, 2048]</code>. <a href="https://github.com/Kong/kong/issues/12275" target="_blank" rel="noopener nofollow noreferrer ">#12275</a> </li> <li>Cooperatively yield when building statistics of routes to reduce the impact to proxy path latency. <a href="https://github.com/Kong/kong/issues/12013" target="_blank" rel="noopener nofollow noreferrer ">#12013</a> </li> </ul> <h4 id="plugins-27">Plugins</h4> <p><strong>New plugins</strong>:</p> <ul> <li> <a href="/hub/kong-inc/ai-proxy/"><strong>AI Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">ai-proxy</code>): Enables simplified integration with various AI provider Large Language Models (LLMs). <a href="https://github.com/Kong/kong/issues/12323" target="_blank" rel="noopener nofollow noreferrer ">#12323</a> </li> <li> <a href="/hub/kong-inc/ai-prompt-decorator/"><strong>AI Prompt Decorator</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-decorator</code>): Prepend and append <code class="language-plaintext highlighter-rouge">llm/v1/chat</code> messages onto consumer LLM requests for prompt tuning. <a href="https://github.com/Kong/kong/issues/12336" target="_blank" rel="noopener nofollow noreferrer ">#12336</a> </li> <li> <a href="/hub/kong-inc/ai-prompt-guard/"><strong>AI Prompt Guard</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-guard</code>): Set up allow or block lists for LLM requests based on pattern matching. <a href="https://github.com/Kong/kong/issues/12427" target="_blank" rel="noopener nofollow noreferrer ">#12427</a> </li> <li> <a href="/hub/kong-inc/ai-prompt-template/"><strong>AI Prompt Template</strong></a> (<code class="language-plaintext highlighter-rouge">ai-prompt-template</code>): Set up an array of LLM prompt templates with variable substitutions. <a href="https://github.com/Kong/kong/issues/12340" target="_blank" rel="noopener nofollow noreferrer ">#12340</a> </li> <li> <a href="/hub/kong-inc/ai-request-transformer/"><strong>AI Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-request-transformer</code>): Pass mid-flight client requests to an LLM for transformation or sanitization. <a href="https://github.com/Kong/kong/issues/12426" target="_blank" rel="noopener nofollow noreferrer ">#12426</a> </li> <li> <a href="/hub/kong-inc/ai-response-transformer/"><strong>AI Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">ai-response-transformer</code>): Pass mid-flight upstream responses to an LLM for transformation or sanitization. <a href="https://github.com/Kong/kong/issues/12426" target="_blank" rel="noopener nofollow noreferrer ">#12426</a> </li> </ul> <p>Learn more about these plugins in the <a href="/gateway/latest/get-started/ai-gateway/">AI Gateway quickstart</a>.</p> <p><strong>Existing plugins</strong>:</p> <ul> <li> <strong>Consumer groups support</strong>: The following plugins can now be scoped to consumer groups: <ul> <li>IP Restriction</li> <li>Rate Limiting</li> <li>Request Termination</li> <li>Proxy Cache</li> <li>Proxy Cache Advanced</li> </ul> </li> <li> <a href="/hub/kong-inc/acl/"><strong>ACL</strong></a> (<code class="language-plaintext highlighter-rouge">acl</code>) <ul> <li>The plugin now includes the configuration parameter <code class="language-plaintext highlighter-rouge">include_consumer_groups</code>, which lets you specify whether Kong consumer groups can be added to allow and deny lists.</li> </ul> </li> <li> <a href="/hub/kong-inc/app-dynamics/"><strong>AppDynamics</strong></a> (<code class="language-plaintext highlighter-rouge">app-dynamics</code>) <ul> <li>This plugin now supports using self-signed certificates via the <code class="language-plaintext highlighter-rouge">CONTROLLER_CERTIFICATE_FILE</code> and <code class="language-plaintext highlighter-rouge">CONTROLLER_CERTIFICATE_DIR</code> environment configuration options.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>This plugin now supports decoding non-standard <code class="language-plaintext highlighter-rouge">asn1</code> integers and enumerated encoding with redundant leading padding.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>The configuration parameters <code class="language-plaintext highlighter-rouge">scopes</code>, <code class="language-plaintext highlighter-rouge">login_redirect_uri</code>, <code class="language-plaintext highlighter-rouge">logout_redirect_uri</code>, and <code class="language-plaintext highlighter-rouge">introspection_headers_values</code> can now be referenced as secrets in the Kong Vault.</li> <li>Extended the <code class="language-plaintext highlighter-rouge">token_post_args_client</code> configuration parameter to support injection from headers.</li> <li>Added support for explicit proof key for code exchange (PKCE).</li> <li>Added support for pushed authorization requests (PAR).</li> <li>Added support for the <code class="language-plaintext highlighter-rouge">tls_client_auth</code> and <code class="language-plaintext highlighter-rouge">self_signed_tls_client_auth</code> authentication methods, allowing <a href="/hub/kong-inc/openid-connect/how-to/client-authentication/mtls/">mTLS client authentication</a> with the IdP.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Tracing sampling rate can now be set via the <a href="/hub/kong-inc/opentelemetry/configuration/#configsampling_rate"><code class="language-plaintext highlighter-rouge">config.sampling_rate</code></a> property of the OpenTelemetry plugin instead of just being a global setting for Kong Gateway. <a href="https://github.com/Kong/kong/issues/12054" target="_blank" rel="noopener nofollow noreferrer ">#12054</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Enhanced the resolution of the RLA sliding window weight.</li> </ul> </li> </ul> <h3 id="fixes-16">Fixes</h3> <h4 id="admin-api-10">Admin API</h4> <ul> <li>Enhanced error responses for authentication failures in the Admin API. <a href="https://github.com/Kong/kong/issues/12456" target="_blank" rel="noopener nofollow noreferrer ">#12456</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">/rbac/roles/:role/endpoints</code> endpoint did not accept <code class="language-plaintext highlighter-rouge">actions</code> as an array.</li> <li>The workspace listing API now only shows workspaces that the current user has endpoints associated with.</li> <li>Fixed an issue where HTTP 500 errors were returned when paginating and sorting by timestamp fields (for example, <code class="language-plaintext highlighter-rouge">created_at</code>).</li> <li>Fixed an issue where unique violation errors were reported while trying to update the <code class="language-plaintext highlighter-rouge">user_token</code> with the same value on the same RBAC user.</li> <li>Disallowed admins and RBAC users from updating their own roles.</li> </ul> <h4 id="cli-6">CLI</h4> <ul> <li>The CLI no longer reinitializes workspace entity counters when migrating from CE to EE.</li> </ul> <h4 id="clustering-10">Clustering</h4> <ul> <li>Fixed a bug causing data plane status updates to fail when an empty PING frame was received from a data plane. <a href="https://github.com/Kong/kong/issues/11917" target="_blank" rel="noopener nofollow noreferrer ">#11917</a> </li> <li>Fixed an issue where the data plane’s log serializer output had a workspace name under hybrid mode.</li> <li>Reduced message push error logs when the <code class="language-plaintext highlighter-rouge">cluster_telemetry_endpoint</code> config is disabled.</li> <li>Clustering analytics now shows <code class="language-plaintext highlighter-rouge">-1</code> as the worker ID for the privileged agent.</li> </ul> <h4 id="configuration-8">Configuration</h4> <ul> <li>Fixed a data loss error caused by a weakly-typed <code class="language-plaintext highlighter-rouge">of</code> function in the <code class="language-plaintext highlighter-rouge">declarative_config_flattened</code> function. <a href="https://github.com/Kong/kong/issues/12167" target="_blank" rel="noopener nofollow noreferrer ">#12167</a> </li> <li>Kong Gateway now respects custom <code class="language-plaintext highlighter-rouge">proxy_access_log</code> values. <a href="https://github.com/Kong/kong/issues/12073" target="_blank" rel="noopener nofollow noreferrer ">#12073</a> </li> </ul> <h4 id="core-16">Core</h4> <ul> <li>You can no longer delete a CA cert if it’s still referenced by other entities. The related CA store caches are invalidated when a CA cert is updated. <a href="https://github.com/Kong/kong/issues/11789" target="_blank" rel="noopener nofollow noreferrer ">#11789</a> </li> <li>Cookie names are now validated against RFC 6265, which allows more characters than the previous validation. <a href="https://github.com/Kong/kong/issues/11881" target="_blank" rel="noopener nofollow noreferrer ">#11881</a> </li> <li>Nulls are now removed only if the schema has transformations definitions. This improves performance, as most schemas don’t define transformations. <a href="https://github.com/Kong/kong/issues/12284" target="_blank" rel="noopener nofollow noreferrer ">#12284</a> </li> <li>Fixed a bug where the <code class="language-plaintext highlighter-rouge">error_handler</code> couldn’t provide the meaningful response body when the internal error code 494 is triggered. <a href="https://github.com/Kong/kong/issues/12114" target="_blank" rel="noopener nofollow noreferrer ">#12114</a> </li> <li>Header value matching (<code class="language-plaintext highlighter-rouge">http.headers.*</code>) in the <code class="language-plaintext highlighter-rouge">expressions</code> router flavor is now case sensitive. This change doesn’t affect <code class="language-plaintext highlighter-rouge">traditional_compatible</code> mode where header value matching is always performed with the case ignored. <a href="https://github.com/Kong/kong/issues/11905" target="_blank" rel="noopener nofollow noreferrer ">#11905</a> </li> <li>Fixed an incorrect error message that appeared when a plugin failed. <a href="https://github.com/Kong/kong/issues/11800" target="_blank" rel="noopener nofollow noreferrer ">#11800</a> </li> <li>Fixed intermittent ldoc failures caused by a LuaJIT error. <a href="https://github.com/Kong/kong/issues/11983" target="_blank" rel="noopener nofollow noreferrer ">#11983</a> </li> <li>The <code class="language-plaintext highlighter-rouge">NGX_WASM_MODULE_BRANCH</code> environment variable now sets the <code class="language-plaintext highlighter-rouge">ngx_wasm_module</code> repository branch when building Kong. <a href="https://github.com/Kong/kong/issues/12241" target="_blank" rel="noopener nofollow noreferrer ">#12241</a> </li> <li>Eliminated an asynchronous timer in <code class="language-plaintext highlighter-rouge">syncQuery()</code> to prevent hang risk. <a href="https://github.com/Kong/kong/issues/11900" target="_blank" rel="noopener nofollow noreferrer ">#11900</a> </li> <li>Tracing fixes: <ul> <li>Fixed an issue where a DNS query failure would cause a tracing failure. <a href="https://github.com/Kong/kong/issues/11935" target="_blank" rel="noopener nofollow noreferrer ">#11935</a> </li> <li>DNS spans are now correctly generated for upstream DNS queries, in addition to cosocket queries. <a href="https://github.com/Kong/kong/issues/11996" target="_blank" rel="noopener nofollow noreferrer ">#11996</a> </li> </ul> </li> <li>Expressions routes in <code class="language-plaintext highlighter-rouge">http</code> and <code class="language-plaintext highlighter-rouge">stream</code> subsystems now have stricter validation. Previously, they shared the same validation schema, so admins could configure expressions routes using fields like <code class="language-plaintext highlighter-rouge">http.path</code> even for stream routes. This is no longer allowed. <a href="https://github.com/Kong/kong/issues/11914" target="_blank" rel="noopener nofollow noreferrer ">#11914</a> </li> <li>Kong Gateway now validates private and public keys for the <code class="language-plaintext highlighter-rouge">keys</code> entity to ensure they match each other. <a href="https://github.com/Kong/kong/issues/11923" target="_blank" rel="noopener nofollow noreferrer ">#11923</a> </li> <li>Fixed the <code class="language-plaintext highlighter-rouge">previous plan already attached</code> error in <code class="language-plaintext highlighter-rouge">proxy-wasm</code>, which occurred when a filter triggered re-entrancy of the access handler. <a href="https://github.com/Kong/kong/issues/12452" target="_blank" rel="noopener nofollow noreferrer ">#12452</a> </li> <li>Fixed an RBAC issue which required adding missing endpoints to all workspaces.</li> <li>Dismissed a confusing debug log entry from the Redis rate limiting tool.</li> <li>Fixed an issue where workload identity didn’t work for dataplane resilience.</li> <li>Fixed an issue where the GCP backend vault would hide the error message when secrets couldn’t be fetched.</li> <li>Added the missing <code class="language-plaintext highlighter-rouge">workspace_id</code> to the output of request debugging when using a filter.</li> <li>Fixed an issue where the IAM auth token was not refreshed when the underlying AWS credential expired.</li> <li>Redis’s <code class="language-plaintext highlighter-rouge">timeout</code> warning message is only printed if the timeout is set explicitly. If it isn’t set, the default timeout value is used.</li> <li>Removed inaccurate critical level logs which appeared when starting external plugin servers. These logs can’t be suppressed due to a limitation of OpenResty. We chose to remove the socket availability detection feature.</li> </ul> <h4 id="kong-manager-enterprise-2">Kong Manager Enterprise</h4> <ul> <li>Fixed issues with Admin GUI authentication using OpenID Connect, including <code class="language-plaintext highlighter-rouge">session</code>, <code class="language-plaintext highlighter-rouge">response_mode</code>, and RP-initiated logout.</li> <li>Corrected the UI descriptions under Teams when mapping roles from external sources (for example, OIDC or LDAP).</li> <li>Kong Manager now supports operating keys scoped to a specific keyset without permissions on the <code class="language-plaintext highlighter-rouge">/keys/*</code> endpoint.</li> <li>Fixed various issues encountered while authenticating the Admin API via OpenID Connect.</li> </ul> <h4 id="kong-manager-open-source-1">Kong Manager Open Source</h4> <ul> <li>Standardized notification text format. <a href="https://github.com/Kong/kong-manager/issues/140" target="_blank" rel="noopener nofollow noreferrer ">#140</a> </li> </ul> <h4 id="pdk-8">PDK</h4> <ul> <li>Optimized performance by avoiding unnecessary creations and garbage collections of spans. <a href="https://github.com/Kong/kong/issues/12080" target="_blank" rel="noopener nofollow noreferrer ">#12080</a> </li> <li> <code class="language-plaintext highlighter-rouge">response.set_header</code> now correctly supports header arguments with a table array of strings. <a href="https://github.com/Kong/kong/issues/12164" target="_blank" rel="noopener nofollow noreferrer ">#12164</a> </li> <li>Fixed an issue where, when using <code class="language-plaintext highlighter-rouge">kong.response.exit</code>, the Transfer-Encoding header set by the user wasn’t removed. <a href="https://github.com/Kong/kong/issues/11936" target="_blank" rel="noopener nofollow noreferrer ">#11936</a> </li> <li> <strong>Plugin Server</strong>: Fixed an issue where every request caused a new plugin instance to be created. <a href="https://github.com/Kong/kong/issues/12020" target="_blank" rel="noopener nofollow noreferrer ">#12020</a> </li> </ul> <h4 id="plugins-28">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/basic-auth/"><strong>Basic Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">basic-auth</code>) <ul> <li>Added missing <code class="language-plaintext highlighter-rouge">WWW-Authenticate</code> headers to 401 responses. <a href="https://github.com/Kong/kong/issues/11795" target="_blank" rel="noopener nofollow noreferrer ">#11795</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/datadog/"><strong>Datadog</strong></a> (<code class="language-plaintext highlighter-rouge">datadog</code>) <ul> <li>Fixed an issue where the plugin wasn’t triggered for serviceless routes. The Datadog plugin is now always triggered, and the value of tag <code class="language-plaintext highlighter-rouge">name</code>(<code class="language-plaintext highlighter-rouge">service_name</code>) is set as an empty value. <a href="https://github.com/Kong/kong/issues/12068" target="_blank" rel="noopener nofollow noreferrer ">#12068</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>The plugin now falls back to the non-streaming proxy when the request body has already been read.</li> <li>Fixed an issue where request payload was being discarded when the payload exceeded the <code class="language-plaintext highlighter-rouge">client_body_buffer_size</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwe-decrypt/"><strong>JWE Decrypt</strong></a> (<code class="language-plaintext highlighter-rouge">jwe-decrypt</code>) <ul> <li>Fixed a typo in an error message.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> <li>Fixed some cache-related issues which caused <code class="language-plaintext highlighter-rouge">groups_required</code> to return unexpected codes after a non-200 response.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue where valid recursive schemas were always rejected.</li> <li>Fixed an issue where the plugin failed to return the mock response when <code class="language-plaintext highlighter-rouge">responses</code> contained <code class="language-plaintext highlighter-rouge">default</code> or wildcard codes like <code class="language-plaintext highlighter-rouge">2XX</code>.</li> <li>The plugin now prints a <code class="language-plaintext highlighter-rouge">notice</code> log entry if a revocation check fails with <code class="language-plaintext highlighter-rouge">revocation_check_mode = IGNORE_CA_ERROR</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue where the plugin throws a runtime error caused by the ref parameter schema not being dereferenced.</li> <li>Exposed metrics for serviceless routes.</li> <li>Fixed an issue where the plugin threw a runtime error while validating parameters with the AnyType schema and style keyword defined.</li> <li>Fixed an issue where the cookie parameters weren’t being validated.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">nullable</code> keyword didn’t take effect.</li> <li>Fixed an issue where the request path couldn’t matched when containing regex escape characters. The URI component escaped characters were incorrectly unescaped.</li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> <li>The <code class="language-plaintext highlighter-rouge">authorization_value</code> configuration parameter can now be encrypted.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed logout URI suffix detection by using the normalized version of <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_path()</code> instead of <code class="language-plaintext highlighter-rouge">ngx.var.request_uri</code>, especially when passing query strings to logout.</li> <li>The <code class="language-plaintext highlighter-rouge">introspection_headers_values</code> configuration parameter can now be encrypted.</li> <li>Removed the unwanted argument <code class="language-plaintext highlighter-rouge">ignore_signature.userinfo</code> from the <code class="language-plaintext highlighter-rouge">userinfo_load</code> function.</li> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> <li>Fixed the cache key collision when config <code class="language-plaintext highlighter-rouge">issuer</code> and <code class="language-plaintext highlighter-rouge">extra_jwks_uris</code> contain the same URI.</li> <li>The plugin now correctly handled boundary conditions for token expiration time checking.</li> <li>The plugin now updates the time when calculating token expiration.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Exposed metrics for serviceless routes. <a href="https://github.com/Kong/kong/issues/11781" target="_blank" rel="noopener nofollow noreferrer ">#11781</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Removed the undesired <code class="language-plaintext highlighter-rouge">proxy-cache-advanced/migrations/001_035_to_050.lua</code> file, which blocked migration from OSS to Enterprise. This is a breaking change only if you are upgrading from a Kong Gateway version between <code class="language-plaintext highlighter-rouge">0.3.5</code> and <code class="language-plaintext highlighter-rouge">0.5.0</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>The plugin now provides better accuracy in counters when <code class="language-plaintext highlighter-rouge">sync_rate</code> is used with the Redis policy. <a href="https://github.com/Kong/kong/issues/11859" target="_blank" rel="noopener nofollow noreferrer ">#11859</a> </li> <li>Fixed an issue where all counters were synced to the same database at the same rate. <a href="https://github.com/Kong/kong/issues/12003" target="_blank" rel="noopener nofollow noreferrer ">#12003</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>The plugin now checks for query errors in the Redis pipeline.</li> <li>The plugin now checks if <code class="language-plaintext highlighter-rouge">sync_rate</code> is <code class="language-plaintext highlighter-rouge">nil</code> or <code class="language-plaintext highlighter-rouge">null</code> when calling the <code class="language-plaintext highlighter-rouge">configure()</code> phase. If it is <code class="language-plaintext highlighter-rouge">nil</code> or <code class="language-plaintext highlighter-rouge">null</code>, the plugin skips the sync with the database or with Redis.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>The plugin now validates the request body schema when <code class="language-plaintext highlighter-rouge">json</code> is the suffix value in the request content type’s subtype (for example, <code class="language-plaintext highlighter-rouge">application/merge-patch+json</code>).</li> </ul> </li> <li> <a href="/hub/kong-inc/route-transformer-advanced/"><strong>Route Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">route-transformer-advanced</code>) <ul> <li>Improved error messages.</li> </ul> </li> <li> <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> </ul> <h3 id="dependencies-13">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> from 1.2.0 to 1.6.0 <a href="https://github.com/Kong/kong/issues/12231" target="_blank" rel="noopener nofollow noreferrer ">#12231</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lapis</code> from 1.14.0.3 to 1.16.0.1 <a href="https://github.com/Kong/kong/issues/12064" target="_blank" rel="noopener nofollow noreferrer ">#12064</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">LPEG</code> from 1.0.2 to 1.1.0 <a href="https://github.com/Kong/kong/issues/11955" target="_blank" rel="noopener nofollow noreferrer ">#11955</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-messagepack</code> from 0.5.2 to 0.5.3 <a href="https://github.com/Kong/kong/issues/11956" target="_blank" rel="noopener nofollow noreferrer ">#11956</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-messagepack</code> from 0.5.3 to 0.5.4 <a href="https://github.com/Kong/kong/issues/12076" target="_blank" rel="noopener nofollow noreferrer ">#12076</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.3.5 to 1.3.6 <a href="https://github.com/Kong/kong/issues/12439" target="_blank" rel="noopener nofollow noreferrer ">#12439</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 3.0.0 to 3.0.1 <a href="https://github.com/Kong/kong/issues/12237" target="_blank" rel="noopener nofollow noreferrer ">#12237</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-lmdb</code> from 1.3.0 to 1.4.1 <a href="https://github.com/Kong/kong/issues/12026" target="_blank" rel="noopener nofollow noreferrer ">#12026</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> from 0.2.5 to 0.2.6 <a href="https://github.com/Kong/kong/issues/12275" target="_blank" rel="noopener nofollow noreferrer ">#12275</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenResty</code> from 1.21.4.2 to 1.25.3.1 <a href="https://github.com/Kong/kong/issues/12327" target="_blank" rel="noopener nofollow noreferrer ">#12327</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenSSL</code> from 3.1.4 to 3.2.1 <a href="https://github.com/Kong/kong/issues/12264" target="_blank" rel="noopener nofollow noreferrer ">#12264</a> </li> <li>Bump <code class="language-plaintext highlighter-rouge">resty-openssl</code> from 0.8.25 to 1.2.0 <a href="https://github.com/Kong/kong/issues/12265" target="_blank" rel="noopener nofollow noreferrer ">#12265</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">ngx_brotli</code> to master branch, and disabled it on rhel7, rhel9-arm64, and amazonlinux-2023-arm64 due to toolchain issues <a href="https://github.com/Kong/kong/issues/12444" target="_blank" rel="noopener nofollow noreferrer ">#12444</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 1.6.3 to 3.0.0 <a href="https://github.com/Kong/kong/issues/11834" target="_blank" rel="noopener nofollow noreferrer ">#11834</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">ngx_wasm_module</code> to <code class="language-plaintext highlighter-rouge">a7087a37f0d423707366a694630f1e09f4c21728</code> <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">Wasmtime</code> to <code class="language-plaintext highlighter-rouge">14.0.3</code> <a href="https://github.com/Kong/kong/issues/12011" target="_blank" rel="noopener nofollow noreferrer ">#12011</a> </li> <li>Bumped submodule <code class="language-plaintext highlighter-rouge">kong-openid-connect</code> to 2.7.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> to 1.5.3</li> <li>Bumped <code class="language-plaintext highlighter-rouge">jq</code> to 1.7.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">luasec</code> to 1.3.2</li> </ul> <h3 id="known-issues-3">Known issues</h3> <ul> <li>The recent OpenResty bump includes TLS 1.3 and deprecates TLS 1.1. If you still need to still support TLS 1.1, set the <a href="/gateway/latest/reference/configuration/#ssl_cipher_suite"><code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code></a> setting to <code class="language-plaintext highlighter-rouge">old</code>.</li> <li>If you are using <code class="language-plaintext highlighter-rouge">ngx.var.http_*</code> in custom code in order to access HTTP headers, the behavior of that variable changed slightly when the same header is used multiple times in a single request. Previously it would return the first value only, now it returns all the values, separated by commas. Kong’s PDK header getters and setters work as before.</li> </ul> <h2 id="3507">3.5.0.7</h2> <p><strong>Release Date</strong> 2024/07/09</p> <h3 id="deprecations-2">Deprecations</h3> <ul> <li>Debian 10, CentOS 7, and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of this patch, Kong is not building Kong Gateway 3.5.x installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.</li> </ul> <h3 id="features-13">Features</h3> <h4 id="plugins-29">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added the new configuration parameter <code class="language-plaintext highlighter-rouge">empty_arrays_mode</code>, which lets you control whether Kong Gateway should send empty arrays (<code class="language-plaintext highlighter-rouge">[]</code>) returned by the Lambda function as empty arrays (<code class="language-plaintext highlighter-rouge">[]</code>), or as empty objects (<code class="language-plaintext highlighter-rouge">{}</code>) in JSON responses.</li> </ul> </li> </ul> <h2 id="3506">3.5.0.6</h2> <p><strong>Release Date</strong> 2024/06/22</p> <h3 id="fixes-17">Fixes</h3> <ul> <li>Fixed an issue where the DNS client was incorrectly using the content of the <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses.</li> </ul> <h2 id="3505">3.5.0.5</h2> <p><strong>Release Date</strong> 2024/06/18</p> <h3 id="known-issues-4">Known issues</h3> <ul> <li>There is an issue with the DNS client fix, where the DNS client incorrectly uses the content <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses. To avoid this issue, install 3.5.0.6 instead of this patch.</li> </ul> <h3 id="features-14">Features</h3> <h4 id="admin-api-11">Admin API</h4> <ul> <li>Added LHS bracket filtering to search fields.</li> <li> <strong>Audit logs:</strong> <ul> <li>Added <code class="language-plaintext highlighter-rouge">request_timestamp</code> to <code class="language-plaintext highlighter-rouge">audit_objects</code>.</li> <li>Added before and after aliases for LHS Brackets filters.</li> <li> <code class="language-plaintext highlighter-rouge">audit_requests</code> and <code class="language-plaintext highlighter-rouge">audit_objects</code> can now be filtered by <code class="language-plaintext highlighter-rouge">request_timestamp</code>.</li> </ul> </li> </ul> <h4 id="plugin">Plugin</h4> <ul> <li> <a href="/hub/kong-inc/application-registration/"><strong>Portal Application Registration</strong></a> (<code class="language-plaintext highlighter-rouge">application-registration</code>) <ul> <li>Added support for accessing the service using consumer credential authentication. To use this functionality, enable <code class="language-plaintext highlighter-rouge">enable_proxy_with_consumer_credential</code> (default is <code class="language-plaintext highlighter-rouge">false</code>).</li> </ul> </li> </ul> <h3 id="fixes-18">Fixes</h3> <h4 id="core-17">Core</h4> <ul> <li> <strong>DNS Client</strong>: Fixed an issue where the Kong DNS client stored records with non-matching domain and type when parsing answers. It now ignores records when the RR type differs from that of the query when parsing answers.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">host_header</code> attribute of the upstream entity wouldn’t be set correctly as a Host header in requests to the upstream during connection retries.</li> <li>Built-in RBAC roles for admins (<code class="language-plaintext highlighter-rouge">admin</code> under the default workspace and <code class="language-plaintext highlighter-rouge">workspace-admin</code> under non-default workspaces) now disallow CRUD actions to <code class="language-plaintext highlighter-rouge">/groups</code> and <code class="language-plaintext highlighter-rouge">/groups/*</code> endpoints.</li> </ul> <h4 id="plugins-30">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue where anonymous consumers were being cached as <code class="language-plaintext highlighter-rouge">nil</code> under a certain condition.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Timer spikes no longer occur when there is network instability with the central data store.</li> </ul> </li> </ul> <h4 id="admin-api-12">Admin API</h4> <ul> <li>The <code class="language-plaintext highlighter-rouge">/<workspace>/admins</code> endpoint was incorrectly used to return admins associated with a workspace based on their assigned RBAC roles. This has been fixed and now accurately returns admins according to their specific workspace associations.</li> <li>Fixed an issue with the workspace listing API, which showed workspaces that the user didn’t have any roles in. The API now only shows workspaces that a user has access to.</li> </ul> <h3 id="dependencies-14">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> from 1.4.1 to 1.5.0 to refine some error logging.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.2.1.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 1.6.4 to 1.6.5 to fix memory leak issues by reusing a timer for the same active healthcheck target instead of running many timers.</li> </ul> <h2 id="3504">3.5.0.4</h2> <p><strong>Release Date</strong> 2024/05/20</p> <h3 id="breaking-changes">Breaking Changes</h3> <ul> <li>In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result, the following are prohibited: <ul> <li>RSA, DSA, and DH keys shorter than 2048 bits</li> <li>ECC keys shorter than 224 bits</li> <li>Any cipher suite using RC4</li> <li>SSL version 3 Additionally, compression is disabled.</li> </ul> </li> <li>The recent OpenResty bump includes TLS 1.3 and deprecates TLS 1.1. If you still need to support TLS 1.1, set the <a href="/gateway/3.5.x/reference/configuration/#ssl_cipher_suite"><code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code></a> setting to <code class="language-plaintext highlighter-rouge">old</code>.</li> </ul> <h3 id="features-15">Features</h3> <h4 id="configuration-9">Configuration</h4> <ul> <li>TLSv1.1 and lower is now disabled by default in OpenSSL 3.x.</li> <li>Added resilience support for homogeneous data plane deployments. Data planes can now act as importers and exporters at the same time, and Kong Gateway will try to control the concurrency when exporting the config.</li> </ul> <h4 id="core-18">Core</h4> <ul> <li>The HashiCorp Vault secrets management backend now supports the AppRole authentication method.</li> <li>You can now use an RBAC token to authenticate while using <a href="/gateway/3.5.x/kong-manager/auth/oidc/mapping/">group mapping with Kong Manager</a> (for example, with OIDC or LDAP).</li> <li>Expressions router: <ul> <li>The expressions router now supports the <code class="language-plaintext highlighter-rouge">!</code> (not) operator, which allows creating routes like <code class="language-plaintext highlighter-rouge">!(http.path =^ "/a")</code> and <code class="language-plaintext highlighter-rouge">!(http.path == "/a" || http.path == "/b")</code>.</li> <li>Kong Gateway now supports <a href="/gateway/3.5.x/key-concepts/routes/expressions/#matching-fields"><code class="language-plaintext highlighter-rouge">http.path.segments.len</code> and <code class="language-plaintext highlighter-rouge">http.path.segments.*</code></a> fields in the expressions router, which allows matching incoming (normalized) request paths by individual segments or ranges of segments, and checking the total number of segments.</li> <li>The <a href="/gateway/3.5.x/key-concepts/routes/expressions/#matching-fields"><code class="language-plaintext highlighter-rouge">net.src.*</code> and <code class="language-plaintext highlighter-rouge">net.dst.*</code></a> match fields are now accessible in HTTP routes defined using expressions.</li> </ul> </li> </ul> <h4 id="admin-api-13">Admin API</h4> <ul> <li>Changed the default ordering of <code class="language-plaintext highlighter-rouge">audit_requests</code> to sorted by <code class="language-plaintext highlighter-rouge">request_timestamp</code> in descending order.</li> <li>Added the Kong Gateway edition to the root endpoint of the Admin API.</li> </ul> <h4 id="plugins-31">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Auth</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Added a <code class="language-plaintext highlighter-rouge">default_consumer</code> option, which allows a default consumer to be used when the client certificate is valid but doesn’t match any existing consumers.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Added the new field <code class="language-plaintext highlighter-rouge">api_spec_encoded</code> to indicate whether the <code class="language-plaintext highlighter-rouge">api_spec</code> is URI-encoded.</li> </ul> </li> </ul> <p><a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>)</p> <ul> <li>The plugin now supports decoding non-standard <code class="language-plaintext highlighter-rouge">asn1</code> integer and enumerated encoded with redundant leading padding.</li> </ul> <h3 id="fixes-19">Fixes</h3> <h4 id="admin-api-14">Admin API</h4> <ul> <li>Fixed an issue where HTTP 500 errors were returned when paginating and sorting by timestamp fields (for example, <code class="language-plaintext highlighter-rouge">created_at</code>).</li> <li>It is no longer possible for admins or RBAC users to update their own roles.</li> </ul> <h4 id="clustering-11">Clustering</h4> <ul> <li>Fixed an issue where event hooks were prematurely validated in hybrid mode. The fix delays the validation of event hooks to the point where event hooks are emitted.</li> <li>Adjusted the clustering compatible check related to AWS Secrets Manager to use <code class="language-plaintext highlighter-rouge">AK-SK</code> environment variables to grant IAM role permissions.</li> <li>Adjusted a clustering compatibility check related to HCV Kubernetes authentication paths.</li> <li>Reduce message push error logs when the <code class="language-plaintext highlighter-rouge">cluster_telemetry_endpoint</code> config is disabled.</li> </ul> <h4 id="configuration-10">Configuration</h4> <ul> <li>Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API.</li> <li>Set the security level of gRPC’s TLS to <code class="language-plaintext highlighter-rouge">0</code> when <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is set to <code class="language-plaintext highlighter-rouge">old</code>.</li> </ul> <h4 id="core-19">Core</h4> <ul> <li>Fixed an issue with data planes in hybrid mode, where a certificate entity configured with a vault reference was occasionally not refreshed on time.</li> <li>Fixed an issue where external pluginservers would not start automatically with Kong Gateway.</li> <li>Fixed vault initialization by postponing vault reference resolution to a timer in the <code class="language-plaintext highlighter-rouge">init_worker</code> phase.</li> <li>Updated the file permission of <code class="language-plaintext highlighter-rouge">kong.logrotate</code> to 644.</li> <li>Fixed the missing router section for the output of request debugging.</li> <li>Vaults: <ul> <li>Fixed an issue where the vault used the wrong (default) workspace identifier when retrieving a vault entity by prefix.</li> <li>Fixed an issue where a new data plane couldn’t resolve a Vault reference after the first configuration push. This was happening due to issues with license pre-loading.</li> </ul> </li> <li>Header value matching (<code class="language-plaintext highlighter-rouge">http.headers.*</code>) in the <code class="language-plaintext highlighter-rouge">expressions</code> router flavor is now case sensitive. This change doesn’t affect <code class="language-plaintext highlighter-rouge">traditional_compatible</code> mode where header value matching is always performed with the case ignored.</li> <li>Expressions routes in <code class="language-plaintext highlighter-rouge">http</code> and <code class="language-plaintext highlighter-rouge">stream</code> subsystems now have stricter validation. Previously, they shared the same validation schema, so admins could configure expressions routes using fields like <code class="language-plaintext highlighter-rouge">http.path</code> even for stream routes. This is no longer allowed.</li> <li>Fixed an RBAC issue which required adding missing endpoints to all workspaces.</li> <li>Fixed an issue where workload identity didn’t work for dataplane resilience.</li> <li>Fixed an issue where the GCP backend vault would hide the error message when secrets couldn’t be fetched.</li> </ul> <h4 id="kong-manager-enterprise-3">Kong Manager Enterprise</h4> <ul> <li>Fixed an issue where the admin account profile page returned a 404 error if the <code class="language-plaintext highlighter-rouge">admin_gui_path</code> was not a slash.</li> <li>Fixed the display of the remaining days for the license expiration date. The number of days was inconsistent between the workspaces page and the top banner.</li> <li>Updated the type of RBAC token for the RBAC user to <code class="language-plaintext highlighter-rouge">password</code>.</li> </ul> <h4 id="pdk-9">PDK</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_port</code> incorrectly returned a string from <code class="language-plaintext highlighter-rouge">ngx.ctx.host_port</code>. It now correctly returns a number.</li> </ul> <h4 id="plugins-32">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>), <a href="/hub/kong-inc/websocket-size-limit/"><strong>WebSocket Size Limit</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-size-limit</code>), <a href="/hub/kong-inc/websocket-validator/"><strong>WebSocket Validator</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-validator</code>), <a href="/hub/kong-inc/xml-threat-protection/"><strong>XML Threat Protection</strong></a> (<code class="language-plaintext highlighter-rouge">xml-threat-protection</code>) <ul> <li>The priorities of these plugins have been updated to prevent collisions between plugins. The relative priority (and the order of execution) of bundled plugins remains unchanged.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Refactored <code class="language-plaintext highlighter-rouge">kong/tools/public/rate-limiting</code>, adding the new interface <code class="language-plaintext highlighter-rouge">new_instance</code> to provide isolation between different plugins. The original interfaces remain unchanged for backward compatibility.</p> <p>If you are using custom Rate Limiting plugins based on this library, update the initialization code to the new format. For example: <code class="language-plaintext highlighter-rouge">'local ratelimiting = require("kong.tools.public.rate-limiting").new_instance("custom-plugin-name")'</code>. The old interface will be removed in the upcoming major release.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Improved robustness of parsing for short trace IDs.</li> </ul> </li> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Fixed an issue where the certificate was not successfully renewed during ACME renewal.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where GraphQL variables were not being correctly parsed and coerced into their defined types.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>), <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>), <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>), and <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed an issue where any plugins using the <code class="language-plaintext highlighter-rouge">rate-limiting</code> library, when used together, would interfere with each other and fail to synchronize counter data to the central data store.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">sync_rate</code> setting being used with the <code class="language-plaintext highlighter-rouge">redis</code> strategy. If the Redis connection is interrupted while <code class="language-plaintext highlighter-rouge">sync_rate = 0</code>, the plugin now accurately falls back to the <code class="language-plaintext highlighter-rouge">local</code> strategy.</li> <li>Fixed an issue where, if <code class="language-plaintext highlighter-rouge">sync_rate</code> was changed from a value greater than <code class="language-plaintext highlighter-rouge">0</code> to <code class="language-plaintext highlighter-rouge">0</code>, the namespace was cleared unexpectedly.</li> <li>Fixed some timer-related issues where the counter syncing timer couldn’t be created or destroyed properly.</li> <li>The plugin now creates counter syncing timers during plugin execution instead of plugin creation to reduce some meaningless error logs.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where, if the credential was encoded with no username, Kong Gateway would return a 500 error code.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an OTEL sampling mode Lua panic bug that occurred when the <code class="language-plaintext highlighter-rouge">http_response_header_for_traceid</code> option was enabled.</li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>The plugin now falls back to the non-streaming proxy when the request body has already been read.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Marked the <code class="language-plaintext highlighter-rouge">introspection_headers_values</code> as an encrypted and referenceable field.</li> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> <li> <a href="/hub/kong-inc/saml"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed some cache-related issues which caused <code class="language-plaintext highlighter-rouge">groups_required</code> to return unexpected codes after a non-200 response.</li> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue where cookie parameters were not being validated.</li> </ul> </li> </ul> <h3 id="performance-3">Performance</h3> <h4 id="configuration-11">Configuration</h4> <ul> <li>Bumped the default values of <code class="language-plaintext highlighter-rouge">nginx_http_keepalive_requests</code> and <code class="language-plaintext highlighter-rouge">upstream_keepalive_max_requests</code> to 10000.</li> </ul> <h4 id="core-20">Core</h4> <ul> <li>Improved the robustness of <code class="language-plaintext highlighter-rouge">lua-cjson</code> when handling unexpected input.</li> <li>Reuse match context between requests to avoid frequent memory allocation or deallocation.</li> </ul> <h4 id="plugins-33">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Increased queue max batch size to 200.</li> </ul> </li> </ul> <h3 id="dependencies-15">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> from 1.2.0 to 1.6.0.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> to 0.5.1.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> to 1.2.1.</li> <li>Bumped OpenSSL from 3.1.4 to 3.2.0.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty-openssl</code> from 0.8.25 to 1.2.0.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> to 0.8.1.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> to <code class="language-plaintext highlighter-rouge">0.18</code>.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-luasocket</code> to <code class="language-plaintext highlighter-rouge">1.1.2</code> to fix <a href="https://github.com/lunarmodules/luasocket/issues/427" target="_blank" rel="noopener nofollow noreferrer ">luasocket#427</a>.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> to 1.6.4.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.3.6.</li> </ul> <h2 id="3503">3.5.0.3</h2> <p><strong>Release Date</strong> 2024/01/26</p> <h3 id="features-16">Features</h3> <ul> <li> <p>The Debian variant of the Kong Gateway Docker image is now built using Debian 12. <a href="https://github.com/Kong/kong/issues/7673" target="_blank" rel="noopener nofollow noreferrer ">#7673</a></p> </li> <li> <p>Added pagination support for nested consumer lists and consumer group lists, both in the Admin API and in Kong Manager.</p> </li> </ul> <h3 id="fixes-20">Fixes</h3> <h4 id="kong-manager-8">Kong Manager</h4> <ul> <li>Fixed an issue where the dynamic ordering dropdown list didn’t show custom plugins.</li> <li>Fixed an issue where the targets page showed a 404 error in any workspace except <code class="language-plaintext highlighter-rouge">default</code>.</li> <li>Fixed an issue where the role of the current workspace couldn’t be created by the <code class="language-plaintext highlighter-rouge">workspace-super-admin</code>.</li> </ul> <h3 id="dependencies-16">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> to 1.5.3.</li> </ul> <h2 id="3502">3.5.0.2</h2> <p><strong>Release Date</strong> 2023/12/21</p> <h3 id="breaking-changes-1">Breaking Changes</h3> <h4 id="plugins-34">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/saml"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Adjusted the priority of the SAML plugin to 1010 to correct the integration between the SAML plugin and other consumer-based plugins.</li> </ul> </li> </ul> <h3 id="features-17">Features</h3> <h4 id="configuration-12">Configuration</h4> <ul> <li>The default value of the <a href="/gateway/3.4.x/reference/configuration/#dns_no_sync"><code class="language-plaintext highlighter-rouge">dns_no_sync</code></a> option has been changed to <code class="language-plaintext highlighter-rouge">off</code>.</li> </ul> <h4 id="plugins-35">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Configurations <code class="language-plaintext highlighter-rouge">scopes</code>, <code class="language-plaintext highlighter-rouge">login_redirect_uri</code>, <code class="language-plaintext highlighter-rouge">logout_redirect_uri</code> can now be referenced as a secret in the Kong Vault.</li> <li>Extend <code class="language-plaintext highlighter-rouge">token_post_args_client</code> to support injection from headers.</li> </ul> </li> </ul> <h3 id="fixes-21">Fixes</h3> <h4 id="core-21">Core</h4> <ul> <li>Dismissed confusing debug log from Redis tool of rate limiting.</li> <li>Fixed the missing <code class="language-plaintext highlighter-rouge">workspace_id</code> in the output of request debugging when using the filter.</li> <li>Eliminated asynchronous timer in syncQuery() to prevent risk of query hanging.</li> <li>Fixed ldoc intermittent failure caused by LuaJIT error. <a href="https://github.com/Kong/kong/issues/7494" target="_blank" rel="noopener nofollow noreferrer ">#7494</a> </li> </ul> <h4 id="pdk-10">PDK</h4> <ul> <li>Fixed an issue in the plugin server where every request caused a new plugin instance to be created.</li> </ul> <h4 id="plugin-1">Plugin</h4> <ul> <li> <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>) <ul> <li>Marked the <code class="language-plaintext highlighter-rouge">authorization_value</code> as an encrypted field.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwe-decrypt/"><strong>JWE Decrypt</strong></a> (<code class="language-plaintext highlighter-rouge">jwe-decrypt</code>) <ul> <li>Fixed typo in <code class="language-plaintext highlighter-rouge">jwe-decrypt</code> error message.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed logout uri suffix detection by using normalized version of <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_path()</code> instead of <code class="language-plaintext highlighter-rouge">ngx.var.request_uri</code>, especially when passing query strings to logout.</li> <li>Updated time when calculating token expiration.</li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>Fixed the issue where request payload is being discarded when payload exceeded the <code class="language-plaintext highlighter-rouge">client_body_buffer_size</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue where valid recursive schemas are always rejected.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue that the plugin throws a runtime error while validating parameters with AnyType schema and style keyword defined.</li> <li>Fixed an issue that the nullable keyword did not take effect.</li> <li>Fixed an issue that the URI component escaped characters were incorrectly unescaped.</li> <li>Fixed an issue where the plugin throws a runtime error caused by the ref parameter schema not being de-referenced. <a href="https://github.com/Kong/kong/issues/7544" target="_blank" rel="noopener nofollow noreferrer ">#7544</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed an issue where all counters are synced to the same DB at the same rate.<a href="https://github.com/Kong/kong/issues/7315" target="_blank" rel="noopener nofollow noreferrer ">#7315</a> </li> </ul> </li> </ul> <h4 id="admin-api-15">Admin API</h4> <ul> <li>Fixed an issue where unique violation errors were reported while trying to update the <code class="language-plaintext highlighter-rouge">user_token</code> with the same value on the same RBAC user.</li> </ul> <h4 id="clustering-12">Clustering</h4> <ul> <li>Fixed an issue where the dataplane’s log serializer output has workspace name under Hybrid mode.</li> </ul> <h4 id="default">Default</h4> <ul> <li>Fixed critical level logs when starting external plugin servers. Those logs cannot be suppressed due to the limitation of OpenResty. We choose to remove the socket availability detection feature.</li> </ul> <h4 id="configuration-13">Configuration</h4> <ul> <li>Respect custom <code class="language-plaintext highlighter-rouge">proxy_access_log</code>. <a href="https://github.com/Kong/kong/issues/7435" target="_blank" rel="noopener nofollow noreferrer ">#7435</a> </li> </ul> <h3 id="performance-4">Performance</h3> <h4 id="configuration-14">Configuration</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">dns_stale_ttl</code> default to 1 hour so that a stale DNS record can be used for longer time in case of resolver downtime.</li> </ul> <h3 id="dependencies-17">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenResty</code> from 1.21.4.2 to 1.21.4.3 <a href="https://github.com/Kong/kong/issues/7518" target="_blank" rel="noopener nofollow noreferrer ">#7518</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty-openssl</code> from 0.8.25 to 1.0.2 <a href="https://github.com/Kong/kong/issues/7418" target="_blank" rel="noopener nofollow noreferrer ">#7418</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">luasec</code> to 1.3.2</li> </ul> <h2 id="3501">3.5.0.1</h2> <p><strong>Release Date</strong> 2023/11/14</p> <h3 id="fixes-22">Fixes</h3> <h4 id="kong-manager-9">Kong Manager</h4> <ul> <li>Fixed an issue where some values in the config cards did not display correctly.</li> </ul> <h2 id="3500">3.5.0.0</h2> <p><strong>Release Date</strong> 2023/11/08</p> <h3 id="breaking-changes-and-deprecations-4">Breaking changes and deprecations</h3> <ul> <li> <p><a href="/hub/kong-inc/session/"><strong>Session</strong></a> plugin: Introduced the new configuration field <code class="language-plaintext highlighter-rouge">read_body_for_logout</code> with a default value of <code class="language-plaintext highlighter-rouge">false</code>. This change alters the behavior of <code class="language-plaintext highlighter-rouge">logout_post_arg</code> in such a way that it is no longer considered, unless <code class="language-plaintext highlighter-rouge">read_body_for_logout</code> is explicitly set to <code class="language-plaintext highlighter-rouge">true</code>. This adjustment prevents the Session plugin from automatically reading request bodies for logout detection, particularly on POST requests.</p> </li> <li> <p>As of this release, the product component known as Kong Enterprise Portal (Developer Portal) is no longer included in the Kong Gateway Enterprise (previously known as Kong Enterprise) software package. Existing customers who have purchased Kong Enterprise Portal can continue to use it and be supported via a dedicated mechanism.</p> <p>If you have purchased Kong Enterprise Portal in the past and would like to continue to use it with this release or a future release of Kong Gateway Enterprise, contact <a href="https://support.konghq.com/support/s/" target="_blank" rel="noopener nofollow noreferrer ">Kong Support</a> for more information.</p> </li> <li> <p>As of this release, the product component known as Vitals is no longer included in Kong Gateway Enterprise. Existing customers who have purchased Kong Vitals can continue to use it and be supported via a dedicated mechanism. Kong Konnect users can take advantage of our <a href="/konnect/analytics/">API Analytics</a> offering, which provides a superset of Vitals functionality.</p> <p>If you have purchased Vitals in the past and would like to continue to use it with this release or a future release of Kong Gateway Enterprise, contact <a href="https://support.konghq.com/support/s/" target="_blank" rel="noopener nofollow noreferrer ">Kong Support</a> for more information.</p> </li> <li> <p>The default value of the <a href="/gateway/3.5.x/reference/configuration/#dns_no_sync"><code class="language-plaintext highlighter-rouge">dns_no_sync</code></a> option has been changed to <code class="language-plaintext highlighter-rouge">on</code>. <a href="https://github.com/kong/kong/pull/11871" target="_blank" rel="noopener nofollow noreferrer ">#11871</a>.</p> </li> <li> <p>Kong Gateway now requires an Enterprise license to use dynamic plugin ordering.</p> </li> </ul> <h3 id="features-18">Features</h3> <h4 id="enterprise">Enterprise</h4> <ul> <li>Modified the current AWS Vault backend to support <code class="language-plaintext highlighter-rouge">CredentialProviderChain</code> so that users can choose not to use <code class="language-plaintext highlighter-rouge">AK-SK</code> environment variables to grant IAM role permissions.</li> <li>Added support for Microsoft Azure’s KeyVault Secrets Engine. Set it up using the <a href="/gateway/3.5.x/reference/configuration/#vault_azure_vault_uri"><code class="language-plaintext highlighter-rouge">vault_azure_*</code></a>. configuration parameters.</li> <li>License management: <ul> <li>Implemented a new grace period that lasts 30 days from the Kong Enterprise license expiration date. During the grace period all open source functionality will be available, and Enterprise functionality will be set to read-only mode.</li> <li>Added support for counters such as routes, plugins, licenses, and deployment information to the license report.</li> <li>Added a checksum to the output of the license endpoint.</li> </ul> </li> <li>The Kong Enterprise package is now renamed to Kong Gateway Enterprise. This change only affects documentation, and doesn’t affect the Kong Gateway code in any way.</li> </ul> <h5 id="kong-manager-10">Kong Manager</h5> <ul> <li>Added the ability to delete workspaces along with all associated resources. Previously, a workspace couldn’t be deleted until all the entities associated with it were manually deleted. With forced deletion, you can automatically remove any entities associated with a workspace while you are deleting it. For more information, see <a href="/gateway/3.5.x/kong-manager/workspaces/#delete-a-workspace">Delete a workspace</a>.</li> <li>Added support for Azure’s KeyVault Secrets Engine.</li> <li>Enabled plugins to be scoped to consumer groups.</li> <li>Implemented the removal of consumer group policies.</li> <li>Enhanced the user experience of detail pages for entities with a refined look and feel.</li> <li>Improved the user experience with a new design for the <strong>Overview</strong> and <strong>Workspaces</strong> pages.</li> <li>The Vault form now supports TTL fields.</li> </ul> <h4 id="core-22">Core</h4> <ul> <li>Added the <a href="/gateway/3.5.x/reference/configuration/#analytics_debug"><code class="language-plaintext highlighter-rouge">analytics_debug</code></a> option to the output of logged requests.</li> <li>Added the <a href="/gateway/3.5.x/reference/configuration/#cluster_fallback_export_s3_config"><code class="language-plaintext highlighter-rouge">cluster_fallback_export_s3_config</code></a> option to allow adding a config table to the Kong exporter config S3 <code class="language-plaintext highlighter-rouge">putObject</code> request.</li> <li>Added troubleshooting tools to container images.</li> <li> <code class="language-plaintext highlighter-rouge">workspaces.get_workspace()</code> now tries to get the workspace from the cache instead of querying the database directly.</li> <li>Introduced the new endpoint <a href="/gateway/api/admin-ee/latest/#/Information/get-schemas-vaults-vault_name"><code class="language-plaintext highlighter-rouge">/schemas/vaults/:name</code></a> for retrieving the schema of a vault. <a href="https://github.com/Kong/kong/pull/11727" target="_blank" rel="noopener nofollow noreferrer ">#11727</a> </li> <li>Renamed <code class="language-plaintext highlighter-rouge">privileged_agent</code> to <a href="/gateway/3.5.x/reference/configuration/#dedicated_config_processing"><code class="language-plaintext highlighter-rouge">dedicated_config_processing</code></a> and enabled <code class="language-plaintext highlighter-rouge">dedicated_config_processing</code> by default. <a href="https://github.com/Kong/kong/pull/11784" target="_blank" rel="noopener nofollow noreferrer ">#11784</a> </li> <li>Debugging tools: <ul> <li>Added a unique Request ID that is now populated in the error log, access log, error templates, log serializer, and a new <code class="language-plaintext highlighter-rouge">X-Kong-Request-Id</code> header. This configuration can be customized for upstreams and downstreams using the <a href="/gateway/3.5.x/reference/configuration/#headers"><code class="language-plaintext highlighter-rouge">headers</code></a> and <a href="/gateway/3.5.x/reference/configuration/#headers_upstream"><code class="language-plaintext highlighter-rouge">headers_upstream</code></a> configuration options. <a href="https://github.com/Kong/kong/pull/11663" target="_blank" rel="noopener nofollow noreferrer ">#11663</a> </li> <li>Added support for the debug request header <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug-Output</code>, which lets you observe the time consumed by specific components in a given request. Enable it using the <a href="/gateway/3.5.x/reference/configuration/#request_debug"><code class="language-plaintext highlighter-rouge">request_debug</code></a> configuration parameter. This header helps you diagnose the cause of any latency in Kong Gateway. See the <a href="/gateway/3.5.x/production/debug-request/">Request Debugging</a> guide for more information. <a href="https://github.com/Kong/kong/pull/11627" target="_blank" rel="noopener nofollow noreferrer ">#11627</a> </li> </ul> </li> <li>Enabled plugins to implement the <code class="language-plaintext highlighter-rouge">Plugin:configure(configs)</code> function, which is called when there is a change in plugin entities. It receives an array of current plugin configurations or nil if there are no active configurations. Learn more about this function in the guide for <a href="/gateway/3.5.x/plugin-development/custom-logic/">Implementing Custom Logic</a> for plugins. <a href="https://github.com/Kong/kong/pull/11703" target="_blank" rel="noopener nofollow noreferrer ">#11703</a> </li> <li>Implemented a request-aware table capable of detecting accesses from different requests. <a href="https://github.com/Kong/kong/pull/11017" target="_blank" rel="noopener nofollow noreferrer ">#11017</a> </li> <li>WebAssembly (Wasm): <ul> <li>Added support for optional Wasm filter configuration schemas. <a href="https://github.com/Kong/kong/pull/11568" target="_blank" rel="noopener nofollow noreferrer ">#11568</a> </li> <li>Improved support for JSON in Wasm filter configuration. <a href="https://github.com/Kong/kong/pull/11697" target="_blank" rel="noopener nofollow noreferrer ">#11697</a> </li> </ul> <p>See the <a href="/gateway/3.5.x/plugin-development/wasm/filter-configuration/">Proxy-Wasm filter configuration</a> guide to learn more.</p> </li> </ul> <h4 id="kong-manager-open-source-2">Kong Manager Open Source</h4> <ul> <li>Added <code class="language-plaintext highlighter-rouge">JSON</code> and <code class="language-plaintext highlighter-rouge">YAML</code> formats in entity configuration cards. <a href="https://github.com/Kong/kong-manager/pull/111" target="_blank" rel="noopener nofollow noreferrer ">#111</a> </li> <li>Plugin form fields now display descriptions from backend schema. <a href="https://github.com/kong/kong-manager/pull/66" target="_blank" rel="noopener nofollow noreferrer ">#66</a> </li> <li>Added the <code class="language-plaintext highlighter-rouge">protocols</code> field to the plugins form. <a href="https://github.com/kong/kong-manager/pull/93" target="_blank" rel="noopener nofollow noreferrer ">#93</a> </li> <li>The upstream target list shows the <code class="language-plaintext highlighter-rouge">Mark Healthy</code> and <code class="language-plaintext highlighter-rouge">Mark Unhealthy</code> action items when certain conditions are met. <a href="https://github.com/kong/kong-manager/pull/86" target="_blank" rel="noopener nofollow noreferrer ">#86</a> </li> </ul> <h4 id="plugins-36">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Added a new property <code class="language-plaintext highlighter-rouge">include_base_path</code> for path match evaluation.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Added a new property <code class="language-plaintext highlighter-rouge">include_base_path</code> for path match evaluation.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Added the new field <code class="language-plaintext highlighter-rouge">unauthorized_destroy_session</code>. When set to <code class="language-plaintext highlighter-rouge">true</code>, it destroys the session when receiving an unauthorized request by deleting the user’s session cookie.</li> <li>Added the new field <code class="language-plaintext highlighter-rouge">using_pseudo_issuer</code>. When set to <code class="language-plaintext highlighter-rouge">true</code>, the plugin instance will not discover configuration from the issuer.</li> <li>Added support for public clients for token revocation and introspection.</li> <li>Added support for designating parameter names <code class="language-plaintext highlighter-rouge">introspection_token_param_name</code> and <code class="language-plaintext highlighter-rouge">revocation_token_param_name</code>.</li> <li>Added support for mTLS proof of possession. The feature is available by enabling <code class="language-plaintext highlighter-rouge">proof_of_possession_mtls</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> <ul> <li>Added a new value to the parameter <code class="language-plaintext highlighter-rouge">header_type</code>, which allows Kong Gateway to inject Datadog headers into the headers of requests forwarding to the upstream.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Added support for secret rotation with Redis connections. <a href="https://github.com/Kong/kong/pull/10570" target="_blank" rel="noopener nofollow noreferrer ">#10570</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/cors"><strong>CORS</strong></a> (<code class="language-plaintext highlighter-rouge">cors</code>) <ul> <li>Added support for the <code class="language-plaintext highlighter-rouge">Access-Control-Request-Private-Network</code> header in cross-origin pre-flight requests. <a href="https://github.com/kong/kong/pull/11523" target="_blank" rel="noopener nofollow noreferrer ">#11523</a>.</li> </ul> </li> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Exposed the new configuration field <code class="language-plaintext highlighter-rouge">scan_count</code> for Redis storage, which controls how many keys are returned in a <code class="language-plaintext highlighter-rouge">scan</code> call. <a href="https://github.com/kong/kong/pull/11532" target="_blank" rel="noopener nofollow noreferrer ">#11532</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/session/"><strong>Session</strong></a> (<code class="language-plaintext highlighter-rouge">session</code>) <ul> <li>Introduced the new configuration field <code class="language-plaintext highlighter-rouge">read_body_for_logout</code> with a default value of <code class="language-plaintext highlighter-rouge">false</code>. This change alters the behavior of <code class="language-plaintext highlighter-rouge">logout_post_arg</code> in such a way that it is no longer considered, unless <code class="language-plaintext highlighter-rouge">read_body_for_logout</code> is explicitly set to <code class="language-plaintext highlighter-rouge">true</code>.</li> </ul> <p>This adjustment prevents the Session plugin from automatically reading request bodies for logout detection, particularly on POST requests.</p> </li> </ul> <h3 id="fixes-23">Fixes</h3> <h4 id="enterprise-1">Enterprise</h4> <ul> <li>Fixed a keyring issue where Kong nodes failed to send keyring material when using the cluster strategy.</li> <li>Enforced Content Security Policy (CSP) headers for serving static resources via Kong Manager.</li> <li>Fixed an RBAC issue related to retrieving group roles with a numeric group name type.</li> <li>When using <code class="language-plaintext highlighter-rouge">openid-connect</code> as the <code class="language-plaintext highlighter-rouge">admin_gui_auth</code> method for Kong Manager, some <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf</code> required settings are now hardcoded.</li> <li>Fixed an issue where the data plane hostname was <code class="language-plaintext highlighter-rouge">nil</code> in Vitals when running Kong Gateway in hybrid mode.</li> </ul> <h5 id="admin-api-16">Admin API</h5> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">rbac_role_entities</code> records of cascaded entities were not deleted when the entity was deleted.</li> <li>Fixed an issue that allowed the creation of colliding routes in different workspaces when using <code class="language-plaintext highlighter-rouge">application/x-www-form-urlencoded</code> as the content type in the Admin API.</li> <li>Optimized the performance of querying plugins when accessing the <code class="language-plaintext highlighter-rouge">application_services</code> and <code class="language-plaintext highlighter-rouge">application_instances</code> endpoints.</li> <li>Fixed an issue where users were unable to completely delete a developer by its email via the Admin API.</li> <li>Added FIPS state and license type checks in <code class="language-plaintext highlighter-rouge">validate_fips</code>.</li> <li>Removed FIPS from free mode.</li> <li>Implemented lazy enabling of FIPS mode upon receiving a valid license, emitting warnings instead of blocking Kong Gateway startup. This approach allows normal use of non-FIPS content without a license, and FIPS mode activates only with a valid license. When no license is present, the service can start with a warning log, and FIPS mode remains disabled until a valid license is added. Additionally, deleting a valid license via the Admin API results in a warning without disabling FIPS mode.</li> <li>Unified the error responses for failed admin authentication via Admin and Portal APIs.</li> </ul> <h5 id="kong-manager-11">Kong Manager</h5> <ul> <li>Resolved an issue where the admin page remained pending when no admin was added.</li> <li>Updated the service name in the application list to be directly returned from the backend.</li> <li>Fixed breadcrumbs and RBAC permissions for entities sharing one menu item in the sidebar.</li> <li>Corrected the service query endpoint in the route form.</li> <li>Fixed an issue where the file upload input in the service document form was not functioning properly.</li> </ul> <h4 id="core-23">Core</h4> <ul> <li>Removed the chart <code class="language-plaintext highlighter-rouge">Current Database Availability</code>, which is not a vitals metric with Prometheus.</li> <li>Implemented cache invalidation based on both names and IDs for consumer groups.</li> <li>Applied Nginx patch to detect HTTP/2 stream reset attacks early, addressing <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023-44487</a>.</li> <li>Resolved an issue where the TTL of the Key Authentication plugin did not work in DB-less and hybrid modes. <a href="https://github.com/kong/kong/pull/11464" target="_blank" rel="noopener nofollow noreferrer ">#11464</a> </li> <li>Addressed a problem where an abnormal socket connection would be reused when querying the PostgreSQL database. <a href="https://github.com/kong/kong/pull/11480" target="_blank" rel="noopener nofollow noreferrer ">#11480</a> </li> <li>Fixed an issue causing upstream SSL failures when plugins used response handlers. <a href="https://github.com/Kong/kong/issues/11502" target="_blank" rel="noopener nofollow noreferrer ">#11502</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">tls_passthrough</code> protocol could not work with the expressions flavor router. <a href="https://github.com/kong/kong/issues/11538" target="_blank" rel="noopener nofollow noreferrer ">#11538</a> </li> <li>Fixed an issue which caused failures in sending tracing data to Datadog when the value of the <code class="language-plaintext highlighter-rouge">x-datadog-parent-id</code> header in requests was a short decimal string. <a href="https://github.com/kong/kong/issues/11599" target="_blank" rel="noopener nofollow noreferrer ">#11599</a> </li> <li>Resolved the building failure when applying patches. <a href="https://github.com/kong/kong/issues/11696" target="_blank" rel="noopener nofollow noreferrer ">#11696</a> </li> <li>Enabled the use of vault references in DB-less mode in declarative configuration files. <a href="https://github.com/kong/kong/issues/11845" target="_blank" rel="noopener nofollow noreferrer ">#11845</a> </li> <li>Vault caches now properly warm up during initialization. <a href="https://github.com/kong/kong/issues/11827" target="_blank" rel="noopener nofollow noreferrer ">#11827</a> </li> <li>The vault resurrect time is now respected if a vault secret is deleted from a vault. <a href="https://github.com/kong/kong/issues/11852" target="_blank" rel="noopener nofollow noreferrer ">#11852</a> </li> <li>Restored the <code class="language-plaintext highlighter-rouge">lapis</code> and <code class="language-plaintext highlighter-rouge">luarocks-admin</code> bins. <a href="https://github.com/Kong/kong/pull/11551" target="_blank" rel="noopener nofollow noreferrer ">#11551</a> </li> </ul> <h4 id="kong-manager-open-source-3">Kong Manager Open Source</h4> <ul> <li>Resolved an issue that caused incorrect port information to display in the Kong Manager. <a href="https://github.com/kong/kong-manager/pull/103" target="_blank" rel="noopener nofollow noreferrer ">#103</a>.</li> <li>Fixed a bug where the Proxy Caching plugin could not be installed in Kong Manager. <a href="https://github.com/kong/kong-manager/pull/104" target="_blank" rel="noopener nofollow noreferrer ">#104</a> </li> </ul> <h4 id="plugins-37">Plugins</h4> <ul> <li>Added a new handler for plugins to implement, where configs will be <code class="language-plaintext highlighter-rouge">nil</code> if there are no active configurations for the plugin. This change can be seen in the Acme, Prometheus, and Rate Limiting Advanced plugins.</li> <li>Kong Gateway now requires a license to use dynamic plugin ordering.</li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>Mutual TLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed an issue to prevent caching network failures during revocation checks.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer/"><strong>Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer</code>) <ul> <li>Resolved warning logs related to flooded JSON decoding issues.</li> </ul> </li> <li> <a href="/hub/kong-inc/canary"><strong>Canary</strong></a> (<code class="language-plaintext highlighter-rouge">canary</code>) <ul> <li>Removed the custom validator for <code class="language-plaintext highlighter-rouge">config.start</code> to allow setting it to a past time.</li> </ul> </li> <li> <a href="/hub/kong-inc/saml"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>When the Redis session storage is incorrectly configured, users now receive a 500 error instead of being redirected endlessly.</li> <li>Reduced the severity of <code class="language-plaintext highlighter-rouge">session was not found</code> messages to <code class="language-plaintext highlighter-rouge">info</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Path parameters can now correctly match non-ASCII characters.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue where non <code class="language-plaintext highlighter-rouge">application/json</code> content-types were being rejected, even when the request body was not required.</li> <li>Fixed an issue where a null pointer exception could occur in certain scenarios when <code class="language-plaintext highlighter-rouge">notify_only_request_validation_failure</code> was set to true.</li> <li>Fixed the issue where path parameters couldn’t match non-ASCII characters.</li> <li>Fixed an issue where valid recursive schemas were always rejected.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue that resulted in traces with invalid parent IDs when <code class="language-plaintext highlighter-rouge">balancer</code> instrumentation was enabled. <a href="https://github.com/Kong/kong/pull/11830" target="_blank" rel="noopener nofollow noreferrer ">#11830</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/tcp-log">TCP Log</a> (<code class="language-plaintext highlighter-rouge">tcp-log</code>) <ul> <li>Resolved an issue related to unnecessary handshakes when reusing TLS connections. <a href="https://github.com/Kong/kong/pull/11848" target="_blank" rel="noopener nofollow noreferrer ">#11848</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Plugin-level proxy configuration now takes effect when fetching IAM credentials in an EKS environment with IRSA. This improvement allows the EKS IRSA credential provider (<code class="language-plaintext highlighter-rouge">TokenFileWebIdentityCredentials</code>) to correctly route requests through the plugin-level proxy configuration when obtaining credentials from the AWS STS service. <a href="https://github.com/Kong/kong/pull/11551" target="_blank" rel="noopener nofollow noreferrer ">#11551</a> </li> <li>The plugin now caches the AWS Lambda service by lambda service related fields. <a href="https://github.com/kong/kong/pulls/11821" target="_blank" rel="noopener nofollow noreferrer ">#11821</a> </li> </ul> </li> </ul> <h4 id="pdk-11">PDK</h4> <ul> <li>Addressed several issues in Vault and refactored the Vault codebase.</li> <li>Fixed an issue where the response body would get repeated when <code class="language-plaintext highlighter-rouge">kong.response.get_raw_body()</code> was called multiple times in a request lifecycle. <a href="https://github.com/Kong/kong/pull/11424" target="_blank" rel="noopener nofollow noreferrer ">#11424</a> </li> <li>Tracing: Fixed an issue that resulted in some parent spans to end before their children due to different precision of their timestamps. <a href="https://github.com/Kong/kong/pull/11484" target="_blank" rel="noopener nofollow noreferrer ">#11484</a> </li> <li>Fixed a bug related to data interference between requests in the <code class="language-plaintext highlighter-rouge">kong.log.serialize</code> function. <a href="https://github.com/Kong/kong/issues/11566" target="_blank" rel="noopener nofollow noreferrer ">#11566</a> </li> </ul> <h3 id="dependencies-18">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">resty.openssl</code> from 0.8.23 to 0.8.25 <a href="https://github.com/Kong/kong/issues/11518" target="_blank" rel="noopener nofollow noreferrer ">#11518</a> </li> <li>Fixed incorrect LuaJIT register allocation for IR_*LOAD on ARM64 <a href="https://github.com/Kong/kong/issues/11638" target="_blank" rel="noopener nofollow noreferrer ">#11638</a> </li> <li>Fixed LDP/STP fusing for unaligned accesses on ARM64 <a href="https://github.com/Kong/kong/issues/11639" target="_blank" rel="noopener nofollow noreferrer ">#11639</a> </li> <li>Bump lua-kong-nginx-module from 0.6.0 to 0.8.0 <a href="https://github.com/Kong/kong/issues/11663" target="_blank" rel="noopener nofollow noreferrer ">#11663</a> </li> <li>Fix incorrect LuaJIT LDP/STP fusion on ARM64 <a href="https://github.com/Kong/kong/issues/11537" target="_blank" rel="noopener nofollow noreferrer ">#11537</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 1.6.2 to 1.6.3 <a href="https://github.com/Kong/kong/issues/11360" target="_blank" rel="noopener nofollow noreferrer ">#11360</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">openresty</code> from 1.21.4.1 to 1.21.4.2 <a href="https://github.com/Kong/kong/issues/11360" target="_blank" rel="noopener nofollow noreferrer ">#11360</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.3.1 to 1.3.5 <a href="https://github.com/Kong/kong/issues/11551" target="_blank" rel="noopener nofollow noreferrer ">#11551</a> <a href="https://github.com/Kong/kong/issues/11613" target="_blank" rel="noopener nofollow noreferrer ">#11613</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">wasmtime</code> version from 8.0.1 to 12.0.2 <a href="https://github.com/Kong/kong/issues/11738" target="_blank" rel="noopener nofollow noreferrer ">#11738</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">openssl</code> from 3.1.2 to 3.1.4 <a href="https://github.com/Kong/kong/issues/11844" target="_blank" rel="noopener nofollow noreferrer ">#11844</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lapis</code> from 1.14.0.2 to 1.14.0.3 <a href="https://github.com/Kong/kong/issues/11849" target="_blank" rel="noopener nofollow noreferrer ">#11849</a> </li> <li>Bumped OpenID Connect plugin submodule <code class="language-plaintext highlighter-rouge">kong-openid-connect</code> from 2.5.5 to 2.5.9</li> <li>Kong CLI dependencies: <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">curl</code> from 8.3.0 to 8.4.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">nghttp2</code> from 1.56.0 to 1.57.0</li> </ul> </li> </ul> <h2 id="34316">3.4.3.16</h2> <p><strong>Release Date</strong> 2025/01/16</p> <h3 id="dependencies-19">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> to 2.11.9 to address <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-40896" target="_blank" rel="noopener nofollow noreferrer ">CVE-2024-40896</a>.</li> </ul> <h2 id="34315">3.4.3.15</h2> <p><strong>Release Date</strong> 2025/01/10</p> <h3 id="fixes-24">Fixes</h3> <h4 id="core-24">Core</h4> <ul> <li>Fixed an issue where a certificate entity configured with a vault reference was occasionally not refreshed on time when initialized with an invalid string.</li> </ul> <h3 id="dependencies-20">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.8.1 to 0.8.2.</li> <li>Fixed an issue in the Lua Kong Nginx module, ensuring that the values in the cache remain valid and are updated in time.</li> </ul> <h2 id="34314">3.4.3.14</h2> <p><strong>Release Date</strong> 2024/12/17</p> <h3 id="fixes-25">Fixes</h3> <h4 id="core-25">Core</h4> <ul> <li>Fixed an issue where the workspace ID was not included in the plugin config in the plugins iterator.</li> <li>Fixed Vault initialization by postponing Vault reference resolution to a timer in the <code class="language-plaintext highlighter-rouge">init_worker</code> phase.</li> <li>Fixed an issue where using Hashicorp Vault AppRole authentication with a secret ID file would fail to read the secret ID.</li> </ul> <h4 id="plugins-38">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) <ul> <li>Fixed an issue where the plugin could fail to authenticate to Redis correctly with vault-referenced Redis configuration.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Auth</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed an issue where a 500 error occurred when Kong configuration changed with the mTLS plugin enabled.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where counters of the overriding consumer groups weren’t fetched when the <code class="language-plaintext highlighter-rouge">window_size</code> was different and the workspace was non-default.</li> <li>Fixed an issue where, if multiple plugin instances sharing the same namespace enforced consumer groups and different <code class="language-plaintext highlighter-rouge">window_size</code>s were used in the consumer group overriding configs, then the rate limiting of some consumer groups would fall back to the <code class="language-plaintext highlighter-rouge">local</code> strategy. Now, every plugin instance sharing the same namespace can set a different <code class="language-plaintext highlighter-rouge">window_size</code>.</li> <li>Fixed an issue where the plugin could fail to authenticate to Redis correctly with Vault-referenced Redis configuration.</li> <li>Fixed an issue where plugin-stored items with a long expiration time caused <code class="language-plaintext highlighter-rouge">no memory</code> errors.</li> </ul> </li> </ul> <h2 id="34313">3.4.3.13</h2> <p><strong>Release Date</strong> 2024/11/15</p> <h3 id="features-19">Features</h3> <h4 id="core-26">Core</h4> <ul> <li> <p>Added support for AWS IAM role assuming in AWS IAM Database Authentication, with the following new configuration fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_assume_role_arn</code>, <code class="language-plaintext highlighter-rouge">pg_iam_auth_role_session_name</code>, <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_assume_role_arn</code>, and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_role_session_name</code>.</p> </li> <li> <p>Added support for a configurable STS endpoint for RDS IAM Authentication, with the following new configuration fields: <code class="language-plaintext highlighter-rouge">pg_iam_auth_sts_endpoint_url</code> and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_sts_endpoint_url</code>.</p> </li> <li> <p>Added support for a configurable STS endpoint for AWS Vault. This can either be configured by <code class="language-plaintext highlighter-rouge">vault_aws_sts_endpoint_url</code> as a global configuration, or <code class="language-plaintext highlighter-rouge">sts_endpoint_url</code> on a custom AWS Vault entity.</p> </li> </ul> <h4 id="plugins-39">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>): <ul> <li>Added support for a configurable STS endpoint with the new configuration field <code class="language-plaintext highlighter-rouge">aws_sts_endpoint_url</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Increased the time resolution of sliding window weight calculation.</li> </ul> </li> </ul> <h3 id="fixes-26">Fixes</h3> <h4 id="core-27">Core</h4> <ul> <li>Fixed an issue where the Vault secret cache got refreshed during <code class="language-plaintext highlighter-rouge">resurrect_ttl</code> time and could not be fetched by other workers.</li> <li>Moved internal Unix sockets to a subdirectory (<code class="language-plaintext highlighter-rouge">sockets</code>) of the Kong prefix.</li> <li>Shortened the names of internal Unix sockets to avoid exceeding the socket name limit.</li> <li>Fixed an issue where AWS IAM assume role could not be used in AWS IAM database authentication by using the following fields: <ul> <li><code class="language-plaintext highlighter-rouge">pg_iam_auth_assume_role_arn</code></li> <li><code class="language-plaintext highlighter-rouge">pg_iam_auth_role_session_name</code></li> <li><code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_assume_role_arn</code></li> <li><code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_role_session_name</code></li> </ul> </li> <li>Fixed an issue where the STS endpoint could not be configured manually in RDS IAM Authentication, AWS Vault and AWS Lambda plugin. For RDS IAM authentication, it can be configured by <code class="language-plaintext highlighter-rouge">pg_iam_auth_sts_endpoint_url</code> and <code class="language-plaintext highlighter-rouge">pg_ro_iam_auth_sts_endpoint_url</code>. For AWS vault, it can be configured using <code class="language-plaintext highlighter-rouge">vault_aws_sts_endpoint_url</code> as a global configuration, or <code class="language-plaintext highlighter-rouge">sts_endpoint_url</code> on a custom AWS vault entity. For the AWS Lambda plugin, it can be configured using the <code class="language-plaintext highlighter-rouge">aws_sts_endpoint_url</code>.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">luarocks-admin</code> was not available in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>.</li> <li>Fixed an issue where analytics could break when the value type of rate limiting-related headers was not <code class="language-plaintext highlighter-rouge">integer</code>.</li> <li>Fixed an issue where the IAM auth token was not refreshed when the underlying AWS credential expired.</li> </ul> <h4 id="plugins-40">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">header_type</code> being <code class="language-plaintext highlighter-rouge">nil</code> caused a log message concatenation error.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where the sync timer could stop working due to a race condition.</li> <li>Fixed an issue where when the sliding window and <code class="language-plaintext highlighter-rouge">window_size</code> was very small, the precision of the rate limit wasn’t accurate enough.</li> </ul> </li> </ul> <h3 id="dependencies-21">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">LPEG</code> from 1.0.2 to 1.1.0 to keep the version consistent across all active branches. The version bump includes fixes like UTF-8 ranges, a larger limit for rules and matches, accumulator capture, and more.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> to 1.5.3 to fix a bug related to the STS regional endpoint.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> to 1.6.1 to fix a <code class="language-plaintext highlighter-rouge">GET</code> request build issue, which was causing problems with Azure secret references.</li> <li>Made the RPM package relocatable with the default prefix set to <code class="language-plaintext highlighter-rouge">/</code>.</li> </ul> <h2 id="34312">3.4.3.12</h2> <p><strong>Release Date</strong> 2024/08/08</p> <h3 id="deprecations-3">Deprecations</h3> <ul> <li>Debian 10, CentOS 7, and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of this patch, Kong is not building Kong Gateway 3.4.x installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.</li> </ul> <h3 id="features-20">Features</h3> <h4 id="core-28">Core</h4> <ul> <li>Kong Gateway Enterprise container images are now produced with build provenance and signed using cosign. Signatures and attestations are published to the Docker Hub repository. Build provenance can be <a href="/gateway/3.4.x/kong-enterprise/provenance-verification/">verified by cosign/slsa-verifier</a> using the published attestations.</li> </ul> <h3 id="fixes-27">Fixes</h3> <h4 id="core-29">Core</h4> <ul> <li> <p>The <code class="language-plaintext highlighter-rouge">kong.logrotate</code> configuration file is no longer overwritten during upgrade.</p> <p>This change presents an additional prompt for Debian users upgrading via <code class="language-plaintext highlighter-rouge">apt</code> and <code class="language-plaintext highlighter-rouge">deb</code> packages. To accept the defaults provided by Kong in the package, use the following command, adjusting it to your architecture and the version you’re upgrading to:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span>noninteractive apt upgrade kong-enterprise-edition_3.4.3.11_arm64.deb </code></pre></div> </div> </li> <li> <p>Fixed an issue where a new data plane couldn’t resolve a Vault reference after the first configuration push. This was happening due to issues with license pre-loading.</p> </li> </ul> <h4 id="plugins-41">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where, if the <code class="language-plaintext highlighter-rouge">window_size</code> in a consumer group’s overriding config was different from the <code class="language-plaintext highlighter-rouge">window_size</code> in the plugin’s default config, the rate limiting of that consumer group would fall back to the local strategy.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where an exception would be thrown when LDAP search failed.</li> </ul> </li> </ul> <h2 id="34311">3.4.3.11</h2> <p><strong>Release Date</strong> 2024/06/22</p> <h3 id="fixes-28">Fixes</h3> <ul> <li>Fixed an issue where the DNS client was incorrectly using the content of the <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses.</li> </ul> <h2 id="34310">3.4.3.10</h2> <p><strong>Release Date</strong> 2024/06/18</p> <h3 id="known-issues-5">Known issues</h3> <ul> <li>There is an issue with the DNS client fix, where the DNS client incorrectly uses the content <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses. To avoid this issue, install 3.4.3.11 instead of this patch.</li> </ul> <h3 id="fixes-29">Fixes</h3> <h4 id="admin-api-17">Admin API</h4> <ul> <li>The <code class="language-plaintext highlighter-rouge">/<workspace>/admins</code> endpoint was incorrectly used to return admins associated with a workspace based on their assigned RBAC roles. This has been fixed and now accurately returns admins according to their specific workspace associations.</li> </ul> <h3 id="dependencies-22">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to 0.2.1.</li> </ul> <h2 id="3439">3.4.3.9</h2> <p><strong>Release Date</strong> 2024/06/08</p> <h3 id="features-21">Features</h3> <h4 id="admin-api-18">Admin API</h4> <ul> <li>Added LHS bracket filtering to search fields.</li> <li> <strong>Audit logs:</strong> <ul> <li>Added <code class="language-plaintext highlighter-rouge">request_timestamp</code> to <code class="language-plaintext highlighter-rouge">audit_objects</code>.</li> <li>Added before and after aliases for LHS Brackets filters.</li> <li> <code class="language-plaintext highlighter-rouge">audit_requests</code> and <code class="language-plaintext highlighter-rouge">audit_objects</code> can now be filtered by <code class="language-plaintext highlighter-rouge">request_timestamp</code>.</li> </ul> </li> </ul> <h3 id="fixes-30">Fixes</h3> <h4 id="admin-api-19">Admin API</h4> <ul> <li>Fixed an issue with the workspace listing API, which showed workspaces that the user didn’t have any roles in. The API now only shows workspaces that the user has access to.</li> </ul> <h4 id="core-30">Core</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">cluster_cert</code> or <code class="language-plaintext highlighter-rouge">cluster_ca_cert</code> was inserted into <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code> before being base64-decoded.</li> <li> <strong>Vitals</strong>: Fixed an issue where each data plane connecting to the control plane would trigger the creation of a redundant table rotater timer on the control plane.</li> <li> <strong>DNS Client</strong>: Fixed an issue where the Kong DNS client stored records with non-matching domain and type when parsing answers. It now ignores records when the RR type differs from that of the query when parsing answers.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">host_header</code> attribute of the upstream entity wouldn’t be set correctly as a Host header in requests to the upstream during connection retries.</li> <li>Built-in RBAC roles for admins (<code class="language-plaintext highlighter-rouge">admin</code> under the default workspace and <code class="language-plaintext highlighter-rouge">workspace-admin</code> under non-default workspaces) now disallow CRUD actions to <code class="language-plaintext highlighter-rouge">/groups</code> and <code class="language-plaintext highlighter-rouge">/groups/*</code> endpoints.</li> </ul> <h4 id="plugins-42">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue where anonymous consumers were being cached as <code class="language-plaintext highlighter-rouge">nil</code> under a certain condition.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Timer spikes no longer occur when there is network instability with the central data store.</li> </ul> </li> </ul> <h3 id="dependencies-23">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-azure</code> from 1.4.1 to 1.5.0 to refine some error logging.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 1.6.4 to 1.6.5 to fix memory leak issues by reusing a timer for the same active healthcheck target instead of running many timers.</li> </ul> <h2 id="3438">3.4.3.8</h2> <p><strong>Release Date</strong> 2024/05/16</p> <h3 id="features-22">Features</h3> <h4 id="admin-api-20">Admin API</h4> <ul> <li>Changed the default ordering of <code class="language-plaintext highlighter-rouge">audit_requests</code> to sort by <code class="language-plaintext highlighter-rouge">request_timestamp</code> in descending order.</li> </ul> <h3 id="fixes-31">Fixes</h3> <h4 id="admin-api-21">Admin API</h4> <ul> <li>Fixed an issue where HTTP 500 errors were returned when paginating and sorting by timestamp fields (for example, <code class="language-plaintext highlighter-rouge">created_at</code>).</li> </ul> <h4 id="plugins-43">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>), <a href="/hub/kong-inc/websocket-size-limit/"><strong>WebSocket Size Limit</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-size-limit</code>), <a href="/hub/kong-inc/websocket-validator/"><strong>WebSocket Validator</strong></a> (<code class="language-plaintext highlighter-rouge">websocket-validator</code>), <a href="/hub/kong-inc/xml-threat-protection/"><strong>XML Threat Protection</strong></a> (<code class="language-plaintext highlighter-rouge">xml-threat-protection</code>) <ul> <li>The priorities of these plugins have been updated to prevent collisions between plugins. The relative priority (and the order of execution) of bundled plugins remains unchanged.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Refactored <code class="language-plaintext highlighter-rouge">kong/tools/public/rate-limiting</code>, adding the new interface <code class="language-plaintext highlighter-rouge">new_instance</code> to provide isolation between different plugins. The original interfaces remain unchanged for backward compatibility.</p> <p>If you are using custom Rate Limiting plugins based on this library, update the initialization code to the new format. For example: <code class="language-plaintext highlighter-rouge">'local ratelimiting = require("kong.tools.public.rate-limiting").new_instance("custom-plugin-name")'</code>. The old interface will be removed in the upcoming major release.</p> </li> </ul> </li> </ul> <h3 id="dependencies-24">Dependencies</h3> <ul> <li>Improved the robustness of <code class="language-plaintext highlighter-rouge">lua-cjson</code> when handling unexpected input.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> to 0.19 to support TCP socket keepalive.</li> </ul> <h2 id="3437">3.4.3.7</h2> <p><strong>Release Date</strong> 2024/04/23</p> <h3 id="features-23">Features</h3> <h4 id="plugins-44">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/application-registration/"><strong>Portal Application Registration</strong></a> (<code class="language-plaintext highlighter-rouge">application-registration</code>) <ul> <li>Added support for accessing the service using consumer credential authentication. To use this functionality, enable <code class="language-plaintext highlighter-rouge">enable_proxy_with_consumer_credential</code> (default is <code class="language-plaintext highlighter-rouge">false</code>).</li> </ul> </li> </ul> <h3 id="fixes-32">Fixes</h3> <h4 id="clustering-13">Clustering</h4> <ul> <li>Fixed an issue where event hooks were prematurely validated in hybrid mode. The fix delays the validation of event hooks to the point where event hooks are emitted.</li> </ul> <h4 id="core-31">Core</h4> <ul> <li>Fixed an issue with data planes in hybrid mode, where a certificate entity configured with a vault reference was occasionally not refreshed on time.</li> </ul> <h4 id="pdk-12">PDK</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_port</code> incorrectly returned a string from <code class="language-plaintext highlighter-rouge">ngx.ctx.host_port</code>. It now correctly returns a number.</li> </ul> <h3 id="dependencies-25">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> to 0.5.1.</li> </ul> <h2 id="3436">3.4.3.6</h2> <p><strong>Release Date</strong> 2024/04/15</p> <h3 id="features-24">Features</h3> <h4 id="kong-manager-enterprise-4">Kong Manager Enterprise</h4> <ul> <li>Added support for Microsoft Azure’s KeyVault Secrets Engine.</li> </ul> <h4 id="plugins-45">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Added the new field <code class="language-plaintext highlighter-rouge">api_spec_encoded</code> to indicate whether the <code class="language-plaintext highlighter-rouge">api_spec</code> is URI-encoded.</li> </ul> </li> </ul> <h3 id="fixes-33">Fixes</h3> <h4 id="configuration-15">Configuration</h4> <ul> <li>Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API.</li> </ul> <h4 id="kong-manager-enterprise-5">Kong Manager Enterprise</h4> <ul> <li>Fixed an issue where logging in failed when fields in the Developer Portal configuration <strong>Developer Meta Fields</strong> tab contained characters outside the Latin1 range.</li> <li>Fixed an issue where the admin account profile page returned a 404 error if the <code class="language-plaintext highlighter-rouge">admin_gui_path</code> wasn’t a slash.</li> </ul> <h4 id="plugins-46">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Fixed an issue where the certificate was not successfully renewed during ACME renewal.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where GraphQL variables were not being correctly parsed and coerced into their defined types.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where any plugins using the <code class="language-plaintext highlighter-rouge">rate-limiting</code> library, when used together, would interfere with each other and fail to synchronize counter data to the central data store.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Improved robustness of parsing for short trace IDs.</li> </ul> </li> </ul> <h4 id="plugin-2">Plugin</h4> <h3 id="dependencies-26">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> to 0.8.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-luasocket</code> to 1.1.2 to fix <a href="https://github.com/lunarmodules/luasocket/issues/427" target="_blank" rel="noopener nofollow noreferrer ">luasocket#427</a> </li> </ul> <h2 id="3435">3.4.3.5</h2> <p><strong>Release Date</strong> 2024/03/21</p> <h3 id="breaking-changes-2">Breaking changes</h3> <ul> <li>In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result, the following are prohibited: <ul> <li>RSA, DSA, and DH keys shorter than 2048 bits</li> <li>ECC keys shorter than 224 bits</li> <li>Any cipher suite using RC4</li> <li>SSL version 3 Additionally, compression is disabled.</li> </ul> </li> <li>The recent OpenResty bump includes TLS 1.3 and deprecates TLS 1.1. If you still need to support TLS 1.1, set the <a href="/gateway/3.4.x/reference/configuration/#ssl_cipher_suite"><code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code></a> setting to <code class="language-plaintext highlighter-rouge">old</code>.</li> </ul> <h3 id="features-25">Features</h3> <h4 id="configuration-16">Configuration</h4> <ul> <li>Added support for Microsoft Azure’s KeyVault Secrets Engine. Set it up using the <a href="/gateway/3.4.x/reference/configuration/#vault_azure_vault_uri"><code class="language-plaintext highlighter-rouge">vault_azure_*</code></a> configuration parameters.</li> <li>TLSv1.1 and lower is now disabled by default in OpenSSL 3.x.</li> </ul> <h4 id="core-32">Core</h4> <ul> <li>The expressions router now supports the <code class="language-plaintext highlighter-rouge">! (not)</code> operator, which allows creating routes like <code class="language-plaintext highlighter-rouge">!(http.path =^ "/a")</code> and <code class="language-plaintext highlighter-rouge">!(http.path == "/a" || http.path == "/b")</code>.</li> <li>Added support for the debug request header <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug-Output</code>, which lets you observe the time consumed by specific components in a given request. Enable it using the <a href="/gateway/3.4.x/reference/configuration/#request_debug"><code class="language-plaintext highlighter-rouge">request_debug</code></a> configuration parameter. This header helps you diagnose the cause of any latency in Kong Gateway. See the <a href="/gateway/3.4.x/production/debug-request/">Request Debugging</a> guide for more information.</li> <li>Kong Gateway now supports <a href="/gateway/3.4.x/key-concepts/routes/expressions/#matching-fields"><code class="language-plaintext highlighter-rouge">http.path.segments.len</code> and <code class="language-plaintext highlighter-rouge">http.path.segments.*</code></a> fields in the expressions router, which allows matching incoming (normalized) request paths by individual segments or ranges of segments, and checking the total number of segments.</li> <li>The <a href="/gateway/3.4.x/key-concepts/routes/expressions/#matching-fields"><code class="language-plaintext highlighter-rouge">net.src.*</code> and <code class="language-plaintext highlighter-rouge">net.dst.*</code></a> match fields are now accessible in HTTP routes defined using expressions.</li> <li>Modified the current AWS Vault backend to support <code class="language-plaintext highlighter-rouge">CredentialProviderChain</code> so that users can choose not to use <code class="language-plaintext highlighter-rouge">AK-SK</code> environment variables to grant IAM role permissions.</li> <li>The HashiCorp Vault secrets management backend now supports the AppRole authentication method.</li> <li>OSS features will now continue working with an expired license, and configured Kong Enterprise features will continue operating in read-only mode. Kong Gateway now logs a daily critical message when a license is expired and within the 30 days grace period.</li> <li>You can now use an RBAC token to authenticate while using <a href="/gateway/3.4.x/kong-manager/auth/oidc/mapping/">group mapping with Kong Manager</a> (for example, with OIDC or LDAP).</li> <li>Introduced the new endpoint <a href="/gateway/api/admin-ee/latest/#/Information/get-schemas-vaults-vault_name"><code class="language-plaintext highlighter-rouge">/schemas/vaults/:name</code></a> for retrieving the schema of a vault.</li> </ul> <h4 id="plugins-47">Plugins</h4> <ul> <li> <p>Plugins can now implement the <code class="language-plaintext highlighter-rouge">Plugin:configure(configs)</code> function, which is called when there is a change in plugin entities. It receives an array of current plugin configurations, or nil if there are no active configurations. Learn more about this function in the guide for <a href="/gateway/3.4.x/plugin-development/custom-logic/">Implementing Custom Logic</a> for plugins.</p> </li> <li> <a href="/hub/kong-inc/cors"><strong>CORS</strong></a> (<code class="language-plaintext highlighter-rouge">cors</code>) <ul> <li>Added support for the <code class="language-plaintext highlighter-rouge">Access-Control-Request-Private-Network</code> header in cross-origin pre-flight requests.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Auth</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Added a <code class="language-plaintext highlighter-rouge">default_consumer</code> option, which allows a default consumer to be used when the client certificate is valid but doesn’t match any existing consumers.</li> </ul> </li> </ul> <h3 id="fixes-34">Fixes</h3> <h4 id="configuration-17">Configuration</h4> <ul> <li>Set the security level of gRPC’s TLS to <code class="language-plaintext highlighter-rouge">0</code> when <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is set to <code class="language-plaintext highlighter-rouge">old</code>.</li> <li>Added the missing <code class="language-plaintext highlighter-rouge">azure_vault</code> config options to the <code class="language-plaintext highlighter-rouge">kong.conf</code> file.</li> </ul> <h4 id="core-33">Core</h4> <ul> <li>Header value matching (<code class="language-plaintext highlighter-rouge">http.headers.*</code>) in the <code class="language-plaintext highlighter-rouge">expressions</code> router flavor is now case sensitive. This change doesn’t affect <code class="language-plaintext highlighter-rouge">traditional_compatible</code> mode where header value matching is always performed with the case ignored.</li> <li>Updated the file permission of <code class="language-plaintext highlighter-rouge">kong.logrotate</code> to 644.</li> <li>Expressions routes in <code class="language-plaintext highlighter-rouge">http</code> and <code class="language-plaintext highlighter-rouge">stream</code> subsystems now have stricter validation. Previously, they shared the same validation schema, so admins could configure expressions routes using fields like <code class="language-plaintext highlighter-rouge">http.path</code> even for stream routes. This is no longer allowed.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">rbac_role_entities</code> records of cascaded entities were not deleted when the entity was deleted.</li> <li>Reduce message push error logs when the <code class="language-plaintext highlighter-rouge">cluster_telemetry_endpoint</code> config is disabled.</li> <li>Vaults: Fixed an issue where the vault used the wrong (default) workspace identifier when retrieving a vault entity by prefix.</li> </ul> <h4 id="kong-manager-12">Kong Manager</h4> <ul> <li>Fixed the display of the remaining days of license expiration date.</li> <li>The user token input field is now concealed while editing an RBAC user.</li> <li>Fixed some issues with group mapping.</li> </ul> <h4 id="plugins-48">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>The plugin now falls back to the non-streaming proxy when the request body has already been read.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an OTEL sampling mode Lua panic bug that occurred when the <code class="language-plaintext highlighter-rouge">http_response_header_for_traceid</code> option was enabled.</li> <li>Increased queue max batch size to 200.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Marked the <code class="language-plaintext highlighter-rouge">introspection_headers_values</code> as an encrypted and referenceable field.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">sync_rate</code> setting being used with the <code class="language-plaintext highlighter-rouge">redis</code> strategy. If the Redis connection is interrupted while <code class="language-plaintext highlighter-rouge">sync_rate = 0</code>, the plugin now accurately falls back to the <code class="language-plaintext highlighter-rouge">local</code> strategy.</li> <li>Fixed an issue where, if <code class="language-plaintext highlighter-rouge">sync_rate</code> was changed from a value greater than <code class="language-plaintext highlighter-rouge">0</code> to <code class="language-plaintext highlighter-rouge">0</code>, the namespace was cleared unexpectedly.</li> <li>Fixed some timer-related issues where the counter syncing timer couldn’t be created or destroyed properly.</li> <li>The plugin now creates counter syncing timers during plugin execution instead of plugin creation to reduce some meaningless error logs.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>), <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>), <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>), <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>), and <a href="/hub/kong-inc/saml"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Added support for consumer group scoping by using the PDK <code class="language-plaintext highlighter-rouge">kong.client.authenticate</code> function.</li> </ul> </li> </ul> <h3 id="performance-5">Performance</h3> <h4 id="configuration-18">Configuration</h4> <ul> <li>Bumped the default values of <code class="language-plaintext highlighter-rouge">nginx_http_keepalive_requests</code> and <code class="language-plaintext highlighter-rouge">upstream_keepalive_max_requests</code> to 10000.</li> </ul> <h4 id="core-34">Core</h4> <ul> <li>Reuse match context between requests to avoid frequent memory allocation/deallocation.</li> </ul> <h3 id="dependencies-27">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> from 1.2.0 to 1.6.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 1.2.0 to 1.2.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> from 0.17 to 0.18</li> </ul> <h2 id="3434">3.4.3.4</h2> <p><strong>Release Date</strong> 2024/02/10</p> <h3 id="features-26">Features</h3> <h4 id="core-35">Core</h4> <ul> <li>Added support for namespaced authentication and user-defined authentication paths when using HashiCorp Vault on Kubernetes.</li> </ul> <h4 id="clustering-14">Clustering</h4> <ul> <li>Added resilience support for homogeneous data plane deployments. Data planes can now act as importers and exporters at the same time, and Kong Gateway will try to control the concurrency when exporting the config.</li> </ul> <h3 id="fixes-35">Fixes</h3> <h4 id="core-36">Core</h4> <ul> <li>Fixed an issue where workload identity didn’t work for dataplane resilience.</li> <li>Fixed an issue where the GCP backend vault would hide the error message when secrets couldn’t be fetched.</li> <li>Fixed an issue that caused spans to not be instrumented with <code class="language-plaintext highlighter-rouge">http.status_code</code> when the request was not proxied to an upstream.</li> </ul> <h4 id="configuration-19">Configuration</h4> <ul> <li>Fixed a data loss error caused by a weakly-typed <code class="language-plaintext highlighter-rouge">of</code> function in the <code class="language-plaintext highlighter-rouge">declarative_config_flattened</code> function.</li> </ul> <h4 id="plugins-49">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed some cache-related issues which caused <code class="language-plaintext highlighter-rouge">groups_required</code> to return unexpected codes after a non-200 response.</li> <li>Fixed an issue where, if the credential was encoded with no username, Kong Gateway would return a 500 error code.</li> </ul> </li> </ul> <h3 id="dependencies-28">Dependencies</h3> <ul> <li>Bumped OpenSSL from 3.1.4 to 3.2.1 <a href="https://github.com/Kong/kong/issues/7762" target="_blank" rel="noopener nofollow noreferrer ">#7762</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty-openssl</code> from 0.8.25 to 1.2.0 <a href="https://github.com/Kong/kong/issues/7741" target="_blank" rel="noopener nofollow noreferrer ">#7741</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.3.5 to 1.3.6</li> </ul> <h2 id="3433">3.4.3.3</h2> <p><strong>Release Date</strong> 2024/01/17</p> <h3 id="features-27">Features</h3> <h4 id="core-37">Core</h4> <ul> <li>The Debian variant of Kong Gateway Docker image is now built using Debian 12. <a href="https://github.com/Kong/kong/issues/7672" target="_blank" rel="noopener nofollow noreferrer ">#7672</a> </li> </ul> <h4 id="admin-api-22">Admin API</h4> <ul> <li>Added the Kong Gateway edition to the root endpoint of the Admin API. <a href="https://github.com/Kong/kong/issues/7674" target="_blank" rel="noopener nofollow noreferrer ">#7674</a> </li> </ul> <h4 id="plugins-50">Plugins</h4> <ul> <li> <strong><a href="/hub/kong-inc/app-dynamics/">AppDynamics</a></strong>: Added <code class="language-plaintext highlighter-rouge">CONTROLLER_CERTIFICATE_FILE</code> and <code class="language-plaintext highlighter-rouge">CONTROLLER_CERTIFICATE_DIR</code> environment variable config for the AppDynamics plugin to use a self-signed certificate.</li> </ul> <h3 id="fixes-36">Fixes</h3> <h4 id="portal">Portal</h4> <ul> <li>Implemented relative URLs for portal root path redirection to prevent erroneous redirections to incorrect domains or protocols.</li> </ul> <h4 id="core-38">Core</h4> <ul> <li>Fixed an RBAC issue that required adding missing endpoints to all workspaces.</li> </ul> <h4 id="plugins-51">Plugins</h4> <ul> <li> <strong><a href="/hub/kong-inc/oas-validation/">OAS-Validation</a></strong>: Fixed an issue where cookie parameters were not being validated.</li> </ul> <h4 id="admin-api-23">Admin API</h4> <ul> <li>It is no longer possible for admins or RBAC users to update their own roles.</li> </ul> <h4 id="kong-manager-13">Kong Manager</h4> <ul> <li> <p>Fixed an issue where the dynamic ordering dropdown list didn’t show custom plugins.</p> </li> <li> <p>Fixed an issue where the role of the current workspace couldn’t be created by the role <code class="language-plaintext highlighter-rouge">workspace-super-admin</code>’s admin.</p> </li> </ul> <h3 id="dependencies-29">Dependencies</h3> <ul> <li> <p>Bumped <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> to 1.5.3</p> </li> <li> <p>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> to 1.6.4 to fix a bug where the health check module would not work correctly when multiple health check instances were not cleared.</p> </li> </ul> <h2 id="3432">3.4.3.2</h2> <p><strong>Release Date</strong> 2023/12/22</p> <h3 id="features-28">Features</h3> <h4 id="plugins-52">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>The plugin now supports decoding non-standard <code class="language-plaintext highlighter-rouge">asn1</code> integer and enumerated encoded with redundant leading padding.</li> </ul> </li> </ul> <h3 id="fixes-37">Fixes</h3> <h4 id="core-39">Core</h4> <ul> <li>Optimized the performance of querying plugins when accessing the <code class="language-plaintext highlighter-rouge">application_services/application_instances</code> endpoints.</li> </ul> <h4 id="kong-manager-14">Kong Manager</h4> <ul> <li>Fixed an issue where some services are missing from the Dev Portal’s application list in Kong Manager.</li> <li>Fixed an issue where clicking the spec upload input doesn’t trigger file selection.</li> </ul> <h2 id="3431">3.4.3.1</h2> <p><strong>Release Date</strong> 2023/12/15</p> <h3 id="breaking-changes-3">Breaking Changes</h3> <h4 id="plugins-53">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/saml"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>): Adjusted the priority of the SAML plugin to 1010 to correct the integration between the SAML plugin and other consumer-based plugins.</li> </ul> <h3 id="features-29">Features</h3> <h4 id="core-40">Core</h4> <ul> <li>A unique Request ID is now populated in the error log, access log, error templates, log serializer, and in a new X-Kong-Request-Id header (configurable for upstream/downstream using the <code class="language-plaintext highlighter-rouge">headers</code> and <code class="language-plaintext highlighter-rouge">headers_upstream</code> configuration options). <a href="https://github.com/Kong/kong/issues/7207" target="_blank" rel="noopener nofollow noreferrer ">#7207</a> </li> <li>The default value of the <a href="/gateway/3.4.x/reference/configuration/#dns_no_sync"><code class="language-plaintext highlighter-rouge">dns_no_sync</code></a> option has been changed to <code class="language-plaintext highlighter-rouge">off</code>.</li> </ul> <h4 id="plugins-54">Plugins</h4> <ul> <li> <p><a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>): The AWS-Lambda plugin has been refactored by using <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> as an underlying AWS library. The refactor simplifies the AWS-Lambda plugin code base and adds support for multiple IAM authenticating scenarios. <a href="https://github.com/Kong/kong/issues/7079" target="_blank" rel="noopener nofollow noreferrer ">#7079</a></p> </li> <li> <p><a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>)</p> <ul> <li>Configurations <code class="language-plaintext highlighter-rouge">scopes</code>, <code class="language-plaintext highlighter-rouge">login_redirect_uri</code>, <code class="language-plaintext highlighter-rouge">logout_redirect_uri</code> can now be referenced as a secret in the Kong Vault.</li> <li>Extend <code class="language-plaintext highlighter-rouge">token_post_args_client</code> to support injection from headers.</li> </ul> </li> </ul> <h3 id="fixes-38">Fixes</h3> <h4 id="configuration-20">Configuration</h4> <ul> <li>Respect custom <code class="language-plaintext highlighter-rouge">proxy_access_log</code>. <a href="https://github.com/Kong/kong/issues/7436" target="_blank" rel="noopener nofollow noreferrer ">#7436</a> </li> </ul> <h4 id="core-41">Core</h4> <ul> <li>Print error message correctly when plugin fails. <a href="https://github.com/Kong/kong/issues/7079" target="_blank" rel="noopener nofollow noreferrer ">#7079</a> </li> <li>Fixed <code class="language-plaintext highlighter-rouge">ldoc</code> intermittent failure caused by LuaJIT error. <a href="https://github.com/Kong/kong/issues/7491" target="_blank" rel="noopener nofollow noreferrer ">#7491</a> </li> <li>Fixed Vault’s try function to avoid using semaphore in non-yieldable phases. <a href="https://github.com/Kong/kong/issues/7114" target="_blank" rel="noopener nofollow noreferrer ">#7114</a> </li> <li>Vault references can be used in DB-less mode in declarative config. <a href="https://github.com/Kong/kong/issues/7483" target="_blank" rel="noopener nofollow noreferrer ">#7483</a> </li> <li>Correctly invalidate caches based on names and IDs for consumer groups.</li> <li>Eliminated the asynchronous timer in syncQuery() to prevent hang risk.</li> <li>Fixed critical level logs when starting external plugin servers. Those logs cannot be suppressed due to the limitation of OpenResty. We choose to remove the socket availability detection feature.</li> </ul> <h4 id="admin-api-24">Admin API</h4> <ul> <li>Fixed an issue where unique violation errors were reported while trying to update the user_token with the same value on the same RBAC user.</li> </ul> <h4 id="kong-manager-15">Kong Manager</h4> <ul> <li>Fixed an issue where the Applications tab was not visible for services under non-default workspaces.</li> </ul> <h4 id="clustering-15">Clustering</h4> <ul> <li>Fixed an issue where the dataplane’s log serializer output has a workspace name under hybrid mode.</li> <li>Fixed an issue where the dataplane hostname is <code class="language-plaintext highlighter-rouge">nil</code> in Vitals under hybrid mode.</li> </ul> <h4 id="pdk-13">PDK</h4> <ul> <li>Fixed a bug related to data interference between requests in the <code class="language-plaintext highlighter-rouge">kong.log.serialize</code> function. <a href="https://github.com/Kong/kong/issues/7327" target="_blank" rel="noopener nofollow noreferrer ">#7327</a> </li> <li> <strong>Plugin Server</strong>: Fixed an issue where every request causes a new plugin instance to be created.</li> </ul> <h4 id="plugins-55">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>): <ul> <li>Cached the AWS lambda service by those lambda service related fields. <a href="https://github.com/Kong/kong/issues/7079" target="_blank" rel="noopener nofollow noreferrer ">#7079</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>): <ul> <li>Fixed the issue where request payload is being discarded when payload exceeded the <code class="language-plaintext highlighter-rouge">client_body_buffer_size</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwe-decrypt/"><strong>JWE Decrypt</strong></a> (<code class="language-plaintext highlighter-rouge">jwe-decrypt</code>): <ul> <li>Fixed a typo in an error message.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>): <ul> <li>Fixed an issue where path parameter cannot match non-ascii characters.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>): <ul> <li>Fixed an issue where the plugin throws a runtime error when the ref parameter schema isn’t dereferenced. <a href="https://github.com/Kong/kong/issues/7543" target="_blank" rel="noopener nofollow noreferrer ">#7543</a> </li> <li>Fixed an issue where valid recursive schemas are always rejected.</li> <li>Fixed an issue that the plugin throws a runtime error while validating parameters with AnyType schema and style keyword defined.</li> <li>Fixed an issue where the nullable keyword did not take effect.</li> <li>Fixed an issue where the URI component escaped characters were incorrectly unescaped.</li> <li>Fixed an issue where path parameter cannot match non-ascii characters.</li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>): <ul> <li>Marked the <code class="language-plaintext highlighter-rouge">authorization_value</code> in the <code class="language-plaintext highlighter-rouge">oauth2-introspection</code> plugin as an encrypted field.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>): <ul> <li>Fixed a issue where an 500 error is thrown when the Dev Portal is enabled with OIDC and the administrator logs in successfully and retrieves the session.</li> <li>Fixed the update time when calculating token expiry.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>): <ul> <li>Fixed an issue where all counters are synced to the same DB at the same rate. <a href="https://github.com/Kong/kong/issues/7314" target="_blank" rel="noopener nofollow noreferrer ">#7314</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/tcp-log"><strong>TCP Log</strong></a> (<code class="language-plaintext highlighter-rouge">tcp-log</code>): <ul> <li>Fixed an issue of unnecessary handshakes when reusing TLS connection. <a href="https://github.com/Kong/kong/issues/7114" target="_blank" rel="noopener nofollow noreferrer ">#7114</a> </li> </ul> </li> </ul> <h3 id="performance-6">Performance</h3> <h4 id="configuration-21">Configuration</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">dns_stale_ttl</code> default to 1 hour so the stale DNS record can be used for a longer amount of time in case of resolver downtime.</li> </ul> <h3 id="dependencies-30">Dependencies</h3> <h4 id="core-42">Core</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">openresty</code> from 1.21.4.1 to 1.21.4.3 <a href="https://github.com/Kong/kong/issues/7206" target="_blank" rel="noopener nofollow noreferrer ">#7206</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty-openssl</code> from 0.8.25 to 1.0.2 <a href="https://github.com/Kong/kong/issues/7417" target="_blank" rel="noopener nofollow noreferrer ">#7417</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> from 1.6.2 to 1.6.3 <a href="https://github.com/Kong/kong/issues/7206" target="_blank" rel="noopener nofollow noreferrer ">#7206</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.6.0 to 0.8.0 <a href="https://github.com/Kong/kong/issues/7207" target="_blank" rel="noopener nofollow noreferrer ">#7207</a> </li> <li>Bumped jq to 1.7</li> <li>Bumped luasec to 1.3.2</li> </ul> <h4 id="default-1">Default</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.2.3 to 1.3.0 <a href="https://github.com/Kong/kong/issues/7079" target="_blank" rel="noopener nofollow noreferrer ">#7079</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.3.2 to 1.3.5 <a href="https://github.com/Kong/kong/issues/7318" target="_blank" rel="noopener nofollow noreferrer ">#7318</a> </li> </ul> <h2 id="3420">3.4.2.0</h2> <p><strong>Release date</strong> 2023/11/10</p> <h3 id="features-30">Features</h3> <h4 id="enterprise-2">Enterprise</h4> <ul> <li>License management: <ul> <li>Implemented a new grace period that lasts 30 days from the Kong Enterprise license expiration date. During the grace period all open source functionality will be available, and Enterprise functionality will be set to read-only mode.</li> <li>Added support for counters such as routes, plugins, licenses, and deployment information to the license report.</li> <li>Added a checksum to the output of the license endpoint.</li> </ul> </li> </ul> <h3 id="fixes-39">Fixes</h3> <h4 id="core-43">Core</h4> <ul> <li>Fixed an issue with the DNS client was not adhering to configured timeouts in a predictable manner. Also fixed a related issue that cause the DNS client to resolve incorrectly during transient network and DNS server failures. <a href="https://github.com/Kong/kong/pull/11386" target="_blank" rel="noopener nofollow noreferrer ">#11386</a> </li> <li>The default value of the <a href="/gateway/3.4.x/reference/configuration/#dns_no_sync"><code class="language-plaintext highlighter-rouge">dns_no_sync</code></a> option has been changed to <code class="language-plaintext highlighter-rouge">on</code>. <a href="https://github.com/kong/kong/pull/11871" target="_blank" rel="noopener nofollow noreferrer ">#11871</a>.</li> <li>Dismiss confusing log entry from Redis regarding rate limiting.</li> </ul> <h4 id="kong-manager-16">Kong Manager</h4> <ul> <li>Fixed an issue where some services were not showing the exact name or ID while configuring a route.</li> </ul> <h4 id="plugins-56">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue that resulted in traces with invalid parent IDs when balancer instrumentation was enabled. <a href="https://github.com/Kong/kong/pull/11830" target="_blank" rel="noopener nofollow noreferrer ">#11830</a> </li> <li>Add hybrid mode compatibility for older DPs that don’t support the new <code class="language-plaintext highlighter-rouge">aws</code> header type. <a href="https://github.com/Kong/kong/pull/11686" target="_blank" rel="noopener nofollow noreferrer ">#11686</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>)</li> <li>Add hybrid mode compatibility for older DPs that don’t support the new <code class="language-plaintext highlighter-rouge">aws</code> header type. <a href="https://github.com/Kong/kong/pull/11686" target="_blank" rel="noopener nofollow noreferrer ">#11686</a> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">using_pseudo_issuer</code>, where it was not used after it was propagated.</li> </ul> </li> </ul> <h3 id="dependencies-31">Dependencies</h3> <h4 id="enterprise-3">Enterprise</h4> <ul> <li>Bumped OpenSSL from 3.1.2 to 3.1.4</li> <li>Added troubleshooting tools to container images</li> <li>Bumped <code class="language-plaintext highlighter-rouge">ngx_wasm_module</code> version to prerelease-0.1.1</li> </ul> <h2 id="3411">3.4.1.1</h2> <p><strong>Release Date</strong> 2023/10/12</p> <h3 id="fixes-40">Fixes</h3> <h4 id="core-44">Core</h4> <ul> <li> <p>Applied Nginx patch for early detection of HTTP/2 stream reset attacks. This change is in direct response to the identified vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023-44487</a>.</p> <p>See our <a href="https://konghq.com/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update" target="_blank" rel="noopener nofollow noreferrer ">blog post</a> for more details on this vulnerability and Kong’s responses to it.</p> </li> </ul> <h4 id="plugins-57">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>): Adjusted the severity of <code class="language-plaintext highlighter-rouge">session was not found</code> messages to <code class="language-plaintext highlighter-rouge">info</code>.</li> </ul> <h3 id="dependencies-32">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> from 2.10.3 to 2.11.5</li> </ul> <h2 id="3410">3.4.1.0</h2> <p><strong>Release Date</strong> 2023/09/28</p> <h3 id="breaking-changes-4">Breaking Changes</h3> <ul> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>): The schema validation has been updated so that Redis cluster mode is now supported. This schema change does not impact other implementations of this plugin.</li> </ul> <h3 id="features-31">Features</h3> <h4 id="core-45">Core</h4> <ul> <li>Support HTTP query parameters in expression routes.</li> </ul> <h4 id="plugins-58">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>): <ul> <li>New field <code class="language-plaintext highlighter-rouge">unauthorized_destroy_session</code>, which when set to true, destroys the session, by deleting the user’s session cookie, when the request is unauthorized. Default to <code class="language-plaintext highlighter-rouge">true</code>. Set to <code class="language-plaintext highlighter-rouge">false</code> to preserve the session.</li> <li>New field <code class="language-plaintext highlighter-rouge">using_pseudo_issuer</code>. When set to true, the plugin instance will not discover the configuration from the issuer.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>): A new value is added to the parameter <code class="language-plaintext highlighter-rouge">header_type</code>, enabling Kong to seamlessly inject Datadog headers into forwarded requests’ headers when communicating with upstream services.</li> </ul> <h3 id="fixes-41">Fixes</h3> <h4 id="core-46">Core</h4> <ul> <li>Removed a hardcoded proxy-wasm isolation level setting that was preventing the <code class="language-plaintext highlighter-rouge">nginx_http_proxy_wasm_isolation</code> configuration value from taking effect.</li> <li>Fixed an issue where the TTL of the Key Auth plugin didn’t work in DB-less and Hybrid mode.</li> <li>Fixed a problem where an abnormal socket connection will be reused when querying the Postgres database.</li> <li>Fixed an upstream SSL failure when plugins used a response handler.</li> <li>Fixed an issue with the <code class="language-plaintext highlighter-rouge">tls_passthrough</code> protocol did not work with the router expressions flavor.</li> <li>Fixed an issue where plugins would not trigger correctly when the authenticated consumer is part of multiple consumer groups.</li> <li>Fixed a keyring issue where a Kong node fails to send keyring material when using cluster strategy.</li> <li>Fixed an issue that will cause a failure to send tracing data to Datadog when the value of the <code class="language-plaintext highlighter-rouge">x-datadog-parent-id</code> header in requests is a short decimal string.</li> <li>Fixed the way RBAC retrieves group roles with a group name whose type is a number.</li> <li>Fixed critical level logs when starting external plugin servers. Those logs cannot be suppressed due to the limitation of OpenResty. We choose to remove the socket availability detection feature.</li> </ul> <h4 id="pdk-14">PDK</h4> <ul> <li>Fixed several issues in Vault and refactored the Vault code base: <ul> <li>Make DAOs fallback to an empty string when resolving Vault references fail</li> <li>Use node-level mutex when rotating references</li> <li>Refresh references on config changes</li> <li>Update plugin referenced values only once per request</li> <li>Pass only the valid config options to vault implementations</li> <li>Resolve multi-value secrets only once when rotating them</li> <li>Do not start vault secrets rotation timer on control planes</li> <li>Re-enable negative caching</li> <li>Reimplement the <code class="language-plaintext highlighter-rouge">kong.vault.try</code> function</li> <li>Remove references from rotation in case their configuration has changed</li> </ul> </li> <li>Tracing: fixed an issue that resulted in some parent spans to end before their children due to different precision of their timestamps.</li> </ul> <h4 id="plugin-3">Plugin</h4> <ul> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>): fix an issue that resulted in invalid parent IDs in the propagated tracing headers</li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>): should not cache the network failure when performing a revocation check</li> <li> <a href="/hub/kong-inc/canary/"><strong>Canary</strong></a> (<code class="language-plaintext highlighter-rouge">canary</code>): allow the <code class="language-plaintext highlighter-rouge">start</code> field to be a time that occurs in the past.</li> <li> <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>): When the Redis session storage is incorrectly configured, users now receive a 500 error instead of being redirected endlessly.</li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>): Fix the issue on token revocation on logout where the code was revoking the refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.</li> </ul> <h3 id="kong-manager-17">Kong Manager</h3> <ul> <li>Kong Manager now links directly to the <a href="/gateway/api/admin-ee/3.4.0.x/">Gateway Admin API - EE (beta)</a> </li> </ul> <h3 id="dependencies-33">Dependencies</h3> <ul> <li>Fixed incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic.</li> </ul> <h2 id="3400">3.4.0.0</h2> <p><strong>Release Date</strong> 2023/08/09</p> <h3 id="breaking-changes-and-deprecations-5">Breaking changes and deprecations</h3> <ul> <li> <strong>Cassandra DB support removed:</strong> Cassandra DB support has been removed. It is no longer supported as a data store for Kong Gateway. <a href="https://github.com/Kong/kong/pull/10931" target="_blank" rel="noopener nofollow noreferrer ">#10931</a>.</li> <li> <strong>Alpine support removed:</strong> Alpine packages and Docker images based on Alpine are no longer supported. Starting with Kong Gateway 3.4.0.0, Kong is not building new Alpine images or packages. <a href="https://github.com/Kong/kong/pull/10926" target="_blank" rel="noopener nofollow noreferrer ">#10926</a> </li> <li> <p><strong>Ubuntu 18.04 support removed</strong>: Support for running Kong Gateway on Ubuntu 18.04 (“Bionic”) is now deprecated, as <a href="https://wiki.ubuntu.com/Releases" target="_blank" rel="noopener nofollow noreferrer ">Standard Support for Ubuntu 18.04 has ended as of June 2023</a>. Starting with Kong Gateway 3.4.0.0, Kong is not building new Ubuntu 18.04 images or packages, and Kong will not test package installation on Ubuntu 18.04.</p> <p>If you need to install Kong Gateway on Ubuntu 18.04, see the documentation for <a href="/gateway/3.1.x/install/linux/ubuntu/">previous versions</a>.</p> </li> <li>Amazon Linux 2022 artifacts are renamed to Amazon Linux 2023, based on AWS’s own renaming.</li> <li>LMDB encryption has been disabled. The option <code class="language-plaintext highlighter-rouge">declarative_config_encryption_mode</code> has been removed from <code class="language-plaintext highlighter-rouge">kong.conf</code>.</li> <li>The <code class="language-plaintext highlighter-rouge">/consumer_groups/:id/overrides</code> endpoint is deprecated in favor of a more generic plugin scoping mechanism. See the new <a href="/gateway/api/admin-ee/3.4.0.x/#/consumer_groups/get-consumer_groups">consumer groups</a> entity.</li> <li>Renamed the configuration property <code class="language-plaintext highlighter-rouge">admin_api_uri</code> to <code class="language-plaintext highlighter-rouge">admin_gui_api_url</code>. The old <code class="language-plaintext highlighter-rouge">admin_api_uri</code> property is considered deprecated and will be fully removed in a future version of Kong Gateway.</li> <li>The RHEL8 Docker image provided by Kong is replaced with the RHEL9 Docker image. The RHEL8 packages are still available <a href="https://cloudsmith.io/~kong/repos/gateway-34/packages/?q=distribution%3Arhel+AND+distribution%3A8" target="_blank" rel="noopener nofollow noreferrer ">from our package repository</a>.</li> </ul> <h3 id="features-32">Features</h3> <h4 id="deployment-1">Deployment</h4> <ul> <li>Kong Gateway is now available on <a href="https://cloudsmith.io/~kong/repos/gateway-34/packages/?q=distribution%3Arhel+AND+distribution%3A9" target="_blank" rel="noopener nofollow noreferrer ">RHEL 9</a>.</li> </ul> <h4 id="enterprise-4">Enterprise</h4> <ul> <li>Introduced the <a href="/gateway/latest/admin-api/workspaces/reference/#delete-a-workspace"><code class="language-plaintext highlighter-rouge">cascade</code></a> option for <code class="language-plaintext highlighter-rouge">/workspaces</code>, which lets you delete a workspace and all of its entities in one request.</li> <li>Consumer groups are now a core entity. With consumer groups, you can apply different configurations to select groups of consumers. The following plugins can now be scoped to consumer groups: <ul> <li>Rate Limiting Advanced</li> <li>Request Transformer and Request Transformer Advanced</li> <li>Response Transformer and Response Transformer Advanced</li> </ul> <p>See the documentation for <a href="/gateway/latest/kong-enterprise/consumer-groups/">consumer groups</a> to learn more.</p> </li> <li> <p>Added a new <code class="language-plaintext highlighter-rouge">ttl</code> option to vault configurations, allowing users to define the interval at which references are automatically re-fetched from the configured vault.</p> <p>See the documentation for <a href="/gateway/latest/kong-enterprise/secrets-management/secrets-rotation/">secrets rotation</a> to learn more.</p> </li> <li>The workspace name now appears in the logging payload.</li> </ul> <h4 id="kong-manager-18">Kong Manager</h4> <ul> <li> <p>Introduced the <strong>Kong Manager Open Source Edition (OSS)</strong>, a free and open-source UI for Kong Gateway OSS! <a href="https://github.com/Kong/kong/pull/11131" target="_blank" rel="noopener nofollow noreferrer ">#11131</a></p> <p><a href="/gateway/latest/kong-manager-oss/">Kong Manager OSS</a> allows you to view and edit all Kong Gateway objects using the Admin API. It interacts directly with the Kong Admin API and does not require a separate database. This UI provides a great way to see all of your Kong Gateway configuration at glance.</p> <p>Starting with 3.4.0.0, Kong Manager OSS is bundled with Kong Gateway OSS. Install a new Kong Gateway OSS instance to try it out!</p> <p>The quickest way to get started is using the <a href="https://github.com/Kong/kong-manager#getting-started" target="_blank" rel="noopener nofollow noreferrer ">quickstart script</a>.</p> <p>Check out the <a href="https://github.com/Kong/kong-manager" target="_blank" rel="noopener nofollow noreferrer ">Kong Manager OSS repo</a> to learn more about it.</p> </li> <li>Enhanced the user experience of editing pages for entities with a refined look and feel.</li> <li>Simplified the user path by removing the configuration pages for nested entities.</li> </ul> <h4 id="core-47">Core</h4> <ul> <li> <p><strong>Beta feature:</strong> Introduced the beta of WebAssembly (<code class="language-plaintext highlighter-rouge">proxy-wasm</code>). <a href="https://github.com/Kong/kong/pull/11218" target="_blank" rel="noopener nofollow noreferrer ">#11218</a></p> <p>This release integrates <a href="https://github.com/Kong/ngx_wasm_module" target="_blank" rel="noopener nofollow noreferrer "><code class="language-plaintext highlighter-rouge">Kong/ngx-wasm-module</code></a> into Kong Gateway.</p> </li> <li>The <code class="language-plaintext highlighter-rouge">/schemas</code> endpoint now returns additional information about cross-field validation as part of the schema. This should help tools that use the Admin API to perform better client-side validation.</li> <li>Enabled the <code class="language-plaintext highlighter-rouge">expressions</code> and <code class="language-plaintext highlighter-rouge">traditional_compatible</code> router flavors in the stream subsystem. <a href="https://github.com/Kong/kong/pull/11071" target="_blank" rel="noopener nofollow noreferrer ">#11071</a> </li> <li>The upstream <code class="language-plaintext highlighter-rouge">host_header</code> and router <code class="language-plaintext highlighter-rouge">preserve_host</code> configuration parameters now work in stream TLS proxy. <a href="https://github.com/Kong/kong/pull/11244" target="_blank" rel="noopener nofollow noreferrer ">#11244</a> </li> <li>In DB-less mode, the declarative schema is now fully initialized at startup instead of on-demand in the request path. This is most evident in decreased response latency when updating configuration via the <code class="language-plaintext highlighter-rouge">/config</code> API endpoint. <a href="https://github.com/Kong/kong/pull/10932" target="_blank" rel="noopener nofollow noreferrer ">#10932</a> </li> <li>Tracing: Added the new attribute <code class="language-plaintext highlighter-rouge">http.route</code> to HTTP request spans. <a href="https://github.com/Kong/kong/pull/10981" target="_blank" rel="noopener nofollow noreferrer ">#10981</a> </li> <li>Tracing: Added the span attribute <code class="language-plaintext highlighter-rouge">net.peer.name</code>, which records the upstream hostname if it’s available in <code class="language-plaintext highlighter-rouge">balancer_data.hostname</code>. Thanks <a href="https://github.com/backjo" target="_blank" rel="noopener nofollow noreferrer ">@backjo</a> for contributing this change. <a href="https://github.com/Kong/kong/pull/10729" target="_blank" rel="noopener nofollow noreferrer ">#10723</a> </li> <li>The default value of <code class="language-plaintext highlighter-rouge">lmdb_map_size</code> config has been bumped to <code class="language-plaintext highlighter-rouge">2048m</code> from <code class="language-plaintext highlighter-rouge">128m</code> to accommodate most commonly deployed config sizes in DB-less and hybrid modes. <a href="https://github.com/Kong/kong/pull/11047" target="_blank" rel="noopener nofollow noreferrer ">#11047</a> </li> <li>The default value of <code class="language-plaintext highlighter-rouge">cluster_max_payload</code> config has been bumped to <code class="language-plaintext highlighter-rouge">16m</code> from <code class="language-plaintext highlighter-rouge">4m</code> to accommodate most commonly deployed config sizes in hybrid mode. <a href="https://github.com/Kong/kong/pull/11090" target="_blank" rel="noopener nofollow noreferrer ">#11090</a> </li> <li>Removed Kong branding from the kong HTML error template. <a href="https://github.com/Kong/kong/pull/11150" target="_blank" rel="noopener nofollow noreferrer ">#11150</a> </li> </ul> <h4 id="plugins-59">Plugins</h4> <ul> <li>Validation for plugin queue related parameters has been improved. <a href="https://github.com/Kong/kong/pull/10840" target="_blank" rel="noopener nofollow noreferrer ">#10840</a> <ul> <li> <code class="language-plaintext highlighter-rouge">max_batch_size</code>, <code class="language-plaintext highlighter-rouge">max_entries</code>, and <code class="language-plaintext highlighter-rouge">max_bytes</code> are now declared as <code class="language-plaintext highlighter-rouge">integer</code> not <code class="language-plaintext highlighter-rouge">number</code>.</li> <li> <code class="language-plaintext highlighter-rouge">initial_retry_delay</code> and <code class="language-plaintext highlighter-rouge">max_retry_delay</code> must now be numbers greater than 0.001 (in seconds).</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">redis</code> strategy now catches strategy connection failures.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>This plugin now supports the error reason header. This header can be turned off by setting <code class="language-plaintext highlighter-rouge">expose_error_code</code> to <code class="language-plaintext highlighter-rouge">false</code>.</li> <li>OpenID Connect now supports adding scope to the token cache key by setting <code class="language-plaintext highlighter-rouge">token_cache_key_include_scope</code> to <code class="language-plaintext highlighter-rouge">true</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/kafka-log/"><strong>Kafka Log</strong></a> (<code class="language-plaintext highlighter-rouge">kafka-log</code>) <ul> <li>The Kafka Log plugin now supports the <code class="language-plaintext highlighter-rouge">custom_fields_by_lua</code> configuration for dynamic modification of log fields using Lua code.</li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">host</code> field of this plugin now accepts Kong upstream targets.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Introduced support for the AWS X-Ray propagation header. The field <code class="language-plaintext highlighter-rouge">header_type</code>now accepts the <code class="language-plaintext highlighter-rouge">aws</code> value to handle this specific propagation header. <a href="https://github.com/Kong/kong/pull/11075" target="_blank" rel="noopener nofollow noreferrer ">#11075</a> </li> <li>The <code class="language-plaintext highlighter-rouge">endpoint</code> parameter is now referenceable, and can be stored as a secret in a vault. <a href="https://github.com/Kong/kong/pull/11220" target="_blank" rel="noopener nofollow noreferrer ">#11220</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ip-restriction/"><strong>IP Restriction</strong></a> (<code class="language-plaintext highlighter-rouge">ip-restriction</code>) <ul> <li> <p>Added support for the <code class="language-plaintext highlighter-rouge">tcp</code>, <code class="language-plaintext highlighter-rouge">tls</code>, <code class="language-plaintext highlighter-rouge">grpc</code>, and <code class="language-plaintext highlighter-rouge">grpcs</code> protocols.</p> <p>Thanks <a href="https://github.com/scrudge" target="_blank" rel="noopener nofollow noreferrer ">@scrudge</a> for contributing this change. <a href="https://github.com/Kong/kong/pull/10245" target="_blank" rel="noopener nofollow noreferrer ">#10245</a></p> </li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/"><strong>Prometheus</strong></a> (<code class="language-plaintext highlighter-rouge">prometheus</code>)</li> <li>The Prometheus plugin has been optimized to reduce proxy latency impacts during scraping. <a href="https://github.com/Kong/kong/pull/10949" target="_blank" rel="noopener nofollow noreferrer ">#10949</a> <a href="https://github.com/Kong/kong/pull/11040" target="_blank" rel="noopener nofollow noreferrer ">#11040</a> <a href="https://github.com/Kong/kong/pull/11065" target="_blank" rel="noopener nofollow noreferrer ">#11065</a> </li> </ul> <h3 id="fixes-42">Fixes</h3> <h4 id="enterprise-5">Enterprise</h4> <ul> <li>Fixed a potential memory leak and reconnection problem which could occur when telemetry breaks down due to any exceptions in its <code class="language-plaintext highlighter-rouge">send</code> thread.</li> <li>Telemetry: Fixed issues that broke the telemetry websocket: <ul> <li>Fixed an issue that caused the telemetry websocket to be blocked by latency while flushing Vitals to database. By using a queue as a buffer, the process of receiving Vitals data from the data plane is now decoupled from the process of flushing Vitals to the database on the control plane.</li> <li>Fixed an issue that broke the telemetry websocket in Konnect mode due to unexpected payloads when the counter of requests equals zero.</li> </ul> </li> <li>Fixed an issue where you could receive an empty <code class="language-plaintext highlighter-rouge">request_id</code> when generating audit data.</li> <li>Fixed an error that occurred when the header <code class="language-plaintext highlighter-rouge">x-datadog-parent-id</code> wasn’t passed to Kong Gateway.</li> <li>Fixed a queueing-related issue that broke event hooks in 3.3.0.0.</li> <li>Updated the datafile library to make the SAML plugin work when Kong Gateway is controlled by systemd.</li> <li>Fixed an issue where a workspace couldn’t attach to the cache’s consumer well.</li> <li>Fixed a LuaJIT crash on Arm64 and enabled LuaJIT on M1.</li> <li>Fixed an issue where the license couldn’t load when pulling <code class="language-plaintext highlighter-rouge">KONG_LICENSE_DATA</code> from a vault.</li> </ul> <h4 id="kong-manager-19">Kong Manager</h4> <ul> <li>Fixed an issue where Kong Manager didn’t get the latest config when the Enterprise license was posted via the Admin API.</li> <li>Fixed incorrect CORS behavior that occurred when Kong Manager was integrated with the Portal GUI.</li> <li>Fixed an issue where OIDC in Kong Manager didn’t handle <code class="language-plaintext highlighter-rouge">invalid credentials</code> when providing the wrong username.</li> <li>Added an alert message in the <code class="language-plaintext highlighter-rouge">admins tab</code> page for <code class="language-plaintext highlighter-rouge">workspace access</code> while the <code class="language-plaintext highlighter-rouge">admin_auth</code> is set to <code class="language-plaintext highlighter-rouge">openid-connect</code>.</li> <li>Fixed an issue where the custom permission endpoint didn’t work for <code class="language-plaintext highlighter-rouge">/services/<service-name-or-id>/application_instances</code>.</li> </ul> <h4 id="dev-portal">Dev Portal</h4> <ul> <li>Fixed an issue on portal documentation pages, where disabling the Application Registration plugin didn’t remove the <strong>Register</strong> button from a service.</li> <li>Fixed an issue with viewing OAS docs in the in the Dev Portal, where the UI would hang when attempting to expand an API.</li> </ul> <h4 id="core-48">Core</h4> <ul> <li>Declarative config now performs proper uniqueness checks against its inputs. Previously, it would silently drop entries with conflicting primary/endpoint keys, or accept conflicting unique fields silently. <a href="https://github.com/Kong/kong/pull/11199" target="_blank" rel="noopener nofollow noreferrer ">#11199</a> </li> <li>Fixed a bug where a worker consuming dynamic log level setting events used the wrong reference for notice logging. <a href="https://github.com/Kong/kong/pull/10897" target="_blank" rel="noopener nofollow noreferrer ">#10897</a> </li> <li>Added a <code class="language-plaintext highlighter-rouge">User=</code> specification to the systemd unit definition so that Kong Gateway can be controlled by systemd again. <a href="https://github.com/Kong/kong/pull/11066" target="_blank" rel="noopener nofollow noreferrer ">#11066</a> </li> <li>Fixed a bug that caused the sampling rate to be applied to individual spans, producing split traces. <a href="https://github.com/Kong/kong/pull/11135" target="_blank" rel="noopener nofollow noreferrer ">#11135</a> </li> <li>Fixed a bug that caused the router to fail in <code class="language-plaintext highlighter-rouge">traditional_compatible</code> mode when a route with multiple paths and no service was created. <a href="https://github.com/Kong/kong/pull/11158" target="_blank" rel="noopener nofollow noreferrer ">#11158</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">expressions</code> router couldn’t work correctly when <code class="language-plaintext highlighter-rouge">route.protocols</code> is set to <code class="language-plaintext highlighter-rouge">grpc</code> or <code class="language-plaintext highlighter-rouge">grpcs</code>. <a href="https://github.com/Kong/kong/pull/11082" target="_blank" rel="noopener nofollow noreferrer ">#11082</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">expressions</code> router couldn’t configure HTTPS redirection. <a href="https://github.com/Kong/kong/pull/11166" target="_blank" rel="noopener nofollow noreferrer ">#11166</a> </li> <li>Made the <code class="language-plaintext highlighter-rouge">kong vault get</code> CLI command work in DB-less mode by injecting the necessary directives into the Kong CLI <code class="language-plaintext highlighter-rouge">nginx.conf</code>. <a href="https://github.com/Kong/kong/pull/11127" target="_blank" rel="noopener nofollow noreferrer ">#11127</a> <a href="https://github.com/Kong/kong/pull/11291" target="_blank" rel="noopener nofollow noreferrer ">#11291</a> </li> <li>Fixed an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong Gateway to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different route or service entities. <a href="https://github.com/Kong/kong/pull/11306" target="_blank" rel="noopener nofollow noreferrer ">#11306</a> </li> </ul> <h4 id="admin-api-25">Admin API</h4> <ul> <li>Fixed an issue that caused <code class="language-plaintext highlighter-rouge">POST /config?flatten_errors=1</code> to throw an exception and return a 500 error under certain circumstances. <a href="https://github.com/Kong/kong/pull/10896" target="_blank" rel="noopener nofollow noreferrer ">#10896</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">/schemas/plugins/validate</code> endpoint failed to validate valid plugin configuration when the key of <code class="language-plaintext highlighter-rouge">custom_fields_by_lua</code> contained dot (<code class="language-plaintext highlighter-rouge">.</code>) character(s). <a href="https://github.com/Kong/kong/pull/11091" target="_blank" rel="noopener nofollow noreferrer ">#11091</a> </li> </ul> <h4 id="status-api">Status API</h4> <ul> <li>Removed the database information from the status API when operating in DB-less mode or on the data plane. <a href="https://github.com/Kong/kong/pull/10995" target="_blank" rel="noopener nofollow noreferrer ">#10995</a> </li> </ul> <h4 id="plugins-60">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/oauth2-introspection/"><strong>OAuth 2.0 Introspection</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>) <ul> <li>Fixed an issue where the plugin failed when processing a request with JSON that is not a table.</li> </ul> </li> <li> <a href="/hub/kong-inc/grpc-gateway/"><strong>gRPC Gateway</strong></a> (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>) <ul> <li>Fixed an issue where an array with one element would fail to be encoded.</li> <li>Fixed an issue where empty (all default value) messages couldn’t be unframed correctly. <a href="https://github.com/Kong/kong/pull/10836" target="_blank" rel="noopener nofollow noreferrer ">#10836</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer/"><strong>Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer</code>) and <a href="/hub/kong-inc/request-transformer-advanced/"><strong>Request Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer-advanced</code>) <ul> <li>Fixed an issue where the plugin wouldn’t transform the response body when the upstream returned a Content-Type with a <code class="language-plaintext highlighter-rouge">+json</code> suffix as the subtype.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Changed some log levels from <code class="language-plaintext highlighter-rouge">notice</code> to <code class="language-plaintext highlighter-rouge">error</code> for better visibility.</li> <li>Correctly set the right table key on <code class="language-plaintext highlighter-rouge">log</code> and <code class="language-plaintext highlighter-rouge">message</code>.</li> <li>If an invalid opaque token is provided but verification fails, the plugin now prints the correct error.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue where the plugin threw an error when the arbitrary elements were defined in the path node.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed several revocation verification issues: <ul> <li>If <code class="language-plaintext highlighter-rouge">revocation_check_mode=IGNORE_CA_ERROR</code>, then the CRL revocation failure will be ignored.</li> <li>Once a CRL is added into the store, it will always do CRL revocation check with this CRL file.</li> <li>OCSP verification failed with <code class="language-plaintext highlighter-rouge">no issuer certificate in chain</code> error if the client only sent a leaf certificate.</li> <li> <code class="language-plaintext highlighter-rouge">http_timeout</code> wasn’t correctly set.</li> </ul> </li> <li>Optimized CRL revocation verification.</li> <li>Fixed an issue that would cause an unexpected error when <code class="language-plaintext highlighter-rouge">skip_consumer_lookup</code> is enabled and <code class="language-plaintext highlighter-rouge">authenticated_group_by</code> is set to <code class="language-plaintext highlighter-rouge">null</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/kafka-log/"><strong>Kafka Log</strong></a> (<code class="language-plaintext highlighter-rouge">kafka-log</code>) and <a href="/hub/kong-inc/kafka-upstream/"><strong>Kafka Upstream</strong></a> (<code class="language-plaintext highlighter-rouge">kafka-upstream</code>) <ul> <li>Fixed an issue where the plugin could lose connection to a broker when the broker leadership changed.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Fixed an issue where the plugin was unable to pass the validation even if path parameter was valid.</li> <li>Fixed an issue where the plugin always validated the request body even if the method spec had no <code class="language-plaintext highlighter-rouge">requestBody</code> defined.</li> <li>Fixed an issue where the comparison between large absolute value numbers could be incorrect due to the number being converted to exponential notation.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Optimized the response message for invalid requests.</li> </ul> </li> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Fixed an issue where the sanity test didn’t work with <code class="language-plaintext highlighter-rouge">kong</code> storage in hybrid mode. <a href="https://github.com/Kong/kong/pull/10852" target="_blank" rel="noopener nofollow noreferrer ">#10852</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> <ul> <li>Fixed an issue that impacted the accuracy with the <code class="language-plaintext highlighter-rouge">redis</code> policy. Thanks <a href="https://github.com/giovanibrioni" target="_blank" rel="noopener nofollow noreferrer ">@giovanibrioni</a> for contributing this change. <a href="https://github.com/Kong/kong/pull/10559" target="_blank" rel="noopener nofollow noreferrer ">#10559</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Fixed an issue where traces weren’t being generated correctly when instrumentations were enabled. <a href="https://github.com/Kong/kong/pull/10983" target="_blank" rel="noopener nofollow noreferrer ">#10983</a> </li> </ul> </li> </ul> <h3 id="dependencies-34">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-redis-cluster</code> from 1.5.0 to 1.5.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-ljsonschema</code> from 1.1.3 to 1.15</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-kafka</code> from 0.15 to 0.16</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.2.2 to 1.2.3</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 0.8.20 to 0.8.23 <a href="https://github.com/Kong/kong/pull/10837" target="_blank" rel="noopener nofollow noreferrer ">#10837</a> <a href="https://github.com/Kong/kong/pull/11099" target="_blank" rel="noopener nofollow noreferrer ">#11099</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lapis</code> from 1.8.3.1 to 1.14.0.2 <a href="https://github.com/Kong/kong/pull/10841" target="_blank" rel="noopener nofollow noreferrer ">#10841</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> from 0.1.4 to 0.2.0 <a href="https://github.com/Kong/kong/pull/10883" target="_blank" rel="noopener nofollow noreferrer ">#10883</a> <a href="https://github.com/Kong/kong/pull/11083" target="_blank" rel="noopener nofollow noreferrer ">#11083</a> <a href="https://github.com/Kong/kong/pull/11214" target="_blank" rel="noopener nofollow noreferrer ">#11214</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-session</code> from 4.0.3 to 4.0.4 <a href="https://github.com/Kong/kong/pull/11011" target="_blank" rel="noopener nofollow noreferrer ">#11011</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenSSL</code> from 1.1.1t to 3.1.1 <a href="https://github.com/Kong/kong/pull/10180" target="_blank" rel="noopener nofollow noreferrer ">#10180</a> <a href="https://github.com/Kong/kong/pull/11140" target="_blank" rel="noopener nofollow noreferrer ">#11140</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">pgmoon</code> from 1.16.0 to 1.16.2 (Kong’s fork) <a href="https://github.com/Kong/kong/pull/11181" target="_blank" rel="noopener nofollow noreferrer ">#11181</a> <a href="https://github.com/Kong/kong/pull/11229" target="_blank" rel="noopener nofollow noreferrer ">#11229</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> from 1.0.5 to 1.2.0 <a href="https://github.com/Kong/kong/pull/10100" target="_blank" rel="noopener nofollow noreferrer ">#10100</a> <a href="https://github.com/Kong/kong/pull/11071" target="_blank" rel="noopener nofollow noreferrer ">#11071</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-lmdb</code> from 1.1.0 to 1.3.0 <a href="https://github.com/Kong/kong/pull/11227" target="_blank" rel="noopener nofollow noreferrer ">#11227</a> </li> </ul> <h3 id="known-issues-6">Known issues</h3> <ul> <li> <p>Some referenceable configuration fields, such as the <code class="language-plaintext highlighter-rouge">http_endpoint</code> field of the <code class="language-plaintext highlighter-rouge">http-log</code> plugin and the <code class="language-plaintext highlighter-rouge">endpoint</code> field of the <code class="language-plaintext highlighter-rouge">opentelemetry</code> plugin, do not accept reference values due to incorrect field validation.</p> </li> <li> <p>When adding new plugins to the existing installation (either manually or via the extension of <code class="language-plaintext highlighter-rouge">bundled</code> plugins), the <code class="language-plaintext highlighter-rouge">kong migrations finish</code> or <code class="language-plaintext highlighter-rouge">kong migrations up</code> must be run with the <code class="language-plaintext highlighter-rouge">-f</code> flag to forcefully upgrade the plugin schemas.</p> </li> </ul> <h2 id="3311">3.3.1.1</h2> <p><strong>Release Date</strong> 2023/10/12</p> <h3 id="breaking-changes-5">Breaking Changes</h3> <ul> <li> <p><strong>Ubuntu 18.04 support removed</strong>: Support for running Kong Gateway on Ubuntu 18.04 (“Bionic”) is now deprecated, as <a href="https://wiki.ubuntu.com/Releases" target="_blank" rel="noopener nofollow noreferrer ">Standard Support for Ubuntu 18.04 has ended as of June 2023</a>. Starting with Kong Gateway 3.2.2.4, Kong is not building new Ubuntu 18.04 images or packages, and Kong will not test package installation on Ubuntu 18.04.</p> <p>If you need to install Kong Gateway on Ubuntu 18.04, substitute a previous 3.2.x patch version in the <a href="/gateway/3.2.x/install/linux/ubuntu/">installation instructions</a>.</p> </li> <li>Amazon Linux 2022 artifacts are now labeled as Amazon Linux 2023, aligning with AWS’s renaming.</li> <li>CentOS packages are now removed from the release and are no longer supported in future versions.</li> </ul> <h3 id="features-33">Features</h3> <h4 id="plugins-61">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) and <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>): The Redis strategy now catches strategy connection failures.</li> </ul> <h3 id="fixes-43">Fixes</h3> <h4 id="core-49">Core</h4> <ul> <li> <p>Applied Nginx patch for early detection of HTTP/2 stream reset attacks. This change is in direct response to the identified vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023-44487</a>.</p> <p>See our <a href="https://konghq.com/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update" target="_blank" rel="noopener nofollow noreferrer ">blog post</a> for more details on this vulnerability and Kong’s responses to it.</p> </li> <li>Fixed an issue where an abnormal socket connection would be incorrectly reused when querying the PostgreSQL database.</li> <li>Fixed a keyring issue where Kong Gateway nodes would fail to send keyring data when using the cluster strategy.</li> <li>Fixed an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong Gateway to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different route or service entities.</li> <li>Fixed an issue that caused the sampling rate to be applied to individual spans, producing split traces.</li> <li>Fixed worker queue issues: <ul> <li>Worker queues now clear in batches when the worker is in shutdown mode and more data becomes immediately available, without waiting for <code class="language-plaintext highlighter-rouge">max_coalescing_delay</code>. <a href="https://github.com/Kong/kong/pull/11376" target="_blank" rel="noopener nofollow noreferrer ">#11376</a> </li> <li>Fixed a race condition in plugin queues that could crash the worker when <code class="language-plaintext highlighter-rouge">max_entries</code> was set to <code class="language-plaintext highlighter-rouge">max_batch_size</code>. <a href="https://github.com/Kong/kong/pull/11378" target="_blank" rel="noopener nofollow noreferrer ">#11378</a> </li> </ul> </li> <li>Added a <code class="language-plaintext highlighter-rouge">User=</code> specification to the systemd unit definition, enabling Kong Gateway to be controlled by systemd again. <a href="https://github.com/Kong/kong/pull/11066" target="_blank" rel="noopener nofollow noreferrer ">#11066</a> </li> </ul> <h4 id="plugins-62">Plugins</h4> <ul> <li> <p><a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>): Users will now receive a 500 error instead of being endlessly redirected when the Redis session storage is incorrectly configured.</p> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>): <ul> <li>The plugin now correctly sets the table key on <code class="language-plaintext highlighter-rouge">log</code> and <code class="language-plaintext highlighter-rouge">message</code>.</li> <li>When an invalid opaque token is provided and the verification fails, the plugin now prints the correct error message.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/response-transformer-advanced/"><strong>Response Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer-advanced</code>): The plugin no longer loads the response body when <code class="language-plaintext highlighter-rouge">if_status</code> doesn’t match the provided status.</p> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>): Fixed an issue that caused the plugin to cache network failures when running certificate revocation checks.</li> </ul> <h3 id="dependencies-35">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> from 2.10.2 to 2.11.5</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-kafka</code> from 0.15 to 0.16</li> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenSSL</code> from 1.1.1t to 3.1.1</li> </ul> <h2 id="3310">3.3.1.0</h2> <p><strong>Release Date</strong> 2023/07/03</p> <h3 id="fixes-44">Fixes</h3> <ul> <li>Fixed a bug that causes <code class="language-plaintext highlighter-rouge">POST /config?flatten_errors=1</code> to throw an exception and return a 500 error under certain circumstances.</li> <li>Fixed a bug that would cause an error when the header <code class="language-plaintext highlighter-rouge">x-datadog-parent-id</code> is not passed to Kong.</li> <li>Fixed a queueing-related bug that meant the <code class="language-plaintext highlighter-rouge">event_hooks</code> did not fire and led to errors in the logs.</li> <li>Updated the datafile library that meant when Kong was started with systemd, the SAML plugin did not load.</li> <li>Fixed a bug that the anonymous report can’t be silenced by setting <code class="language-plaintext highlighter-rouge">anonymous_reports=false</code>.</li> <li>Fixed a Jenkins issue where <code class="language-plaintext highlighter-rouge">kong/kong-gateway:3.3.0.0-alpine</code> was missing <code class="language-plaintext highlighter-rouge">resty.dns.resolver</code> patch.</li> <li>Fixed an issue addressing occasional issues attaching a workspace with the cache’s consumer well.</li> </ul> <h4 id="plugins-63">Plugins</h4> <ul> <li>Fixed an issue with the Oauth 2.0 Introspection plugin where a request with JSON that is not a table failed.</li> </ul> <h3 id="deprecations-4">Deprecations</h3> <ul> <li> <p><strong>Alpine deprecation reminder:</strong> Kong has announced our intent to remove support for Alpine images and packages later this year. These images and packages are available in 3.2 and will continue to be available in 3.3. We will stop building Alpine images and packages in Kong Gateway 3.4.</p> </li> <li> <p><strong>Cassandra deprecation and removal reminder:</strong> Using Cassandra as a backend database for Kong Gateway is deprecated. It is planned for removal with Kong Gateway 3.4.</p> </li> </ul> <h2 id="3300">3.3.0.0</h2> <p><strong>Release Date</strong> 2023/05/19</p> <h3 id="breaking-changes-and-deprecations-6">Breaking changes and deprecations</h3> <ul> <li> <p><strong>Alpine deprecation reminder:</strong> Kong has announced our intent to remove support for Alpine images and packages later this year. These images and packages are still available in 3.3. We will stop building Alpine images and packages in Kong Gateway 3.4.</p> </li> <li> <p><strong>Cassandra deprecation and removal reminder:</strong> Using Cassandra as a backend database for Kong Gateway is deprecated. It is planned for removal with Kong Gateway 3.4.</p> </li> </ul> <h4 id="core-50">Core</h4> <ul> <li> <p>The <code class="language-plaintext highlighter-rouge">traditional_compat</code> router mode has been made more compatible with the behavior of <code class="language-plaintext highlighter-rouge">traditional</code> mode by splitting routes with multiple paths into multiple <code class="language-plaintext highlighter-rouge">atc</code> routes with separate priorities. Since the introduction of the new router in Kong Gateway 3.0, <code class="language-plaintext highlighter-rouge">traditional_compat</code> mode assigned only one priority to each route, even if different prefix path lengths and regular expressions were mixed in a route. This was not how multiple paths were handled in the <code class="language-plaintext highlighter-rouge">traditional</code> router and the behavior has now been changed so that a separate priority value is assigned to each path in a route. <a href="https://github.com/Kong/kong/pull/10615" target="_blank" rel="noopener nofollow noreferrer ">#10615</a></p> </li> <li> <p><strong>Tracing</strong>: <code class="language-plaintext highlighter-rouge">tracing_sampling_rate</code> now defaults to 0.01 (trace one of every 100 requests) instead of the previous 1 (trace all requests). Tracing all requests causes unnecessary resource drain for most production systems. <a href="https://github.com/Kong/kong/pull/10774" target="_blank" rel="noopener nofollow noreferrer ">#10774</a></p> </li> </ul> <h4 id="plugins-64">Plugins</h4> <ul> <li>Plugin batch queuing: <ul> <li> <p><a href="/hub/kong-inc/http-log/"><strong>HTTP Log</strong></a> (<code class="language-plaintext highlighter-rouge">http-log</code>), <a href="/hub/kong-inc/statsd/"><strong>StatsD</strong></a> (<code class="language-plaintext highlighter-rouge">statsd</code>), <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>), and <a href="/hub/kong-inc/datadog/"><strong>Datadog</strong></a> (<code class="language-plaintext highlighter-rouge">datadog</code>)</p> <p>The queuing system has been reworked, causing some plugin parameters to not function as expected anymore. If you use queues in these plugins, new parameters must be configured. See each plugin’s documentation for details.</p> </li> <li> <p>The module <code class="language-plaintext highlighter-rouge">kong.tools.batch_queue</code> has been renamed to <code class="language-plaintext highlighter-rouge">kong.tools.queue</code> and the API was changed. If your custom plugin uses queues, it must be updated to use the new API. <a href="https://github.com/Kong/kong/pull/10172" target="_blank" rel="noopener nofollow noreferrer ">#10172</a></p> </li> </ul> </li> <li> <a href="/hub/kong-inc/app-dynamics/"><strong>AppDynamics</strong></a> (<code class="language-plaintext highlighter-rouge">app-dynamics</code>) <ul> <li>The plugin version has been updated to match Kong Gateway’s version.</li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/"><strong>HTTP Log</strong></a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>If the log server responds with a 3xx HTTP status code, the plugin now considers it to be an error and retries according to the retry configuration. Previously, 3xx status codes would be interpreted as a success, causing the log entries to be dropped. <a href="https://github.com/Kong/kong/pull/10172" target="_blank" rel="noopener nofollow noreferrer ">#10172</a> </li> </ul> </li> <li> <strong><a href="/hub/kong-inc/pre-function/">Pre-function</a> (<code class="language-plaintext highlighter-rouge">pre-function</code>) and <a href="/hub/kong-inc/post-function/">Post-function</a></strong> (<code class="language-plaintext highlighter-rouge">post-function</code>) <ul> <li> <code class="language-plaintext highlighter-rouge">kong.cache</code> now points to a cache instance that is dedicated to the Serverless Functions plugins. It does not provide access to the global Kong Gateway cache. Access to certain fields in <code class="language-plaintext highlighter-rouge">kong.conf</code> has also been restricted. <a href="https://github.com/Kong/kong/pull/10417" target="_blank" rel="noopener nofollow noreferrer ">#10417</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) This plugin now uses queues for internal buffering. The standard queue parameter set is available to control queuing behavior. <a href="https://github.com/Kong/kong/pull/10753" target="_blank" rel="noopener nofollow noreferrer ">#10753</a> </li> </ul> <h3 id="features-34">Features</h3> <h4 id="enterprise-6">Enterprise</h4> <ul> <li>When using the <a href="/gateway/latest/kong-enterprise/cp-outage-handling-faq/">data plane resilience feature</a>, the server-side certificate of the backend Amazon S3 or GCP Cloud Storage service will now be validated if it goes through HTTPS.</li> <li>When <a href="/gateway/latest/kong-enterprise/secrets-management/">managing secrets</a> with an AWS or GCP backend, the backend server’s certificate is now validated if it goes through HTTPS.</li> <li>Kong Enterprise now supports <a href="/gateway/latest/kong-enterprise/aws-iam-auth-to-rds-database/">using AWS IAM database authentication to connect to the Amazon RDS</a> (PostgreSQL) database.</li> <li>Kong Manager: <ul> <li>Kong Manager and Konnect now share the same UI for the navbar, sidebar, and all entity lists.</li> <li>Improved display for the routes list when the expressions router is enabled.</li> <li> <strong>CA Certificates</strong> and <strong>TLS Verify</strong> are now supported in the Kong Gateway service form.</li> <li>Added a GitHub star in the free mode navbar.</li> <li>Upgraded the Konnect CTA in free mode.</li> </ul> </li> <li>SBOM files in SPDX and CycloneDX are now generated for Kong Gateway’s Docker images.</li> </ul> <h4 id="kong-gateway-with-konnect">Kong Gateway with Konnect</h4> <ul> <li>You can now configure <a href="/konnect/runtime-manager/runtime-instances/custom-dp-labels/">labels for data planes</a> to provide metadata information for Konnect. <a href="https://github.com/Kong/kong/pull/10471" target="_blank" rel="noopener nofollow noreferrer ">#10471</a> </li> <li>Sending analytics to Konnect from Kong Gateway DB-less mode is now supported.</li> </ul> <h4 id="core-51">Core</h4> <ul> <li> <code class="language-plaintext highlighter-rouge">runloop</code> and <code class="language-plaintext highlighter-rouge">init</code> error response content types are now compliant with the <code class="language-plaintext highlighter-rouge">Accept</code> header value. <a href="https://github.com/Kong/kong/pull/10366" target="_blank" rel="noopener nofollow noreferrer ">#10366</a> </li> <li>You can now configure custom error templates. <a href="https://github.com/Kong/kong/pull/10374" target="_blank" rel="noopener nofollow noreferrer ">#10374</a> </li> <li>The maximum number of request headers, response headers, URI arguments, and POST arguments that are parsed by default can now be configured with the following new configuration parameters: <a href="/gateway/latest/reference/configuration/#lua_max_req_headers"><code class="language-plaintext highlighter-rouge">lua_max_req_headers</code></a>, <a href="/gateway/latest/reference/configuration/#lua_max_resp_headers"><code class="language-plaintext highlighter-rouge">lua_max_resp_headers</code></a>, <a href="/gateway/latest/reference/configuration/#lua_max_uri_args"><code class="language-plaintext highlighter-rouge">lua_max_uri_args</code></a>, and <a href="/gateway/latest/reference/configuration/#lua_max_post_args"><code class="language-plaintext highlighter-rouge">lua_max_post_args</code></a>. <a href="https://github.com/Kong/kong/pull/10443" target="_blank" rel="noopener nofollow noreferrer ">#10443</a> </li> <li>Added PostgreSQL triggers on the core entites and entities in bundled plugins to delete expired rows in an efficient and timely manner. <a href="https://github.com/Kong/kong/pull/10389" target="_blank" rel="noopener nofollow noreferrer ">#10389</a> </li> <li>Added support for configurable node IDs. <a href="https://github.com/Kong/kong/pull/10385" target="_blank" rel="noopener nofollow noreferrer ">#10385</a> </li> <li> <p>Request and response buffering options are now enabled for incoming HTTP 2.0 requests.</p> <p>Thanks <a href="https://github.com/PidgeyBE" target="_blank" rel="noopener nofollow noreferrer ">@PidgeyBE</a> for contributing this change. <a href="https://github.com/Kong/kong/pull/10204" target="_blank" rel="noopener nofollow noreferrer ">#10204</a> <a href="https://github.com/Kong/kong/pull/10595" target="_blank" rel="noopener nofollow noreferrer ">#10595</a></p> </li> <li>Added <code class="language-plaintext highlighter-rouge">KONG_UPSTREAM_DNS_TIME</code> to <code class="language-plaintext highlighter-rouge">ngx.ctx</code> to record the time it takes for DNS resolution when Kong proxies to an upstream. <a href="https://github.com/Kong/kong/pull/10355" target="_blank" rel="noopener nofollow noreferrer ">#10355</a> </li> <li>Dynamic log levels now have a default timeout of 60 seconds. <a href="https://github.com/Kong/kong/pull/10288" target="_blank" rel="noopener nofollow noreferrer ">#10288</a> </li> </ul> <h4 id="admin-api-26">Admin API</h4> <ul> <li>Added a new <code class="language-plaintext highlighter-rouge">updated_at</code> field for the following entities: <code class="language-plaintext highlighter-rouge">ca_certificates</code>, <code class="language-plaintext highlighter-rouge">certificates</code>, <code class="language-plaintext highlighter-rouge">consumers</code>, <code class="language-plaintext highlighter-rouge">targets</code>, <code class="language-plaintext highlighter-rouge">upstreams</code>, <code class="language-plaintext highlighter-rouge">plugins</code>, <code class="language-plaintext highlighter-rouge">workspaces</code>, <code class="language-plaintext highlighter-rouge">clustering_data_planes</code>, <code class="language-plaintext highlighter-rouge">consumer_group_consumers</code>, <code class="language-plaintext highlighter-rouge">consumer_group_plugins</code>, <code class="language-plaintext highlighter-rouge">consumer_groups</code>, <code class="language-plaintext highlighter-rouge">credentials</code>, <code class="language-plaintext highlighter-rouge">document_objects</code>, <code class="language-plaintext highlighter-rouge">event_hooks</code>, <code class="language-plaintext highlighter-rouge">files</code>, <code class="language-plaintext highlighter-rouge">group_rbac_roles</code>, <code class="language-plaintext highlighter-rouge">groups</code>, <code class="language-plaintext highlighter-rouge">keyring_meta</code>, <code class="language-plaintext highlighter-rouge">legacy_files</code>, <code class="language-plaintext highlighter-rouge">login_attempts</code>, <code class="language-plaintext highlighter-rouge">parameters</code>, <code class="language-plaintext highlighter-rouge">rbac_role_endpoints</code>, <code class="language-plaintext highlighter-rouge">rbac_role_entities</code>, <code class="language-plaintext highlighter-rouge">rbac_roles</code>, <code class="language-plaintext highlighter-rouge">rbac_users</code>, and <code class="language-plaintext highlighter-rouge">snis</code>. <a href="https://github.com/Kong/kong/pull/10400" target="_blank" rel="noopener nofollow noreferrer ">#10400</a> </li> <li>The <code class="language-plaintext highlighter-rouge">/upstreams/<upstream>/health?balancer_health=1</code> endpoint always shows the balancer health through a new attribute: <code class="language-plaintext highlighter-rouge">balancer_health</code>. This always returns <code class="language-plaintext highlighter-rouge">HEALTHY</code> or <code class="language-plaintext highlighter-rouge">UNHEALTHY</code>, reporting the true state of the balancer, even if the overall upstream health status is <code class="language-plaintext highlighter-rouge">HEALTHCHECKS_OFF</code>. This is useful for debugging. <a href="https://github.com/Kong/kong/pull/5885" target="_blank" rel="noopener nofollow noreferrer ">#5885</a> </li> <li> <strong>Beta</strong>: OpenAPI specs are now available for the Kong Gateway Admin API: <ul> <li><a href="/gateway/api/admin-oss/3.3.x/">Kong Gateway Admin API - OSS spec</a></li> <li><a href="/gateway/api/admin-ee/3.3.0.x/">Kong Gateway Admin API - Enterprise spec</a></li> </ul> </li> </ul> <h4 id="status-api-1">Status API</h4> <ul> <li> <p>The <code class="language-plaintext highlighter-rouge">status_listen</code> server has been enhanced with the addition of the <code class="language-plaintext highlighter-rouge">/status/ready</code> API for monitoring Kong Gateway’s health. This endpoint provides a <code class="language-plaintext highlighter-rouge">200</code> response upon receiving a <code class="language-plaintext highlighter-rouge">GET</code> request, but only if a valid, non-empty configuration is loaded and Kong Gateway is prepared to process user requests.</p> <p>Load balancers frequently utilize this functionality to ascertain Kong Gateway’s availability to distribute incoming requests. <a href="https://github.com/Kong/kong/pull/10610" target="_blank" rel="noopener nofollow noreferrer ">#10610</a> <a href="https://github.com/Kong/kong/pull/10787" target="_blank" rel="noopener nofollow noreferrer ">#10787</a></p> </li> <li> <p><strong>Beta</strong>: An OpenAPI spec is now available for the <a href="/gateway/api/status/v1/">Kong Gateway Status API</a>.</p> </li> </ul> <h4 id="pdk-15">PDK</h4> <ul> <li>The PDK now supports getting a plugin’s ID with <code class="language-plaintext highlighter-rouge">kong.plugin.get_id</code>. <a href="https://github.com/Kong/kong/pull/9903" target="_blank" rel="noopener nofollow noreferrer ">#9903</a> </li> <li>Tracing module: Renamed spans to simplify filtering on tracing backends. See <a href="/gateway/latest/plugin-development/pdk/kong.tracing/"><code class="language-plaintext highlighter-rouge">kong.tracing</code></a> for details. <a href="https://github.com/Kong/kong/pull/10577" target="_blank" rel="noopener nofollow noreferrer ">#10577</a> </li> </ul> <h4 id="plugins-65">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>This plugin now supports configuring an <code class="language-plaintext highlighter-rouge">account_key</code> in <code class="language-plaintext highlighter-rouge">keys</code> and <code class="language-plaintext highlighter-rouge">key_sets</code>. <a href="https://github.com/Kong/kong/pull/9746" target="_blank" rel="noopener nofollow noreferrer ">#9746</a> </li> <li>This plugin now supports configuring a <code class="language-plaintext highlighter-rouge">namespace</code> for Redis storage, which defaults to an empty string for backwards compatibility. <a href="https://github.com/Kong/kong/pull/10562" target="_blank" rel="noopener nofollow noreferrer ">#10562</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache/"><strong>Proxy Cache</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache</code>) <ul> <li>Added the configuration parameter <code class="language-plaintext highlighter-rouge">ignore_uri_case</code> to allow handling the cache key URI as lowercase. <a href="https://github.com/Kong/kong/pull/10453" target="_blank" rel="noopener nofollow noreferrer ">#10453</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Added wildcard and parameter match support for <code class="language-plaintext highlighter-rouge">content_type</code>.</li> <li>Added the configuration parameter <code class="language-plaintext highlighter-rouge">ignore_uri_case</code> to allow handling the cache key URI as lowercase. <a href="https://github.com/Kong/kong/pull/10453" target="_blank" rel="noopener nofollow noreferrer ">#10453</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/"><strong>HTTP Log</strong></a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">application/json; charset=utf-8</code> option for the <code class="language-plaintext highlighter-rouge">Content-Type</code> header to support log collectors that require that character set declaration. <a href="https://github.com/Kong/kong/pull/10533" target="_blank" rel="noopener nofollow noreferrer ">#10533</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/datadog/"><strong>Datadog</strong></a> (<code class="language-plaintext highlighter-rouge">datadog</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">host</code> configuration parameter is now referenceable. <a href="https://github.com/Kong/kong/pull/10484" target="_blank" rel="noopener nofollow noreferrer ">#10484</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) and <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>These plugins now convert <code class="language-plaintext highlighter-rouge">traceid</code> in HTTP response headers to hex format. <a href="https://github.com/Kong/kong/pull/10534" target="_blank" rel="noopener nofollow noreferrer ">#10534</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Spans are now correctly correlated in downstream Datadog traces. <a href="https://github.com/Kong/kong/pull/10531" target="_blank" rel="noopener nofollow noreferrer ">10531</a> </li> <li>Added the <code class="language-plaintext highlighter-rouge">header_type</code> field. Previously, the <code class="language-plaintext highlighter-rouge">header_type</code> was hardcoded to <code class="language-plaintext highlighter-rouge">preserve</code>. Now it can be set to one of the following values: <code class="language-plaintext highlighter-rouge">preserve</code>, <code class="language-plaintext highlighter-rouge">ignore</code>, <code class="language-plaintext highlighter-rouge">b3</code>, <code class="language-plaintext highlighter-rouge">b3-single</code>, <code class="language-plaintext highlighter-rouge">w3c</code>, <code class="language-plaintext highlighter-rouge">jaeger</code>, or <code class="language-plaintext highlighter-rouge">ot</code>. <a href="https://github.com/Kong/kong/pull/10620" target="_blank" rel="noopener nofollow noreferrer ">#10620</a> </li> <li>Added the new span attribute <code class="language-plaintext highlighter-rouge">http.client_ip</code> to capture the client IP when behind a proxy. <a href="https://github.com/Kong/kong/pull/10723" target="_blank" rel="noopener nofollow noreferrer ">#10723</a> </li> <li>Added the <code class="language-plaintext highlighter-rouge">http_response_header_for_traceid</code> configuration parameter. Setting a string value in this field sets a corresponding header in the response. <a href="https://github.com/Kong/kong/pull/10379" target="_blank" rel="noopener nofollow noreferrer ">#10379</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added the configuration parameter <code class="language-plaintext highlighter-rouge">disable_https</code> to support scheme configuration on the lambda service API endpoint. <a href="https://github.com/Kong/kong/pull/9799" target="_blank" rel="noopener nofollow noreferrer ">#9799</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer-advanced/"><strong>Request Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer-advanced</code>) <ul> <li>The plugin now honors the following Kong Gateway configuration parameters: <a href="/gateway/latest/reference/configuration/#untrusted_lua"><code class="language-plaintext highlighter-rouge">untrusted_lua</code></a>, <a href="/gateway/latest/reference/configuration/#untrusted_lua_sandbox_requires"><code class="language-plaintext highlighter-rouge">untrusted_lua_sandbox_requires</code></a>, <a href="/gateway/latest/reference/configuration/#untrusted_lua_sandbox_environment"><code class="language-plaintext highlighter-rouge">untrusted_lua_sandbox_environment</code></a>. These parameters apply to advanced templates (Lua expressions).</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Errors are now logged for validation failures.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/"><strong>JWT Signer</strong></a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>Added the configuration field <code class="language-plaintext highlighter-rouge">add_claims</code>, which lets you add extra claims to JWT.</li> </ul> </li> </ul> <h3 id="fixes-45">Fixes</h3> <h4 id="enterprise-7">Enterprise</h4> <ul> <li>The Kong Enterprise systemd unit was incorrectly renamed to <code class="language-plaintext highlighter-rouge">kong.service</code> in 3.2.x.x versions. It has now been reverted back to <code class="language-plaintext highlighter-rouge">kong-enterprise-edition.service</code> to keep consistent with previous releases.</li> <li>Fixed an issue where Kong Gateway failed to generate a keyring when RBAC was enabled.</li> <li>Fixed <code class="language-plaintext highlighter-rouge">lua_ssl_verify_depth</code> in FIPS mode to match the same depth of normal mode.</li> <li>Removed the email field from the developer registration response.</li> <li>Websocket requests now generate balancer spans when tracing is enabled.</li> <li>Fixed an issue where management of licenses via the <code class="language-plaintext highlighter-rouge">/licenses/</code> endpoint would fail if the current license is not valid.</li> <li>Resolved an issue with the plugin iterator where sorting would become mixed up when dynamic reordering was applied. This fix ensures proper sorting behavior in all scenarios.</li> <li>Kong Manager: <ul> <li>Fixed an issue where changing the vault name in Kong Manager would throw an error.</li> <li>Fixed an issue with tabs, where vertical tab content became blank when selecting a tab that is currently active.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">/register</code> route occasionally jumped to <code class="language-plaintext highlighter-rouge">/login</code> instead.</li> <li>Removed the <strong>Custom Identifier</strong> field from the StatsD plugin. This field appeared in Kong Manager under Metrics, but the field doesn’t exist in the plugin’s schema.</li> </ul> </li> </ul> <h4 id="kong-gateway-with-konnect-1">Kong Gateway with Konnect</h4> <ul> <li>The standard expired license notification no longer appears in logs for data planes running in Konnect mode (<code class="language-plaintext highlighter-rouge">konnect_mode=on</code>), as it does not apply to them.</li> <li>New license alert behavior for data planes running in Konnect mode: <ul> <li>If there are at least 16 days left before expiration, no alerts are issued.</li> <li>If the license expires within 16 days, a warning level alert is issued every day.</li> <li>If the license is expired, a critical level alert is issued every day.</li> </ul> </li> </ul> <h4 id="core-52">Core</h4> <ul> <li>Fixed an issue where the upstream keepalive pool had a CRC32 collision. <a href="https://github.com/Kong/kong/pull/9856" target="_blank" rel="noopener nofollow noreferrer ">#9856</a> </li> <li>Hybrid mode: <ul> <li>Fixed an issue where the control plane didn’t downgrade configuration for the AWS Lambda and Zipkin plugins for older versions of data planes. <a href="https://github.com/Kong/kong/pull/10346" target="_blank" rel="noopener nofollow noreferrer ">#10346</a> </li> <li>Fixed an issue where the control plane didn’t rename fields correctly for the Session plugin for older versions of data planes. <a href="https://github.com/Kong/kong/pull/10352" target="_blank" rel="noopener nofollow noreferrer ">#10352</a> </li> </ul> </li> <li>Fixed an issue where validation of regex routes was occasionally skipped when the old-fashioned config style was used for DB-less Kong Gateway. <a href="https://github.com/Kong/kong/pull/10348" target="_blank" rel="noopener nofollow noreferrer ">#10348</a> </li> <li>Fixed an issue where tracing could cause unexpected behavior. <a href="https://github.com/Kong/kong/pull/10364" target="_blank" rel="noopener nofollow noreferrer ">#10364</a> </li> <li>Fixed an issue where balancer passive healthchecks would use the wrong status code when Kong Gateway changed the status code from the upstream in the <code class="language-plaintext highlighter-rouge">header_filter</code> phase. <a href="https://github.com/Kong/kong/pull/10325" target="_blank" rel="noopener nofollow noreferrer ">#10325</a> <a href="https://github.com/Kong/kong/pull/10592" target="_blank" rel="noopener nofollow noreferrer ">#10592</a> </li> <li>Fixed an issue where schema validations failing in a nested record did not propagate the error correctly. <a href="https://github.com/Kong/kong/pull/10449" target="_blank" rel="noopener nofollow noreferrer ">#10449</a> </li> <li>Fixed an issue where dangling Unix sockets would prevent Kong Gateway from restarting in Docker containers if it was not cleanly stopped. <a href="https://github.com/Kong/kong/pull/10468" target="_blank" rel="noopener nofollow noreferrer ">#10468</a> </li> <li>Fixed an issue where the sorting function for traditional router sources or destinations led to <code class="language-plaintext highlighter-rouge">invalid order function for sorting</code> errors. <a href="https://github.com/Kong/kong/pull/10514" target="_blank" rel="noopener nofollow noreferrer ">#10514</a> </li> <li>Fixed the UDP socket leak in <code class="language-plaintext highlighter-rouge">resty.dns.client</code> caused by frequent DNS queries. <a href="https://github.com/Kong/kong/pull/10691" target="_blank" rel="noopener nofollow noreferrer ">#10691</a> </li> <li>Fixed a typo in the mlcache option <code class="language-plaintext highlighter-rouge">shm_set_tries</code>. <a href="https://github.com/Kong/kong/pull/10712" target="_blank" rel="noopener nofollow noreferrer ">#10712</a> </li> <li>Fixed an issue where a slow startup of the Go plugin server caused a deadlock. <a href="https://github.com/Kong/kong/pull/10561" target="_blank" rel="noopener nofollow noreferrer ">#10561</a> </li> <li>Tracing: <ul> <li>Fixed an issue that caused the <code class="language-plaintext highlighter-rouge">sampled</code> flag of incoming propagation headers to be handled incorrectly and only affect some spans. <a href="https://github.com/Kong/kong/pull/10655" target="_blank" rel="noopener nofollow noreferrer ">#10655</a> </li> <li>Fixed an issue that was preventing <code class="language-plaintext highlighter-rouge">http_client</code> spans from being created for OpenResty HTTP client requests. <a href="https://github.com/Kong/kong/pull/10680" target="_blank" rel="noopener nofollow noreferrer ">#10680</a> </li> <li>Fixed an approximation issue that resulted in reduced precision of the balancer span start and end times. <a href="https://github.com/Kong/kong/pull/10681" target="_blank" rel="noopener nofollow noreferrer ">#10681</a> </li> <li> <code class="language-plaintext highlighter-rouge">tracing_sampling_rate</code> now defaults to 0.01 (trace one of every 100 requests) instead of the previous 1 (trace all requests). Tracing all requests causes unnecessary resource drain for most production systems. <a href="https://github.com/Kong/kong/pull/10774" target="_blank" rel="noopener nofollow noreferrer ">#10774</a> </li> </ul> </li> <li>Fixed an issue with vault references, which caused Kong Gateway to error out when trying to stop. <a href="https://github.com/Kong/kong/pull/10775" target="_blank" rel="noopener nofollow noreferrer ">#10775</a> </li> <li>Fixed an issue where vault configuration stayed sticky and cached even when configurations were changed. <a href="https://github.com/Kong/kong/pull/10776" target="_blank" rel="noopener nofollow noreferrer ">#10776</a> </li> <li>Fixed the following PostgreSQL TTL clean-up timer issues: <ul> <li>Timers will now only run on traditional and control plane nodes that have enabled the Admin API. <a href="https://github.com/Kong/kong/pull/10405" target="_blank" rel="noopener nofollow noreferrer ">#10405</a> </li> <li>Kong Gateway now runs a batch delete loop on each TTL-enabled table with a number of <code class="language-plaintext highlighter-rouge">50.000</code> rows per batch. <a href="https://github.com/Kong/kong/pull/10407" target="_blank" rel="noopener nofollow noreferrer ">#10407</a> </li> <li>The cleanup job now runs every 5 minutes instead of every 60 seconds. <a href="https://github.com/Kong/kong/pull/10389" target="_blank" rel="noopener nofollow noreferrer ">#10389</a> </li> <li>Kong Gateway now deletes expired rows based on the database server-side timestamp to avoid potential problems caused by the differences in clock time between Kong Gateway and the database server. <a href="https://github.com/Kong/kong/pull/10389" target="_blank" rel="noopener nofollow noreferrer ">#10389</a> </li> </ul> </li> <li>Fixed an issue where an empty value for the URI argument <code class="language-plaintext highlighter-rouge">custom_id</code> crashed the <code class="language-plaintext highlighter-rouge">/consumer</code> API. <a href="https://github.com/Kong/kong/pull/10475" target="_blank" rel="noopener nofollow noreferrer ">#10475</a> </li> </ul> <h4 id="pdk-16">PDK</h4> <ul> <li> <code class="language-plaintext highlighter-rouge">request.get_uri_captures</code> now returns the unnamed part tagged as an array for jsonification. <a href="https://github.com/Kong/kong/pull/10390" target="_blank" rel="noopener nofollow noreferrer ">#10390</a> </li> <li>Fixed an issue for tracing PDK where the sampling rate didn’t work. <a href="https://github.com/Kong/kong/pull/10485" target="_blank" rel="noopener nofollow noreferrer ">#10485</a> </li> </ul> <h4 id="plugins-66">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/jwe-decrypt/"><strong>JWE Decrypt</strong></a> (<code class="language-plaintext highlighter-rouge">jwe-decrypt</code>), <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>), and <a href="/hub/kong-inc/vault-auth/"><strong>Vault Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">vault-auth</code>) <ul> <li>Added the missing schema field <code class="language-plaintext highlighter-rouge">protocols</code> for <code class="language-plaintext highlighter-rouge">jwe-decrypt</code>, <code class="language-plaintext highlighter-rouge">oas-validation</code>, and <code class="language-plaintext highlighter-rouge">vault-auth</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> <ul> <li>The <code class="language-plaintext highlighter-rouge">redis</code> rate limiting strategy now returns an error when Redis Cluster is down.</li> <li>Fixed an issue where the rate limiting <code class="language-plaintext highlighter-rouge">cluster_events</code> broadcast the wrong data in traditional cluster mode.</li> <li>The control plane no longer creates namespace or syncs.</li> </ul> </li> <li> <a href="/hub/kong-inc/statsd-advanced/"><strong>StatsD Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">statsd-advanced</code>) <ul> <li>Changed the plugin’s name to <code class="language-plaintext highlighter-rouge">statsd-advanced</code> instead of <code class="language-plaintext highlighter-rouge">statsd</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/"><strong>LDAP Authentication Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>The plugin now performs authentication before authorization, and returns a 403 HTTP code when a user isn’t in the authorized groups.</li> <li>The plugin now supports setting the groups to an empty array when groups are not empty.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue where reconfiguring the plugin didn’t take effect.</li> <li>Fixed an issue that caused spans to be propagated incorrectly resulting in the wrong hierarchy being rendered on tracing backends. <a href="https://github.com/Kong/kong/pull/10663" target="_blank" rel="noopener nofollow noreferrer ">#10663</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Fixed an issue where the validation function for the <code class="language-plaintext highlighter-rouge">allowed_content_types</code> parameter was too strict, making it impossible to use media types that contained a <code class="language-plaintext highlighter-rouge">-</code> character.</li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>Fixed an issue which caused the wrong <code class="language-plaintext highlighter-rouge">latencies.proxy</code> to be used in the logging plugins. This plugin now evaluates <code class="language-plaintext highlighter-rouge">ctx.WAITING_TIME</code> in the forward proxy instead of doing it in the subsequent phase.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-termination/"><strong>Request Termination</strong></a> (<code class="language-plaintext highlighter-rouge">request-termination</code>) <ul> <li>Fixed an issue with the <code class="language-plaintext highlighter-rouge">echo</code> option, which caused the plugin to not return the <code class="language-plaintext highlighter-rouge">uri-captures</code>. <a href="https://github.com/Kong/kong/pull/10390" target="_blank" rel="noopener nofollow noreferrer ">#10390</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer/"><strong>Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer</code>) <ul> <li>Fixed an issue where requests would intermittently be proxied with incorrect query parameters. <a href="https://github.com/Kong/kong/pull/10539" target="_blank" rel="noopener nofollow noreferrer ">10539</a> </li> <li>The plugin now honors the value of the <code class="language-plaintext highlighter-rouge">untrusted_lua</code> configuration parameter. <a href="https://github.com/Kong/kong/pull/10327" target="_blank" rel="noopener nofollow noreferrer ">#10327</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2/"><strong>OAuth2</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2</code>) <ul> <li>Fixed an issue where the OAuth2 token was being cached as <code class="language-plaintext highlighter-rouge">nil</code> if the wrong service was accessed first. <a href="https://github.com/Kong/kong/pull/10522" target="_blank" rel="noopener nofollow noreferrer ">#10522</a> </li> <li>This plugin now prevents an authorization code created by one plugin instance from being exchanged for an access token created by a different plugin instance. <a href="https://github.com/Kong/kong/pull/10011" target="_blank" rel="noopener nofollow noreferrer ">#10011</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/grpc-gateway/"><strong>gRPC Gateway</strong></a> (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>) <ul> <li>Fixed an issue where having a <code class="language-plaintext highlighter-rouge">null</code> value in the JSON payload caused an uncaught exception to be thrown during <code class="language-plaintext highlighter-rouge">pb.encode</code>. <a href="https://github.com/Kong/kong/pull/10687" target="_blank" rel="noopener nofollow noreferrer ">#10687</a> </li> <li>Fixed an issue where empty arrays in JSON were incorrectly encoded as <code class="language-plaintext highlighter-rouge">"{}"</code>. They are now encoded as <code class="language-plaintext highlighter-rouge">"[]"</code> to comply with standards. <a href="https://github.com/Kong/kong/pull/10790" target="_blank" rel="noopener nofollow noreferrer ">#10790</a> </li> </ul> </li> </ul> <h3 id="dependencies-36">Dependencies</h3> <ul> <li>Updated the datafile library dependency to fix the following issues: <ul> <li>Kong Gateway didn’t work when installed on a read-only file system.</li> <li>Kong Gateway didn’t work when started from systemd.</li> </ul> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-session</code> from 4.0.2 to 4.0.3 <a href="https://github.com/Kong/kong/pull/10338" target="_blank" rel="noopener nofollow noreferrer ">#10338</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> from 0.3.3 to 0.5.0 <a href="https://github.com/Kong/kong/pull/10413" target="_blank" rel="noopener nofollow noreferrer ">#10137</a> <a href="https://github.com/Kong/kong/pull/10790" target="_blank" rel="noopener nofollow noreferrer ">#10790</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-timer-ng</code> from 0.2.3 to 0.2.5 <a href="https://github.com/Kong/kong/pull/10419" target="_blank" rel="noopener nofollow noreferrer ">#10419</a> <a href="https://github.com/Kong/kong/pull/10664" target="_blank" rel="noopener nofollow noreferrer ">#10664</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 0.8.17 to 0.8.20 <a href="https://github.com/Kong/kong/pull/10463" target="_blank" rel="noopener nofollow noreferrer ">#10463</a> <a href="https://github.com/Kong/kong/pull/10476" target="_blank" rel="noopener nofollow noreferrer ">#10476</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-http</code> from 0.17.0.beta.1 to 0.17.1 <a href="https://github.com/Kong/kong/pull/10547" target="_blank" rel="noopener nofollow noreferrer ">#10547</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.1.2 to 1.2.2</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-gcp</code> from 0.0.11 to 0.0.12</li> <li>Bumped <code class="language-plaintext highlighter-rouge">LuaSec</code> from 1.2.0 to 1.3.1 <a href="https://github.com/Kong/kong/pull/10528" target="_blank" rel="noopener nofollow noreferrer ">#10528</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-acme</code> from 0.10.1 to 0.11.0 <a href="https://github.com/Kong/kong/pull/10562" target="_blank" rel="noopener nofollow noreferrer ">#10562</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-events</code> from 0.1.3 to 0.1.4 <a href="https://github.com/Kong/kong/pull/10634" target="_blank" rel="noopener nofollow noreferrer ">#10634</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.5.1 to 0.6.0 <a href="https://github.com/Kong/kong/pull/10288" target="_blank" rel="noopener nofollow noreferrer ">#10288</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-lmdb</code> from 1.0.0 to 1.1.0 <a href="https://github.com/Kong/kong/pull/10766" target="_blank" rel="noopener nofollow noreferrer ">#10766</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-openid-connect</code> from 2.5.4 to 2.5.5</li> </ul> <h3 id="known-issues-7">Known Issues</h3> <ul> <li> <p>Due to known issues, Kong recommends not enabling page-level LMDB encryption in versions 3.0.x-3.3.x.</p> <p>Don’t set <code class="language-plaintext highlighter-rouge">declarative_config_encryption_mode</code>; leave it at its default value of <code class="language-plaintext highlighter-rouge">off</code>. Continue relying on disk-level encryption to encrypt the configuration on disk.</p> </li> <li> <p>When sending an invalid configuration to the <code class="language-plaintext highlighter-rouge">/config</code> endpoint while running in DB-less mode and with <code class="language-plaintext highlighter-rouge">flatten_errors=1</code> set, Kong Gateway incorrectly returns a 500. This should be a 400 because the configuration is invalid.</p> </li> <li> <p>When the OpenID Connect (OIDC) plugin is configured to reference HashiCorp Vault in the <code class="language-plaintext highlighter-rouge">config.client_secret</code> field (for example, <code class="language-plaintext highlighter-rouge">{vault://hcv/clientSecret}</code>), it does not look up the secret correctly.</p> </li> </ul> <h2 id="3225">3.2.2.5</h2> <p><strong>Release Date</strong> 2023/10/12</p> <h3 id="fixes-46">Fixes</h3> <h4 id="core-53">Core</h4> <ul> <li> <p>Applied Nginx patch for early detection of HTTP/2 stream reset attacks. This change is in direct response to the identified vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023-44487</a>.</p> <p>See our <a href="https://konghq.com/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update" target="_blank" rel="noopener nofollow noreferrer ">blog post</a> for more details on this vulnerability and Kong’s responses to it.</p> </li> <li>Fixed a keyring issue where Kong Gateway nodes would fail to send keyring data when using the cluster strategy.</li> <li>Fixed an issue where an abnormal socket connection would be incorrectly reused when querying the PostgreSQL database.</li> <li>Added a <code class="language-plaintext highlighter-rouge">User=</code> specification to the systemd unit definition, enabling Kong Gateway to be controlled by systemd again. <a href="https://github.com/Kong/kong/pull/11066" target="_blank" rel="noopener nofollow noreferrer ">#11066</a> </li> </ul> <h4 id="plugins-67">Plugins</h4> <ul> <li> <p><a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>): Fixed an issue that caused the plugin to cache network failures when running certificate revocation checks.</p> </li> <li> <p><a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>): Users will now receive a 500 error instead of being endlessly redirected when the Redis session storage is incorrectly configured.</p> </li> </ul> <h3 id="dependencies-37">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> from 2.10.2 to 2.11.5</li> </ul> <h2 id="3224">3.2.2.4</h2> <p><strong>Release Date</strong> 2023/09/15</p> <h3 id="breaking-changes-and-deprecations-7">Breaking changes and deprecations</h3> <ul> <li> <p><strong>Ubuntu 18.04 support removed</strong>: Support for running Kong Gateway on Ubuntu 18.04 (“Bionic”) is now deprecated, as <a href="https://wiki.ubuntu.com/Releases" target="_blank" rel="noopener nofollow noreferrer ">Standard Support for Ubuntu 18.04 has ended as of June 2023</a>. Starting with Kong Gateway 3.2.2.4, Kong is not building new Ubuntu 18.04 images or packages, and Kong will not test package installation on Ubuntu 18.04.</p> <p>If you need to install Kong Gateway on Ubuntu 18.04, substitute a previous 3.2.x patch version in the <a href="/gateway/3.2.x/install/linux/ubuntu/">installation instructions</a>.</p> </li> <li>Amazon Linux 2022 artifacts are renamed to Amazon Linux 2023, based on AWS’s own renaming.</li> <li>CentOS packages are now removed from the release and are no longer supported in future versions.</li> </ul> <h3 id="fixes-47">Fixes</h3> <h4 id="enterprise-8">Enterprise</h4> <ul> <li>Updated the datafile library to make the SAML plugin work again when Kong is controlled by systemd.</li> <li>Fixed an issue where the anonymous report couldn’t be silenced by setting <code class="language-plaintext highlighter-rouge">anonymous_reports=false</code>.</li> <li>Fixed an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong to execute Go plugins with inconsistent configurations. The issue only affected scenarios where the same Go plugin is applied to different route or service entities.</li> </ul> <h4 id="plugins-68">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Correctly set the right table key on <code class="language-plaintext highlighter-rouge">log</code> and <code class="language-plaintext highlighter-rouge">message</code>.</li> <li>If an invalid opaque token is provided but verification fails, print the correct error.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>The redis rate limiting strategy now returns an error when Redis Cluster is down.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>The control plane no longer attempts to create namespace or synchronize counters with Redis.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer-advanced/"><strong>Response Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer-advanced</code>) <ul> <li>Does not load response body when <code class="language-plaintext highlighter-rouge">if_status</code> does not match.</li> </ul> </li> </ul> <h4 id="kong-manager-20">Kong Manager</h4> <ul> <li>Fixed an issue where the Zipkin plugin prevented users from editing the <code class="language-plaintext highlighter-rouge">static_tags</code> configuration.</li> <li>Fixed an issue where the unavailable Datadog Tracing plugin displayed on the plugin installation page.</li> <li>Fixed an issue where some metrics were missing from the StatsD plugin.</li> <li>Fixed an issue where locale files were not found when using a non-default <code class="language-plaintext highlighter-rouge">admin_gui_path</code> configuration.</li> <li>Fixed an issue where endpoint permissions for application instances did not work as expected.</li> <li>Fixed an issue where some icons were shown as unreadable symbols and characters.</li> <li>Fixed an issue where users were redirected to pages under the default workspace when clicking links for services or routes of entities residing in other workspaces.</li> <li>Fixed an issue that failed to redirect OpenID Connect in Kong Manager if it was provided with an incorrect username.</li> </ul> <h3 id="dependencies-38">Dependencies</h3> <ul> <li> <code class="language-plaintext highlighter-rouge">lua-resty-kafka</code> is bumped from 0.15 to 0.16</li> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenSSL</code> from 1.1.1t to 3.1.1</li> </ul> <h2 id="3223">3.2.2.3</h2> <p><strong>Release Date</strong> 2023/06/07</p> <h3 id="fixes-48">Fixes</h3> <ul> <li>Fixed an error with the <code class="language-plaintext highlighter-rouge">/config</code> endpoint. If <code class="language-plaintext highlighter-rouge">flatten_errors=1</code> was set and an invalid config was sent to the endpoint, a 500 error was incorrectly returned.</li> </ul> <h3 id="deprecations-5">Deprecations</h3> <ul> <li> <strong>Alpine deprecation reminder:</strong> Kong has announced our intent to remove support for Alpine images and packages later this year. These images and packages are available in 3.2 and will continue to be available in 3.3. We will stop building Alpine images and packages in Kong Gateway 3.4.</li> </ul> <h2 id="3222">3.2.2.2</h2> <p><strong>Release Date</strong> 2023/05/19</p> <h3 id="fixes-49">Fixes</h3> <h4 id="core-54">Core</h4> <ul> <li>Fixed the OpenResty <code class="language-plaintext highlighter-rouge">ngx.print</code> chunk encoding duplicate free buffer issue that led to the corruption of chunk-encoded response data. <a href="https://github.com/Kong/kong/pull/10816" target="_blank" rel="noopener nofollow noreferrer ">#10816</a> <a href="https://github.com/Kong/kong/pull/10824" target="_blank" rel="noopener nofollow noreferrer ">#10824</a> </li> <li>Fixed the UDP socket leak in <code class="language-plaintext highlighter-rouge">resty.dns.client</code> caused by frequent DNS queries. <a href="https://github.com/Kong/kong/pull/10691" target="_blank" rel="noopener nofollow noreferrer ">#10691</a> </li> </ul> <h4 id="plugins-69">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed the log flooding issue caused by low <code class="language-plaintext highlighter-rouge">sync_rate</code> settings.</li> </ul> </li> </ul> <h2 id="3221">3.2.2.1</h2> <p><strong>Release Date</strong> 2023/04/03</p> <h3 id="fixes-50">Fixes</h3> <ul> <li>Fixed the Dynatrace implementation. Due to a build system issue, Kong Gateway 3.2.x packages prior to 3.2.2.1 didn’t contain the debug symbols that Dynatrace requires.</li> </ul> <h3 id="deprecations-6">Deprecations</h3> <ul> <li> <strong>Alpine deprecation reminder:</strong> Kong has announced our intent to remove support for Alpine images and packages later this year. These images and packages are available in 3.2 and will continue to be available in 3.3. We will stop building Alpine images and packages in Kong Gateway 3.4.</li> </ul> <h2 id="3220">3.2.2.0</h2> <p><strong>Release Date</strong> 2023/03/22</p> <h3 id="fixes-51">Fixes</h3> <h4 id="enterprise-9">Enterprise</h4> <ul> <li>In Kong 3.2.1.0 and 3.2.1.1, <code class="language-plaintext highlighter-rouge">alpine</code> and <code class="language-plaintext highlighter-rouge">ubuntu</code> ARM64 artifacts incorrectly handled HTTP/2 requests, causing the protocol to fail. These artifacts have been removed.</li> <li>Added the default logrotate file <code class="language-plaintext highlighter-rouge">/etc/logrotate.d/kong-enterprise-edition</code>. This file was missing in all 3.x versions of Kong Gateway prior to this release.</li> </ul> <h4 id="plugins-70">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>The SAML plugin now works on read-only file systems.</li> <li>The SAML plugin can now handle the field <code class="language-plaintext highlighter-rouge">session_auth_ttl</code> (removed since 3.2.0.0).</li> </ul> </li> <li>Datadog Tracing plugin: We found some late-breaking issues with the Datadog Tracing plugin and elected to remove it from the 3.2 release. We plan to add the plugin back with the issues fixed in a later release.</li> </ul> <h3 id="known-issues-8">Known issues</h3> <ul> <li>Due to changes in GPG keys, using yum to install this release triggers a <code class="language-plaintext highlighter-rouge">Public key for kong-enterprise-edition-3.2.1.0.rhel7.amd64.rpm is not installed</code> error. The package <em>is</em> signed, however, it’s signed with a different (rotated) key from the metadata service, which triggers the error in yum. To avoid this error, manually download the package from <a href="https://cloudsmith.io/~kong/repos" target="_blank" rel="noopener nofollow noreferrer ">https://cloudsmith.io/~kong/repos</a> and install it.</li> </ul> <h2 id="3210">3.2.1.0</h2> <p><strong>Release Date</strong> 2023/02/28</p> <h3 id="deprecations-7">Deprecations</h3> <ul> <li> <p>Deprecated Alpine Linux images and packages.</p> <p>Kong is announcing our intent to remove support for Alpine images and packages later this year. These images and packages are available in 3.2 and will continue to be available in 3.3. We will stop building Alpine images and packages in Kong Gateway 3.4.</p> </li> </ul> <h3 id="breaking-changes-6">Breaking changes</h3> <ul> <li> <p>The default PostgreSQL SSL version has been bumped to TLS 1.2. In <code class="language-plaintext highlighter-rouge">kong.conf</code>:</p> <ul> <li>The default <a href="/gateway/latest/reference/configuration/#postgres-settings"><code class="language-plaintext highlighter-rouge">pg_ssl_version</code></a> is now <code class="language-plaintext highlighter-rouge">tlsv1_2</code>.</li> <li>Constrained the valid values of this configuration option to only accept the following: <code class="language-plaintext highlighter-rouge">tlsv1_1</code>, <code class="language-plaintext highlighter-rouge">tlsv1_2</code>, <code class="language-plaintext highlighter-rouge">tlsv1_3</code> or <code class="language-plaintext highlighter-rouge">any</code>.</li> </ul> <p>This mirrors the setting <code class="language-plaintext highlighter-rouge">ssl_min_protocol_version</code> in PostgreSQL 12.x and onward. See the <a href="https://postgresqlco.nf/doc/en/param/ssl_min_protocol_version/" target="_blank" rel="noopener nofollow noreferrer ">PostgreSQL documentation</a> for more information about that parameter.</p> <p>To use the default setting in <code class="language-plaintext highlighter-rouge">kong.conf</code>, verify that your Postgres server supports TLS 1.2 or higher versions, or set the TLS version yourself. TLS versions lower than <code class="language-plaintext highlighter-rouge">tlsv1_2</code> are already deprecated and considered insecure from PostgreSQL 12.x onward.</p> </li> <li> <p>Added the <a href="/gateway/latest/reference/configuration/#allow_debug_header"><code class="language-plaintext highlighter-rouge">allow_debug_header</code></a> configuration property to <code class="language-plaintext highlighter-rouge">kong.conf</code> to constrain the <code class="language-plaintext highlighter-rouge">Kong-Debug</code> header for debugging. This option defaults to <code class="language-plaintext highlighter-rouge">off</code>.</p> <p>If you were previously relying on the <code class="language-plaintext highlighter-rouge">Kong-Debug</code> header to provide debugging information, set <code class="language-plaintext highlighter-rouge">allow_debug_header: on</code> to continue doing so.</p> </li> <li> <p><a href="/hub/kong-inc/jwt/"><strong>JWT plugin</strong></a> (<code class="language-plaintext highlighter-rouge">jwt</code>)</p> <ul> <li>The JWT plugin now denies any request that has different tokens in the JWT token search locations. <a href="https://github.com/Kong/kong/pull/9946" target="_blank" rel="noopener nofollow noreferrer ">#9946</a> </li> </ul> </li> <li> <p>Sessions library upgrade <a href="https://github.com/Kong/kong/pull/10199" target="_blank" rel="noopener nofollow noreferrer ">#10199</a>:</p> <ul> <li> <p>The <a href="https://github.com/bungle/lua-resty-session" target="_blank" rel="noopener nofollow noreferrer "><code class="language-plaintext highlighter-rouge">lua-resty-session</code></a> library has been upgraded to v4.0.0. This version includes a full rewrite of the session library, and is not backwards compatible.</p> <p>This library is used by the following plugins: <a href="/hub/kong-inc/session/"><strong>Session</strong></a>, <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a>, and <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a>. This also affects any session configuration that uses the Session or OpenID Connect plugin in the background, including sessions for Kong Manager and Dev Portal.</p> <p>All existing sessions are invalidated when upgrading to this version. For sessions to work as expected in this version, all nodes must run Kong Gateway 3.2.x or later. For that reason, we recommend that during upgrades, proxy nodes with mixed versions run for as little time as possible. During that time, the invalid sessions could cause failures and partial downtime.</p> </li> <li> <p>Parameters:</p> <ul> <li>The new parameter <code class="language-plaintext highlighter-rouge">idling_timeout</code>, which replaces <code class="language-plaintext highlighter-rouge">cookie_lifetime</code>, now has a default value of 900. Unless configured differently, sessions expire after 900 seconds (15 minutes) of idling.</li> <li>The new parameter <code class="language-plaintext highlighter-rouge">absolute_timeout</code> has a default value of 86400. Unless configured differently, sessions expire after 86400 seconds (24 hours).</li> <li>Many session parameters have been renamed or removed. Although your configuration will continue to work as previously configured, we recommend adjusting your configuration to avoid future unexpected behavior. Refer to the <a href="/gateway/latest/upgrade/#session-library-upgrade">upgrade guide for 3.2</a> for all session configuration changes and guidance on how to convert your existing session configuration.</li> </ul> </li> </ul> </li> </ul> <h3 id="features-35">Features</h3> <ul> <li>Changed the underlying operating system (OS) for our convenience Docker tags (for example, <code class="language-plaintext highlighter-rouge">latest</code>, <code class="language-plaintext highlighter-rouge">3.2.1.0</code>, <code class="language-plaintext highlighter-rouge">3.2</code>) from Debian to Ubuntu.</li> </ul> <h4 id="core-55">Core</h4> <ul> <li>When <code class="language-plaintext highlighter-rouge">router_flavor</code> is set to<code class="language-plaintext highlighter-rouge">traditional_compatible</code>, Kong Gateway verifies routes created using the expression router instead of the traditional router to ensure created routes are compatible. <a href="https://github.com/Kong/kong/pull/9987" target="_blank" rel="noopener nofollow noreferrer ">#9987</a> </li> <li>In DB-less mode, the <code class="language-plaintext highlighter-rouge">/config</code> API endpoint can now flatten all schema validation errors into a single array using the optional <code class="language-plaintext highlighter-rouge">flatten_errors</code> query parameter. <a href="https://github.com/Kong/kong/pull/10161" target="_blank" rel="noopener nofollow noreferrer ">#10161</a> </li> <li>The upstream entity now has a new load balancing algorithm option: <a href="/gateway/latest/how-kong-works/load-balancing/#balancing-algorithms"><code class="language-plaintext highlighter-rouge">latency</code></a>. This algorithm chooses a target based on the response latency of each target from prior requests. <a href="https://github.com/Kong/kong/pull/9787" target="_blank" rel="noopener nofollow noreferrer ">#9787</a> </li> <li>The Nginx <code class="language-plaintext highlighter-rouge">charset</code> directive can now be configured with Nginx directive injections. Set it in Kong Gateway’s configuration with <a href="/gateway/latest/reference/configuration/#nginx_http_charset"><code class="language-plaintext highlighter-rouge">nginx_http_charset</code></a> <a href="https://github.com/Kong/kong/pull/10111" target="_blank" rel="noopener nofollow noreferrer ">#10111</a> </li> <li>The services upstream TLS configuration is now extended to the stream subsystem. <a href="https://github.com/Kong/kong/pull/9947" target="_blank" rel="noopener nofollow noreferrer ">#9947</a> </li> <li>Added the new configuration parameter <a href="/gateway/latest/reference/configuration/#ssl_session_cache_size"><code class="language-plaintext highlighter-rouge">ssl_session_cache_size</code></a>, which lets you set the Nginx directive <code class="language-plaintext highlighter-rouge">ssl_session_cache</code>. This configuration parameter defaults to <code class="language-plaintext highlighter-rouge">10m</code>. Thanks <a href="https://github.com/michbeck100" target="_blank" rel="noopener nofollow noreferrer ">Michael Kotten</a> for contributing this change. <a href="https://github.com/Kong/kong/pull/10021" target="_blank" rel="noopener nofollow noreferrer ">#10021</a> </li> <li> <a href="/gateway/latest/reference/configuration/#status_listen"><code class="language-plaintext highlighter-rouge">status_listen</code></a> now supports HTTP2. <a href="https://github.com/Kong/kong/pull/9919" target="_blank" rel="noopener nofollow noreferrer ">#9919</a> </li> <li>The shared Redis connector now supports username + password authentication for cluster connections, improving on the existing single-node connection support. This automatically applies to all plugins using the shared Redis configuration.</li> </ul> <h4 id="enterprise-10">Enterprise</h4> <ul> <li> <strong>FIPS Support</strong>: <ul> <li> <p>The OpenID Connect, Key Authentication - Encrypted, and JWT Signer plugins are now <a href="/gateway/latest/kong-enterprise/fips-support/">FIPS 140-2 compliant</a>.</p> <p>If you are migrating from Kong Gateway 3.1 to 3.2 in FIPS mode and are using the <code class="language-plaintext highlighter-rouge">key-auth-enc</code> plugin, you should send <a href="/hub/kong-inc/key-auth-enc/#create-a-key">PATCH or POST requests</a> to all existing <code class="language-plaintext highlighter-rouge">key-auth-enc</code> credentials to re-hash them in SHA256.</p> </li> <li> <p>FIPS-compliant Kong Gateway packages now support PostgreSQL SSL connections.</p> </li> </ul> </li> </ul> <h5 id="kong-manager-21">Kong Manager</h5> <ul> <li>Improved the editor for expression fields. Any fields using the expression router now have syntax highlighting, autocomplete, and route validation.</li> <li>Improved audit logs by adding <code class="language-plaintext highlighter-rouge">rbac_user_name</code> and <code class="language-plaintext highlighter-rouge">request_source</code>. By combining the data in the new <code class="language-plaintext highlighter-rouge">request_source</code> field with the <code class="language-plaintext highlighter-rouge">path</code> field, you can now determine login and logout events from the logs. See the documentation for more detail on <a href="/gateway/latest/kong-enterprise/audit-log/#kong-manager-authentication">interpreting audit logs</a>.</li> <li>License information can now be copied or downloaded into a file from Kong Manager.</li> <li>Kong Manager now supports the <code class="language-plaintext highlighter-rouge">POST</code> method for OIDC-based authentication.</li> <li>Keys and key sets can now be configured in Kong Manager.</li> <li>Optimized the color scheme for <code class="language-plaintext highlighter-rouge">http</code> method badges.</li> </ul> <h4 id="plugins-71">Plugins</h4> <ul> <li> <p><strong>Plugin entity</strong>: Added an optional <code class="language-plaintext highlighter-rouge">instance_name</code> field, which identifies a particular plugin entity. <a href="https://github.com/Kong/kong/pull/10077" target="_blank" rel="noopener nofollow noreferrer ">#10077</a></p> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Added support for setting the durations of Kong phases as span tags through the configuration property <code class="language-plaintext highlighter-rouge">phase_duration_flavor</code>. <a href="https://github.com/Kong/kong/pull/9891" target="_blank" rel="noopener nofollow noreferrer ">#9891</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/"><strong>HTTP Log</strong></a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">headers</code> configuration parameter is now referenceable, which means it can be securely stored in a vault. <a href="https://github.com/Kong/kong/pull/9948" target="_blank" rel="noopener nofollow noreferrer ">#9948</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added the configuration parameter <code class="language-plaintext highlighter-rouge">aws_imds_protocol_version</code>, which lets you select the IMDS protocol version. This option defaults to <code class="language-plaintext highlighter-rouge">v1</code> and can be set to <code class="language-plaintext highlighter-rouge">v2</code> to enable IMDSv2. <a href="https://github.com/Kong/kong/pull/9962" target="_blank" rel="noopener nofollow noreferrer ">#9962</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>This plugin can now be scoped to individual services, routes, and consumers. <a href="https://github.com/Kong/kong/pull/10096" target="_blank" rel="noopener nofollow noreferrer ">#10096</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/statsd/"><strong>StatsD</strong></a> (<code class="language-plaintext highlighter-rouge">statsd</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">tag_style</code> configuration parameter, which allows the plugin to send metrics with <a href="https://github.com/prometheus/statsd_exporter#tagging-extensions" target="_blank" rel="noopener nofollow noreferrer ">tags</a>. The parameter defaults to <code class="language-plaintext highlighter-rouge">nil</code>, which means that no tags are added to the metrics. <a href="https://github.com/Kong/kong/pull/10118" target="_blank" rel="noopener nofollow noreferrer ">#10118</a> </li> </ul> </li> <li> <p><a href="/hub/kong-inc/session/"><strong>Session</strong></a> (<code class="language-plaintext highlighter-rouge">session</code>), <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>), and <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>)</p> <ul> <li> <p>These plugins now use <code class="language-plaintext highlighter-rouge">lua-resty-session</code> v4.0.0.</p> <p>This update includes new session functionalities such as configuring audiences to manage multiple sessions in a single cookie, global timeout, and persistent cookies.</p> <p>Due to this update, there are also a number of deprecated and removed parameters in these plugins. See the invidividual plugin documentation for the full list of changed parameters in each plugin.</p> <ul> <li><a href="/hub/kong-inc/session/#changelog">Session changelog</a></li> <li><a href="/hub/kong-inc/openid-connect/#changelog">OpenID Connect changelog</a></li> <li><a href="/hub/kong-inc/saml/#changelog">SAML changelog</a></li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/"><strong>GraphQL Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) and <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>In hybrid and DB-less modes, these plugins now support <code class="language-plaintext highlighter-rouge">sync_rate = -1</code> with any strategy, including the default <code class="language-plaintext highlighter-rouge">cluster</code> strategy.</li> </ul> </li> <li> <a href="/hub/kong-inc/opa/"><strong>OPA</strong></a> (<code class="language-plaintext highlighter-rouge">opa</code>) <ul> <li>This plugin can now handle custom messages from the OPA server.</li> </ul> </li> <li> <a href="/hub/kong-inc/canary/"><strong>Canary</strong></a> (<code class="language-plaintext highlighter-rouge">canary</code>) <ul> <li>Added a default value for the <code class="language-plaintext highlighter-rouge">start</code> field in the canary plugin. If not set, the start time defaults to the current timestamp.</li> </ul> </li> <li> <strong>Improved Plugin Documentation</strong> <ul> <li>Split the plugin compatibility table into a <a href="/hub/plugins/compatibility/">technical compatibility page</a> and a <a href="/hub/plugins/license-tiers/">license tiers</a> page.</li> <li>Updated the plugin compatibility information for more clarity on <a href="/hub/plugins/compatibility/#protocols">supported network protocols</a> and on <a href="/hub/plugins/compatibility/#scopes">entity scopes</a>.</li> <li>Revised docs for the following plugins to include examples: <ul> <li><a href="/hub/kong-inc/cors/">CORS</a></li> <li><a href="/hub/kong-inc/file-log/">File Log</a></li> <li><a href="/hub/kong-inc/http-log/">HTTP Log</a></li> <li><a href="/hub/kong-inc/jwt-signer/">JWT Signer</a></li> <li><a href="/hub/kong-inc/key-auth/">Key Auth</a></li> <li><a href="/hub/kong-inc/openid-connect/">OpenID Connect</a></li> <li><a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a></li> <li><a href="/hub/kong-inc/saml/">SAML</a></li> <li><a href="/hub/kong-inc/statsd/">StatsD</a></li> </ul> </li> </ul> </li> </ul> <h3 id="fixes-52">Fixes</h3> <h4 id="core-56">Core</h4> <ul> <li>Added back PostgreSQL <code class="language-plaintext highlighter-rouge">FLOOR</code> function when calculating <code class="language-plaintext highlighter-rouge">ttl</code>, so <code class="language-plaintext highlighter-rouge">ttl</code> is always returned as a whole integer. <a href="https://github.com/Kong/kong/pull/9960" target="_blank" rel="noopener nofollow noreferrer ">#9960</a> </li> <li>Exposed PostreSQL connection pool configuration. <a href="https://github.com/Kong/kong/pull/9603" target="_blank" rel="noopener nofollow noreferrer ">#9603</a> </li> <li> <strong>Nginx template</strong>: The default charset is no longer added to the <code class="language-plaintext highlighter-rouge">Content-Type</code> response header when the upstream response doesn’t contain it. <a href="https://github.com/Kong/kong/pull/9905" target="_blank" rel="noopener nofollow noreferrer ">#9905</a> </li> <li>Fixed an issue where, after a valid declarative configuration was loaded, the configuration hash was incorrectly set to the value <code class="language-plaintext highlighter-rouge">00000000000000000000000000000000</code>. <a href="https://github.com/Kong/kong/pull/9911" target="_blank" rel="noopener nofollow noreferrer ">#9911</a> </li> <li>Updated the batch queues module so that queues no longer grow without bounds if their consumers fail to process the entries. Instead, old batches are now dropped and an error is logged. <a href="https://github.com/Kong/kong/pull/10247" target="_blank" rel="noopener nofollow noreferrer ">#10247</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">X-Kong-Upstream-Status</code> couldn’t be emitted when a response was buffered. <a href="https://github.com/Kong/kong/pull/10056" target="_blank" rel="noopener nofollow noreferrer ">#10056</a> </li> <li>Improved the error message for invalid JWK entries. <a href="https://github.com/Kong/kong/pull/9904" target="_blank" rel="noopener nofollow noreferrer ">#9904</a> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">#</code> character wasn’t parsed correctly from environment variables and vault references. <a href="https://github.com/Kong/kong/pull/10132" target="_blank" rel="noopener nofollow noreferrer ">10132</a> </li> <li>Fixed an issue where control plane didn’t downgrade configuration for the AWS Lambda and Zipkin plugins for older versions of data planes. <a href="https://github.com/Kong/kong/pull/10346" target="_blank" rel="noopener nofollow noreferrer ">#10346</a> </li> <li>Fixed an issue in DB-less mode, where validation of regex routes could be skipped when using a configuration format older than <code class="language-plaintext highlighter-rouge">3.0</code>. <a href="https://github.com/Kong/kong/pull/10348" target="_blank" rel="noopener nofollow noreferrer ">#10348</a> </li> </ul> <h4 id="enterprise-11">Enterprise</h4> <ul> <li>Fixed an issue where the forward proxy between the data plane and the control plane didn’t support telemetry port 8006.</li> <li>Fix the PostgreSQL mTLS error <code class="language-plaintext highlighter-rouge">bad client cert type</code>.</li> <li>Fixed issues with the Admin API’s <code class="language-plaintext highlighter-rouge">/licenses</code> endpoint: <ul> <li>The Enterprise license wasn’t being picked up by other nodes in a cluster.</li> <li>Vitals routes weren’t accessible.</li> <li>Vitals wasn’t showing up in hybrid mode.</li> </ul> </li> <li>Fixed RBAC issues: <ul> <li>Fixed an issue where workspace admins couldn’t add rate limiting policies to consumer groups.</li> <li>Fixed an issue where workspace admins in one workspace would have admin rights in other workspaces. Workspace admins are now correctly restricted to their own workspaces.</li> <li>Fixed a role precedence issue with RBAC. RBAC rules involving deny (negative) rules now correctly take precedence over allow (non-negative) roles.</li> </ul> </li> </ul> <h5 id="vitals">Vitals</h5> <ul> <li>Fixed an issue where Vitals wasn’t tracking the status codes of service-less routes.</li> <li>Fixed the Admin API error <code class="language-plaintext highlighter-rouge">/vitals/reports/:entity_type is not available</code>.</li> </ul> <h5 id="kong-manager-22">Kong Manager</h5> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">404 Not Found</code> errors were triggered while updating the service, route, or consumer bound to a scoped plugin.</li> <li>Moved the <code class="language-plaintext highlighter-rouge">tags</code> field out of the advanced fields section for certificate, route, and upstream configuration pages. The tags field is now visible without needing to expand to see all fields.</li> <li>Improved the user interface for Keys and Key Sets entities.</li> <li>You can now add tags for consumer groups in Kong Manager.</li> <li>Fixed an issue where the plugin <strong>Copy JSON</strong> button didn’t copy the full configuration.</li> <li>Fixed an issue where the password reset form didn’t check for matching passwords and allowed mismatched passwords to be submitted.</li> <li>Added a link to the upgrade prompt for Konnect or Enterprise.</li> <li>Fixed an issue where any IdP user could log into Kong Manager, regardless of their role or group membership. These users could see the Workspaces Overview dashboard with the default workspace, but they couldn’t do anything else. Now, if IdP users with no groups or roles attempt to log into Kong Manager, they will be denied access.</li> </ul> <h4 id="plugins-72">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Fixed an issue where the global plugin’s sample ratio overrode the route-specific ratio. <a href="https://github.com/Kong/kong/pull/9877" target="_blank" rel="noopener nofollow noreferrer ">#9877</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">trace-id</code> and <code class="language-plaintext highlighter-rouge">parent-id</code> strings with decimals were not processed correctly.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt/"><strong>JWT</strong></a> (<code class="language-plaintext highlighter-rouge">jwt</code>) <ul> <li> <p>This plugin now denies requests that have different tokens in the JWT token search locations.</p> <p>Thanks Jackson ‘Che-Chun’ Kuo from Latacora for reporting this issue. <a href="https://github.com/Kong/kong/pull/9946" target="_blank" rel="noopener nofollow noreferrer ">#9946</a></p> </li> </ul> </li> <li> <a href="/hub/kong-inc/datadog/"><strong>Datadog</strong></a> (<code class="language-plaintext highlighter-rouge">datadog</code>),<a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>), and <a href="/hub/kong-inc/statsd/"><strong>StatsD</strong></a> (<code class="language-plaintext highlighter-rouge">statsd</code>) <ul> <li>Fixed an issue in these plugins’ batch queue processing, where metrics would be published multiple times. This caused a memory leak, where memory usage would grow without limit. <a href="https://github.com/Kong/kong/pull/10052" target="_blank" rel="noopener nofollow noreferrer ">#10052</a> <a href="https://github.com/Kong/kong/pull/10044" target="_blank" rel="noopener nofollow noreferrer ">#10044</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed non-compliances to specification: <ul> <li>For <code class="language-plaintext highlighter-rouge">http.uri</code> in spans, the field is now the full HTTP URI. <a href="https://github.com/Kong/kong/pull/10036" target="_blank" rel="noopener nofollow noreferrer ">#10036</a> </li> <li> <code class="language-plaintext highlighter-rouge">http.status_code</code> is now present on spans for requests that have a status code. <a href="https://github.com/Kong/kong/pull/10160" target="_blank" rel="noopener nofollow noreferrer ">#10160</a> </li> <li> <code class="language-plaintext highlighter-rouge">http.flavor</code> is now a string value, not a double. <a href="https://github.com/Kong/kong/pull/10160" target="_blank" rel="noopener nofollow noreferrer ">#10160</a> </li> </ul> </li> <li>Fixed an issue with getting the traces of other formats, where the trace ID reported and propagated could be of incorrect length. This caused traces originating from Kong Gateway to incorrectly connect with the target service, causing Kong Gateway and the target service to submit separate traces. <a href="https://github.com/Kong/kong/pull/10332" target="_blank" rel="noopener nofollow noreferrer ">#10332</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2/"><strong>OAuth2</strong></a> (<code class="language-plaintext highlighter-rouge">oauth2</code>) <ul> <li> <code class="language-plaintext highlighter-rouge">refresh_token_ttl</code> is now limited to a range between <code class="language-plaintext highlighter-rouge">0</code> and <code class="language-plaintext highlighter-rouge">100000000</code> by the schema validator. Previously, numbers that were too large caused requests to fail. <a href="https://github.com/Kong/kong/pull/10068" target="_blank" rel="noopener nofollow noreferrer ">#10068</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/"><strong>OpenID Connect</strong></a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue where it was not possible to specify an anonymous consumer by name.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">authorization_cookie_httponly</code> and <code class="language-plaintext highlighter-rouge">session_cookie_httponly</code> parameters would always be set to <code class="language-plaintext highlighter-rouge">true</code>, even if they were configured as <code class="language-plaintext highlighter-rouge">false</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Matched the plugin’s behavior to the Rate Limiting plugin. When an <code class="language-plaintext highlighter-rouge">HTTP 429</code> status code was returned, rate limiting related headers were missed from the PDK module <code class="language-plaintext highlighter-rouge">kong.response.exit()</code>. This made the plugin incompatible with other Kong components like the Exit Transformer plugin.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer/"><strong>Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">allow.json</code> configuration parameter couldn’t use nested JSON object and array syntax.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed UUID pattern matching.</li> </ul> </li> <li> <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">session_cookie_httponly</code> parameter would always be set to <code class="language-plaintext highlighter-rouge">true</code>, even if it was configured as <code class="language-plaintext highlighter-rouge">false</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth-enc/"><strong>Key Authentication Encrypted</strong></a> (<code class="language-plaintext highlighter-rouge">key-auth-enc</code>) <ul> <li>Fixed the <code class="language-plaintext highlighter-rouge">ttl</code> parameter. You can now set <code class="language-plaintext highlighter-rouge">ttl</code> for an encrypted key.</li> <li>Fixed an issue where this plugin didn’t accept tags.</li> </ul> </li> </ul> <h3 id="dependencies-39">Dependencies</h3> <ul> <li>Bumped<code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 0.8.15 to 0.8.17</li> <li>Bumped <code class="language-plaintext highlighter-rouge">libexpat</code> from 2.4.9 to 2.5.0</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-openid-connect</code> from v2.5.0 to v2.5.2</li> <li>Bumped <code class="language-plaintext highlighter-rouge">openssl</code> from 1.1.1q to 1.1.1t</li> <li> <code class="language-plaintext highlighter-rouge">libyaml</code> is no longer built with Kong Gateway. System <code class="language-plaintext highlighter-rouge">libyaml</code> is used instead.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">luarocks</code> from 3.9.1 to 3.9.2 <a href="https://github.com/Kong/kong/pull/9942" target="_blank" rel="noopener nofollow noreferrer ">#9942</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> from 1.0.1 to 1.0.5 <a href="https://github.com/Kong/kong/pull/9925" target="_blank" rel="noopener nofollow noreferrer ">#9925</a> <a href="https://github.com/Kong/kong/pull/10143" target="_blank" rel="noopener nofollow noreferrer ">#10143</a> <a href="https://github.com/Kong/kong/pull/10208" target="_blank" rel="noopener nofollow noreferrer ">#10208</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 0.8.15 to 0.8.17 <a href="https://github.com/Kong/kong/pull/9583" target="_blank" rel="noopener nofollow noreferrer ">#9583</a> <a href="https://github.com/Kong/kong/pull/10144" target="_blank" rel="noopener nofollow noreferrer ">#10144</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> from 0.5.0 to 0.5.1 <a href="https://github.com/Kong/kong/pull/10181" target="_blank" rel="noopener nofollow noreferrer ">#10181</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-session</code> from 3.10 to 4.0.0 <a href="https://github.com/Kong/kong/pull/10199" target="_blank" rel="noopener nofollow noreferrer ">#10199</a> <a href="https://github.com/Kong/kong/pull/10230" target="_blank" rel="noopener nofollow noreferrer ">#10230</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml</code> from 2.10.2 to 2.10.3 to resolve <a href="https://nvd.nist.gov/vuln/detail/cve-2022-40303" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022-40303</a> and <a href="https://nvd.nist.gov/vuln/detail/cve-2022-40304" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022-40304</a> </li> </ul> <h2 id="3116">3.1.1.6</h2> <p><strong>Release Date</strong> 2023/10/12</p> <h3 id="fixes-53">Fixes</h3> <h4 id="core-57">Core</h4> <ul> <li> <p>Applied Nginx patch for early detection of HTTP/2 stream reset attacks. This change is in direct response to the identified vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023-44487</a>.</p> <p>See our <a href="https://konghq.com/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update" target="_blank" rel="noopener nofollow noreferrer ">blog post</a> for more details on this vulnerability and Kong’s responses to it.</p> </li> </ul> <h3 id="dependencies-40">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">libxml2</code> from 2.10.2 to 2.11.5</li> </ul> <h2 id="3115">3.1.1.5</h2> <p><strong>Release Date</strong> 2023/08/25</p> <h3 id="features-36">Features</h3> <ul> <li>The Redis strategy of Rate Limiting now catches connection failures.</li> <li>Added the parameter <code class="language-plaintext highlighter-rouge">admin_auto_create</code> for automatically creating a Kong admin.</li> <li>Kong Manager supports the <code class="language-plaintext highlighter-rouge">POST</code> response method for OIDC based authentication</li> </ul> <h3 id="fixes-54">Fixes</h3> <h4 id="enterprise-12">Enterprise</h4> <ul> <li>Fixed an issue with the plugin iterator where sorting would become mixed up when dynamic reordering was applied. This fix ensures proper sorting behavior in all scenarios.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">resty.dns.client</code> leaked UDP sockets.</li> <li>Fixed a bug where setting <code class="language-plaintext highlighter-rouge">anonymous_reports=false</code> would not silence anonymous reports.</li> <li>Fixed an issue with hybrid mode where vitals and analytics could not communicate through the cluster telemetry endpoint.</li> <li>Fixed the HTTP2 request handle in ARM artifacts.</li> <li>Fixed the OpenResty <code class="language-plaintext highlighter-rouge">ngx.print</code> chunk encoding duplicate free buffer issue that led to the corruption of chunk-encoded response data. <a href="https://github.com/Kong/kong/pull/10816" target="_blank" rel="noopener nofollow noreferrer ">#10816</a><a href="https://github.com/Kong/kong/pull/10824" target="_blank" rel="noopener nofollow noreferrer ">#10824</a> </li> <li>Fixed an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different route or service entities.</li> <li>Fixed the Dynatrace implementation.</li> </ul> <p><strong>Kong Manager</strong>:</p> <ul> <li>Fixed an issue where configuration links would redirect users to the default workspace.</li> <li>Fixed an issue with Kong Manager when using OpenID Connect where passing invalid credentials was not resulting in a redirect.</li> </ul> <h4 id="plugins-73">Plugins</h4> <ul> <li>Request Transformer Advanced: Fixed an issue that was causing some requests to be proxied with the wrong query parameters.</li> <li>Response Transformer Advanced: Fixed an issue where large decimals were rounded when the plugin was being used.</li> <li>Rate Limiting Advanced: <ul> <li>Fixed an issue where the control plane was trying to sync the rate-limiting-advanced counters with Redis.</li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">rl cluster_events</code> broadcasted the wrong data in traditional cluster mode.</li> </ul> </li> <li>Oauth2: Fixed a bug that <code class="language-plaintext highlighter-rouge">refresh_token</code> could be shared across instances.</li> </ul> <h3 id="dependencies-41">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenSSL</code> from 1.1.1t to 3.1.1</li> <li>Bumped<code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> from 0.8.15 to 0.8.22</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-kafka</code> from 0.15 to 0.16</li> </ul> <h2 id="3114">3.1.1.4</h2> <p><strong>Release Date</strong> 2023/05/16</p> <h3 id="features-37">Features</h3> <ul> <li>Kong Manager with OIDC: <ul> <li>Added the configuration option <a href="/gateway/latest/kong-manager/auth/oidc/mapping/"><code class="language-plaintext highlighter-rouge">admin_auto_create</code></a> to enable or disable automatic admin creation. This option is <code class="language-plaintext highlighter-rouge">true</code> by default.</li> </ul> </li> </ul> <h3 id="fixes-55">Fixes</h3> <h4 id="core-58">Core</h4> <ul> <li>Fixed the UDP socket leak in <code class="language-plaintext highlighter-rouge">resty.dns.client</code> caused by frequent DNS queries. <a href="https://github.com/Kong/kong/pull/10691" target="_blank" rel="noopener nofollow noreferrer ">#10691</a> </li> <li>Hybrid mode: Fixed an issue where Vitals/Analytics couldn’t communicate through the cluster telemetry endpoint.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">alpine</code> and <code class="language-plaintext highlighter-rouge">ubuntu</code> ARM64 artifacts incorrectly handled HTTP/2 requests, causing the protocol to fail.</li> <li>Fixed the OpenResty <code class="language-plaintext highlighter-rouge">ngx.print</code> chunk encoding duplicate free buffer issue that led to the corruption of chunk-encoded response data. <a href="https://github.com/Kong/kong/pull/10816" target="_blank" rel="noopener nofollow noreferrer ">#10816</a> <a href="https://github.com/Kong/kong/pull/10824" target="_blank" rel="noopener nofollow noreferrer ">#10824</a> </li> <li>Fixed the Dynatrace implementation. Due to a build system issue, Kong Gateway 3.1.x packages prior to 3.1.1.4 didn’t contain the debug symbols that Dynatrace requires.</li> </ul> <h4 id="enterprise-13">Enterprise</h4> <p><strong>Kong Manager</strong>:</p> <ul> <li>Fixed configuration fields for the StatsD plugin: <ul> <li>Added missing metric fields: <code class="language-plaintext highlighter-rouge">consumer_identifier</code>, <code class="language-plaintext highlighter-rouge">service_identifier</code>, and <code class="language-plaintext highlighter-rouge">workspace_identifier</code>.</li> <li>Removed the non-existent <code class="language-plaintext highlighter-rouge">custom_identifier</code> field.</li> </ul> </li> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">Copy JSON</code> for a plugin didn’t copy the full plugin configuration.</li> <li>Fixed an issue where the Zipkin plugin didn’t allow the addition of <code class="language-plaintext highlighter-rouge">static_tags</code> through the Kong Manager UI.</li> <li>Added missing default values to the Vault configuration page.</li> <li> <p>Fixed the broken Konnect link in free mode banners.</p> </li> <li>OIDC authentication issues: <ul> <li>The <code class="language-plaintext highlighter-rouge">/auth</code> endpoint, used by Kong Manager for OIDC authentication, now correctly supports the HTTP POST method.</li> <li>Fixed an issue with OIDC authentication in Kong Manager, where the default roles (<code class="language-plaintext highlighter-rouge">workspace-super-admin</code>, <code class="language-plaintext highlighter-rouge">workspace-read-only</code>, <code class="language-plaintext highlighter-rouge">workspace-portal-admin</code>, and <code class="language-plaintext highlighter-rouge">workspace-admin</code>) were missing from any newly created workspace.</li> <li>Fixed an issue where users with newly registered Dev Portal accounts created through OIDC were unable to log into Dev Portal until the Kong Gateway container was restarted. This happened when <code class="language-plaintext highlighter-rouge">by_username_ignore_case</code> was set to <code class="language-plaintext highlighter-rouge">true</code>, which incorrectly caused consumers to always load from cache.</li> </ul> </li> </ul> <h4 id="plugins-74">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/request-transformer-advanced/"><strong>Request Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer-advanced</code>) <ul> <li>Fixed an issue that was causing some requests to be proxied with the wrong query parameters.</li> </ul> </li> </ul> <h2 id="3113">3.1.1.3</h2> <p><strong>Release Date</strong> 2023/01/30</p> <h3 id="fixes-56">Fixes</h3> <h4 id="enterprise-14">Enterprise</h4> <ul> <li>Fixed the accidental removal of the <code class="language-plaintext highlighter-rouge">ca-certificates</code> dependency from packages and images. This prevented SSL connections from using common root certificate authorities.</li> </ul> <h3 id="upgrades">Upgrades</h3> <p>You can now directly upgrade to Kong Gateway 3.1.1.3 from 2.8.x.x. Previously, you had to upgrade to 3.0.x first, then upgrade to the latest 3.x version.</p> <h2 id="3112">3.1.1.2</h2> <p><strong>Release Date</strong> 2023/01/24</p> <h3 id="features-38">Features</h3> <h4 id="enterprise-15">Enterprise</h4> <ul> <li> <strong>Dev Portal</strong>: <ul> <li>The Dev Portal API now supports an optional <code class="language-plaintext highlighter-rouge">fields</code> query parameter on the <code class="language-plaintext highlighter-rouge">/files</code> endpoint. This parameter lets you specify which file object fields should be included in the response.</li> </ul> </li> </ul> <h4 id="core-59">Core</h4> <ul> <li> <p>When <code class="language-plaintext highlighter-rouge">router_flavor</code> is <code class="language-plaintext highlighter-rouge">traditional_compatible</code>, verify routes created using the Expression router instead of the traditional router to ensure created routes are actually compatible. <a href="https://github.com/Kong/kong/pull/10088" target="_blank" rel="noopener nofollow noreferrer ">#10088</a></p> </li> <li> <p><code class="language-plaintext highlighter-rouge">kong migrations up</code> now reports routes that are incompatible with the 3.0 router and stops the migration progress so that admins have a chance to adjust them.</p> <p><a href="https://github.com/Kong/kong/pull/10092" target="_blank" rel="noopener nofollow noreferrer ">#10092</a> <a href="https://github.com/Kong/kong/pull/10101" target="_blank" rel="noopener nofollow noreferrer ">#10101</a></p> </li> </ul> <h3 id="fixes-57">Fixes</h3> <h4 id="enterprise-16">Enterprise</h4> <ul> <li> <strong>Kong Manager</strong>: <ul> <li>Fixed issues with the plugin list: <ul> <li>Added missing icons and categories for the TLS Handshake Modifier and TLS Metadata Headers plugins.</li> <li>Removed entries for the following deprecated plugins: Kubernetes Sidecar Injector, Collector, and Upstream TLS.</li> <li>Removed Apache OpenWhisk plugin from Kong Manager. This plugin must be <a href="/hub/kong-inc/openwhisk/">installed manually via LuaRocks</a>.</li> <li>Removed the internal-only Konnect Application Auth plugin.</li> </ul> </li> <li>Fixed an issue where Kong Manager would occasionally log out while redirecting to other pages or refreshing the page when OpenID Connect was used as the authentication method.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">404 Not Found</code> errors were triggered while updating the service, route, or consumer bound to a scoped plugin.</li> <li>Fixed an issue where admins with the permission <code class="language-plaintext highlighter-rouge">['create'] /services/*/plugins</code> couldn’t create plugins under a service.</li> <li>Fixed an issue where viewing a consumer group in any workspace other than <code class="language-plaintext highlighter-rouge">default</code> would cause a <code class="language-plaintext highlighter-rouge">404 Not Found</code> error.</li> </ul> </li> </ul> <h4 id="core-60">Core</h4> <ul> <li>Fixed an issue where regexes generated in inso would not work in Kong Gateway.</li> <li>Bumped <code class="language-plaintext highlighter-rouge">atc-router</code> to <code class="language-plaintext highlighter-rouge">1.0.2</code> to address the potential worker crash issue. <a href="https://github.com/Kong/kong/pull/9927" target="_blank" rel="noopener nofollow noreferrer ">#9927</a> </li> </ul> <h4 id="hybrid-mode">Hybrid mode</h4> <ul> <li>Fixed an issue where Vitals data was not showing up after a license was deployed using the <code class="language-plaintext highlighter-rouge">/licenses</code> endpoint. Kong Gateway now triggers an event that allows the Vitals subsystem to be reinitialized during license preload.</li> <li>Fixed an issue where the forward proxy between data planes and the control plane didn’t support the telemetry port <code class="language-plaintext highlighter-rouge">8006</code>.</li> <li>Reverted the removal of WebSocket protocol support for configuration sync. Backwards compatibility with 2.8.x.x data planes has been restored. <a href="https://github.com/Kong/kong/pull/10067" target="_blank" rel="noopener nofollow noreferrer ">#10067</a> </li> </ul> <h4 id="plugins-75">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/datadog/"><strong>Datadog</strong></a> (<code class="language-plaintext highlighter-rouge">datadog</code>),<a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>), and <a href="/hub/kong-inc/statsd/"><strong>StatsD</strong></a> (<code class="language-plaintext highlighter-rouge">statsd</code>) <ul> <li>Fixed an issue in these plugins’ batch queue processing, where metrics would be published multiple times. This caused a memory leak, where memory usage would grow without limit.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue with the <code class="language-plaintext highlighter-rouge">local</code> strategy, which was not working correctly when <code class="language-plaintext highlighter-rouge">window_size</code> was set to <code class="language-plaintext highlighter-rouge">fixed</code>, and the cache would expire while the window was still valid.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Added the OAS Validation plugin back into the bundled plugins list. The plugin is now available by default with no extra configuration necessary through <code class="language-plaintext highlighter-rouge">kong.conf</code>.</li> <li>Fixed an issue where the plugin returned the wrong error message when failing to get the path schema spec.</li> <li>Fixed a <code class="language-plaintext highlighter-rouge">500</code> error that occurred when the response body schema had no content field.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed an issue where the plugin used the old route caches after routes were updated.</li> </ul> </li> </ul> <h3 id="deprecations-8">Deprecations</h3> <ul> <li>Support for the <code class="language-plaintext highlighter-rouge">/vitals/reports/:entity_type</code> endpoint is deprecated. Use one of the following endpoints from the Vitals API instead: <ul> <li>For <code class="language-plaintext highlighter-rouge">/vitals/reports/consumer</code>, use <code class="language-plaintext highlighter-rouge">/{workspace_name}/vitals/status_codes/by_consumer</code> instead</li> <li>For <code class="language-plaintext highlighter-rouge">/vitals/reports/service</code>, use <code class="language-plaintext highlighter-rouge">/{workspace_name}/vitals/status_codes/by_service</code> instead</li> <li>For <code class="language-plaintext highlighter-rouge">/vitals/reports/hostname</code>, use <code class="language-plaintext highlighter-rouge">/{workspace_name}/vitals/nodes</code> instead</li> </ul> <p>See the <a href="/gateway/latest/kong-enterprise/analytics/#vitals-api">Vitals documentation</a> for more detail.</p> </li> </ul> <h3 id="known-issues-9">Known issues</h3> <ul> <li> <p>The <code class="language-plaintext highlighter-rouge">ca-certificates</code> dependency is missing from packages and images. This prevents SSL connections from using common root certificate authorities.</p> <p>Upgrade to 3.1.1.3 to resolve.</p> </li> </ul> <h2 id="3100">3.1.0.0</h2> <p><strong>Release Date</strong> 2022/12/06</p> <h3 id="features-39">Features</h3> <h4 id="enterprise-17">Enterprise</h4> <ul> <li> <p>You can now specify the namespaces of HashiCorp Vaults for secrets management.</p> </li> <li>Added support for HashiCorp Vault backends to retrieve a vault token from a Kubernetes service account. See the following configuration parameters: <ul> <li><a href="/gateway/latest/reference/configuration/#keyring_vault_auth_method"><code class="language-plaintext highlighter-rouge">keyring_vault_auth_method</code></a></li> <li><a href="/gateway/latest/reference/configuration/#keyring_vault_kube_role"><code class="language-plaintext highlighter-rouge">keyring_vault_kube_role</code></a></li> <li><a href="/gateway/latest/reference/configuration/#keyring_vault_kube_api_token_file"><code class="language-plaintext highlighter-rouge">keyring_vault_kube_api_token_file</code></a></li> </ul> </li> <li>FIPS 140-2 packages: <ul> <li>Kong Gateway Enterprise now provides <a href="/gateway/latest/kong-enterprise/fips-support/">FIPS 140-2 compliant packages for Red Hat Enterprise 8 and Ubuntu 22.04</a>.</li> <li>Kong Gateway FIPS distributions now support TLS connections to the PostgreSQL database.</li> </ul> </li> <li> <p>You can now <a href="/gateway/latest/kong-enterprise/consumer-groups/#delete-consumer-group-configurations">delete consumer group configurations</a> without deleting the group or the consumers in it.</p> </li> <li> <strong>Kong Manager</strong>: <ul> <li>You can now configure the base path for Kong Manager, for example: <code class="language-plaintext highlighter-rouge">localhost:8445/manager</code>. This allows you to proxy all traffic through Kong Gateway. For example, you can proxy both API and Kong Manager traffic from one port. In addition, using the new Kong Manager base path allows you to add plugins to control access to Kong Manager. For more information, see <a href="/gateway/latest/kong-manager/enable/">Enable Kong Manager</a>.</li> <li>You can now create consumer groups in Kong Manager. This allows you to define any number of rate limiting tiers and apply them to subsets of consumers instead of managing each consumer individually. For more information, see <a href="/gateway/latest/kong-manager/consumer-groups/">Create Consumer Groups in Kong Manager</a>.</li> <li>You can now add <code class="language-plaintext highlighter-rouge">key-auth-enc</code> credentials to a consumer.</li> <li>OpenID Connect plugin: More authorization variables have been added to the <strong>Authorization</strong> tab.</li> <li>The Kong Manager overview tab has been optimized for performance.</li> <li>You can now configure vaults for managing secrets through Kong Manager. Use the new Vaults menu to set up and manage any vaults that Kong Gateway supports. See the <a href="/gateway/latest/kong-enterprise/secrets-management/backends/">Vault Backends references</a> for descriptions of all the configuration options.</li> <li>Added support for interfacing with dynamic plugin ordering.</li> <li>Added the ability to view details about certificates.</li> <li>Added tooltips to plugin UI with field descriptions.</li> <li>Added support for persisting the page size of lists across pages and provided more options for page sizes.</li> </ul> </li> </ul> <h4 id="core-61">Core</h4> <ul> <li>Allow <code class="language-plaintext highlighter-rouge">kong.conf</code> SSL properties to be stored in vaults or environment variables. Allow such properties to be configured directly as content or base64 encoded content. <a href="https://github.com/Kong/kong/pull/9253" target="_blank" rel="noopener nofollow noreferrer ">#9253</a> </li> <li>Added support for full entity transformations in schemas. <a href="https://github.com/Kong/kong/pull/9431" target="_blank" rel="noopener nofollow noreferrer ">#9431</a> </li> <li>The schema <code class="language-plaintext highlighter-rouge">map</code> type field can now be marked as referenceable. <a href="https://github.com/Kong/kong/pull/9611" target="_blank" rel="noopener nofollow noreferrer ">#9611</a> </li> <li>Added support for <a href="/gateway/latest/production/logging/update-log-level-dynamically/">dynamically changing the log level</a>. <a href="https://github.com/Kong/kong/pull/9744" target="_blank" rel="noopener nofollow noreferrer ">#9744</a> </li> <li>Added support for the <code class="language-plaintext highlighter-rouge">keys</code> and <code class="language-plaintext highlighter-rouge">key-sets</code> entities. These are used for managing asymmetric keys in various formats (JWK, PEM). For more information, see <a href="/gateway/latest/reference/key-management/">Key management</a>. <a href="https://github.com/Kong/kong/pull/9737" target="_blank" rel="noopener nofollow noreferrer ">#9737</a> </li> </ul> <h4 id="hybrid-mode-1">Hybrid Mode</h4> <ul> <li>Data plane node IDs will now persist across restarts. <a href="https://github.com/Kong/kong/pull/9067" target="_blank" rel="noopener nofollow noreferrer ">#9067</a> </li> <li>Added HTTP CONNECT forward proxy support for hybrid mode connections. New configuration options <code class="language-plaintext highlighter-rouge">cluster_use_proxy</code>, <code class="language-plaintext highlighter-rouge">proxy_server</code> and <code class="language-plaintext highlighter-rouge">proxy_server_ssl_verify</code> are added. For more information, see <a href="/gateway/latest/production/networking/cp-dp-proxy/">CP/DP Communication through a Forward Proxy</a>. <a href="https://github.com/Kong/kong/pull/9758" target="_blank" rel="noopener nofollow noreferrer ">#9758</a> <a href="https://github.com/Kong/kong/pull/9773" target="_blank" rel="noopener nofollow noreferrer ">#9773</a> </li> </ul> <h4 id="performance-7">Performance</h4> <ul> <li>Increase the default value of <code class="language-plaintext highlighter-rouge">lua_regex_cache_max_entries</code>. A warning will be thrown when there are too many regex routes and <code class="language-plaintext highlighter-rouge">router_flavor</code> is <code class="language-plaintext highlighter-rouge">traditional</code>. <a href="https://github.com/Kong/kong/pull/9624" target="_blank" rel="noopener nofollow noreferrer ">#9624</a> </li> <li>Add batch queue into the Datadog and StatsD plugins to reduce timer usage. <a href="https://github.com/Kong/kong/pull/9521" target="_blank" rel="noopener nofollow noreferrer ">#9521</a> </li> </ul> <h4 id="os-support">OS support</h4> <ul> <li>Kong Gateway now supports Amazon Linux 2022 with Enterprise packages.</li> <li>Kong Gateway now supports Ubuntu 22.04 with both open-source and Enterprise packages.</li> </ul> <h4 id="pdk-17">PDK</h4> <ul> <li>Extend <code class="language-plaintext highlighter-rouge">kong.client.tls.request_client_certificate</code> to support setting the Distinguished Name (DN) list hints of the accepted CA certificates. <a href="https://github.com/Kong/kong/pull/9768" target="_blank" rel="noopener nofollow noreferrer ">#9768</a> </li> </ul> <h4 id="plugins-76">Plugins</h4> <p><strong>New plugins:</strong></p> <ul> <li> <a href="/hub/kong-inc/app-dynamics/"><strong>AppDynamics</strong></a> (<code class="language-plaintext highlighter-rouge">app-dynamics</code>) <ul> <li>Integrate Kong Gateway with the AppDynamics APM Platform.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwe-decrypt/"><strong>JWE Decrypt</strong></a> (<code class="language-plaintext highlighter-rouge">jwe-decrypt</code>) <ul> <li>Allows you to decrypt an inbound token (JWE) in a request.</li> </ul> </li> <li> <a href="/hub/kong-inc/oas-validation/"><strong>OAS Validation</strong></a> (<code class="language-plaintext highlighter-rouge">oas-validation</code>) <ul> <li>Validate HTTP requests and responses based on an OpenAPI 3.0 or Swagger API Specification.</li> </ul> </li> <li> <a href="/hub/kong-inc/saml/"><strong>SAML</strong></a> (<code class="language-plaintext highlighter-rouge">saml</code>) <ul> <li>Provides SAML v2.0 authentication and authorization between a service provider (Kong Gateway) and an identity provider (IdP).</li> </ul> </li> <li> <a href="/hub/kong-inc/xml-threat-protection/"><strong>XML Threat Protection</strong></a> (<code class="language-plaintext highlighter-rouge">xml-threat-protection</code>) <ul> <li>This new plugin allows you to reduce the risk of XML attacks by checking the structure of XML payloads. This validates maximum complexity (depth of the tree), maximum size of elements and attributes.</li> </ul> </li> </ul> <p><strong>Updates to existing plugins:</strong></p> <ul> <li> <a href="/hub/kong-inc/acme/"><strong>ACME</strong></a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Added support for Redis SSL, through configuration properties <code class="language-plaintext highlighter-rouge">config.storage_config.redis.ssl</code>, <code class="language-plaintext highlighter-rouge">config.storage_config.redis.ssl_verify</code>, and <code class="language-plaintext highlighter-rouge">config.storage_config.redis.ssl_server_name</code>. <a href="https://github.com/Kong/kong/pull/9626" target="_blank" rel="noopener nofollow noreferrer ">#9626</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added <code class="language-plaintext highlighter-rouge">requestContext</code> field into <code class="language-plaintext highlighter-rouge">awsgateway_compatible</code> input data <a href="https://github.com/Kong/kong/pull/9380" target="_blank" rel="noopener nofollow noreferrer ">#9380</a> </li> </ul> </li> <li> <a href="/hub/#authentication"><strong>Authentication plugins</strong></a>: <ul> <li>The <code class="language-plaintext highlighter-rouge">anonymous</code> field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Added referenceable attribute to the <code class="language-plaintext highlighter-rouge">headers</code> field that could be stored in vaults. <a href="https://github.com/Kong/kong/pull/9611" target="_blank" rel="noopener nofollow noreferrer ">#9611</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/"><strong>Forward Proxy</strong></a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li> <p><code class="language-plaintext highlighter-rouge">x_headers</code> field added. This field indicates how the plugin handles the headers <code class="language-plaintext highlighter-rouge">X-Real-IP</code>, <code class="language-plaintext highlighter-rouge">X-Forwarded-For</code>, <code class="language-plaintext highlighter-rouge">X-Forwarded-Proto</code>, <code class="language-plaintext highlighter-rouge">X-Forwarded-Host</code>, and <code class="language-plaintext highlighter-rouge">X-Forwarded-Port</code>.</p> <p>The field can take one of the following options:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">append</code>: append information from this hop in the chain to those headers. This is the default setting.</li> <li> <code class="language-plaintext highlighter-rouge">transparent</code>: leave the headers unchanged, as if the the Kong Gateway was not a proxy.</li> <li> <code class="language-plaintext highlighter-rouge">delete</code>: remove all the headers, as if the Kong Gateway was the originating client.</li> </ul> <p>Note that all options respect the trusted IP setting, and will ignore headers from the last hop in the chain if they are not from clients with trusted IPs.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">included_status_codes</code> and <code class="language-plaintext highlighter-rouge">random_status_code</code> fields. These allow you to configure the HTTP status codes for the plugin.</li> <li>The plugin now lets you auto-generate a random response based on the schema definition without defining examples.</li> <li>You can now control behavior or obtain a specific response by sending behavioral headers: <code class="language-plaintext highlighter-rouge">X-Kong-Mocking-Delay</code>, <code class="language-plaintext highlighter-rouge">X-Kong-Mocking-Example-Id</code>, and <code class="language-plaintext highlighter-rouge">X-Kong-Mocking-Status-Code</code>.</li> <li>This plugin now supports: <ul> <li>MIME types priority match</li> <li>All HTTP codes</li> <li><code class="language-plaintext highlighter-rouge">$ref</code></li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/"><strong>mTLS Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">config.send_ca_dn</code> configuration parameter to support sending CA DNs in the <code class="language-plaintext highlighter-rouge">CertificateRequest</code> message during SSL handshakes.</li> <li>Added the <code class="language-plaintext highlighter-rouge">allow_partial_chain</code> configuration parameter to allow certificate verification with only an intermediate certificate.</li> </ul> </li> <li> <a href="/hub/kong-inc/opa/"><strong>OPA</strong></a> (<code class="language-plaintext highlighter-rouge">OPA</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">include_uri_captures_in_opa_input</code> field. When this field is set to true, the <a href="/gateway/latest/reference/proxy/#using-regex-in-paths">regex capture groups</a> captured on the Kong Gateway route’s path field in the current request (if any) are included as input to OPA.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Added support for integrating with Redis clusters through the <code class="language-plaintext highlighter-rouge">config.redis.cluster_addresses</code> configuration property.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/"><strong>Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>The HTTP status code and response body for rate-limited requests can now be customized. Thanks, <a href="https://github.com/utix" target="_blank" rel="noopener nofollow noreferrer ">@utix</a>! <a href="https://github.com/Kong/kong/pull/8930" target="_blank" rel="noopener nofollow noreferrer ">#8930</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Added support for deleting customer groups using the API.</li> <li>Added <code class="language-plaintext highlighter-rouge">config.disable_penalty</code> to control whether to count <code class="language-plaintext highlighter-rouge">429</code> or not in sliding window mode.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer-advanced/"><strong>Request Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer-advanced</code>) <ul> <li>Added support for navigating nested JSON objects and arrays when transforming a JSON payload.</li> <li>The plugin now supports vault references.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/"><strong>Request Validator</strong></a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>The plugin now supports the <code class="language-plaintext highlighter-rouge">charset</code> option for the <code class="language-plaintext highlighter-rouge">config.allowed_content_types</code> parameter.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-ratelimiting/"><strong>Response Rate Limiting</strong></a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Added support for Redis SSL through configuration properties <code class="language-plaintext highlighter-rouge">redis_ssl</code> (can be set to <code class="language-plaintext highlighter-rouge">true</code> or <code class="language-plaintext highlighter-rouge">false</code>), <code class="language-plaintext highlighter-rouge">ssl_verify</code>, and <code class="language-plaintext highlighter-rouge">ssl_server_name</code>. Thanks, <a href="https://github.com/dominikkukacka" target="_blank" rel="noopener nofollow noreferrer ">@dominikkukacka</a>! <a href="https://github.com/Kong/kong/pull/8595" target="_blank" rel="noopener nofollow noreferrer ">#8595</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/route-transformer-advanced/"><strong>Route Transformer Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">route-transformer-advanced</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">config.escape_path</code> configuration parameter, which lets you escape the transformed path.</li> </ul> </li> <li> <a href="/hub/kong-inc/session/"><strong>Session</strong></a> (<code class="language-plaintext highlighter-rouge">session</code>) <ul> <li>Added new config <code class="language-plaintext highlighter-rouge">cookie_persistent</code>, which allows the browser to persist cookies even if the browser is closed. This defaults to <code class="language-plaintext highlighter-rouge">false</code> which means cookies are not persisted across browser restarts. Thanks <a href="https://github.com/tschaume" target="_blank" rel="noopener nofollow noreferrer ">@tschaume</a> for this contribution! <a href="https://github.com/Kong/kong/pull/8187" target="_blank" rel="noopener nofollow noreferrer ">#8187</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/vault-auth/"><strong>Vault Authentication</strong></a> (<code class="language-plaintext highlighter-rouge">vault-auth</code>) <ul> <li>Added support for KV Secrets Engine v2.</li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">response_header_for_traceid</code> field in Zipkin plugin. The plugin sets the corresponding header in the response if the field is specified with a string value. <a href="https://github.com/Kong/kong/pull/9173" target="_blank" rel="noopener nofollow noreferrer ">#9173</a> </li> </ul> </li> <li>WebSocket service/route support was added for logging plugins: <ul> <li>http-log</li> <li>file-log</li> <li>udp-log</li> <li>tcp-log</li> <li>loggly</li> <li>syslog</li> <li>kafka-log</li> </ul> </li> </ul> <h3 id="known-limitations">Known limitations</h3> <ul> <li>With Dynamic log levels, if you set log-level to <code class="language-plaintext highlighter-rouge">alert</code> you will still see <code class="language-plaintext highlighter-rouge">info</code> and <code class="language-plaintext highlighter-rouge">error</code> entries in the logs.</li> </ul> <h3 id="fixes-58">Fixes</h3> <h4 id="enterprise-18">Enterprise</h4> <ul> <li>Fixed an issue where the RBAC token was not re-hashed after an update on the <code class="language-plaintext highlighter-rouge">user_token</code> field.</li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">admin_gui_auth_conf</code> wouldn’t accept a JSON-formatted value, and was therefore unable to use vault references to secrets.</li> <li>Fixed an issue where Admin GUI logs were not stored in the correct log file.</li> <li>Fixed an issue where Kong Gateway was unable to start in free Enterprise mode while using vaults.</li> <li>Updated the response body for the <code class="language-plaintext highlighter-rouge">TRACE</code> method request.</li> <li>Targets with a weight of <code class="language-plaintext highlighter-rouge">0</code> are no longer included in health checks, and checking their status via the <code class="language-plaintext highlighter-rouge">upstreams/<upstream>/health</code> endpoint results in the status <code class="language-plaintext highlighter-rouge">HEALTHCHECK_OFF</code>. Previously, the <code class="language-plaintext highlighter-rouge">upstreams/<upstream>/health</code> endpoint was incorrectly reporting targets with <code class="language-plaintext highlighter-rouge">weight=0</code> as <code class="language-plaintext highlighter-rouge">HEALTHY</code>, and the health check was reporting the same targets as <code class="language-plaintext highlighter-rouge">UNDEFINED</code>.</li> <li>Updated the Admin API response status code from <code class="language-plaintext highlighter-rouge">500</code> to <code class="language-plaintext highlighter-rouge">200</code> when the database is down.</li> <li>Fixed an issue when passing a license from the control plane to the data plane using the Admin API <code class="language-plaintext highlighter-rouge">/licenses</code> endpoint.</li> <li>In hybrid mode, fixed a license issue where entity validation would fail when the license entity was not processed first.</li> <li>Fixed a Websockets issue with redirects. Now, Kong Gateway redirects <code class="language-plaintext highlighter-rouge">ws</code> requests to <code class="language-plaintext highlighter-rouge">wss</code> for <code class="language-plaintext highlighter-rouge">wss</code>-only routes for parity with HTTP/HTTPS.</li> <li> <strong>Kong Manager</strong>: <ul> <li>Added logging for all Kong Manager access logs.</li> <li>Fixed an issue where the <strong>New Workspace</strong> button was occasionally unusable.</li> <li>Fixed the name display of plugin configurations in Kong Manager.</li> <li>Fixed an issue where some items were missing from the suggestion list when there were many items present.</li> <li>Removed the deprecated Vitals Reports feature from Kong Manager.</li> <li>Fixed an issue where admins with permissions to interact with scoped entities, such as routes and services, couldn’t perform operations as expected.</li> <li>Fixed an issue where admins with the <code class="language-plaintext highlighter-rouge">/admins</code> permission were forced to log out after signing in.</li> <li>Fixed a performance issue where admins with a large number of workspace permissions caused Kong Manager to load slowly.</li> </ul> </li> </ul> <h4 id="core-62">Core</h4> <ul> <li>Fixed an issue where external plugins crashing with unhandled exceptions would cause high CPU utilization after the automatic restart. <a href="https://github.com/Kong/kong/pull/9384" target="_blank" rel="noopener nofollow noreferrer ">#9384</a> </li> <li>Added <code class="language-plaintext highlighter-rouge">use_srv_name</code> options to upstream for balancer. <a href="https://github.com/Kong/kong/pull/9430" target="_blank" rel="noopener nofollow noreferrer ">#9430</a> </li> <li>Fixed an issue in <code class="language-plaintext highlighter-rouge">header_filter</code> instrumentation where the span was not correctly created. <a href="https://github.com/Kong/kong/pull/9434" target="_blank" rel="noopener nofollow noreferrer ">#9434</a> </li> <li>Fixed an issue in router building in <code class="language-plaintext highlighter-rouge">traditional_compatible</code> mode. When the field contained an empty table, the generated expression was invalid. <a href="https://github.com/Kong/kong/pull/9451" target="_blank" rel="noopener nofollow noreferrer ">#9451</a> </li> <li>Fixed an issue in router rebuilding where when the <code class="language-plaintext highlighter-rouge">paths</code> field is invalid, the router’s mutex is not released properly. <a href="https://github.com/Kong/kong/pull/9480" target="_blank" rel="noopener nofollow noreferrer ">#9480</a> </li> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">kong docker-start</code> would fail if <code class="language-plaintext highlighter-rouge">KONG_PREFIX</code> was set to a relative path. <a href="https://github.com/Kong/kong/pull/9337" target="_blank" rel="noopener nofollow noreferrer ">#9337</a> </li> <li>Fixed an issue with error-handling and process cleanup in <code class="language-plaintext highlighter-rouge">kong start</code>. <a href="https://github.com/Kong/kong/pull/9337" target="_blank" rel="noopener nofollow noreferrer ">#9337</a> </li> <li>Fixed issue with prefix path normalization. <a href="https://github.com/Kong/kong/pull/9760" target="_blank" rel="noopener nofollow noreferrer ">#9760</a> </li> <li>Increased the maximum request argument number of the Admin API from 100 to 1000. The Admin API now returns a <code class="language-plaintext highlighter-rouge">400</code> error if request parameters reach the limitation instead of truncating any parameters over the limit. <a href="https://github.com/Kong/kong/pull/9510" target="_blank" rel="noopener nofollow noreferrer ">#9510</a> </li> <li>Paging size parameter is now propagated to next page if specified in current request. <a href="https://github.com/Kong/kong/pull/9503" target="_blank" rel="noopener nofollow noreferrer ">#9503</a> </li> </ul> <h4 id="hybrid-mode-2">Hybrid Mode</h4> <ul> <li>Fixed a race condition that could cause configuration push events to be dropped when the first data plane connection was established with a control plane worker. <a href="https://github.com/Kong/kong/pull/9616" target="_blank" rel="noopener nofollow noreferrer ">#9616</a> </li> </ul> <h4 id="cli-7">CLI</h4> <ul> <li>Fixed slow CLI performance due to pending timer jobs. <a href="https://github.com/Kong/kong/pull/9536" target="_blank" rel="noopener nofollow noreferrer ">#9536</a> </li> </ul> <h4 id="pdk-18">PDK</h4> <ul> <li>Added support for <code class="language-plaintext highlighter-rouge">kong.request.get_uri_captures</code> (<code class="language-plaintext highlighter-rouge">kong.request.getUriCaptures</code>) <a href="https://github.com/Kong/kong/pull/9512" target="_blank" rel="noopener nofollow noreferrer ">#9512</a> </li> <li>Fixed parameter type of <code class="language-plaintext highlighter-rouge">kong.service.request.set_raw_body</code> (<code class="language-plaintext highlighter-rouge">kong.service.request.setRawBody</code>), return type of <code class="language-plaintext highlighter-rouge">kong.service.response.get_raw_body</code>(<code class="language-plaintext highlighter-rouge">kong.service.request.getRawBody</code>), and body parameter type of <code class="language-plaintext highlighter-rouge">kong.response.exit</code> to bytes. Note that the old version of the go PDK is incompatible after this change. <a href="https://github.com/Kong/kong/pull/9526" target="_blank" rel="noopener nofollow noreferrer ">#9526</a> </li> </ul> <h4 id="plugins-77">Plugins</h4> <ul> <li>Added the missing <code class="language-plaintext highlighter-rouge">protocols</code> field to the following plugin schemas: <ul> <li>Azure Functions (<code class="language-plaintext highlighter-rouge">azure-functions</code>)</li> <li>gRPC Gateway (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>)</li> <li>gRPC Web (<code class="language-plaintext highlighter-rouge">grpc-web</code>)</li> <li>Serverless pre-function (<code class="language-plaintext highlighter-rouge">pre-function</code>)</li> <li>Prometheus (<code class="language-plaintext highlighter-rouge">prometheus</code>)</li> <li>Proxy Caching (<code class="language-plaintext highlighter-rouge">proxy-cache</code>)</li> <li>Request Transformer (<code class="language-plaintext highlighter-rouge">request-transformer</code>)</li> <li>Session (<code class="language-plaintext highlighter-rouge">session</code>)</li> <li>Zipkin (<code class="language-plaintext highlighter-rouge">zipkin</code>)</li> </ul> <p><a href="https://github.com/Kong/kong/pull/9525" target="_blank" rel="noopener nofollow noreferrer ">#9525</a></p> </li> <li> <a href="/hub/kong-inc/aws-lambda/"><strong>AWS Lambda</strong></a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Fixed an issue that was causing inability to read environment variables in ECS environment. <a href="https://github.com/Kong/kong/pull/9460" target="_blank" rel="noopener nofollow noreferrer ">#9460</a> </li> <li>Specifying a null value for the <code class="language-plaintext highlighter-rouge">isBase64Encoded</code> field in lambda output now results in a more obvious error log entry with a <code class="language-plaintext highlighter-rouge">502</code> code. <a href="https://github.com/Kong/kong/pull/9598" target="_blank" rel="noopener nofollow noreferrer ">#9598</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/azure-functions/"><strong>Azure Functions</strong></a> (<code class="language-plaintext highlighter-rouge">azure-functions</code>) <ul> <li>Fixed an issue where calls made by this plugin would fail in the following situations: <ul> <li>The plugin was associated with a route that had no service.</li> <li>The route’s associated service had a <code class="language-plaintext highlighter-rouge">path</code> value. <a href="https://github.com/Kong/kong/pull/9177" target="_blank" rel="noopener nofollow noreferrer ">#9177</a> </li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/"><strong>HTTP Log</strong></a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Fixed an issue where queue ID serialization did not include <code class="language-plaintext highlighter-rouge">queue_size</code> and <code class="language-plaintext highlighter-rouge">flush_timeout</code>. <a href="https://github.com/Kong/kong/pull/9789" target="_blank" rel="noopener nofollow noreferrer ">#9789</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/"><strong>Mocking</strong></a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">accept</code> headers not being split and not working with wildcards. The <code class="language-plaintext highlighter-rouge">;q=</code> (q-factor weighting) of <code class="language-plaintext highlighter-rouge">accept</code> headers is now supported.</li> </ul> </li> <li> <a href="/hub/kong-inc/opa/"><strong>OPA</strong></a> (<code class="language-plaintext highlighter-rouge">opa</code>) <ul> <li>Removed redundant deprecated code from the plugin.</li> </ul> </li> <li> <a href="/hub/kong-inc/opentelemetry/"><strong>OpenTelemetry</strong></a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>) <ul> <li>Fixed an issue that the default propagation header was not configured to <code class="language-plaintext highlighter-rouge">w3c</code> correctly. <a href="https://github.com/Kong/kong/pull/9457" target="_blank" rel="noopener nofollow noreferrer ">#9457</a> </li> <li>Replaced the worker-level table cache with <code class="language-plaintext highlighter-rouge">BatchQueue</code> to avoid data race. <a href="https://github.com/Kong/kong/pull/9504" target="_blank" rel="noopener nofollow noreferrer ">#9504</a> </li> <li>Fixed an issue that the <code class="language-plaintext highlighter-rouge">parent_id</code> was not set on the span when propagating w3c traceparent. <a href="https://github.com/Kong/kong/pull/9628" target="_blank" rel="noopener nofollow noreferrer ">#9628</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/"><strong>Proxy Cache Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">proxy-cached-advanced</code>) <ul> <li>The plugin now catches the error when Kong Gateway connects to Redis SSL port <code class="language-plaintext highlighter-rouge">6379</code> with <code class="language-plaintext highlighter-rouge">config.ssl=false</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>The plugin now ensures that shared dict TTL is higher than <code class="language-plaintext highlighter-rouge">config.sync_rate</code>, otherwise Kong Gateway would lose all request counters in shared dict.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer/"><strong>Request Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">request-transformer</code>) <ul> <li>Fixed a bug when header renaming would override the existing header and cause unpredictable results. <a href="https://github.com/Kong/kong/pull/9442" target="_blank" rel="noopener nofollow noreferrer ">#9442</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/request-termination/"><strong>Request Termination</strong></a> (<code class="language-plaintext highlighter-rouge">request-termination</code>) <ul> <li>The plugin no longer allows setting <code class="language-plaintext highlighter-rouge">status_code</code> to <code class="language-plaintext highlighter-rouge">null</code>. <a href="https://github.com/Kong/kong/pull/9400" target="_blank" rel="noopener nofollow noreferrer ">#9400</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer/"><strong>Response Transformer</strong></a> (<code class="language-plaintext highlighter-rouge">response-transformer</code>) <ul> <li>Fixed the bug that the plugin would break when receiving an unexpected body. <a href="https://github.com/Kong/kong/pull/9463" target="_blank" rel="noopener nofollow noreferrer ">#9463</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/"><strong>Zipkin</strong></a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Fixed an issue where Zipkin plugin couldn’t parse OT baggage headers due to an invalid OT baggage pattern. <a href="https://github.com/Kong/kong/pull/9280" target="_blank" rel="noopener nofollow noreferrer ">#9280</a> </li> </ul> </li> </ul> <h3 id="breaking-changes-7">Breaking changes</h3> <h4 id="hybrid-mode-3">Hybrid mode</h4> <ul> <li>The legacy hybrid configuration protocol has been removed in favor of the wRPC protocol introduced in 3.0.0.0. Rolling upgrades from 2.8.x.y to 3.1.0.0 are not supported. Operators must upgrade to 3.0.x.x before they can perform a rolling upgrade to 3.1.0.0. For more information, see <a href="/gateway/3.1.x/upgrade/">Upgrade Kong Gateway 3.1.x</a>. <a href="https://github.com/Kong/kong/pull/9740" target="_blank" rel="noopener nofollow noreferrer ">#9740</a> </li> </ul> <h2 id="3010">3.0.1.0</h2> <p><strong>Release Date</strong> 2022/11/02</p> <h3 id="features-40">Features</h3> <h4 id="plugins-78">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/request-transformer-advanced/">Request Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">request-transformer-advanced</code>) <ul> <li>Values stored in <code class="language-plaintext highlighter-rouge">key:value</code> pairs in this plugin’s configuration are now referenceable, which means they can be stored as <a href="/gateway/latest/kong-enterprise/secrets-management/">secrets</a> in a vault.</li> </ul> </li> </ul> <h3 id="fixes-59">Fixes</h3> <h4 id="enterprise-19">Enterprise</h4> <ul> <li> <strong>Kong Manager</strong>: <ul> <li>Removed the endpoint <code class="language-plaintext highlighter-rouge">all_routes</code> from configurable RBAC endpoint permissions. This endpoint was erroneously appearing in the endpoints list, and didn’t configure anything.</li> <li>Fixed an issue that allowed unauthorized IDP users to log in to Kong Manager. These users had no access to any resources in Kong Manager, but were able to go beyond the login screen.</li> <li>Fixed an issue where, in an environment with a valid Enterprise license, admins with no access to the <code class="language-plaintext highlighter-rouge">default</code> workspace would see a message prompting them to upgrade to Kong Enterprise.</li> <li>Fixed pagination issues with Kong Manager tables.</li> <li>Fixed broken <code class="language-plaintext highlighter-rouge">Learn more</code> links.</li> <li>Fixed an issue with group to role mapping, where it didn’t support group names with spaces.</li> <li>Fixed the Cross Site Scripting (XSS) security vulnerability in the Kong Manager UI.</li> <li>Fixed an RBAC issue where permissions applied to specific endpoints (for example, an individual service or route) were not reflected in the Kong Manager UI.</li> <li>Removed New Relic from Kong Manager. Previously, <code class="language-plaintext highlighter-rouge">VUE_APP_NEW_RELIC_LICENSE_KEY</code> and <code class="language-plaintext highlighter-rouge">VUE_APP_SEGMENT_WRITE_KEY</code> were being exposed in Kong Manager with invalid values.</li> <li>Removed the action dropdown menu on service and route pages for read-only users.</li> <li>Fixed the <strong>Edit Configuration</strong> button for Dev Portal applications.</li> <li>Fixed an RBAC issue where the roles page listed deleted roles.</li> <li>Fixed an issue where the orphaned roles would remain after deleting a workspace and cause the <strong>Teams</strong> > <strong>Admins</strong> page to break.</li> <li>Added the missing <strong>Copy JSON</strong> button for plugin configuration.</li> <li>Fixed an issue where the <strong>New Workspace</strong> button on the global workspace dashboard wasn’t clickable on the first page load.</li> <li>Removed the ability to add multiple documents per service from the UI. Each service only supports one document, so the UI now reflects that.</li> <li>The Upstream Timeout plugin now has an icon and is part of the Traffic Control category.</li> <li>Fixed an error that would occur when attempting to delete ACL credentials from the consumer credentials list. This happened because the name of the plugin, <code class="language-plaintext highlighter-rouge">acl</code>, and its endpoint, <code class="language-plaintext highlighter-rouge">/acls</code>, don’t match.</li> <li>Fixed a caching issue with Dev Portal, where enabling or disabling the Dev Portal for a workspace wouldn’t change the Kong Manager menu.</li> </ul> </li> <li>Unpinned the version of <code class="language-plaintext highlighter-rouge">alpine</code> used in the <code class="language-plaintext highlighter-rouge">kong/kong-gateway</code> Docker image. Previously, the version was pinned to 3.10, which was creating outdated <code class="language-plaintext highlighter-rouge">alpine</code> builds.</li> </ul> <h4 id="core-63">Core</h4> <ul> <li> <p>Fixed an issue with how Kong initializes <code class="language-plaintext highlighter-rouge">resty.events</code>. The code was previously using <code class="language-plaintext highlighter-rouge">ngx.config.prefix()</code> to determine the listening socket path to provide to the resty.events module. This caused breakage when Nginx was started with a relative path prefix. This meant that you couldn’t start 3.0.x with the same default configuration as 2.8.x.</p> <p>Instead of using <code class="language-plaintext highlighter-rouge">ngx.config.prefix()</code>, Kong will now prefer the <code class="language-plaintext highlighter-rouge">kong.configuration.prefix</code> when available, as it is already normalized to an absolute path. If <code class="language-plaintext highlighter-rouge">kong.configuration.prefix</code> is not defined, the result of <code class="language-plaintext highlighter-rouge">ngx.config.prefix()</code> will be used after resolving it to an absolute path. <a href="https://github.com/Kong/kong/pull/9337" target="_blank" rel="noopener nofollow noreferrer ">#9337</a></p> </li> <li> <p>Fixed an issue with secret management references for HashiCorp Vault. By default, Kong passes secrets to the Nginx using environment variables when using <code class="language-plaintext highlighter-rouge">kong start</code>. Nginx was being started directly without calling <code class="language-plaintext highlighter-rouge">kong start</code>, so the secrets were not available at initialization. <a href="https://github.com/Kong/kong/pull/9478" target="_blank" rel="noopener nofollow noreferrer ">#9478</a></p> </li> <li> <p>Fixed the Amazon Linux RPM installation instructions.</p> </li> </ul> <h2 id="3000">3.0.0.0</h2> <p><strong>Release Date</strong> 2022/09/09</p> <blockquote class="important"> <p><strong>Important</strong>: Kong Gateway 3.0.0.0 is a major release and contains breaking changes. Review the <a href="#breaking-changes-and-deprecations">breaking changes and deprecations</a> and the <a href="#known-limitations">known limitations</a> before attempting to <a href="/gateway/latest/upgrade/">upgrade</a>.</p> </blockquote> <h3 id="features-41">Features</h3> <h4 id="enterprise-20">Enterprise</h4> <ul> <li> <p>Kong Gateway now supports <a href="/gateway/3.0.x/kong-enterprise/plugin-ordering/">dynamic plugin ordering</a>. You can change a plugin’s static priority by specifying the order in which plugins run. This lets you run plugins such as <code class="language-plaintext highlighter-rouge">rate-limiting</code> before authentication plugins.</p> </li> <li> <p>Kong Gateway now offers a FIPS package. The package replaces the primary library, OpenSSL, with <a href="https://boringssl.googlesource.com/boringssl/" target="_blank" rel="noopener nofollow noreferrer ">BoringSSL</a>, which at its core uses the FIPS 140-2 compliant BoringCrypto for cryptographic operations.</p> <p>To enable FIPS mode, set <a href="/gateway/3.0.x/reference/configuration/#fips"><code class="language-plaintext highlighter-rouge">fips</code></a> to <code class="language-plaintext highlighter-rouge">on</code>. FIPS mode is only supported in Ubuntu 20.04.</p> <blockquote class="note"> <p><strong>Note</strong>: The Kong Gateway FIPS package is not currently compatible with SSL connections to PostgreSQL.</p> </blockquote> </li> <li> <p>Kong Gateway now includes WebSocket validation functionality. Websockets are a type of persistent connection that works on top of HTTP.</p> <p>Previously, Kong Gateway 2.x supported limited WebSocket connections, where plugins only ran during the initial connection phase instead of for each frame. Now, Kong Gateway provides more control over WebSocket traffic by implementing plugins that target WebSocket frames.</p> <p>This release includes:</p> <ul> <li> <a href="/gateway/3.0.x/admin-api/#service-object">Service</a> and <a href="/gateway/3.0.x/admin-api/#route-object">route</a> support for <code class="language-plaintext highlighter-rouge">ws</code> and <code class="language-plaintext highlighter-rouge">wss</code> protocols</li> <li>Two new plugins: <a href="/hub/kong-inc/websocket-size-limit/">WebSocket Size Limit</a> and <a href="/hub/kong-inc/websocket-validator/">WebSocket Validator</a> </li> <li>WebSocket plugin development capabilities (<strong>Beta feature</strong>) <ul> <li>PDK modules: <a href="/gateway/3.0.x/plugin-development/pdk/kong.websocket.client/">kong.websocket.client</a> and <a href="/gateway/3.0.x/plugin-development/pdk/kong.websocket.upstream/">kong.websocket.upstream</a> </li> <li><a href="/gateway/3.0.x/plugin-development/custom-logic/#websocket-plugin-development">New plugin handlers</a></li> </ul> </li> </ul> <p>Learn how to develop WebSocket plugins with our <a href="/gateway/3.0.x/plugin-development/custom-logic/#websocket-plugin-development">plugin development guide</a>.</p> </li> <li> <p>In this release, Kong Manager ships a with a refactored design and improved user experience.</p> <p>Notable changes:</p> <ul> <li>Reworked workspace dashboards, both for specific workspaces and at the multi-workspace level.</li> <li>License metrics now appear at the top of overview pages.</li> <li>Restructured the layout and navigation to make workspace selection a secondary concern.</li> <li>Grayed out portal buttons when you don’t have permissions.</li> <li>Added license level to phone home metrics.</li> <li>Added more tooltips.</li> </ul> </li> <li> <a href="/gateway/3.0.x/kong-enterprise/secrets-management/">Secrets management</a> is now generally available. <ul> <li>Added GCP integration support for the secrets manager. GCP is now available as a vault backend.</li> <li>The <code class="language-plaintext highlighter-rouge">/vaults-beta</code> entity has been deprecated and replaced with the <code class="language-plaintext highlighter-rouge">/vaults</code> entity. <a href="https://github.com/Kong/kong/pull/8871" target="_blank" rel="noopener nofollow noreferrer ">#8871</a> <a href="https://github.com/Kong/kong/pull/9217" target="_blank" rel="noopener nofollow noreferrer ">#9217</a> </li> </ul> </li> <li> <p>Kong Gateway now provides slim and UBI images. Slim images are docker containers built with a minimal set of installed packages to run Kong Gateway. From 3.0 onward, Kong Docker images will only contain software required to run the Gateway. This ensures that false positive vulnerabilities don’t get flagged during security scanning.</p> <p>If you want to retain or add other dependencies, you can <a href="/gateway/3.0.x/install/docker/build-custom-images/">build custom Kong Docker images</a>.</p> </li> <li> <p>The base OS for our convenience docker tags (for example, <code class="language-plaintext highlighter-rouge">latest</code>, <code class="language-plaintext highlighter-rouge">3.0.0.0</code>, <code class="language-plaintext highlighter-rouge">3.0</code>) has switched from Alpine to Debian.</p> </li> <li> <p>Added key recovery for keyring encryption. This exposes a new endpoint for the Admin API, <a href="/gateway/3.0.x/admin-api/db-encryption/#recover-keyring-from-database"><code class="language-plaintext highlighter-rouge">/keyring/recover</code></a>, and requires <a href="/gateway/3.0.x/reference/configuration/#keyring_recovery_public_key"><code class="language-plaintext highlighter-rouge">keyring_recovery_public_key</code></a> to be set in <code class="language-plaintext highlighter-rouge">kong.conf</code>.</p> </li> <li> <p>You can now encrypt declarative configuration files on data planes in DB-less and hybrid modes using <a href="https://www.rfc-editor.org/rfc/rfc5288.html" target="_blank" rel="noopener nofollow noreferrer ">AES-256-GCM</a> or <a href="https://www.rfc-editor.org/rfc/rfc7539.html" target="_blank" rel="noopener nofollow noreferrer ">chacha20-poly1305</a> encryption algorithms.</p> <p>Set your desired encryption mode with the <a href="/gateway/3.0.x/reference/configuration/#declarative_config_encryption_mode"><code class="language-plaintext highlighter-rouge">declarative_config_encryption_mode</code></a> configuration parameter.</p> </li> </ul> <h4 id="core-64">Core</h4> <ul> <li> <p>This release introduces a new router implementation: <code class="language-plaintext highlighter-rouge">atc-router</code>. This router is written in Rust, a powerful routing language that can handle complex routing requirements. The new router can be used in traditional-compatible mode, or use the new expression-based language.</p> <p>With the new router, we have:</p> <ul> <li>Reduced router rebuild time when changing Kong’s configuration</li> <li>Increased runtime performance when routing requests</li> <li>Reduced P99 latency from 1.5s to 0.1s with 10,000 routes</li> </ul> <p>Learn more about the router:</p> <ul> <li><a href="/gateway/3.0.x/key-concepts/routes/expressions/">Configure routes using expressions</a></li> <li><a href="/gateway/3.0.x/reference/expressions-language/language-references/">Router Expressions Language reference</a></li> <li><a href="https://github.com/Kong/kong/pull/8938" target="_blank" rel="noopener nofollow noreferrer ">#8938</a></li> </ul> </li> <li>Implemented delayed response in stream mode. <a href="https://github.com/Kong/kong/pull/6878" target="_blank" rel="noopener nofollow noreferrer ">#6878</a> </li> <li>Added <code class="language-plaintext highlighter-rouge">cache_key</code> on target entity for uniqueness detection. <a href="https://github.com/Kong/kong/pull/8179" target="_blank" rel="noopener nofollow noreferrer ">#8179</a> </li> <li> <p>Introduced the tracing API, which is compatible with OpenTelemetry API specs, and adds built-in instrumentations.</p> <p>The tracing API is intended to be used with a external exporter plugin. Built-in instrumentation types and sampling rate are configurable through the <a href="/gateway/3.0.x/reference/configuration/#opentelemetry_tracing"><code class="language-plaintext highlighter-rouge">opentelemetry_tracing</code></a> and <a href="/gateway/3.0.x/reference/configuration/#opentelemetry_tracing_sampling_rate"><code class="language-plaintext highlighter-rouge">opentelemetry_tracing_sampling_rate</code></a> options. <a href="https://github.com/Kong/kong/pull/8724" target="_blank" rel="noopener nofollow noreferrer ">#8724</a></p> </li> <li>Added <code class="language-plaintext highlighter-rouge">path</code>, <code class="language-plaintext highlighter-rouge">uri_capture</code>, and <code class="language-plaintext highlighter-rouge">query_arg</code> options to upstream <code class="language-plaintext highlighter-rouge">hash_on</code> for load balancing. <a href="https://github.com/Kong/kong/pull/8701" target="_blank" rel="noopener nofollow noreferrer ">#8701</a> </li> <li>Introduced Unix domain socket-based <code class="language-plaintext highlighter-rouge">lua-resty-events</code> to replace shared memory-based <code class="language-plaintext highlighter-rouge">lua-resty-worker-events</code>. <a href="https://github.com/Kong/kong/pull/8890" target="_blank" rel="noopener nofollow noreferrer ">#8890</a> </li> <li>Introduced the <code class="language-plaintext highlighter-rouge">table_name</code> field for entities. This field lets you specify a table name. Previously, the name was deduced by the entity <code class="language-plaintext highlighter-rouge">name</code> attribute. <a href="https://github.com/Kong/kong/pull/9182" target="_blank" rel="noopener nofollow noreferrer ">#9182</a> </li> <li>Added <code class="language-plaintext highlighter-rouge">headers</code> on active health checks for upstreams. <a href="https://github.com/Kong/kong/pull/8255" target="_blank" rel="noopener nofollow noreferrer ">#8255</a> </li> <li>Target entities using hostnames were resolved when they were not needed. Now when a target is removed or updated, the DNS record associated with it is removed from the list of hostnames to be resolved. <a href="https://github.com/Kong/kong/pull/8497" target="_blank" rel="noopener nofollow noreferrer ">#8497</a> <a href="https://github.com/Kong/kong/pull/9265" target="_blank" rel="noopener nofollow noreferrer ">9265</a> </li> <li>Improved error handling and debugging info in the DNS code. <a href="https://github.com/Kong/kong/pull/8902" target="_blank" rel="noopener nofollow noreferrer ">#8902</a> </li> <li>Kong Gateway will now attempt to recover from an unclean shutdown by detecting and removing dangling Unix sockets in the prefix directory. <a href="https://github.com/Kong/kong/pull/9254" target="_blank" rel="noopener nofollow noreferrer ">#9254</a> </li> <li>A new CLI command, <code class="language-plaintext highlighter-rouge">kong migrations status</code>, generates the migration status in a JSON file.</li> <li>Removed the warning for <code class="language-plaintext highlighter-rouge">AAAA</code> being experimental with <code class="language-plaintext highlighter-rouge">dns_order</code>.</li> </ul> <h4 id="performance-8">Performance</h4> <ul> <li>Kong Gateway does not register unnecessary event handlers on hybrid mode control plane nodes anymore. <a href="https://github.com/Kong/kong/pull/8452" target="_blank" rel="noopener nofollow noreferrer ">#8452</a>.</li> <li>Use the new timer library to improve performance, except for the plugin server. <a href="https://github.com/Kong/kong/pull/8912" target="_blank" rel="noopener nofollow noreferrer ">#8912</a> </li> <li>Increased the use of caching for DNS queries by activating <code class="language-plaintext highlighter-rouge">additional_section</code> by default. <a href="https://github.com/Kong/kong/pull/8895" target="_blank" rel="noopener nofollow noreferrer ">#8895</a> </li> <li> <code class="language-plaintext highlighter-rouge">pdk.request.get_header</code> has been changed to a faster implementation. It doesn’t fetch all headers every time it’s called. <a href="https://github.com/Kong/kong/pull/8716" target="_blank" rel="noopener nofollow noreferrer ">#8716</a> </li> <li>Conditional rebuilding of the router, plugins iterator, and balancer on data planes. <a href="https://github.com/Kong/kong/pull/8519" target="_blank" rel="noopener nofollow noreferrer ">#8519</a>, <a href="https://github.com/Kong/kong/pull/8671" target="_blank" rel="noopener nofollow noreferrer ">#8671</a> </li> <li>Made configuration loading code more cooperative by yielding. <a href="https://github.com/Kong/kong/pull/8888" target="_blank" rel="noopener nofollow noreferrer ">#8888</a> </li> <li>Use the LuaJIT encoder instead of JSON to serialize values faster in LMDB. <a href="https://github.com/Kong/kong/pull/8942" target="_blank" rel="noopener nofollow noreferrer ">#8942</a> </li> <li>Made inflating and JSON decoding non-concurrent, which avoids blocking and makes data plane reloads faster. <a href="https://github.com/Kong/kong/pull/8959" target="_blank" rel="noopener nofollow noreferrer ">#8959</a> </li> <li>Stopped duplication of some events. <a href="https://github.com/Kong/kong/pull/9082" target="_blank" rel="noopener nofollow noreferrer ">#9082</a> </li> <li>Improved performance of configuration hash calculation by using <code class="language-plaintext highlighter-rouge">string.buffer</code> and <code class="language-plaintext highlighter-rouge">tablepool</code>. <a href="https://github.com/Kong/kong/pull/9073" target="_blank" rel="noopener nofollow noreferrer ">#9073</a> </li> <li>Reduced cache usage in DB-less mode by not using the Kong cache for routes and services in LMDB. <a href="https://github.com/Kong/kong/pull/8972" target="_blank" rel="noopener nofollow noreferrer ">#8972</a> </li> </ul> <h4 id="admin-api-27">Admin API</h4> <ul> <li>Added a new <code class="language-plaintext highlighter-rouge">/timers</code> Admin API endpoint to get timer statistics and worker info. <a href="https://github.com/Kong/kong/pull/8912" target="_blank" rel="noopener nofollow noreferrer ">#8912</a> <a href="https://github.com/Kong/kong/pull/8999" target="_blank" rel="noopener nofollow noreferrer ">#8999</a> </li> <li>The <code class="language-plaintext highlighter-rouge">/</code> endpoint now includes plugin priority. <a href="https://github.com/Kong/kong/pull/8821" target="_blank" rel="noopener nofollow noreferrer ">#8821</a> </li> </ul> <h4 id="hybrid-mode-4">Hybrid Mode</h4> <ul> <li>Added wRPC protocol support. Configuration synchronization now happens over wRPC. wRPC is an RPC protocol that encodes with ProtoBuf and transports with WebSocket. <a href="https://github.com/Kong/kong/pull/8357" target="_blank" rel="noopener nofollow noreferrer ">#8357</a> <ul> <li>To keep compatibility with earlier versions, added support for the control plane to fall back to the previous protocol to support older data planes. <a href="https://github.com/Kong/kong/pull/8834" target="_blank" rel="noopener nofollow noreferrer ">#8834</a> </li> <li>Added support to negotiate services supported with wRPC protocol. We will support more services in the future. <a href="https://github.com/Kong/kong/pull/8926" target="_blank" rel="noopener nofollow noreferrer ">#8926</a> </li> </ul> </li> <li>Declarative configuration exports now happen inside a transaction in PostgreSQL. <a href="https://github.com/Kong/kong/pull/8586" target="_blank" rel="noopener nofollow noreferrer ">#8586</a> </li> </ul> <h4 id="plugins-79">Plugins</h4> <ul> <li> <p>Starting with version 3.0, all bundled plugin versions are the same as the Kong Gateway version. <a href="https://github.com/Kong/kong/pull/8772" target="_blank" rel="noopener nofollow noreferrer ">#8772</a></p> <p><a href="/hub/">Plugin documentation</a> now refers to the Kong Gateway version instead of the individual plugin version.</p> </li> <li> <strong>New plugins</strong>: <ul> <li> <p><a href="/hub/kong-inc/opentelemetry/">OpenTelemetry</a> (<code class="language-plaintext highlighter-rouge">opentelemetry</code>)</p> <p>Export tracing instrumentations to any OTLP/HTTP compatible backend. <code class="language-plaintext highlighter-rouge">opentelemetry_tracing</code> configuration must be enabled to collect the core tracing spans of Kong Gateway. <a href="https://github.com/Kong/kong/pull/8826" target="_blank" rel="noopener nofollow noreferrer ">#8826</a></p> </li> <li> <p><a href="/hub/kong-inc/tls-handshake-modifier/">TLS Handshake Modifier</a> (<code class="language-plaintext highlighter-rouge">tls-handshake-modifier</code>)</p> <p>Make certificates available to other plugins acting on the same request.</p> </li> <li> <p><a href="/hub/kong-inc/tls-metadata-headers/">TLS Metadata Headers</a> (<code class="language-plaintext highlighter-rouge">tls-metadata-headers</code>)</p> <p>Proxy TLS client certificate metadata to upstream services via HTTP headers.</p> </li> <li> <p><a href="/hub/kong-inc/websocket-size-limit/">WebSocket Size Limit</a> (<code class="language-plaintext highlighter-rouge">websocket-size-limit</code>)</p> <p>Allows operators to specify a maximum size for incoming WebSocket messages.</p> </li> <li> <p><a href="/hub/kong-inc/websocket-validator/">WebSocket Validator</a> (<code class="language-plaintext highlighter-rouge">websocket-validator</code>)</p> <p>Validate individual WebSocket messages against a user-specified schema before proxying them.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/acme/">ACME</a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>Added the <code class="language-plaintext highlighter-rouge">allow_any_domain</code> field. It defaults to false and if set to true, the gateway will ignore the <code class="language-plaintext highlighter-rouge">domains</code> field. <a href="https://github.com/Kong/kong/pull/9047" target="_blank" rel="noopener nofollow noreferrer ">#9047</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added support for cross-account invocation through the <code class="language-plaintext highlighter-rouge">aws_assume_role_arn</code> and <code class="language-plaintext highlighter-rouge">aws_role_session_name</code> configuration parameters. <a href="https://github.com/Kong/kong/pull/8900" target="_blank" rel="noopener nofollow noreferrer ">#8900</a> </li> <li>The plugin now accepts string type <code class="language-plaintext highlighter-rouge">statusCode</code> as a valid return when working in proxy integration mode. <a href="https://github.com/Kong/kong/pull/8765" target="_blank" rel="noopener nofollow noreferrer ">#8765</a> </li> <li>The plugin now separates AWS credential cache by the IAM role ARN. <a href="https://github.com/Kong/kong/pull/8907" target="_blank" rel="noopener nofollow noreferrer ">#8907</a> </li> </ul> </li> <li>Collector (<code class="language-plaintext highlighter-rouge">collector</code>) <ul> <li>The deprecated Collector plugin has been removed.</li> </ul> </li> <li> <a href="/hub/kong-inc/degraphql/">DeGraphQL</a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>The GraphQL server path is now configurable with the <code class="language-plaintext highlighter-rouge">graphql_server_path</code> configuration parameter.</li> </ul> </li> <li> <a href="/hub/kong-inc/kafka-upstream/">Kafka Upstream</a> (<code class="language-plaintext highlighter-rouge">kafka-upstream</code>) and <a href="/hub/kong-inc/kafka-log">Kafka Log</a> (<code class="language-plaintext highlighter-rouge">kafka-log</code>) <ul> <li>Added support for the <code class="language-plaintext highlighter-rouge">SCRAM-SHA-512</code> authentication mechanism.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Authentication Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>This plugin now allows authorization based on group membership. The new configuration parameter, <code class="language-plaintext highlighter-rouge">groups_required</code>, is an array of string elements that indicates the groups that users must belong to for the request to be authorized.</li> <li>The character <code class="language-plaintext highlighter-rouge">.</code> is now allowed in group attributes.</li> <li>The character <code class="language-plaintext highlighter-rouge">:</code> is now allowed in the password field.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/">mTLS Authentication</a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: <code class="language-plaintext highlighter-rouge">http_proxy_host</code>, <code class="language-plaintext highlighter-rouge">http_proxy_port</code>, <code class="language-plaintext highlighter-rouge">https_proxy_host</code>, and <code class="language-plaintext highlighter-rouge">https_proxy_port</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/opa/">OPA</a> (<code class="language-plaintext highlighter-rouge">opa</code>) <ul> <li> <p>New configuration parameter <code class="language-plaintext highlighter-rouge">include_body_in_opa_input</code>: When enabled, include the raw body as a string in the OPA input at <code class="language-plaintext highlighter-rouge">input.request.http.body</code> and the body size at <code class="language-plaintext highlighter-rouge">input.request.http.body_size</code>.</p> </li> <li> <p>New configuration parameter <code class="language-plaintext highlighter-rouge">include_parsed_json_body_in_opa_input</code>: When enabled and content-type is <code class="language-plaintext highlighter-rouge">application/json</code>, the parsed JSON will be added to the OPA input at <code class="language-plaintext highlighter-rouge">input.request.http.parsed_body</code>.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/">Prometheus</a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>High cardinality metrics are now disabled by default.</li> <li>Decreased performance penalty to proxy traffic when collecting metrics.</li> <li>The following metric names were adjusted to add units to standardize where possible: <ul> <li> <code class="language-plaintext highlighter-rouge">http_status</code> to <code class="language-plaintext highlighter-rouge">http_requests_total</code>.</li> <li> <p><code class="language-plaintext highlighter-rouge">latency</code> to <code class="language-plaintext highlighter-rouge">kong_request_latency_ms</code> (HTTP), <code class="language-plaintext highlighter-rouge">kong_upstream_latency_ms</code>, <code class="language-plaintext highlighter-rouge">kong_kong_latency_ms</code>, and <code class="language-plaintext highlighter-rouge">session_duration_ms</code> (stream).</p> <p>Kong latency and upstream latency can operate at orders of different magnitudes. Separate these buckets to reduce memory overhead.</p> </li> <li> <code class="language-plaintext highlighter-rouge">kong_bandwidth</code> to <code class="language-plaintext highlighter-rouge">kong_bandwidth_bytes</code>.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_http_current_connections</code> and <code class="language-plaintext highlighter-rouge">nginx_stream_current_connections</code> were merged into to <code class="language-plaintext highlighter-rouge">nginx_hconnections_total</code> (or <code class="language-plaintext highlighter-rouge">nginx_current_connections</code>?)</li> <li> <p><code class="language-plaintext highlighter-rouge">request_count</code> and <code class="language-plaintext highlighter-rouge">consumer_status</code> were merged into http_requests_total.</p> <p>If the <code class="language-plaintext highlighter-rouge">per_consumer</code> config is set to <code class="language-plaintext highlighter-rouge">false</code>, the <code class="language-plaintext highlighter-rouge">consumer</code> label will be empty. If the <code class="language-plaintext highlighter-rouge">per_consumer</code> config is <code class="language-plaintext highlighter-rouge">true</code>, the <code class="language-plaintext highlighter-rouge">consumer</code> label will be filled.</p> </li> </ul> </li> <li>Removed the following metric: <code class="language-plaintext highlighter-rouge">http_consumer_status</code> </li> <li>New metrics: <ul> <li> <code class="language-plaintext highlighter-rouge">session_duration_ms</code>: monitoring stream connections.</li> <li> <code class="language-plaintext highlighter-rouge">node_info</code>: Single gauge set to 1 that outputs the node’s ID and Kong Gateway version.</li> </ul> </li> <li> <code class="language-plaintext highlighter-rouge">http_requests_total</code> has a new label, <code class="language-plaintext highlighter-rouge">source</code>. It can be set to <code class="language-plaintext highlighter-rouge">exit</code>, <code class="language-plaintext highlighter-rouge">error</code>, or <code class="language-plaintext highlighter-rouge">service</code>.</li> <li>All memory metrics have a new label: <code class="language-plaintext highlighter-rouge">node_id</code>.</li> <li>Updated the Grafana dashboard that comes packaged with Kong</li> </ul> </li> <li> <a href="/hub/kong-inc/statsd/">StatsD</a> (<code class="language-plaintext highlighter-rouge">statsd</code>) <ul> <li> <strong>Newly open-sourced plugin capabilities</strong>: All capabilities of the <a href="/hub/kong-inc/statsd-advanced/">StatsD Advanced</a> plugin are now bundled in the <a href="https://docs.konghq.com/hub/kong-inc/statsd" target="_blank" rel="noopener nofollow noreferrer ">StatsD</a> plugin. <a href="https://github.com/Kong/kong/pull/9046" target="_blank" rel="noopener nofollow noreferrer ">#9046</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/">Zipkin</a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Added support for including the HTTP path in the span name with the <code class="language-plaintext highlighter-rouge">http_span_name</code> configuration parameter. <a href="https://github.com/Kong/kong/pull/8150" target="_blank" rel="noopener nofollow noreferrer ">#8150</a> </li> <li>Added support for socket connect and send/read timeouts through the <code class="language-plaintext highlighter-rouge">connect_timeout</code>, <code class="language-plaintext highlighter-rouge">send_timeout</code>, and <code class="language-plaintext highlighter-rouge">read_timeout</code> configuration parameters. This can help mitigate <code class="language-plaintext highlighter-rouge">ngx.timer</code> saturation when upstream collectors are unavailable or slow. <a href="https://github.com/Kong/kong/pull/8735" target="_blank" rel="noopener nofollow noreferrer ">#8735</a> </li> </ul> </li> </ul> <h4 id="configuration-22">Configuration</h4> <ul> <li>You can now configure <code class="language-plaintext highlighter-rouge">openresty_path</code> to allow developers and operators to specify the OpenResty installation to use when running Kong Gateway, instead of using the system-installed OpenResty. <a href="https://github.com/Kong/kong/pull/8412" target="_blank" rel="noopener nofollow noreferrer ">#8412</a> </li> <li>Added <code class="language-plaintext highlighter-rouge">ipv6only</code> to listen options <code class="language-plaintext highlighter-rouge">admin_listen</code>, <code class="language-plaintext highlighter-rouge">proxy_listen</code>, and <code class="language-plaintext highlighter-rouge">stream_listen</code>. <a href="https://github.com/Kong/kong/pull/9225" target="_blank" rel="noopener nofollow noreferrer ">#9225</a> </li> <li>Added <code class="language-plaintext highlighter-rouge">so_keepalive</code> to listen options <code class="language-plaintext highlighter-rouge">admin_listen</code>, <code class="language-plaintext highlighter-rouge">proxy_listen</code>, and <code class="language-plaintext highlighter-rouge">stream_listen</code>. <a href="https://github.com/Kong/kong/pull/9225" target="_blank" rel="noopener nofollow noreferrer ">#9225</a> </li> <li>Add LMDB DB-less configuration persistence and removed the JSON-based configuration cache for faster startup time. <a href="https://github.com/Kong/kong/pull/8670" target="_blank" rel="noopener nofollow noreferrer ">#8670</a> </li> <li> <code class="language-plaintext highlighter-rouge">nginx_events_worker_connections=auto</code> now has a lower bound of 1024. <a href="https://github.com/Kong/kong/pull/9276" target="_blank" rel="noopener nofollow noreferrer ">#9276</a> </li> <li> <code class="language-plaintext highlighter-rouge">nginx_main_worker_rlimit_nofile=auto</code> now has a lower bound of 1024. <a href="https://github.com/Kong/kong/pull/9276" target="_blank" rel="noopener nofollow noreferrer ">#9276</a> </li> </ul> <h4 id="pdk-19">PDK</h4> <ul> <li>Added new PDK function: <code class="language-plaintext highlighter-rouge">kong.request.get_start_time()</code>. This function returns the request start time, in Unix epoch milliseconds. <a href="https://github.com/Kong/kong/pull/8688" target="_blank" rel="noopener nofollow noreferrer ">#8688</a> </li> <li>The function <code class="language-plaintext highlighter-rouge">kong.db.*.cache_key()</code> now falls back to <code class="language-plaintext highlighter-rouge">.id</code> if nothing from <code class="language-plaintext highlighter-rouge">cache_key</code> is found. <a href="https://github.com/Kong/kong/pull/8553" target="_blank" rel="noopener nofollow noreferrer ">#8553</a> </li> </ul> <h3 id="known-limitations-1">Known limitations</h3> <ul> <li>Kong Manager does not currently support the following features: <ul> <li>Secrets management</li> <li>Plugin ordering</li> <li>Expression-based routing</li> </ul> </li> <li>Blue-green migration from 2.8.x (and below) to 3.0.x is not supported. <ul> <li>This is a known issue planned to be fixed in the next 2.8 release. If this is a requirement for upgrading, Kong operators should upgrade to that version before beginning a upgrade to 3.0.0.0.</li> <li>See <a href="/gateway/latest/upgrade/">Upgrade Kong Gateway</a> for more details.</li> </ul> </li> <li> <p>OpenTracing: There is an issue with <code class="language-plaintext highlighter-rouge">nginx-opentracing</code> in this release, so it is not recommended to upgrade yet if you are an OpenTracing user. This will be rectified in an upcoming patch/minor release.</p> </li> <li>The Kong Gateway FIPS package is not currently compatible with SSL connections to PostgreSQL.</li> </ul> <h3 id="breaking-changes-and-deprecations-8">Breaking changes and deprecations</h3> <h4 id="deployment-2">Deployment</h4> <ul> <li>Deprecated and stopped producing Amazon Linux 1 containers and packages. Amazon Linux 1 <a href="https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life" target="_blank" rel="noopener nofollow noreferrer ">reached end-of-life on December 31, 2020</a>. <a href="https://github.com/Kong/docs.konghq.com/pull/3966" target="_blank" rel="noopener nofollow noreferrer ">Kong/docs.konghq.com #3966</a> </li> <li>Deprecated and stopped producing Debian 8 (Jessie) containers and packages. Debian 8 reached end-of-life in June 30, 2020. <a href="https://github.com/Kong/kong-build-tools/pull/448" target="_blank" rel="noopener nofollow noreferrer ">Kong/kong-build-tools #448</a> </li> </ul> <h4 id="core-65">Core</h4> <ul> <li> <p>As of 3.0, Kong Gateway’s schema library’s <code class="language-plaintext highlighter-rouge">process_auto_fields</code> function will not make deep copies of data that is passed to it when the given context is <code class="language-plaintext highlighter-rouge">select</code>. This was done to avoid excessive deep copying of tables where we believe the data most of the time comes from a driver like <code class="language-plaintext highlighter-rouge">pgmoon</code> or <code class="language-plaintext highlighter-rouge">lmdb</code>.</p> <p>If a custom plugin relied on <code class="language-plaintext highlighter-rouge">process_auto_fields</code> not overriding the given table, it must make its own copy before passing it to the function now. <a href="https://github.com/Kong/kong/pull/8796" target="_blank" rel="noopener nofollow noreferrer ">#8796</a></p> </li> <li>The deprecated <code class="language-plaintext highlighter-rouge">shorthands</code> field in Kong plugin or DAO schemas was removed in favor of the typed <code class="language-plaintext highlighter-rouge">shorthand_fields</code>. If your custom schemas still use <code class="language-plaintext highlighter-rouge">shorthands</code>, you need to update them to use <code class="language-plaintext highlighter-rouge">shorthand_fields</code>. <a href="https://github.com/Kong/kong/pull/8815" target="_blank" rel="noopener nofollow noreferrer ">#8815</a> </li> <li>The support for <code class="language-plaintext highlighter-rouge">legacy = true/false</code> attribute was removed from Kong schemas and Kong field schemas. <a href="https://github.com/Kong/kong/pull/8958" target="_blank" rel="noopener nofollow noreferrer ">#8958</a> </li> <li>The deprecated alias of <code class="language-plaintext highlighter-rouge">Kong.serve_admin_api</code> was removed. If your custom Nginx templates still use it, change it to <code class="language-plaintext highlighter-rouge">Kong.admin_content</code>. <a href="https://github.com/Kong/kong/pull/8815" target="_blank" rel="noopener nofollow noreferrer ">#8815</a> </li> <li>The Kong singletons module <code class="language-plaintext highlighter-rouge">kong.singletons</code> was removed in favor of the PDK <code class="language-plaintext highlighter-rouge">kong.*</code>. <a href="https://github.com/Kong/kong/pull/8874" target="_blank" rel="noopener nofollow noreferrer ">#8874</a> </li> <li>The data plane configuration cache was removed. Configuration persistence is now done automatically with LMDB. <a href="https://github.com/Kong/kong/pull/8704" target="_blank" rel="noopener nofollow noreferrer ">#8704</a> </li> <li> <code class="language-plaintext highlighter-rouge">ngx.ctx.balancer_address</code> was removed in favor of <code class="language-plaintext highlighter-rouge">ngx.ctx.balancer_data</code>. <a href="https://github.com/Kong/kong/pull/9043" target="_blank" rel="noopener nofollow noreferrer ">#9043</a> </li> <li>The normalization rules for <code class="language-plaintext highlighter-rouge">route.path</code> have changed. Kong Gateway now stores the unnormalized path, but the regex path always pattern-matches with the normalized URI. Previously, Kong Gateway replaced percent-encoding in the regex path pattern to ensure different forms of URI matches. That is no longer supported. Except for the reserved characters defined in <a href="https://datatracker.ietf.org/doc/html/rfc3986#section-2.2" target="_blank" rel="noopener nofollow noreferrer ">rfc3986</a>, write all other characters without percent-encoding. <a href="https://github.com/Kong/kong/pull/9024" target="_blank" rel="noopener nofollow noreferrer ">#9024</a> </li> <li>Kong Gateway no longer uses a heuristic to guess whether a <code class="language-plaintext highlighter-rouge">route.path</code> is a regex pattern. From 3.0 onward, all regex paths must start with the <code class="language-plaintext highlighter-rouge">"~"</code> prefix, and all paths that don’t start with <code class="language-plaintext highlighter-rouge">"~"</code> will be considered plain text. The migration process should automatically convert the regex paths when upgrading from 2.x to 3.0. <a href="https://github.com/Kong/kong/pull/9027" target="_blank" rel="noopener nofollow noreferrer ">#9027</a> </li> <li> <p>Bumped the version number (<code class="language-plaintext highlighter-rouge">_format_version</code>) of declarative configuration to <code class="language-plaintext highlighter-rouge">3.0</code> for changes on <code class="language-plaintext highlighter-rouge">route.path</code>. Declarative configurations using older versions are upgraded to <code class="language-plaintext highlighter-rouge">3.0</code> during migrations.</p> <blockquote class="important"> <p><strong>Do not sync (<code class="language-plaintext highlighter-rouge">deck sync</code>) declarative configuration files from 2.8 or earlier to 3.0.</strong> Old configuration files will overwrite the configuration and create compatibility issues. To grab the updated configuration, <code class="language-plaintext highlighter-rouge">deck dump</code> the 3.0 file after migrations are completed.</p> </blockquote> <p><a href="https://github.com/Kong/kong/pull/9078" target="_blank" rel="noopener nofollow noreferrer ">#9078</a></p> </li> <li>Tags may now contain space characters. <a href="https://github.com/Kong/kong/pull/9143" target="_blank" rel="noopener nofollow noreferrer ">#9143</a> </li> <li>Support for the <code class="language-plaintext highlighter-rouge">nginx-opentracing</code> module is deprecated as of <code class="language-plaintext highlighter-rouge">3.0</code> and will be removed from Kong in <code class="language-plaintext highlighter-rouge">4.0</code> (see the <a href="#known-limitations">Known Limitations</a> section for additional information).</li> <li>We removed regex <a href="https://www.regular-expressions.info/lookaround.html" target="_blank" rel="noopener nofollow noreferrer ">look-around</a> and <a href="https://www.regular-expressions.info/backref.html" target="_blank" rel="noopener nofollow noreferrer ">backreferences</a> support in the the atc-router. These are rarely used features and removing support for them improves the speed of our regex matching. If your current regexes use look-around or backreferences you will receive an error when attempting to start Kong, showing exactly what regex is incompatible. Users can either switch to the <code class="language-plaintext highlighter-rouge">traditional</code> router flavor or change the regex to remove look-around / backreferences.</li> </ul> <h4 id="admin-api-28">Admin API</h4> <ul> <li>The Admin API endpoint <code class="language-plaintext highlighter-rouge">/vitals/reports</code> has been removed.</li> <li> <code class="language-plaintext highlighter-rouge">POST</code> requests on <code class="language-plaintext highlighter-rouge">/targets</code> endpoints are no longer able to update existing entities. They are only able to create new ones. <a href="https://github.com/Kong/kong/pull/8596" target="_blank" rel="noopener nofollow noreferrer ">#8596</a>, <a href="https://github.com/Kong/kong/pull/8798" target="_blank" rel="noopener nofollow noreferrer ">#8798</a>. If you have scripts that use <code class="language-plaintext highlighter-rouge">POST</code> requests to modify <code class="language-plaintext highlighter-rouge">/targets</code>, change them to <code class="language-plaintext highlighter-rouge">PUT</code> requests to the appropriate endpoints before updating to Kong Gateway 3.0.</li> <li>Insert and update operations on duplicated targets return a <code class="language-plaintext highlighter-rouge">409</code> error. <a href="https://github.com/Kong/kong/pull/8179" target="_blank" rel="noopener nofollow noreferrer ">#8179</a>, <a href="https://github.com/Kong/kong/pull/8768" target="_blank" rel="noopener nofollow noreferrer ">#8768</a> </li> <li>The list of reported plugins available on the server now returns a table of metadata per plugin instead of a boolean <code class="language-plaintext highlighter-rouge">true</code>. <a href="https://github.com/Kong/kong/pull/8810" target="_blank" rel="noopener nofollow noreferrer ">#8810</a> </li> </ul> <h4 id="pdk-20">PDK</h4> <ul> <li>The <code class="language-plaintext highlighter-rouge">kong.request.get_path()</code> PDK function now performs path normalization on the string that is returned to the caller. The raw, non-normalized version of the request path can be fetched via <code class="language-plaintext highlighter-rouge">kong.request.get_raw_path()</code>. <a href="https://github.com/Kong/kong/pull/8823" target="_blank" rel="noopener nofollow noreferrer ">#8823</a> </li> <li> <code class="language-plaintext highlighter-rouge">pdk.response.set_header()</code>, <code class="language-plaintext highlighter-rouge">pdk.response.set_headers()</code>, <code class="language-plaintext highlighter-rouge">pdk.response.exit()</code> now ignore and emit warnings for manually set <code class="language-plaintext highlighter-rouge">Transfer-Encoding</code> headers. <a href="https://github.com/Kong/kong/pull/8698" target="_blank" rel="noopener nofollow noreferrer ">#8698</a> </li> <li>The PDK is no longer versioned. <a href="https://github.com/Kong/kong/pull/8585" target="_blank" rel="noopener nofollow noreferrer ">#8585</a> </li> <li>The JavaScript PDK now returns <code class="language-plaintext highlighter-rouge">Uint8Array</code> for <code class="language-plaintext highlighter-rouge">kong.request.getRawBody</code>, <code class="language-plaintext highlighter-rouge">kong.response.getRawBody</code>, and <code class="language-plaintext highlighter-rouge">kong.service.response.getRawBody</code>. The Python PDK returns <code class="language-plaintext highlighter-rouge">bytes</code> for <code class="language-plaintext highlighter-rouge">kong.request.get_raw_body</code>, <code class="language-plaintext highlighter-rouge">kong.response.get_raw_body</code>, and <code class="language-plaintext highlighter-rouge">kong.service.response.get_raw_body</code>. Previously, these functions returned strings. <a href="https://github.com/Kong/kong/pull/8623" target="_blank" rel="noopener nofollow noreferrer ">#8623</a> </li> <li>The <code class="language-plaintext highlighter-rouge">go_pluginserver_exe</code> and <code class="language-plaintext highlighter-rouge">go_plugins_dir</code> directives are no longer supported. <a href="https://github.com/Kong/kong/pull/8552" target="_blank" rel="noopener nofollow noreferrer ">#8552</a>. If you are using <a href="https://github.com/Kong/go-pluginserver" target="_blank" rel="noopener nofollow noreferrer ">Go plugin server</a>, migrate your plugins to use the <a href="https://github.com/Kong/go-pdk" target="_blank" rel="noopener nofollow noreferrer ">Go PDK</a> before upgrading.</li> </ul> <h4 id="plugins-80">Plugins</h4> <ul> <li>DAOs in plugins must be listed in an array, so that their loading order is explicit. Loading them in a hash-like table is no longer supported. <a href="https://github.com/Kong/kong/pull/8988" target="_blank" rel="noopener nofollow noreferrer ">#8988</a> </li> <li>Plugins MUST now have a valid <code class="language-plaintext highlighter-rouge">PRIORITY</code> (integer) and <code class="language-plaintext highlighter-rouge">VERSION</code> (“x.y.z” format) field in their <code class="language-plaintext highlighter-rouge">handler.lua</code> file, otherwise the plugin will fail to load. <a href="https://github.com/Kong/kong/pull/8836" target="_blank" rel="noopener nofollow noreferrer ">#8836</a> </li> <li>The old <code class="language-plaintext highlighter-rouge">kong.plugins.log-serializers.basic</code> library was removed in favor of the PDK function <code class="language-plaintext highlighter-rouge">kong.log.serialize</code>. Upgrade your plugins to use the PDK. <a href="https://github.com/Kong/kong/pull/8815" target="_blank" rel="noopener nofollow noreferrer ">#8815</a> </li> <li>The support for deprecated legacy plugin schemas was removed. If your custom plugins still use the old (<code class="language-plaintext highlighter-rouge">0.x era</code>) schemas, you are now forced to upgrade them. <a href="https://github.com/Kong/kong/pull/8815" target="_blank" rel="noopener nofollow noreferrer ">#8815</a> </li> <li> <p>Updated the priority for some plugins.</p> <p>This is important for those who run custom plugins as it may affect the sequence in which your plugins are executed. This does not change the order of execution for plugins in a standard Kong Gateway installation.</p> <p>Old and new plugin priority values:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">acme</code> changed from <code class="language-plaintext highlighter-rouge">1007</code> to <code class="language-plaintext highlighter-rouge">1705</code> </li> <li> <code class="language-plaintext highlighter-rouge">basic-auth</code> changed from <code class="language-plaintext highlighter-rouge">1001</code> to <code class="language-plaintext highlighter-rouge">1100</code> </li> <li> <code class="language-plaintext highlighter-rouge">canary</code> changed from <code class="language-plaintext highlighter-rouge">13</code> to <code class="language-plaintext highlighter-rouge">20</code> </li> <li> <code class="language-plaintext highlighter-rouge">degraphql</code> changed from <code class="language-plaintext highlighter-rouge">1005</code> to <code class="language-plaintext highlighter-rouge">1500</code> </li> <li> <code class="language-plaintext highlighter-rouge">graphql-proxy-cache-advanced</code> changed from <code class="language-plaintext highlighter-rouge">100</code> to <code class="language-plaintext highlighter-rouge">99</code> </li> <li> <code class="language-plaintext highlighter-rouge">hmac-auth</code> changed from <code class="language-plaintext highlighter-rouge">1000</code> to <code class="language-plaintext highlighter-rouge">1030</code> </li> <li> <code class="language-plaintext highlighter-rouge">jwt</code> changed from <code class="language-plaintext highlighter-rouge">1005</code> to <code class="language-plaintext highlighter-rouge">1450</code> </li> <li> <code class="language-plaintext highlighter-rouge">jwt-signer</code> changed from <code class="language-plaintext highlighter-rouge">999</code> to <code class="language-plaintext highlighter-rouge">1020</code>.</li> <li> <code class="language-plaintext highlighter-rouge">key-auth</code> changed from <code class="language-plaintext highlighter-rouge">1003</code> to <code class="language-plaintext highlighter-rouge">1250</code> </li> <li> <code class="language-plaintext highlighter-rouge">key-auth-advanced</code> changed from <code class="language-plaintext highlighter-rouge">1003</code> to <code class="language-plaintext highlighter-rouge">1250</code> </li> <li> <code class="language-plaintext highlighter-rouge">ldap-auth</code> changed from <code class="language-plaintext highlighter-rouge">1002</code> to <code class="language-plaintext highlighter-rouge">1200</code> </li> <li> <code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code> changed from <code class="language-plaintext highlighter-rouge">1002</code> to <code class="language-plaintext highlighter-rouge">1200</code> </li> <li> <code class="language-plaintext highlighter-rouge">mtls-auth</code> changed from <code class="language-plaintext highlighter-rouge">1006</code> to <code class="language-plaintext highlighter-rouge">1600</code> </li> <li> <code class="language-plaintext highlighter-rouge">oauth2</code> changed from <code class="language-plaintext highlighter-rouge">1004</code> to <code class="language-plaintext highlighter-rouge">1400</code> </li> <li> <code class="language-plaintext highlighter-rouge">openid-connect</code> changed from <code class="language-plaintext highlighter-rouge">1000</code> to <code class="language-plaintext highlighter-rouge">1050</code> </li> <li> <code class="language-plaintext highlighter-rouge">rate-limiting</code> changed from <code class="language-plaintext highlighter-rouge">901</code> to <code class="language-plaintext highlighter-rouge">910</code> </li> <li> <code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code> changed from <code class="language-plaintext highlighter-rouge">902</code> to <code class="language-plaintext highlighter-rouge">910</code> </li> <li> <code class="language-plaintext highlighter-rouge">route-by-header</code> changed from <code class="language-plaintext highlighter-rouge">2000</code> to <code class="language-plaintext highlighter-rouge">850</code> </li> <li> <code class="language-plaintext highlighter-rouge">route-transformer-advanced</code> changed from <code class="language-plaintext highlighter-rouge">800</code> to <code class="language-plaintext highlighter-rouge">780</code> </li> <li> <code class="language-plaintext highlighter-rouge">pre-function</code> changed from <code class="language-plaintext highlighter-rouge">+inf</code> to <code class="language-plaintext highlighter-rouge">1000000</code> </li> <li> <code class="language-plaintext highlighter-rouge">vault-auth</code> changed from <code class="language-plaintext highlighter-rouge">1003</code> to <code class="language-plaintext highlighter-rouge">1350</code> </li> </ul> </li> <li> <p>Kong plugins no longer support <code class="language-plaintext highlighter-rouge">CREDENTIAL_USERNAME</code> (<code class="language-plaintext highlighter-rouge">X-Credential-Username</code>). Use the constant <code class="language-plaintext highlighter-rouge">CREDENTIAL_IDENTIFIER</code> (<code class="language-plaintext highlighter-rouge">X-Credential-Identifier</code>) when setting the upstream headers for a credential. <a href="https://github.com/Kong/kong/pull/8815" target="_blank" rel="noopener nofollow noreferrer ">#8815</a></p> </li> <li> <a href="/hub/kong-inc/acl/">ACL</a> (<code class="language-plaintext highlighter-rouge">acl</code>), <a href="/hub/kong-inc/bot-detection/">Bot Detection</a> (<code class="language-plaintext highlighter-rouge">bot-detection</code>), and <a href="/hub/kong-inc/ip-restriction/">IP Restriction</a> (<code class="language-plaintext highlighter-rouge">ip-restriction</code>) <ul> <li>Removed the deprecated <code class="language-plaintext highlighter-rouge">blacklist</code> and <code class="language-plaintext highlighter-rouge">whitelist</code> configuration parameters. <a href="https://github.com/Kong/kong/pull/8560" target="_blank" rel="noopener nofollow noreferrer ">#8560</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/acme/">ACME</a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>The default value of the <code class="language-plaintext highlighter-rouge">auth_method</code> configuration parameter is now <code class="language-plaintext highlighter-rouge">token</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>The AWS region is now required. You can set it through the plugin configuration with the <code class="language-plaintext highlighter-rouge">aws_region</code> field parameter, or with environment variables.</li> <li>The plugin now allows <code class="language-plaintext highlighter-rouge">host</code> and <code class="language-plaintext highlighter-rouge">aws_region</code> fields to be set at the same time, and always applies the SigV4 signature. <a href="https://github.com/Kong/kong/pull/8082" target="_blank" rel="noopener nofollow noreferrer ">#8082</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/">HTTP Log</a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">headers</code> field now only takes a single string per header name, where it previously took an array of values. <a href="https://github.com/Kong/kong/pull/6992" target="_blank" rel="noopener nofollow noreferrer ">#6992</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwt/">JWT</a> (<code class="language-plaintext highlighter-rouge">jwt</code>) <ul> <li>The authenticated JWT is no longer put into the nginx context (<code class="language-plaintext highlighter-rouge">ngx.ctx.authenticated_jwt_token</code>). Custom plugins which depend on that value being set under that name must be updated to use Kong’s shared context instead (<code class="language-plaintext highlighter-rouge">kong.ctx.shared.authenticated_jwt_token</code>) before upgrading to 3.0.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/">Prometheus</a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>High cardinality metrics are now disabled by default.</li> <li>Decreased performance penalty to proxy traffic when collecting metrics.</li> <li>The following metric names were adjusted to add units to standardize where possible: <ul> <li> <code class="language-plaintext highlighter-rouge">http_status</code> to <code class="language-plaintext highlighter-rouge">http_requests_total</code>.</li> <li> <p><code class="language-plaintext highlighter-rouge">latency</code> to <code class="language-plaintext highlighter-rouge">kong_request_latency_ms</code> (HTTP), <code class="language-plaintext highlighter-rouge">kong_upstream_latency_ms</code>, <code class="language-plaintext highlighter-rouge">kong_kong_latency_ms</code>, and <code class="language-plaintext highlighter-rouge">session_duration_ms</code> (stream).</p> <p>Kong latency and upstream latency can operate at orders of different magnitudes. Separate these buckets to reduce memory overhead.</p> </li> <li> <code class="language-plaintext highlighter-rouge">kong_bandwidth</code> to <code class="language-plaintext highlighter-rouge">kong_bandwidth_bytes</code>.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_http_current_connections</code> and <code class="language-plaintext highlighter-rouge">nginx_stream_current_connections</code> were merged into to <code class="language-plaintext highlighter-rouge">nginx_connections_total</code>.</li> <li> <p><code class="language-plaintext highlighter-rouge">request_count</code> and <code class="language-plaintext highlighter-rouge">consumer_status</code> were merged into <code class="language-plaintext highlighter-rouge">http_requests_total</code>.</p> <p>If the <code class="language-plaintext highlighter-rouge">per_consumer</code> config is set to <code class="language-plaintext highlighter-rouge">false</code>, the <code class="language-plaintext highlighter-rouge">consumer</code> label will be empty. If the <code class="language-plaintext highlighter-rouge">per_consumer</code> config is <code class="language-plaintext highlighter-rouge">true</code>, the <code class="language-plaintext highlighter-rouge">consumer</code> label will be filled.</p> </li> </ul> </li> <li>Removed the following metric: <code class="language-plaintext highlighter-rouge">http_consumer_status</code> </li> <li>New metrics: <ul> <li> <code class="language-plaintext highlighter-rouge">session_duration_ms</code>: monitoring stream connections.</li> <li> <code class="language-plaintext highlighter-rouge">node_info</code>: Single gauge set to 1 that outputs the node’s ID and Kong Gateway version.</li> </ul> </li> <li> <code class="language-plaintext highlighter-rouge">http_requests_total</code> has a new label, <code class="language-plaintext highlighter-rouge">source</code>. It can be set to <code class="language-plaintext highlighter-rouge">exit</code>, <code class="language-plaintext highlighter-rouge">error</code>, or <code class="language-plaintext highlighter-rouge">service</code>.</li> <li>All memory metrics have a new label: <code class="language-plaintext highlighter-rouge">node_id</code>.</li> <li>Updated the Grafana dashboard that comes packaged with Kong <a href="https://github.com/Kong/kong/pull/8712" target="_blank" rel="noopener nofollow noreferrer ">#8712</a> </li> <li>The plugin doesn’t export status codes, latencies, bandwidth and upstream health check metrics by default. They can still be turned on manually by setting <code class="language-plaintext highlighter-rouge">status_code_metrics</code>, <code class="language-plaintext highlighter-rouge">lantency_metrics</code>, <code class="language-plaintext highlighter-rouge">bandwidth_metrics</code> and <code class="language-plaintext highlighter-rouge">upstream_health_metrics</code> respectively. <a href="https://github.com/Kong/kong/pull/9028" target="_blank" rel="noopener nofollow noreferrer ">#9028</a> </li> </ul> </li> <li> <strong><a href="/hub/kong-inc/pre-function/">Pre-function</a> (<code class="language-plaintext highlighter-rouge">pre-function</code>) and <a href="/hub/kong-inc/post-function/">Post-function</a></strong> (<code class="language-plaintext highlighter-rouge">post-function</code>) <ul> <li>Removed the deprecated <code class="language-plaintext highlighter-rouge">config.functions</code> configuration parameter from the Serverless Functions plugins’ schemas. Use the <code class="language-plaintext highlighter-rouge">config.access</code> phase instead. <a href="https://github.com/Kong/kong/pull/8559" target="_blank" rel="noopener nofollow noreferrer ">#8559</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/statsd/">StatsD</a> (<code class="language-plaintext highlighter-rouge">statsd</code>): <ul> <li>Any metric name that is related to a service now has a <code class="language-plaintext highlighter-rouge">service.</code> prefix: <code class="language-plaintext highlighter-rouge">kong.service.<service_identifier>.request.count</code>. <ul> <li>The metric <code class="language-plaintext highlighter-rouge">kong.<service_identifier>.request.status.<status></code> has been renamed to <code class="language-plaintext highlighter-rouge">kong.service.<service_identifier>.status.<status></code>.</li> <li>The metric <code class="language-plaintext highlighter-rouge">kong.<service_identifier>.user.<consumer_identifier>.request.status.<status></code> has been renamed to <code class="language-plaintext highlighter-rouge">kong.service.<service_identifier>.user.<consumer_identifier>.status.<status></code>.</li> </ul> </li> <li>The metric <code class="language-plaintext highlighter-rouge">*.status.<status>.total</code> from metrics <code class="language-plaintext highlighter-rouge">status_count</code> and <code class="language-plaintext highlighter-rouge">status_count_per_user</code> has been removed.</li> </ul> <p><a href="https://github.com/Kong/kong/pull/9046" target="_blank" rel="noopener nofollow noreferrer ">#9046</a></p> </li> <li> <a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>), <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>), and <a href="/hub/kong-inc/response-ratelimiting/">Response Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>): <ul> <li>The default policy is now local for all deployment modes. <a href="https://github.com/Kong/kong/pull/9344" target="_blank" rel="noopener nofollow noreferrer ">#9344</a> </li> </ul> </li> <li> <strong>Deprecated</strong>: <a href="/hub/kong-inc/statsd-advanced/">StatsD Advanced</a> (<code class="language-plaintext highlighter-rouge">statsd-advanced</code>): <ul> <li>The StatsD Advanced plugin has been deprecated and will be removed in 4.0. All capabilities are now available in the <a href="/hub/kong-inc/statsd/">StatsD</a> plugin.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache/">Proxy Cache</a> (<code class="language-plaintext highlighter-rouge">proxy-cache</code>), <a href="/hub/kong-inc/proxy-cache-advanced/">Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>), and <a href="/hub/kong-inc/graphql-proxy-cache-advanced/">GraphQL Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">graphql-proxy-cache-advanced</code>) <ul> <li>These plugins don’t store response data in <code class="language-plaintext highlighter-rouge">ngx.ctx.proxy_cache_hit</code> anymore. Logging plugins that need the response data must now read it from <code class="language-plaintext highlighter-rouge">kong.ctx.shared.proxy_cache_hit</code>. <a href="https://github.com/Kong/kong/pull/8607" target="_blank" rel="noopener nofollow noreferrer ">#8607</a> </li> </ul> </li> </ul> <h4 id="configuration-23">Configuration</h4> <ul> <li>The Kong constant <code class="language-plaintext highlighter-rouge">CREDENTIAL_USERNAME</code> with the value of <code class="language-plaintext highlighter-rouge">X-Credential-Username</code> has been removed. <a href="https://github.com/Kong/kong/pull/8815" target="_blank" rel="noopener nofollow noreferrer ">#8815</a> </li> <li>The default value of <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code> has changed to <code class="language-plaintext highlighter-rouge">system</code> <a href="https://github.com/Kong/kong/pull/8602" target="_blank" rel="noopener nofollow noreferrer ">#8602</a> to automatically load the trusted CA list from the system CA store.</li> <li>It is no longer possible to use a <code class="language-plaintext highlighter-rouge">.lua</code> format to import a declarative configuration file from the <code class="language-plaintext highlighter-rouge">kong</code> CLI tool. Only JSON and YAML formats are supported. If your update procedure with Kong Gateway involves executing <code class="language-plaintext highlighter-rouge">kong config db_import config.lua</code>, convert the <code class="language-plaintext highlighter-rouge">config.lua</code> file into a <code class="language-plaintext highlighter-rouge">config.json</code> or <code class="language-plaintext highlighter-rouge">config.yml</code> file before upgrading. <a href="https://github.com/Kong/kong/pull/8898" target="_blank" rel="noopener nofollow noreferrer ">#8898</a> </li> <li>The data plane config cache mechanism and its related configuration options (<code class="language-plaintext highlighter-rouge">data_plane_config_cache_mode</code> and <code class="language-plaintext highlighter-rouge">data_plane_config_cache_path</code>) have been removed in favor of LMDB.</li> </ul> <h4 id="migrations">Migrations</h4> <ul> <li>The migration helper library (mostly used for Cassandra migrations) is no longer supplied with Kong Gateway. <a href="https://github.com/Kong/kong/pull/8781" target="_blank" rel="noopener nofollow noreferrer ">#8781</a> </li> <li>PostgreSQL migrations can now have an <code class="language-plaintext highlighter-rouge">up_f</code> part like Cassandra migrations, designating a function to call. The <code class="language-plaintext highlighter-rouge">up_f</code> part is invoked after the <code class="language-plaintext highlighter-rouge">up</code> part has been executed against the database for both PostgreSQL and Cassandra.</li> </ul> <h3 id="fixes-60">Fixes</h3> <h4 id="enterprise-21">Enterprise</h4> <ul> <li> <p>Fixed an issue with keyring encryption, where the control plane would crash if any errors occurred during the initialization of the <a href="/gateway/latest/kong-enterprise/db-encryption/">keyring module</a>.</p> </li> <li> <p>Fixed an issue where the keyring module was not decrypting keys after a soft reload.</p> </li> <li>Fixed pagination issues: <ul> <li>Fixed a consumer pagination issue.</li> <li>Fixed an issue that appeared when loading the second page while iterating over a foreign key field using the DAO. <a href="https://github.com/Kong/kong/pull/9255" target="_blank" rel="noopener nofollow noreferrer ">#9255</a> </li> </ul> </li> <li> <p>Fixed service route update failures that occurred after restarting a control plane.</p> </li> <li> <strong>Vitals</strong>: <ul> <li>Disabled <code class="language-plaintext highlighter-rouge">phone_home</code> for <code class="language-plaintext highlighter-rouge">anonymous_reports</code> on the data plane.</li> <li>The Kong Gateway version information is now sent in the telemetry request query parameter.</li> </ul> </li> <li> <strong>Kong Manager</strong>: <ul> <li>Fixed the workspace dashboard’s loading state. Previously, a dashboard with no request data and an existing service would still prompt users to add a service.</li> <li>Fixed an issue where Kong Manager allowed selection of metrics not supported by the Datadog plugin.</li> <li>Fixed the values accepted for upstream configuration in Kong Manager. Previously, fields that were supposed to accept decimals would only accept whole numbers.</li> <li>Fixed an issue where you couldn’t save or update <code class="language-plaintext highlighter-rouge">pre-function</code> plugin configuration when the updated value contained a comma (<code class="language-plaintext highlighter-rouge">,</code>).</li> <li>The service name field on the Service Contracts page now correctly shows the service display name. Previously, it showed the service ID.</li> <li>Fixed an issue where, after updating the CA certificate, the page wouldn’t return to the certificate view.</li> <li>Fixed an issue where the port was missing from the service URL on the service overview page.</li> <li>Fixed an issue where switching between workspace dashboard pages would not update the Dev Portal URL.</li> <li>Fixed issues with plugins: <ul> <li>The Exit Transformer plugin can now load Lua functions added through Kong Manager.</li> <li>The CORS plugin now treats regexes properly for the <code class="language-plaintext highlighter-rouge">config.origins</code> field.</li> <li>The Datadog plugin now accepts an array for the <code class="language-plaintext highlighter-rouge">tags</code> field. Previously, it was incorrectly expecting a string.</li> </ul> </li> <li>Fixed an <code class="language-plaintext highlighter-rouge">HTTP 500</code> error that occurred when sorting routes by the <strong>Hosts</strong> column, then clicking <strong>Next</strong> on a paginated listing.</li> <li>Fixed an issue that prevented developer role assignments from displaying in Kong Manager. When viewing a role under the Permissions tab in the Dev Portal section, the list of developers wouldn’t update when a new developer was added. Kong Manager was constructing the wrong URL when retrieving Dev Portal assignees.</li> <li>Fixed an issue where admins couldn’t switch workspaces if they didn’t have an roles in the default workspace.</li> <li>Fixed a display issue with Dev Portal settings in Kong Manager.</li> <li>Improved the error that appeared when trying to view admin roles without permissions for the resource. Instead of displaying <code class="language-plaintext highlighter-rouge">404 workspace not found</code>, the error now informs the user that they don’t have access to view roles.</li> </ul> </li> <li>Fixed an issue where the data plane would reload and lose its license after an Nginx reload.</li> <li> <p>Fixed issues in dependencies:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">kong-gql</code>: Fixed variable definitions to handle non-nullable/list-type variables correctly.</li> <li> <code class="language-plaintext highlighter-rouge">lua-resty-openssl-aux-module</code>: Fixed an issue with getting <code class="language-plaintext highlighter-rouge">SSL_CTX</code> from a request.</li> </ul> </li> </ul> <h4 id="core-66">Core</h4> <ul> <li>The schema validator now correctly converts <code class="language-plaintext highlighter-rouge">null</code> from declarative configurations to <code class="language-plaintext highlighter-rouge">nil</code>. <a href="https://github.com/Kong/kong/pull/8483" target="_blank" rel="noopener nofollow noreferrer ">#8483</a> </li> <li>Kong now reschedules router and plugin iterator timers only after finishing the previous execution, avoiding unnecessary concurrent executions. <a href="https://github.com/Kong/kong/pull/8567" target="_blank" rel="noopener nofollow noreferrer ">#8567</a> </li> <li>External plugins now handle returned JSON with null member correctly. <a href="https://github.com/Kong/kong/pull/8611" target="_blank" rel="noopener nofollow noreferrer ">#8611</a> </li> <li>Fixed an issue where the address of an environment variable could change but the code didn’t check that it was fixed after init. <a href="https://github.com/Kong/kong/pull/8581" target="_blank" rel="noopener nofollow noreferrer ">#8581</a> </li> <li>Fixed an issue where the Go plugin server instance would not be updated after a restart. <a href="https://github.com/Kong/kong/pull/8547" target="_blank" rel="noopener nofollow noreferrer ">#8547</a> </li> <li>Fixed an issue on trying to reschedule the DNS resolving timer when Kong was being reloaded. <a href="https://github.com/Kong/kong/pull/8702" target="_blank" rel="noopener nofollow noreferrer ">#8702</a> </li> <li>The private stream API has been rewritten to allow for larger message payloads. <a href="https://github.com/Kong/kong/pull/8641" target="_blank" rel="noopener nofollow noreferrer ">#8641</a> </li> <li>Fixed an issue that the client certificate sent to the upstream was not updated when using the <code class="language-plaintext highlighter-rouge">PATCH</code> method. <a href="https://github.com/Kong/kong/pull/8934" target="_blank" rel="noopener nofollow noreferrer ">#8934</a> </li> <li>Fixed an issue where the control plane and wRPC module interaction would cause Kong to crash when calling <code class="language-plaintext highlighter-rouge">export_deflated_reconfigure_payload</code> without a <code class="language-plaintext highlighter-rouge">pcall</code>. <a href="https://github.com/Kong/kong/pull/8668" target="_blank" rel="noopener nofollow noreferrer ">#8668</a> </li> <li>Moved all <code class="language-plaintext highlighter-rouge">.proto</code> files to <code class="language-plaintext highlighter-rouge">/usr/local/kong/include</code> and ordered by priority. <a href="https://github.com/Kong/kong/pull/8914" target="_blank" rel="noopener nofollow noreferrer ">#8914</a> </li> <li>Fixed an issue that caused unexpected 404 errors when creating or updating configs with invalid options. <a href="https://github.com/Kong/kong/pull/8831" target="_blank" rel="noopener nofollow noreferrer ">#8831</a> </li> <li>Fixed an issue that caused crashes when calling some PDK APIs. <a href="https://github.com/Kong/kong/pull/8604" target="_blank" rel="noopener nofollow noreferrer ">#8604</a> </li> <li>Fixed an issue that caused crashes when go PDK calls returned arrays. <a href="https://github.com/Kong/kong/pull/8891" target="_blank" rel="noopener nofollow noreferrer ">#8891</a> </li> <li>Plugin servers now shutdown gracefully when Kong exits. <a href="https://github.com/Kong/kong/pull/8923" target="_blank" rel="noopener nofollow noreferrer ">#8923</a> </li> <li>CLI now prompts with <code class="language-plaintext highlighter-rouge">[y/n]</code> instead of <code class="language-plaintext highlighter-rouge">[Y/n]</code>, as it does not take <code class="language-plaintext highlighter-rouge">y</code> as default. <a href="https://github.com/Kong/kong/pull/9114" target="_blank" rel="noopener nofollow noreferrer ">#9114</a> </li> <li>Improved the error message that appears when Kong can’t connect to Cassandra on init. <a href="https://github.com/Kong/kong/pull/8847" target="_blank" rel="noopener nofollow noreferrer ">#8847</a> </li> <li>Fixed an issue where the Vault subschema wasn’t loaded in the <code class="language-plaintext highlighter-rouge">off</code> strategy. <a href="https://github.com/Kong/kong/pull/9174" target="_blank" rel="noopener nofollow noreferrer ">#9174</a> </li> <li>The schema now runs select transformations before <code class="language-plaintext highlighter-rouge">process_auto_fields</code>. <a href="https://github.com/Kong/kong/pull/9049" target="_blank" rel="noopener nofollow noreferrer ">#9049</a> </li> <li>Fixed an issue where Kong Gateway would use too many timers to keep track of upstreams when <code class="language-plaintext highlighter-rouge">worker_consistency = eventual</code>. <a href="https://github.com/Kong/kong/pull/8694" target="_blank" rel="noopener nofollow noreferrer ">#8694</a>, <a href="https://github.com/Kong/kong/pull/8858" target="_blank" rel="noopener nofollow noreferrer ">#8858</a> </li> <li>Fixed an issue where it wasn’t possible to set target status using only a hostname for targets set only by their hostname. <a href="https://github.com/Kong/kong/pull/8797" target="_blank" rel="noopener nofollow noreferrer ">#8797</a> </li> <li>Fixed an issue where cache entries of some entities were not being properly invalidated after a cascade delete. <a href="https://github.com/Kong/kong/pull/9261" target="_blank" rel="noopener nofollow noreferrer ">#9261</a> </li> <li>Running <code class="language-plaintext highlighter-rouge">kong start</code> when Kong Gateway is already running no longer overwrites the existing <code class="language-plaintext highlighter-rouge">.kong_env</code> file <a href="https://github.com/Kong/kong/pull/9254" target="_blank" rel="noopener nofollow noreferrer ">#9254</a> </li> </ul> <h4 id="admin-api-29">Admin API</h4> <ul> <li>The Admin API now supports <code class="language-plaintext highlighter-rouge">HTTP/2</code> when requesting <code class="language-plaintext highlighter-rouge">/status</code>. <a href="https://github.com/Kong/kong/pull/8690" target="_blank" rel="noopener nofollow noreferrer ">#8690</a> </li> <li>Fixed an issue where the Admin API didn’t display <code class="language-plaintext highlighter-rouge">Allow</code> and <code class="language-plaintext highlighter-rouge">Access-Control-Allow-Methods</code> headers with <code class="language-plaintext highlighter-rouge">OPTIONS</code> requests.</li> </ul> <h4 id="plugins-81">Plugins</h4> <ul> <li> <p>Plugins with colliding priorities have now deterministic sorting based on their name. <a href="https://github.com/Kong/kong/pull/8957" target="_blank" rel="noopener nofollow noreferrer ">#8957</a></p> </li> <li> <p>External plugins: Kong Gateway now handles logging better when a plugin instance loses the <code class="language-plaintext highlighter-rouge">instances_id</code> in an event handler. <a href="https://github.com/Kong/kong/pull/8652" target="_blank" rel="noopener nofollow noreferrer ">#8652</a></p> </li> <li> <a href="/hub/kong-inc/acme/">ACME</a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>The default value of the <code class="language-plaintext highlighter-rouge">auth_method</code> configuration parameter is now set to <code class="language-plaintext highlighter-rouge">token</code>. <a href="https://github.com/Kong/kong/pull/8565" target="_blank" rel="noopener nofollow noreferrer ">#8565</a> </li> <li>Added a cache for <code class="language-plaintext highlighter-rouge">domains_matcher</code>. <a href="https://github.com/Kong/kong/pull/9048" target="_blank" rel="noopener nofollow noreferrer ">#9048</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/">HTTP Log</a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Log output is now restricted to the workspace the plugin is running in. Previously, the plugin could log requests from outside of its workspace.</li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Removed the deprecated <code class="language-plaintext highlighter-rouge">proxy_scheme</code> field from the plugin’s schema. <a href="https://github.com/Kong/kong/pull/8566" target="_blank" rel="noopener nofollow noreferrer ">#8566</a> </li> <li>Changed the path from <code class="language-plaintext highlighter-rouge">request_uri</code> to <code class="language-plaintext highlighter-rouge">upstream_uri</code> to fix an issue where the URI could not follow a rule defined by the Request Transformer plugin. <a href="https://github.com/Kong/kong/pull/9058" target="_blank" rel="noopener nofollow noreferrer ">#9058</a> <a href="https://github.com/Kong/kong/pull/9129" target="_blank" rel="noopener nofollow noreferrer ">#9129</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/">Forward Proxy</a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>Fixed a proxy authentication error caused by incorrect base64 encoding.</li> <li>Use lowercase when overwriting the Nginx request host header.</li> <li>The plugin now allows multi-value response headers.</li> </ul> </li> <li> <a href="/hub/kong-inc/grpc-gateway/">gRPC Gateway</a> (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>) <ul> <li>Fixed the handling of boolean fields from URI arguments. <a href="https://github.com/Kong/kong/pull/9180" target="_blank" rel="noopener nofollow noreferrer ">#9180</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/hmac-auth/">HMAC Authentication</a> (<code class="language-plaintext highlighter-rouge">hmac-auth</code>) <ul> <li>Removed deprecated signature format using <code class="language-plaintext highlighter-rouge">ngx.var.uri</code>. <a href="https://github.com/Kong/kong/pull/8558" target="_blank" rel="noopener nofollow noreferrer ">#8558</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth/">LDAP Authentication</a> (<code class="language-plaintext highlighter-rouge">ldap-auth</code>) <ul> <li>Refactored ASN.1 parser using OpenSSL API through FFI. <a href="https://github.com/Kong/kong/pull/8663" target="_blank" rel="noopener nofollow noreferrer ">#8663</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Authentication Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where Kong Manager LDAP authentication failed when <code class="language-plaintext highlighter-rouge">base_dn</code> was the domain root.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/">Mocking</a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">204</code> responses were not handled correctly and you would see the following error: <code class="language-plaintext highlighter-rouge">"No examples exist in API specification for this resource"</code>.</li> <li> <code class="language-plaintext highlighter-rouge">204</code> response specs now support empty content elements.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) openid-connect <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">kong_oauth2</code> consumer mapping.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) and <a href="/hub/kong-inc/response-ratelimiting/">Response Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed a PostgreSQL deadlock issue that occurred when the <code class="language-plaintext highlighter-rouge">cluster</code> policy was used with two or more metrics (for example, <code class="language-plaintext highlighter-rouge">second</code> and <code class="language-plaintext highlighter-rouge">day</code>.) <a href="https://github.com/Kong/kong/pull/8968" target="_blank" rel="noopener nofollow noreferrer ">#8968</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed error handling when calling <code class="language-plaintext highlighter-rouge">get_window</code> and added more buffer on the window reserve.</li> <li>Fixed error handling for plugin strategy configuration when in hybrid or DB-less mode and strategy is set to <code class="language-plaintext highlighter-rouge">cluster</code>.</li> </ul> </li> <li> <strong><a href="/hub/kong-inc/pre-function/">Pre-function</a> (<code class="language-plaintext highlighter-rouge">pre-function</code>) and <a href="/hub/kong-inc/post-function/">Post-function</a></strong> (<code class="language-plaintext highlighter-rouge">post-function</code>) <ul> <li>Fixed a problem that could cause a crash. <a href="https://github.com/Kong/kong/pull/9269" target="_blank" rel="noopener nofollow noreferrer ">#9269</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/syslog/">Syslog</a> (<code class="language-plaintext highlighter-rouge">syslog</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">conf.facility</code> default value is now set to <code class="language-plaintext highlighter-rouge">user</code>. <a href="https://github.com/Kong/kong/pull/8564" target="_blank" rel="noopener nofollow noreferrer ">#8564</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/zipkin/">Zipkin</a> (<code class="language-plaintext highlighter-rouge">zipkin</code>) <ul> <li>Fixed the balancer spans’ duration to include the connection time from Nginx to the upstream. <a href="https://github.com/Kong/kong/pull/8848" target="_blank" rel="noopener nofollow noreferrer ">#8848</a> </li> <li>Corrected the calculation of the header filter start time. <a href="https://github.com/Kong/kong/pull/9230" target="_blank" rel="noopener nofollow noreferrer ">#9230</a> </li> <li>Made the plugin compatible with the latest <a href="https://www.jaegertracing.io/docs/1.29/client-libraries/#tracespan-identity" target="_blank" rel="noopener nofollow noreferrer ">Jaeger header spec</a>, which makes <code class="language-plaintext highlighter-rouge">parent_id</code> optional. <a href="https://github.com/Kong/kong/pull/8352" target="_blank" rel="noopener nofollow noreferrer ">#8352</a> </li> </ul> </li> </ul> <h4 id="clustering-16">Clustering</h4> <ul> <li>The cluster listener now uses the value of <code class="language-plaintext highlighter-rouge">admin_error_log</code> for its log file instead of <code class="language-plaintext highlighter-rouge">proxy_error_log</code>. <a href="https://github.com/Kong/kong/pull/8583" target="_blank" rel="noopener nofollow noreferrer ">#8583</a> </li> <li>Fixed a typo in some business logic that checks the Kong role before setting a value in cache at startup. <a href="https://github.com/Kong/kong/pull/9060" target="_blank" rel="noopener nofollow noreferrer ">#9060</a> </li> <li>Fixed an issue in hybrid mode where, if a service was set to <code class="language-plaintext highlighter-rouge">enabled: false</code> and that service had a route with an enabled plugin, any new data planes would receive empty configuration. <a href="https://github.com/Kong/kong/pull/8816" target="_blank" rel="noopener nofollow noreferrer ">#8816</a> </li> <li>Localized <code class="language-plaintext highlighter-rouge">config_version</code> to avoid a race condition from the new yielding config loading code. <a href="https://github.com/Kong/kong/pull/8818" target="_blank" rel="noopener nofollow noreferrer ">#8188</a> </li> </ul> <h4 id="pdk-21">PDK</h4> <ul> <li> <code class="language-plaintext highlighter-rouge">kong.response.get_source()</code> now returns an error instead of an exit when plugin throws a runtime exception in the access phase. <a href="https://github.com/Kong/kong/pull/8599" target="_blank" rel="noopener nofollow noreferrer ">#8599</a> </li> <li> <p><code class="language-plaintext highlighter-rouge">kong.tools.uri.normalize()</code> now escapes reserved and unreserved characters more accurately. <a href="https://github.com/Kong/kong/pull/8140" target="_blank" rel="noopener nofollow noreferrer ">#8140</a></p> </li> <li>RFC3987 validation on route paths was removed, allowing operators to create a route with an invalid path URI like <code class="language-plaintext highlighter-rouge">/something|</code> which can not match any incoming request. This validation will be added back in a future release.</li> </ul> <h3 id="dependencies-42">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">openresty</code> from 1.19.9.1 to 1.21.4.1 <a href="https://github.com/Kong/kong/pull/8850" target="_blank" rel="noopener nofollow noreferrer ">#8850</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">pgmoon</code> from 1.13.0 to 1.15.0 <a href="https://github.com/Kong/kong/pull/8908" target="_blank" rel="noopener nofollow noreferrer ">#8908</a> <a href="https://github.com/Kong/kong/pull/8429" target="_blank" rel="noopener nofollow noreferrer ">#8429</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">openssl</code> from 1.1.1n to 1.1.1q <a href="https://github.com/Kong/kong/pull/9074" target="_blank" rel="noopener nofollow noreferrer ">#9074</a> <a href="https://github.com/Kong/kong/pull/8544" target="_blank" rel="noopener nofollow noreferrer ">#8544</a> <a href="https://github.com/Kong/kong/pull/8752" target="_blank" rel="noopener nofollow noreferrer ">#8752</a> <a href="https://github.com/Kong/kong/pull/8994" target="_blank" rel="noopener nofollow noreferrer ">#8994</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty.openssl</code> from 0.8.8 to 0.8.10 <a href="https://github.com/Kong/kong/pull/8592" target="_blank" rel="noopener nofollow noreferrer ">#8592</a> <a href="https://github.com/Kong/kong/pull/8753" target="_blank" rel="noopener nofollow noreferrer ">#8753</a> <a href="https://github.com/Kong/kong/pull/9023" target="_blank" rel="noopener nofollow noreferrer ">#9023</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">inspect</code> from 3.1.2 to 3.1.3 <a href="https://github.com/Kong/kong/pull/8589" target="_blank" rel="noopener nofollow noreferrer ">#8589</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty.acme</code> from 0.7.2 to 0.8.1 <a href="https://github.com/Kong/kong/pull/8680" target="_blank" rel="noopener nofollow noreferrer ">#8680</a> <a href="https://github.com/Kong/kong/pull/9165" target="_blank" rel="noopener nofollow noreferrer ">#9165</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">luarocks</code> from 3.8.0 to 3.9.1 <a href="https://github.com/Kong/kong/pull/8700" target="_blank" rel="noopener nofollow noreferrer ">#8700</a> <a href="https://github.com/Kong/kong/pull/9204" target="_blank" rel="noopener nofollow noreferrer ">#9204</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">luasec</code> from 1.0.2 to 1.2.0 <a href="https://github.com/Kong/kong/pull/8754" target="_blank" rel="noopener nofollow noreferrer ">#8754</a> <a href="https://github.com/Kong/kong/pull/9205" target="_blank" rel="noopener nofollow noreferrer ">#8754</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty.healthcheck</code> from 1.5.0 to 1.6.1 <a href="https://github.com/Kong/kong/pull/8755" target="_blank" rel="noopener nofollow noreferrer ">#8755</a> <a href="https://github.com/Kong/kong/pull/9018" target="_blank" rel="noopener nofollow noreferrer ">#9018</a> <a href="https://github.com/Kong/kong/pull/9150" target="_blank" rel="noopener nofollow noreferrer ">#9150</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty.cassandra</code> from 1.5.1 to 1.5.2 <a href="https://github.com/Kong/kong/pull/8845" target="_blank" rel="noopener nofollow noreferrer ">#8845</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">penlight</code> from 1.12.0 to 1.13.1 <a href="https://github.com/Kong/kong/pull/9206" target="_blank" rel="noopener nofollow noreferrer ">#9206</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-mlcache</code> from 2.5.0 to 2.6.0 <a href="https://github.com/Kong/kong/pull/9287" target="_blank" rel="noopener nofollow noreferrer ">#9287</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lodash</code> for Dev Portal from 4.17.11 to 4.17.21</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lodash</code> for Kong Manager from 4.17.15 to 4.17.21</li> </ul> <h2 id="28413">2.8.4.13</h2> <p><strong>Release Date</strong> 2024/09/20</p> <h3 id="breaking-changes-8">Breaking Changes</h3> <h4 id="dependencies-43">Dependencies</h4> <ul> <li>Fixed RPM relocation by setting the default prefix to <code class="language-plaintext highlighter-rouge">/</code>, and added a symbolic link for <code class="language-plaintext highlighter-rouge">resty</code> to handle missing <code class="language-plaintext highlighter-rouge">/usr/local/bin</code> in <code class="language-plaintext highlighter-rouge">PATH</code>.</li> </ul> <h3 id="fixes-61">Fixes</h3> <h4 id="core-67">Core</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">luarocks-admin</code> was not available in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>.</li> </ul> <h4 id="plugins-82">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where the sync timer could stop working due to a race condition.</li> </ul> </li> </ul> <h2 id="28412">2.8.4.12</h2> <p><strong>Release Date</strong> 2024/07/29</p> <h3 id="breaking-changes-and-deprecations-9">Breaking changes and deprecations</h3> <ul> <li>Debian 10 and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of this patch, Kong is not building Kong Gateway 2.8.x installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.</li> </ul> <h3 id="fixes-62">Fixes</h3> <ul> <li>AWS2 x86_64 is now cross-built.</li> <li>Cleaned up build code for deprecated packages.</li> <li>Made the RPM package relocatable.</li> </ul> <h2 id="28411">2.8.4.11</h2> <p><strong>Release Date</strong> 2024/06/22</p> <h3 id="fixes-63">Fixes</h3> <ul> <li>Fixed an issue where the DNS client was incorrectly using the content of the <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses.</li> </ul> <h2 id="28410">2.8.4.10</h2> <p><strong>Release Date</strong> 2024/06/18</p> <h3 id="known-issues-10">Known issues</h3> <ul> <li>There is an issue with the DNS client fix, where the DNS client incorrectly uses the content <code class="language-plaintext highlighter-rouge">ADDITIONAL SECTION</code> in DNS responses. To avoid this issue, install 2.8.4.11 instead of this patch.</li> </ul> <h3 id="features-42">Features</h3> <ul> <li>Added a Docker image for RHEL 8.</li> </ul> <h3 id="fixes-64">Fixes</h3> <h4 id="core-68">Core</h4> <ul> <li> <strong>DNS Client</strong>: Fixed an issue where the Kong DNS client stored records with non-matching domain and type when parsing answers. It now ignores records when the RR type differs from that of the query when parsing answers.</li> <li> <strong>Vitals</strong>: Fixed an issue where each data plane connecting to the control plane would trigger the creation of a redundant table rotater timer on the control plane.</li> </ul> <h4 id="plugins-83">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/"><strong>Rate Limiting Advanced</strong></a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Refactored <code class="language-plaintext highlighter-rouge">kong/tools/public/rate-limiting</code>, adding the new interface <code class="language-plaintext highlighter-rouge">new_instance</code> to provide isolation between different plugins. The original interfaces remain unchanged for backward compatibility.</p> <p>If you are using custom Rate Limiting plugins based on this library, update the initialization code to the new format. For example: <code class="language-plaintext highlighter-rouge">local ratelimiting = require("kong.tools.public.rate-limiting").new_instance("custom-plugin-name")</code>. The old interface will be removed in the upcoming major release.</p> </li> </ul> </li> </ul> <h3 id="dependencies-44">Dependencies</h3> <ul> <li>Improved the robustness of <code class="language-plaintext highlighter-rouge">lua-cjson</code> when handling unexpected input.</li> </ul> <h2 id="2849">2.8.4.9</h2> <p><strong>Release Date</strong> 2024/04/19</p> <h3 id="fixes-65">Fixes</h3> <h4 id="core-69">Core</h4> <ul> <li>Fixed an issue where vault configuration stayed sticky and cached even when configurations were changed.</li> </ul> <h4 id="pdk-22">PDK</h4> <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">kong.request.get_forwarded_port</code> incorrectly returned a string from <code class="language-plaintext highlighter-rouge">ngx.ctx.host_portand</code>. It now correctly returns a number.</li> </ul> <h4 id="plugins-84">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/degraphql/"><strong>DeGraphQL</strong></a> (<code class="language-plaintext highlighter-rouge">degraphql</code>) <ul> <li>Fixed an issue where GraphQL variables were not being correctly parsed and coerced into their defined types.</li> </ul> </li> </ul> <h2 id="2848">2.8.4.8</h2> <p><strong>Release Date</strong> 2024/03/26</p> <h3 id="features-43">Features</h3> <h4 id="configuration-24">Configuration</h4> <ul> <li>TLSv1.1 and lower is now disabled by default in OpenSSL 3.x.</li> <li> <strong>Performance:</strong> Bumped the default values of <code class="language-plaintext highlighter-rouge">nginx_http_keepalive_requests</code> and <code class="language-plaintext highlighter-rouge">upstream_keepalive_max_requests</code> to <code class="language-plaintext highlighter-rouge">10000</code>. These changes are optimized to work better in systems with high throughput. In a low-throughput setting, these new settings may have visible effects in load balancing, where it can take more requests to start using all the upstreams than before.</li> </ul> <h3 id="fixes-66">Fixes</h3> <h4 id="configuration-25">Configuration</h4> <ul> <li>Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API.</li> <li>Set the security level of gRPC’s TLS to <code class="language-plaintext highlighter-rouge">0</code> when <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is set to <code class="language-plaintext highlighter-rouge">old</code>.</li> </ul> <h4 id="core-70">Core</h4> <ul> <li>Updated the file permission of <code class="language-plaintext highlighter-rouge">kong.logrotate</code> to 644.</li> <li>Fixed the missing router section for the output of request debugging.</li> <li>Fixed a issue where the <code class="language-plaintext highlighter-rouge">/metrics</code> endpoint would throw an error when database was down.</li> <li>Fixed the UDP socket leak of the DNS module.</li> </ul> <h4 id="plugins-85">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Auth Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed some cache-related issues which caused <code class="language-plaintext highlighter-rouge">groups_required</code> to return unexpected codes after a non-200 response.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue where, if <code class="language-plaintext highlighter-rouge">sync_rate</code> was set to <code class="language-plaintext highlighter-rouge">0</code> and the <code class="language-plaintext highlighter-rouge">redis</code> strategy was in use, the plugin did not properly revert to the <code class="language-plaintext highlighter-rouge">local</code> strategy if the Redis connection was interrupted.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>), <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>), <a href="/hub/kong-inc/graphql-rate-limiting-advanced/">GraphQL Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>), and <a href="/hub/kong-inc/response-ratelimiting/">Response Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed an issue where any plugins using the <code class="language-plaintext highlighter-rouge">rate-limiting</code> library, when used together, would interfere with each other and fail to synchronize counter data to the central data store.</li> </ul> </li> </ul> <h3 id="dependencies-45">Dependencies</h3> <ul> <li>Bumped OpenSSL from 3.1.4 to 3.1.5</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-kong-nginx-module</code> to 0.2.3</li> <li>Bumped <code class="language-plaintext highlighter-rouge">kong-lua-resty-kafka</code> to 0.18</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-luasocket</code> to 1.1.2 to fix <a href="https://github.com/lunarmodules/luasocket/issues/427" target="_blank" rel="noopener nofollow noreferrer ">luasocket#427</a> </li> </ul> <h2 id="2847">2.8.4.7</h2> <p><strong>Release Date</strong> 2024/02/08</p> <h3 id="fixes-67">Fixes</h3> <h4 id="plugins-86">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed timer-related issues where the counter syncing timer couldn’t be created or destroyed properly.</li> <li>The plugin now creates counter syncing timers when being executed instead of at plugin creation time, which reduces meaningless error logs.</li> <li>The plugin now returns <code class="language-plaintext highlighter-rouge">info</code> and <code class="language-plaintext highlighter-rouge">log</code> level messages when Redis connections fail. These error messages were previously missing.</li> <li>The plugin now checks for query errors in the Redis pipeline.</li> <li>Fixed an issue where changing <code class="language-plaintext highlighter-rouge">sync_rate</code> from a value greater than 0 to 0 would clear the namespace unexpectedly.</li> </ul> </li> </ul> <h2 id="2846">2.8.4.6</h2> <p><strong>Release Date</strong> 2024/01/17</p> <h3 id="fixes-68">Fixes</h3> <h4 id="core-71">Core</h4> <ul> <li>Respect custom <code class="language-plaintext highlighter-rouge">proxy_access_log</code>. <a href="https://github.com/Kong/kong/issues/7437" target="_blank" rel="noopener nofollow noreferrer ">#7437</a> </li> <li>Fixed intermittent ldoc failures caused by a LuaJIT error. <a href="https://github.com/Kong/kong/issues/7492" target="_blank" rel="noopener nofollow noreferrer ">#7492</a> </li> </ul> <h4 id="enterprise-22">Enterprise</h4> <ul> <li>Bumped the <code class="language-plaintext highlighter-rouge">dns_stale_ttl</code> default to 1 hour so that stale DNS records can be used for a longer period of time in case of resolver downtime.</li> <li>Fixed a bug where a vault with a GCP backend would hide the error message when secrets couldn’t be fetched.</li> <li>Fixed an issue where a GCP vault couldn’t fetch secrets due to SSL verification failure in CLI mode. Users who use secrets management based on GCP should also ensure the <code class="language-plaintext highlighter-rouge">system</code> CA store is included in the <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code> configuration.</li> </ul> <h4 id="plugins-87">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Updated the time used when calculating token expiration.</li> </ul> </li> </ul> <h3 id="dependencies-46">Dependencies</h3> <h4 id="core-72">Core</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">resty-openssl</code> from 0.8.25 to 1.0.2. <a href="https://github.com/Kong/kong/issues/7414" target="_blank" rel="noopener nofollow noreferrer ">#7414</a> </li> <li>Bumped the Alpine base image from 3.16 to 3.19. <a href="https://github.com/Kong/kong/issues/7732" target="_blank" rel="noopener nofollow noreferrer ">#7732</a> </li> </ul> <h4 id="enterprise-23">Enterprise</h4> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-healthcheck</code> to 1.6.4 to fix a bug where the health check module wouldn’t work correctly when multiple health check instances weren’t cleared.</li> </ul> <h2 id="2845">2.8.4.5</h2> <p><strong>Release Date</strong> 2023/11/28</p> <h3 id="features-44">Features</h3> <h4 id="core-73">Core</h4> <ul> <li>Added support for observing the time consumed by some components in the given request.</li> <li>Added a unique Request ID that is now populated in the error log, access log, error templates, log serializer, and a new <code class="language-plaintext highlighter-rouge">X-Kong-Request-Id</code> header. This configuration can be customized for upstreams and downstreams using the <a href="/gateway/2.8.x/reference/configuration/#headers"><code class="language-plaintext highlighter-rouge">headers</code></a> and <a href="/gateway/2.8.x/reference/configuration/#headers_upstream"><code class="language-plaintext highlighter-rouge">headers_upstream</code></a> configuration options. <a href="https://github.com/Kong/kong/pull/11663" target="_blank" rel="noopener nofollow noreferrer ">#11663</a> </li> </ul> <h4 id="enterprise-24">Enterprise</h4> <ul> <li>License management: <ul> <li>Added support for counters such as routes, plugins, licenses, and deployment information to the license report.</li> <li>Added a checksum to the output of the license endpoint.</li> </ul> </li> </ul> <h4 id="plugins-88">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Added the new field <code class="language-plaintext highlighter-rouge">unauthorized_destroy_session</code>. When set to <code class="language-plaintext highlighter-rouge">true</code>, it destroys the session when receiving an unauthorized request by deleting the user’s session cookie.</li> </ul> </li> </ul> <h3 id="fixes-69">Fixes</h3> <h4 id="core-74">Core</h4> <ul> <li>Dismissed confusing debug log from the Redis rate limiting tool.</li> <li>Removed the asynchronous timer in <code class="language-plaintext highlighter-rouge">syncQuery()</code> to prevent hang risk.</li> <li>Updated the DNS client to follow configured timeouts in a more predictable manner.</li> <li>Ensured pluginserver protobuf includes are placed in the correct path in packages.</li> <li>Added missing support for consumer group tags.</li> <li>Fixed an issue that caused Kong Gateway to fail to start if <code class="language-plaintext highlighter-rouge">proxy_access_log</code> is <code class="language-plaintext highlighter-rouge">off</code>.</li> <li>Removed asynchronous timer in <code class="language-plaintext highlighter-rouge">syncQuery()</code> to prevent hang risk.</li> <li>Fixed an issue that called <code class="language-plaintext highlighter-rouge">store_connection</code> without passing <code class="language-plaintext highlighter-rouge">self</code>.</li> <li>Kong Gateway now uses deep copies of route, service, and consumer objects for log serialization.</li> <li>Added support for the debug request header <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug-Output</code>, which lets you observe the time consumed by specific components in a given request. Enable it using the <a href="/gateway/2.8.x/reference/configuration/#request_debug"><code class="language-plaintext highlighter-rouge">request_debug</code></a> configuration parameter. This header helps you diagnose the cause of any latency in Kong Gateway. See the <a href="/gateway/latest/production/debug-request/">Request Debugging</a> guide for more information. <a href="https://github.com/Kong/kong/pull/11627" target="_blank" rel="noopener nofollow noreferrer ">#11627</a> </li> <li>Fixed an issue that caused a failure to broadcast keyring material when using the cluster strategy.</li> <li>Addressed a problem where an abnormal socket connection would be reused when querying the PostgreSQL database.</li> <li>Fixed a plugin server issue that triggered invalidation when the instance was reset.</li> </ul> <h4 id="enterprise-25">Enterprise</h4> <ul> <li>Fixed an issue with the local variable <code class="language-plaintext highlighter-rouge">pkey</code> shadowing the package <code class="language-plaintext highlighter-rouge">pkey</code>. This caused the <code class="language-plaintext highlighter-rouge">attempt to call field 'new' (a nil value)</code> error message to display when calling <code class="language-plaintext highlighter-rouge">pkey.new</code>.</li> </ul> <h4 id="plugins-89">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/mtls-auth/">mTLS Authentication</a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed an issue to prevent caching network failures during revocation checks.</li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/">AWS-Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Gradually initializes AWS library on a first use to remove startup delay caused by AWS metadata discovery.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Now allows preserving the session when there’s a <code class="language-plaintext highlighter-rouge">401</code>.</li> <li>Fixed an issue with token revocation on logout, where the code was revoking the refresh token instead of the access token when using the discovered revocation endpoint.</li> </ul> </li> <li>Collector (<code class="language-plaintext highlighter-rouge">collector</code>) <ul> <li>Fixed an issue where Kong Gateway couldn’t start after upgrading to versions greater than or equal to 2.8.4.1 because the deprecated Collector plugin was still being used.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/">Request Validator</a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">allowed_content_types</code> configuration was unable to contain the <code class="language-plaintext highlighter-rouge">-</code> character.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a>(<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>Dismissed confusing log entry from Redis regarding rate limiting.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/">Prometheus</a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Reduced upstream health iteration latency spike during scrape.</li> </ul> </li> </ul> <h4 id="admin-api-30">Admin API</h4> <ul> <li>Fixed an issue where unique violation errors were reported while trying to update the <code class="language-plaintext highlighter-rouge">user_token</code> with the same value on the same RBAC user.</li> <li>Unique violations are no longer reported on <code class="language-plaintext highlighter-rouge">user_token</code> self updates.</li> </ul> <h3 id="dependencies-47">Dependencies</h3> <h4 id="core-75">Core</h4> <ul> <li>Bumped lua-kong-nginx-module from 0.2.0 to 0.2.2.</li> <li>Bumped lua-resty-aws from 1.3.2 to 1.3.5.</li> <li>Patched nginx-1.19.9_06-set-ssl-option-ignore-unexpected-eof</li> </ul> <h4 id="enterprise-26">Enterprise</h4> <ul> <li>Bumped jq to 1.7.</li> <li>Bumped OpenSSL to 3.1.4.</li> <li>The Postgres socket now closes actively when timeout happens during the query. <a href="https://github.com/Kong/kong/pull/11480" target="_blank" rel="noopener nofollow noreferrer ">#11480</a> </li> <li>Added Dynatrace testcase.</li> <li>Deprecated uses of <code class="language-plaintext highlighter-rouge">mockbin.com</code>.</li> <li>Include <code class="language-plaintext highlighter-rouge">.proto</code> files in 2.8 packages.</li> <li>Update COPYRIGHT file for 2.8.</li> </ul> <h4 id="kong-manager-enterprise-6">Kong Manager Enterprise</h4> <ul> <li>Bumped kong_admin to v0.14.26 for GW v2.8.4.5.</li> <li>Upgraded moment.js to v2.29.4 to fix a known CVE vulnerability.</li> </ul> <h2 id="2844">2.8.4.4</h2> <p><strong>Release Date</strong> 2023/10/12</p> <h3 id="fixes-70">Fixes</h3> <h4 id="core-76">Core</h4> <ul> <li> <p>Applied Nginx patch for early detection of HTTP/2 stream reset attacks. This change is in direct response to the identified vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487" target="_blank" rel="noopener nofollow noreferrer ">CVE-2023-44487</a>.</p> <p>See our <a href="https://konghq.com/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update" target="_blank" rel="noopener nofollow noreferrer ">blog post</a> for more details on this vulnerability and Kong’s responses to it.</p> </li> </ul> <h2 id="2843">2.8.4.3</h2> <p><strong>Release Date</strong> 2023/09/18</p> <h3 id="breaking-changes-and-deprecations-10">Breaking changes and deprecations</h3> <ul> <li> <p><strong>Ubuntu 18.04 support removed</strong>: Support for running Kong Gateway on Ubuntu 18.04 (“Bionic”) is now deprecated, as <a href="https://wiki.ubuntu.com/Releases" target="_blank" rel="noopener nofollow noreferrer ">Standard Support for Ubuntu 18.04 has ended as of June 2023</a>. Starting with Kong Gateway 2.8.4.3, Kong is not building new Ubuntu 18.04 images or packages, and Kong will not test package installation on Ubuntu 18.04.</p> </li> <li> <p>Amazon Linux 2022 artifacts are renamed to Amazon Linux 2023, based on AWS’s own renaming.</p> </li> </ul> <h3 id="features-45">Features</h3> <h4 id="plugins-90">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda/">AWS-Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>The AWS Lambda plugin has been refactored by using <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> as an underlying AWS library. The refactor simplifies the AWS Lambda plugin codebase and adds support for multiple IAM authenticating scenarios.</li> </ul> </li> </ul> <h3 id="fixes-71">Fixes</h3> <h4 id="core-77">Core</h4> <ul> <li>Fixed an issue that prevented the <code class="language-plaintext highlighter-rouge">dbless-reconfigure</code> anonymous report type from respecting anonymous reports with the setting <code class="language-plaintext highlighter-rouge">anonymous_reports=false</code>.</li> <li>Fixed an issue where you couldn’t create developers using the Admin API in a non-default workspace in Kong Gateway 2.8.4.2.</li> <li>Fixed an issue with Redis catching rate limiting strategy connection failures.</li> </ul> <h4 id="plugins-91">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue that caused the plugin to trigger rate limiting unpredictably.</li> <li>Fixed an issue where Kong Gateway produced a log of error log entries when multiple Rate Limiting Advanced plugins shared the same namespace.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed an issue that caused the plugin to return logs with <code class="language-plaintext highlighter-rouge">invalid introspection results</code> when decoding a bearer token.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer-advanced/">Response Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">response-transformer-advanced</code>) <ul> <li>Fixed an issue that caused the response body to load when the <code class="language-plaintext highlighter-rouge">if_status</code> didn’t match.</li> </ul> </li> </ul> <h4 id="pdk-23">PDK</h4> <ul> <li>Fixed a bug in the exit hook that caused customized headers to be lost.</li> </ul> <h3 id="performance-9">Performance</h3> <h4 id="configuration-26">Configuration</h4> <ul> <li>Bumped the default value of <code class="language-plaintext highlighter-rouge">upstream_keepalive_pool_size</code> to 512 and <code class="language-plaintext highlighter-rouge">upstream_keepalive_max_requests</code> to 1000.</li> </ul> <h3 id="dependencies-48">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-protobuf</code> from 0.3.3 to 0.4.2</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> from 1.0.0 to 1.3.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-gcp</code> from 0.0.5 to 0.0.13</li> </ul> <h2 id="2842">2.8.4.2</h2> <p><strong>Release Date</strong> 2023/07/07</p> <h3 id="fixes-72">Fixes</h3> <ul> <li>Fixed a bug where internal redirects, such as those produced by the <code class="language-plaintext highlighter-rouge">error_page</code> directive, could interfere with worker process handling the request when <em>buffered proxying</em> is being used.</li> </ul> <h4 id="kong-manager-23">Kong Manager</h4> <ul> <li>Fixed an issue where the Zipkin plugin didn’t allow the addition of <code class="language-plaintext highlighter-rouge">static_tags</code> through the Kong Manager UI.</li> <li>Fixed an issue where some of the icons were not rendering correctly.</li> </ul> <h4 id="plugins-92">Plugins</h4> <ul> <li>Fixed an issue with the Oauth 2.0 Introspection plugin where a request with JSON that is not a table failed.</li> <li>Fixed an issue where the slow startup of the Go plugin server caused a deadlock.</li> </ul> <h3 id="dependencies-49">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">OpenSSL</code> from 1.1.1t to 3.1.1</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lodash</code> for Dev Portal from 4.17.11 to 4.17.21</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lodash</code> for Kong Manager from 4.17.15 to 4.17.21</li> </ul> <h2 id="2841">2.8.4.1</h2> <p><strong>Release Date</strong> 2023/05/25</p> <h3 id="breaking-changes-9">Breaking Changes</h3> <h4 id="plugins-93">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/request-validator/">Request Validator</a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>The plugin now allows requests carrying a <code class="language-plaintext highlighter-rouge">content-type</code> with a parameter to match its <code class="language-plaintext highlighter-rouge">content-type</code> without a parameter.</li> </ul> </li> </ul> <h3 id="features-46">Features</h3> <ul> <li>Redis Cluster: Added username and password authentication to Redis Cluster 6 and later versions.</li> </ul> <h3 id="fixes-73">Fixes</h3> <ul> <li>Fixed an issue where the RBAC token was not re-hashed after an update on the <code class="language-plaintext highlighter-rouge">user_token</code> field.</li> <li>Fixed the Dynatrace implementation. Due to a build system issue, Kong Gateway 2.8.4 packages prior to 2.8.4.1 didn’t contain the debug symbols that Dynatrace requires.</li> </ul> <h4 id="plugins-94">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/forward-proxy/">Forward Proxy</a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>Fixed an issue which occurred when receiving an HTTP <code class="language-plaintext highlighter-rouge">408</code> from the upstream through a forward proxy. Nginx exited the process with this code, which resulted in Nginx ending the request without any contents.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-validator/">Request Validator</a> (<code class="language-plaintext highlighter-rouge">request-validator</code>) <ul> <li>The plugin now allows requests carrying a <code class="language-plaintext highlighter-rouge">content-type</code> with a parameter to match its <code class="language-plaintext highlighter-rouge">content-type</code> without a parameter.</li> </ul> </li> </ul> <h3 id="dependencies-50">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">pgmoon</code> from 2.2.0.1 to 2.3.2.0.</li> </ul> <h2 id="2840">2.8.4.0</h2> <p><strong>Release Date</strong> 2023/03/28</p> <h3 id="features-47">Features</h3> <h4 id="plugins-95">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added the configuration parameter <code class="language-plaintext highlighter-rouge">aws_imds_protocol_version</code>, which lets you select the IMDS protocol version. This option defaults to <code class="language-plaintext highlighter-rouge">v1</code> and can be set to <code class="language-plaintext highlighter-rouge">v2</code> to enable IMDSv2. <a href="https://github.com/Kong/kong/pull/9962" target="_blank" rel="noopener nofollow noreferrer ">#9962</a> </li> </ul> </li> </ul> <h3 id="fixes-74">Fixes</h3> <h4 id="enterprise-27">Enterprise</h4> <ul> <li>Fixed an issue where the OpenTracing module was not included in the Amazon Linux 2 package.</li> <li>Hybrid mode: Fixed an issue where enabling encryption on a data plane would cause the data plane to stop working after a restart.</li> <li>Fixed the systemd unit file, which was incorrectly named <code class="language-plaintext highlighter-rouge">kong.service</code> in 2.8.1.x and later versions. It has been renamed back to <code class="language-plaintext highlighter-rouge">kong-enterprise-edition.service</code> to align with previous versions.</li> </ul> <h5 id="kong-manager-24">Kong Manager</h5> <ul> <li>Fix the character limit error <code class="language-plaintext highlighter-rouge">[postgres] ERROR: value too long for type character(32)</code> that occurred while enabling the Dev Portal. The character limit was shorter than the length of the autogenerated UUID.</li> <li>The <code class="language-plaintext highlighter-rouge">/auth</code> endpoint, used by Kong Manager for OIDC authentication, now correctly supports the HTTP POST method.</li> <li>Fixed an issue where users with newly registered Dev Portal accounts created through OIDC were unable to log into Dev Portal until the Kong Gateway container was restarted.</li> </ul> <h4 id="core-78">Core</h4> <ul> <li>Fixed the Ubuntu ARM64 image, which was broken in 2.8.2.x and later versions.</li> <li>Router: Fixed an issue where the router used stale data when workers were respawned. <a href="https://github.com/Kong/kong/pull/9396" target="_blank" rel="noopener nofollow noreferrer ">#9396</a> <a href="https://github.com/Kong/kong/pull/9485" target="_blank" rel="noopener nofollow noreferrer ">#9485</a> </li> <li>Update the batch queues module so that queues no longer grow without bounds if their consumers fail to process the entries. Instead, old batches are now dropped and an error is logged. <a href="https://github.com/Kong/kong/pull/10247" target="_blank" rel="noopener nofollow noreferrer ">#10247</a> </li> </ul> <h4 id="plugins-96">Plugins</h4> <ul> <li>Added the missing <code class="language-plaintext highlighter-rouge">protocols</code> field to the following plugin schemas: <ul> <li>Azure Functions (<code class="language-plaintext highlighter-rouge">azure-functions</code>)</li> <li>gRPC Gateway (<code class="language-plaintext highlighter-rouge">grpc-gateway</code>)</li> <li>gRPC Web (<code class="language-plaintext highlighter-rouge">grpc-web</code>)</li> <li>Serverless pre-function (<code class="language-plaintext highlighter-rouge">pre-function</code>)</li> <li>Prometheus (<code class="language-plaintext highlighter-rouge">prometheus</code>)</li> <li>Proxy Caching (<code class="language-plaintext highlighter-rouge">proxy-cache</code>)</li> <li>Request Transformer (<code class="language-plaintext highlighter-rouge">request-transformer</code>)</li> <li>Session (<code class="language-plaintext highlighter-rouge">session</code>)</li> <li>Zipkin (<code class="language-plaintext highlighter-rouge">zipkin</code>)</li> </ul> <p><a href="https://github.com/Kong/kong/pull/9525" target="_blank" rel="noopener nofollow noreferrer ">#9525</a></p> </li> <li> <a href="/hub/kong-inc/http-log/">HTTP Log</a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Fixed an issue in this plugin’s batch queue processing, where metrics would be published multiple times. This caused a memory leak, where memory usage would grow without limit. <a href="https://github.com/Kong/kong/pull/10052" target="_blank" rel="noopener nofollow noreferrer ">#10052</a> <a href="https://github.com/Kong/kong/pull/10044" target="_blank" rel="noopener nofollow noreferrer ">#10044</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/">mTLS Authentication</a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed an issue where the plugin used the old route caches after routes were updated.</li> </ul> </li> <li> <a href="/hub/kong-inc/key-auth-enc">Key Authentication - Encrypted</a> (<code class="language-plaintext highlighter-rouge">key-auth-enc</code>) <ul> <li>Fixed an issue where using an API key that exists in multiple workspaces caused a 401 error. This occurred because of a caching issue.</li> </ul> </li> </ul> <h2 id="2824">2.8.2.4</h2> <p><strong>Release Date</strong> 2023/01/23</p> <h3 id="fixes-75">Fixes</h3> <ul> <li>Kong Gateway now statically links the BoringSSL PCRE library. This fixes an issue introduced in 2.8.2.3, where the BoringSSL library was dynamically linked, causing regex compilation to fail when routing requests with some versions of the library.</li> </ul> <h2 id="2823">2.8.2.3</h2> <p><strong>Release Date</strong> 2023/01/06</p> <h3 id="fixes-76">Fixes</h3> <h4 id="enterprise-28">Enterprise</h4> <p><strong>Kong Manager:</strong></p> <ul> <li>Fixed a role precedence issue with RBAC. RBAC rules involving deny (negative) rules now correctly take precedence over allow (non-negative) roles.</li> <li>Fixed workspace filtering pagination on the overview page.</li> </ul> <h4 id="core-79">Core</h4> <ul> <li>Fixed a router issue where, in an environment with more than 50,000 routes, attempting to update a route caused a <code class="language-plaintext highlighter-rouge">500</code> error response.</li> <li>Fixed a timer leak that occurred whenever the generic messaging protocol connection broke in hybrid mode.</li> <li>Fixed a <code class="language-plaintext highlighter-rouge">tlshandshake</code> method error that occurred when SSL was configured on PostgreSQL, and the Kong Gateway had <code class="language-plaintext highlighter-rouge">stream_listen</code> configured with a stream proxy.</li> </ul> <h4 id="plugins-97">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/http-log/">HTTP Log</a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Fixed the <code class="language-plaintext highlighter-rouge">could not update kong admin</code> internal error caused by empty headers. This error occurred when using this plugin with the Kong Ingress Controller.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt/">JWT</a> (<code class="language-plaintext highlighter-rouge">jwt</code>) <ul> <li>Fixed an issue where the JWT plugin could potentially forward an unverified token to the upstream.</li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/">JWT Signer</a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>Fixed the error <code class="language-plaintext highlighter-rouge">attempt to call local 'err' (a string value)</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/">Mocking</a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed UUID pattern matching.</li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/">Prometheus</a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Provided options to reduce the plugin’s impact on performance. Added new <code class="language-plaintext highlighter-rouge">kong.conf</code> options to switch high cardinality metrics <code class="language-plaintext highlighter-rouge">on</code> or <code class="language-plaintext highlighter-rouge">off</code>: <a href="/gateway/2.8.x/reference/configuration/#prometheus_plugin_status_code_metrics"><code class="language-plaintext highlighter-rouge">prometheus_plugin_status_code_metrics</code></a>, <a href="/gateway/2.8.x/reference/configuration/#prometheus_plugin_latency_metrics"><code class="language-plaintext highlighter-rouge">prometheus_plugin_latency_metrics</code></a>, <a href="/gateway/2.8.x/reference/configuration/#prometheus_plugin_bandwidth_metrics"><code class="language-plaintext highlighter-rouge">prometheus_plugin_bandwidth_metrics</code></a>, and <a href="/gateway/2.8.x/reference/configuration/#prometheus_plugin_upstream_health_metrics"><code class="language-plaintext highlighter-rouge">prometheus_plugin_upstream_health_metrics</code></a>.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed a maintenance cycle lock leak in the <code class="language-plaintext highlighter-rouge">kong_locks</code> dictionary. Kong Gateway now clears old namespaces from the maintenance cycle schedule when a namespace is updated.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer/">Request Transformer</a> (<code class="language-plaintext highlighter-rouge">request-transformer</code>) <ul> <li>Fixed an issue where empty arrays were being converted to empty objects. Empty arrays are now preserved.</li> </ul> </li> </ul> <h3 id="known-limitations-2">Known limitations</h3> <ul> <li>A required PCRE library is dynamically linked, where prior versions statically linked the library. Depending on the system PCRE version, this may cause regex compilation to fail when routing requests. Starting in 2.8.2.4 and later, Kong Gateway will return to statically linking the PCRE library.</li> </ul> <h2 id="2822">2.8.2.2</h2> <p><strong>Release Date</strong> 2022/12/01</p> <h3 id="fixes-77">Fixes</h3> <h4 id="core-80">Core</h4> <p>Timer issue fixes:</p> <ul> <li> <p>Added batch queues for the Datadog and StatsD plugins to reduce timer usage, fixing a <code class="language-plaintext highlighter-rouge">lua_max_running_timers are not enough</code> timer error.</p> <p>Whenever a request was processed, a new running timer was instantly created during the log phase. This was causing a shortage of timers under heavy traffic and led to unpredictable consequences, where internal timers were killed randomly and couldn’t recover automatically. This would then trigger a <code class="language-plaintext highlighter-rouge">lua_max_running_timers are not enough</code> timer error and cause data planes to crash.</p> <p><a href="https://github.com/Kong/kong/pull/9521" target="_blank" rel="noopener nofollow noreferrer ">#9521</a></p> </li> <li> <p>Fixed a timer leak that occurred whenever the generic messaging protocol connection would break in hybrid mode.</p> </li> </ul> <h2 id="2821">2.8.2.1</h2> <p><strong>Release Date</strong> 2022/11/21</p> <h3 id="fixes-78">Fixes</h3> <h4 id="enterprise-29">Enterprise</h4> <ul> <li> <strong>Kong Manager:</strong> <ul> <li>Fixed an issue where admins needed the specific <code class="language-plaintext highlighter-rouge">rbac/role</code> permission to edit RBAC roles. Now, admins can edit RBAC roles with the <code class="language-plaintext highlighter-rouge">/admins</code> permission.</li> <li>Fixed an issue where the client certificate ID didn’t display properly in the upstream update form.</li> <li>Fixed an issue in the service documents UI which allowed users to upload multiple documents. Since each service only supports one document, the documents would not display correctly. Uploading a new document now overrides the previous document.</li> <li>Fixed an issue where the <strong>New Workspace</strong> button on the global workspace dashboard wasn’t clickable on the first page load.</li> <li>Fixed an RBAC issue where the roles page listed deleted roles.</li> <li>Removed New Relic from Kong Manager. Previously, <code class="language-plaintext highlighter-rouge">VUE_APP_NEW_RELIC_LICENSE_KEY</code> and <code class="language-plaintext highlighter-rouge">VUE_APP_SEGMENT_WRITE_KEY</code> were being exposed in Kong Manager with invalid values.</li> <li>Fixed an RBAC issue where permissions applied to specific endpoints (for example, an individual service or route) were not reflected in the Kong Manager UI.</li> <li>Fixed an issue with group to role mapping, where it didn’t support group names with spaces.</li> <li>Fixed an issue with individual workspace dashboards, where right-clicking on <strong>View All</strong> and choosing “Open Link in New Tab” or “Copy Link” for services, routes, and plugins redirected to the default workspace and caused an <code class="language-plaintext highlighter-rouge">HTTP 404</code> error.</li> </ul> </li> <li> <strong>Dev Portal</strong>: Fixed an issue where Dev Portal response examples weren’t rendered when media type was vendor-specific.</li> </ul> <h4 id="core-81">Core</h4> <ul> <li> <p>Targets with a weight of <code class="language-plaintext highlighter-rouge">0</code> are no longer included in health checks, and checking their status via the <code class="language-plaintext highlighter-rouge">upstreams/<upstream>/health</code> endpoint results in the status <code class="language-plaintext highlighter-rouge">HEALTHCHECK_OFF</code>. Previously, the <code class="language-plaintext highlighter-rouge">upstreams/<upstream>/health</code> endpoint was incorrectly reporting targets with <code class="language-plaintext highlighter-rouge">weight=0</code> as <code class="language-plaintext highlighter-rouge">HEALTHY</code>, and the health check was reporting the same targets as <code class="language-plaintext highlighter-rouge">UNDEFINED</code>.</p> </li> <li> <p>Fixed the default <code class="language-plaintext highlighter-rouge">logrotate</code> configuration, which lacked permissions to access logs.</p> </li> </ul> <h4 id="plugins-98">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/kafka-upstream/">Kafka Upstream</a> (<code class="language-plaintext highlighter-rouge">kafka-upstream</code>) <ul> <li>Fixed the <code class="language-plaintext highlighter-rouge">Bad Gateway</code> error that would occur when using the Kafka Upstream plugin with the configuration <code class="language-plaintext highlighter-rouge">producer_async=false</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer/">Response Transformer</a> (<code class="language-plaintext highlighter-rouge">response-transformer</code>) <ul> <li>Fixed an issue where the plugin couldn’t process string responses.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/">mTLS Authentication</a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Fixed an issue where the plugin was causing requests to silently fail on Kong Gateway data planes.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer/">Request Transformer</a> (<code class="language-plaintext highlighter-rouge">request-transformer</code>) <ul> <li>Fixed an issue where empty arrays were being converted to empty objects. Empty arrays are now preserved.</li> </ul> </li> <li> <a href="/hub/kong-inc/azure-functions/">Azure Functions</a> (<code class="language-plaintext highlighter-rouge">azure-functions</code>) <ul> <li>Fixed an issue where calls made by this plugin would fail in the following situations: <ul> <li>The plugin was associated with a route that had no service.</li> <li>The route’s associated service had a <code class="language-plaintext highlighter-rouge">path</code> value.</li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Auth Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Fixed an issue where operational attributes referenced by <code class="language-plaintext highlighter-rouge">group_member_attribute</code> weren’t returned in search query results.</li> </ul> </li> </ul> <h2 id="2820">2.8.2.0</h2> <p><strong>Release Date</strong> 2022/10/12</p> <h3 id="fixes-79">Fixes</h3> <h4 id="enterprise-30">Enterprise</h4> <ul> <li> <strong>Kong Manager</strong>: <ul> <li>Fixed an issue where workspaces with zero roles were not correctly sorted by the number of roles.</li> <li>Fixed the Cross Site Scripting (XSS) security vulnerability in the Kong Manager UI.</li> <li>Fixed an issue where registering an admin without <code class="language-plaintext highlighter-rouge">admin_gui_auth</code> set resulted in a <code class="language-plaintext highlighter-rouge">500</code> error.</li> <li>Fixed an issue that allowed unauthorized IDP users to log in to Kong Manager. These users had no access to any resources in Kong Manager, but were able to go beyond the login screen.</li> </ul> </li> <li>Fixed OpenSSL vulnerabilities <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-2097" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022-2097</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-2068" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022-2068</a>.</li> <li>Hybrid mode: Fixed an issue with consumer groups, where the control plane wasn’t sending the correct number of consumer entries to data planes.</li> <li>Hybrid mode: Fixed an issue where sending a <code class="language-plaintext highlighter-rouge">PATCH</code> request to update a route after restarting a control plane caused a 500 error response.</li> </ul> <h4 id="plugins-99">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Fixed an issue where the plugin couldn’t read environment variables in the ECS environment, causing permission errors.</li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/">Forward Proxy</a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>If the <code class="language-plaintext highlighter-rouge">https_proxy</code> configuration parameter is not set, it now defaults to <code class="language-plaintext highlighter-rouge">http_proxy</code> to avoid DNS errors.</li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-proxy-cache-advanced/">GraphQL Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">graphql-proxy-cache-advanced</code>) and <a href="/hub/kong-inc/proxy-cache-advanced/">Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Fixed the error <code class="language-plaintext highlighter-rouge">function cannot be called in access phase (only in: log)</code>, which was preventing the plugin from working consistently.</li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/">GraphQL Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) <ul> <li>The plugin now returns a <code class="language-plaintext highlighter-rouge">500</code> error when using the <code class="language-plaintext highlighter-rouge">cluster</code> strategy in hybrid or DB-less modes instead of crashing.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Authentication Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>The characters <code class="language-plaintext highlighter-rouge">.</code> and <code class="language-plaintext highlighter-rouge">:</code> are now allowed in group attributes.</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed issues with OIDC role mapping where admins couldn’t be added to more than one workspace, and permissions were not being updated.</li> </ul> </li> <li> <a href="/hub/kong-inc/request-transformer-advanced/">Request Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">request-transformer-advanced</code>) <ul> <li>Fixed an issue where empty arrays were being converted to empty objects. Empty arrays are now preserved.</li> </ul> </li> <li> <a href="/hub/kong-inc/route-transformer-advanced/">Route Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">route-transformer-advanced</code>) <ul> <li>Fixed an issue where URIs that included <code class="language-plaintext highlighter-rouge">%20</code> or a whitespace would return a <code class="language-plaintext highlighter-rouge">400 Bad Request</code>.</li> </ul> </li> </ul> <h2 id="2814">2.8.1.4</h2> <p><strong>Release Date</strong> 2022/08/23</p> <ul> <li> <p>Fixed vulnerabilities <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37434" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022-37434</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-24975" target="_blank" rel="noopener nofollow noreferrer ">CVE-2022-24975</a>.</p> </li> <li> <p>When using secrets management in free mode, only the <a href="/gateway/2.8.x/plan-and-deploy/security/secrets-management/backends/env/">environment variable</a> backend is available. AWS, GCP, and HashiCorp vault backends require an Enterprise license.</p> </li> <li>Fixed an issue in Kong Manager where entity detail pages were empty and didn’t list existing entities. The following entities were affected: <ul> <li>Route lists on service pages</li> <li>Upstreams</li> <li>Certificates</li> <li>SNIs</li> <li>RBAC roles</li> </ul> </li> <li>Fixed an issue where the browser hung when creating an upstream with the existing host and port.</li> </ul> <h4 id="plugins-100">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Fixed a caching issue in hybrid mode, where the data plane node would try to retrieve a new JWK from the IdP every time. The data plane node now looks for a cached JWK first.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/">Proxy Caching Advanced</a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li>Fixed an issue that prevented users from removing the cluster addresses on an existing configuration.</li> </ul> </li> </ul> <h3 id="dependencies-51">Dependencies</h3> <ul> <li>Bump <code class="language-plaintext highlighter-rouge">lua-resty-aws</code> version to 0.5.4 to reduce memory usage when AWS vault is enabled. <a href="https://github.com/Kong/lua-resty-aws/pull/23" target="_blank" rel="noopener nofollow noreferrer ">#23</a> </li> <li>Bump <code class="language-plaintext highlighter-rouge">lua-resty-gcp</code> version to 0.0.5 to reduce memory usage when GCP vault is enabled. <a href="https://github.com/Kong/lua-resty-gcp/pull/7" target="_blank" rel="noopener nofollow noreferrer ">#7</a> </li> </ul> <h2 id="2813">2.8.1.3</h2> <p><strong>Release Date</strong> 2022/08/05</p> <h3 id="features-48">Features</h3> <h4 id="enterprise-31">Enterprise</h4> <ul> <li>Added GCP integration support for the secrets manager. GCP is now available as a vault backend.</li> </ul> <h4 id="plugins-101">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Added support for cross-account invocation through the <code class="language-plaintext highlighter-rouge">aws_assume_role_arn</code> and <code class="language-plaintext highlighter-rouge">aws_role_session_name</code> configuration parameters. <a href="https://github.com/Kong/kong/pull/8900" target="_blank" rel="noopener nofollow noreferrer ">#8900</a> </li> </ul> </li> </ul> <h3 id="fixes-80">Fixes</h3> <h4 id="enterprise-32">Enterprise</h4> <ul> <li>Fixed an issue with excessive log file disk utilization on control planes.</li> <li>Fixed an issue with keyring encryption, where keyring was not decrypting keys after a soft reload.</li> <li>The router now detects static route collisions inside the current workspace, as well as with other workspaces.</li> <li>When using a custom plugin in a hybrid mode deployment, the control plane now detects compatibility issues and stops sending the plugin configuration to data planes that can’t use it. The control plane continues sending the custom plugin configuration to compatible data planes.</li> <li>Optimized the Kong PDK function <code class="language-plaintext highlighter-rouge">kong.response.get_source()</code>.</li> </ul> <h4 id="kong-manager-25">Kong Manager</h4> <ul> <li>Fixed an issue with admin creation. Previously, when an admin was created with no roles, the admin would have access to the first workspace listed alphabetically.</li> <li>Fixed several issues with SNI listing. Previously, the SNI list was empty after sorting by the SSL certificate ID field. In 2.8.1.1, the SSL certificate ID field in the SNI list was empty.</li> </ul> <h4 id="plugins-102">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/mocking/">Mocking</a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue where the plugin didn’t accept empty values in examples.</li> </ul> </li> <li> <a href="/hub/kong-inc/acme/">ACME</a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li>The <code class="language-plaintext highlighter-rouge">domains</code> plugin parameter can now be left empty. When <code class="language-plaintext highlighter-rouge">domains</code> is empty, all TLDs are allowed. Previously, the parameter was labelled as optional, but leaving it empty meant that the plugin retrieved no certificates at all.</li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer-advanced/">Response Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">response-transformer-advanced</code>) <ul> <li>Fixed an issue with nested array parsing.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed an issue with <code class="language-plaintext highlighter-rouge">cluster</code> strategy timestamp precision in Cassandra.</li> </ul> </li> </ul> <h2 id="2812">2.8.1.2</h2> <p><strong>Release Date</strong> 2022/07/15</p> <h3 id="fixes-81">Fixes</h3> <h4 id="enterprise-33">Enterprise</h4> <ul> <li>Fixed an issue in hybrid mode where, if a service was set to <code class="language-plaintext highlighter-rouge">enabled: false</code> and that service had a route with an enabled plugin, any new data planes would receive empty configuration.</li> <li>Fixed a timer leak that occurred when <code class="language-plaintext highlighter-rouge">worker_consistency</code> was set to <code class="language-plaintext highlighter-rouge">eventual</code> in <code class="language-plaintext highlighter-rouge">kong.conf</code>. This issue caused timers to be exhausted and failed to start any other timers used by Kong Gateway, resulting in a <code class="language-plaintext highlighter-rouge">too many pending timers</code> error.</li> <li>Fixed memory leaks coming from <code class="language-plaintext highlighter-rouge">lua-resty-lock</code>.</li> <li>Fixed global plugins can operate out of the workspace scope</li> </ul> <h4 id="kong-manager-and-dev-portal">Kong Manager and Dev Portal</h4> <ul> <li>Fixed an issue where Kong Manager did not display all Dev Portal developers in the organization.</li> <li>Fixed an issue that prevented developer role assignments from displaying in Kong Manager. When viewing a role under the Permissions tab in the Dev Portal section, the list of developers wouldn’t update when a new developer was added. Kong Manager was constructing the wrong URL when retrieving Dev Portal assignees.</li> <li>Fixed empty string handling in Kong Manager. Previously, Kong Manager was handling empty strings as <code class="language-plaintext highlighter-rouge">""</code> instead of a null value.</li> <li>Improved Kong Manager styling by fixing an issue where content didn’t fit on object detail pages.</li> <li>Fixed an issue that sometimes prevented clicking Kong Manager links and buttons in Safari.</li> <li>Fixed an issue where users were being navigated to the object detail page after clicking on the “Copy ID” button from the object list.</li> <li>Fixed an issue where the number of requests and error rate were not correctly displaying when Vitals was disabled.</li> </ul> <h4 id="plugins-103">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) and <a href="/hub/kong-inc/response-ratelimiting/">Response Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Fixed a PostgreSQL deadlock issue that occurred when the <code class="language-plaintext highlighter-rouge">cluster</code> policy was used with two or more metrics (for example, <code class="language-plaintext highlighter-rouge">second</code> and <code class="language-plaintext highlighter-rouge">day</code>.)</li> </ul> </li> <li> <a href="/hub/kong-inc/http-log/">HTTP Log</a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Log output is now restricted to the workspace the plugin is running in. Previously, the plugin could log requests from outside of its workspace.</li> </ul> </li> <li> <a href="/hub/kong-inc/mocking/">Mocking</a> (<code class="language-plaintext highlighter-rouge">mocking</code>) <ul> <li>Fixed an issue where <code class="language-plaintext highlighter-rouge">204</code> responses were not handled correctly and you would see the following error: <code class="language-plaintext highlighter-rouge">"No examples exist in API specification for this resource"</code>.</li> <li> <code class="language-plaintext highlighter-rouge">204</code> response specs now support empty content elements.</li> </ul> </li> </ul> <h3 id="deprecated">Deprecated</h3> <ul> <li> <p><strong>Amazon Linux 1</strong>: Support for running Kong Gateway on Amazon Linux 1 is now deprecated, as the <a href="https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life" target="_blank" rel="noopener nofollow noreferrer ">Amazon Linux (1) AMI has ended standard support as of December 31, 2020</a>. Starting with Kong Gateway 3.0.0.0, Kong is not building new Amazon Linux 1 images or packages, and Kong will not test package installation on Amazon Linux 1.</p> <p>If you need to install Kong Gateway on Amazon Linux 1, see the documentation for <a href="/gateway/2.8.x/install-and-run/amazon-linux/">previous versions</a>.</p> </li> <li> <p><strong>Debian 8</strong>: Support for running Kong Gateway on Debian 8 (“Jessie”) is now deprecated, as Debian 8 (“Jessie”) has reached End of Life (EOL). Starting with Kong Gateway 3.0.0.0, Kong is not building new Debian 8 (“Jessie”) images or packages, and Kong will not test package installation on Debian 8 (“Jessie”).</p> <p>If you need to install Kong Gateway on Debian 8 (“Jessie”), see the documentation for <a href="/gateway/2.8.x/install-and-run/debian/">previous versions</a>.</p> </li> <li> <p><strong>Ubuntu 16.04</strong>: Support for running Kong Gateway on Ubuntu 16.04 (“Xenial”) is now deprecated, as <a href="https://wiki.ubuntu.com/Releases" target="_blank" rel="noopener nofollow noreferrer ">Standard Support for Ubuntu 16.04 has ended as of April, 2021</a>. Starting with Kong Gateway 3.0.0.0, Kong is not building new Ubuntu 16.04 images or packages, and Kong will not test package installation on Ubuntu 16.04.</p> <p>If you need to install Kong Gateway on Ubuntu 16.04, see the documentation for <a href="/gateway/2.8.x/install-and-run/ubuntu/">previous versions</a>.</p> </li> </ul> <h2 id="2811">2.8.1.1</h2> <p><strong>Release Date</strong> 2022/05/27</p> <h3 id="features-49">Features</h3> <h4 id="enterprise-34">Enterprise</h4> <ul> <li>You can now enable application status and application request emails for the Developer Portal using the following configuration parameters: <ul> <li> <a href="/gateway/latest/reference/configuration/#portal_application_status_email"><code class="language-plaintext highlighter-rouge">portal_application_status_email</code></a>: Enable to send application request status update emails to developers.</li> <li> <a href="/gateway/latest/reference/configuration/#portal_application_request_email"><code class="language-plaintext highlighter-rouge">portal_application_request_email</code></a>: Enable to send service access request emails to users specified in <code class="language-plaintext highlighter-rouge">smtp_admin_emails</code>.</li> <li> <a href="/gateway/latest/reference/configuration/#portal_smtp_admin_emails"><code class="language-plaintext highlighter-rouge">portal_smtp_admin_emails</code></a>: Specify the email addresses to send portal admin emails to, overriding values set in <code class="language-plaintext highlighter-rouge">smtp_admin_emails</code>.</li> </ul> </li> <li>Added the ability to use <code class="language-plaintext highlighter-rouge">email.developer_meta</code> fields in portal email templates. For example, <code class="language-plaintext highlighter-rouge">{{email.developer_meta.preferred_name}}</code>.</li> </ul> <h4 id="plugins-104">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>When working in proxy integration mode, the <code class="language-plaintext highlighter-rouge">statusCode</code> field now accepts string datatypes.</li> </ul> </li> <li> <a href="/hub/kong-inc/mtls-auth/">mTLS Authentication</a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>) <ul> <li>Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: <code class="language-plaintext highlighter-rouge">http_proxy_host</code>, <code class="language-plaintext highlighter-rouge">http_proxy_port</code>, <code class="language-plaintext highlighter-rouge">https_proxy_host</code>, and <code class="language-plaintext highlighter-rouge">https_proxy_port</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/kafka-upstream/">Kafka Upstream</a> (<code class="language-plaintext highlighter-rouge">kafka-upstream</code>) and <a href="/hub/kong-inc/kafka-log/">Kafka Log</a> (<code class="language-plaintext highlighter-rouge">kafka-log</code>) <ul> <li>Added support for the <code class="language-plaintext highlighter-rouge">SCRAM-SHA-512</code> authentication mechanism.</li> </ul> </li> </ul> <h3 id="fixes-82">Fixes</h3> <h4 id="enterprise-35">Enterprise</h4> <ul> <li> <p>Improved Kong Admin API and Kong Manager performance for organizations with many entities.</p> </li> <li> <p>Fixed an issue with keyring encryption, where the control plane would crash if any errors occurred during the initialization of the <a href="/gateway/latest/plan-and-deploy/security/db-encryption/">keyring module</a>.</p> </li> <li> <p>Fixed an issue where Kong Manager did not display all RBAC users and Consumers in the organization.</p> </li> <li> <p>Fixed an issue where some areas in a row of a list were not clickable.</p> </li> </ul> <h4 id="plugins-105">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Fixed rate limiting advanced errors that appeared when the Rate Limiting Advanced plugin was not in use.</li> <li>Fixed an error where rate limiting counters were not updating response headers due to incorrect key expiration tracking. Redis key expiration is now tracked properly in <code class="language-plaintext highlighter-rouge">lua_shared_dict kong_rate_limiting_counters</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/">Forward Proxy</a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>Fixed an <code class="language-plaintext highlighter-rouge">invalid header value</code> error for HTTPS requests. The plugin now accepts multi-value response headers.</li> <li>Fixed an error where basic authentication headers containing the <code class="language-plaintext highlighter-rouge">=</code> character weren’t forwarded.</li> <li>Fixed request errors that occurred when a scheme had no proxy set. The <code class="language-plaintext highlighter-rouge">https</code> proxy now falls back to the <code class="language-plaintext highlighter-rouge">http</code> proxy if not specified, and the <code class="language-plaintext highlighter-rouge">http</code> proxy falls back to <code class="language-plaintext highlighter-rouge">https</code>.</li> </ul> </li> <li> <a href="/hub/kong-inc/graphql-rate-limiting-advanced/">GraphQL Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>) <ul> <li>Fixed <code class="language-plaintext highlighter-rouge">deserialize_parse_tree</code> logic when building GraphQL AST with non-nullable or list types.</li> </ul> </li> </ul> <h2 id="2810">2.8.1.0</h2> <p><strong>Release Date</strong> 2022/04/07</p> <h3 id="fixes-83">Fixes</h3> <h4 id="enterprise-36">Enterprise</h4> <ul> <li>Fixed an issue with RBAC where <code class="language-plaintext highlighter-rouge">endpoint=/kong workspace=*</code> would not let the <code class="language-plaintext highlighter-rouge">/kong</code> endpoint be accessed from all workspaces</li> <li>Fixed an issue with RBAC where admins without a top level <code class="language-plaintext highlighter-rouge">endpoint=*</code> permission could not add any RBAC rules, even if they had <code class="language-plaintext highlighter-rouge">endpoint=/rbac</code> permissions. These admins can now add RBAC rules for their current workspace only.</li> <li>Kong Manager <ul> <li>Serverless functions can now be saved when there is a comma in the provided value</li> <li>Custom plugins now show an Edit button when viewing the plugin configuration</li> <li>Editing Dev Portal permissions no longer returns a 404 error</li> <li>Fix an issue where admins with access to only non-default workspaces could not see any workspaces</li> <li>Show the workspace name when an admin only has access to non-default workspaces</li> <li>Add support for table filtering and sorting when using Cassandra</li> <li>Support the # character in RBAC tokens on the RBAC edit page</li> <li>Performing an action on an upstream target no longer leads to a 404 error</li> </ul> </li> <li>Developer Portal <ul> <li>Information about the current session is now bound to an nginx worker thread. This prevents data leaks when a worker is handling multiple requests at the same time</li> </ul> </li> <li>Keys are no longer rotated unexpectedly when a node restarts</li> <li>Add cache when performing RBAC token verification</li> <li>The log message “plugins iterator was changed while rebuilding it” was incorrectly logged as an <code class="language-plaintext highlighter-rouge">error</code>. This release converts it to the <code class="language-plaintext highlighter-rouge">info</code> log level.</li> <li>Fixed a 500 error when rate limiting counters are full with the Rate Limiting Advanced plugin</li> <li>Improved the performance of the router, plugins iterator and balancer by adding conditional rebuilding</li> </ul> <h4 id="plugins-106">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/http-log/">HTTP Log</a> (<code class="language-plaintext highlighter-rouge">http-log</code>) <ul> <li>Include provided query string parameters when sending logs to the <code class="language-plaintext highlighter-rouge">http_endpoint</code> </li> </ul> </li> <li> <a href="/hub/kong-inc/forward-proxy/">Forward Proxy</a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>) <ul> <li>Use lowercase when overwriting the <code class="language-plaintext highlighter-rouge">host</code> header</li> </ul> </li> <li> <a href="/hub/kong-inc/statsd-advanced/">StatsD Advanced</a> (<code class="language-plaintext highlighter-rouge">statsd-advanced</code>) <ul> <li>Added support for setting <code class="language-plaintext highlighter-rouge">workspace_identifier</code> to <code class="language-plaintext highlighter-rouge">workspace_name</code> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li>Skip namespace creation if the plugin is not enabled. This prevents the error “[rate-limiting-advanced] no shared dictionary was specified” being logged.</li> </ul> </li> <li> <a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Auth Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>) <ul> <li>Support passwords that contain a <code class="language-plaintext highlighter-rouge">:</code> character</li> </ul> </li> <li> <a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>) <ul> <li>Provide valid upstream headers e.g. <code class="language-plaintext highlighter-rouge">X-Consumer-Id</code>, <code class="language-plaintext highlighter-rouge">X-Consumer-Username</code> </li> </ul> </li> <li> <a href="/hub/kong-inc/jwt-signer/">JWT Signer</a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>) <ul> <li>Implement the <code class="language-plaintext highlighter-rouge">enable_hs_signatures</code> option to enable JWTs signed with HMAC algorithms</li> </ul> </li> </ul> <h3 id="dependencies-52">Dependencies</h3> <ul> <li>Bumped <code class="language-plaintext highlighter-rouge">openssl</code> from 1.1.1k to 1.1.1n to resolve CVE-2022-0778 <a href="https://github.com/Kong/kong/pull/8635" target="_blank" rel="noopener nofollow noreferrer ">#8635</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">openresty</code> from 1.19.3.2 to 1.19.9.1 <a href="https://github.com/Kong/kong/pull/7727" target="_blank" rel="noopener nofollow noreferrer ">#7727</a> </li> </ul> <h2 id="2800">2.8.0.0</h2> <p><strong>Release Date</strong> 2022/03/02</p> <h3 id="features-50">Features</h3> <h4 id="enterprise-37">Enterprise</h4> <ul> <li>Improved tables in Kong Manager: (for PostgreSQL-backed instances only) <ul> <li>Click on a table row to access the entry instead of using the old <strong>View</strong> icon.</li> <li>Search and filter tables through the <strong>Filters</strong> dropdown, which is located above the table.</li> <li>Sort any table by clicking on a column title.</li> <li>Tables now have pagination.</li> </ul> </li> <li>Kong Manager with OIDC: <ul> <li>Added the configuration option <a href="/gateway/latest/configure/auth/kong-manager/oidc-mapping/"><code class="language-plaintext highlighter-rouge">admin_auto_create_rbac_token_disabled</code></a> to enable or disable RBAC tokens when automatically creating admins with OpenID Connect.</li> </ul> </li> <li>If a license is present,<code class="language-plaintext highlighter-rouge">license_key</code> is now included in the <code class="language-plaintext highlighter-rouge">api</code> signal for <a href="/gateway/latest/reference/configuration/#anonymous_reports"><code class="language-plaintext highlighter-rouge">anonymous_reports</code></a>.</li> </ul> <h4 id="dev-portal-1">Dev Portal</h4> <ul> <li>The new <code class="language-plaintext highlighter-rouge">/developers/export</code> endpoint lets you export the list of developers and their statuses into CSV format.</li> </ul> <h4 id="core-82">Core</h4> <ul> <li> <p><strong>Beta feature</strong>: Kong Gateway 2.8.0.0 introduces <a href="/gateway/latest/kong-enterprise/secrets-management/">secrets management and vault support</a>. You can now store confidential values such as usernames and passwords as secrets in secure vaults. Kong Gateway can then reference these secrets, making your environment more secure.</p> <p>The beta includes <code class="language-plaintext highlighter-rouge">get</code> support for the following vault implementations:</p> <ul> <li><a href="/gateway/latest/kong-enterprise/secrets-management/backends/aws-sm/">AWS Secrets Manager</a></li> <li><a href="/gateway/latest/kong-enterprise/secrets-management/backends/hashicorp-vault/">HashiCorp Vault</a></li> <li><a href="/gateway/latest/kong-enterprise/secrets-management/backends/env/">Environment variable</a></li> </ul> <p>As part of this support, some plugins have certain fields marked as <em>referenceable</em>. See the plugin section of the Kong Gateway 2.8 changelog for details.</p> <p>Test out secrets management using the <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">getting started guide</a>, and check out the documentation for the Kong Admin API <a href="/gateway/latest/admin-api/#vaults-beta-entity"><code class="language-plaintext highlighter-rouge">/vaults-beta</code> entity</a>.</p> <blockquote class="important"> <p>This feature is in beta. It has limited support and implementation details may change. This means it is intended for testing in staging environments only, and <strong>should not</strong> be deployed in production environments.</p> </blockquote> </li> <li> <p>You can customize the transparent dynamic TLS SNI name.</p> <p>Thanks, <a href="https://github.com/Murphy-hub" target="_blank" rel="noopener nofollow noreferrer ">@Murphy-hub</a>! <a href="https://github.com/Kong/kong/pull/8196" target="_blank" rel="noopener nofollow noreferrer ">#8196</a></p> </li> <li> <p>Routes now support matching headers with regular expressions.</p> <p>Thanks, <a href="https://github.com/vanhtuan0409" target="_blank" rel="noopener nofollow noreferrer ">@vanhtuan0409</a>! <a href="https://github.com/Kong/kong/pull/6079" target="_blank" rel="noopener nofollow noreferrer ">#6079</a></p> </li> <li> <p>You can now configure <a href="/gateway/latest/reference/configuration/#cluster_max_payload"><code class="language-plaintext highlighter-rouge">cluster_max_payload</code></a> for hybrid mode deployments. This configuration option sets the maximum payload size allowed to be sent across from the control plane to the data plane. If your environment has large configurations that generate <code class="language-plaintext highlighter-rouge">payload too big</code> errors and don’t get applied to the data planes, use this setting to adjust the limit.</p> <p>Thanks, <a href="https://github.com/andrewgkew" target="_blank" rel="noopener nofollow noreferrer ">@andrewgkew</a>! <a href="https://github.com/Kong/kong/pull/8337" target="_blank" rel="noopener nofollow noreferrer ">#8337</a></p> </li> </ul> <h4 id="performance-10">Performance</h4> <ul> <li> <p>Improved the calculation of declarative configuration hash for big configurations. The new method is faster and uses less memory. <a href="https://github.com/Kong/kong/pull/8204" target="_blank" rel="noopener nofollow noreferrer ">#8204</a></p> </li> <li> <p>Multiple improvements in the Router, including:</p> <ul> <li>The router builds twice as fast</li> <li>Failures are cached and discarded faster (negative caching)</li> <li>Routes with header matching are cached</li> </ul> <p>These changes should be particularly noticeable when rebuilding in DB-less environments. <a href="https://github.com/Kong/kong/pull/8087" target="_blank" rel="noopener nofollow noreferrer ">#8087</a> <a href="https://github.com/Kong/kong/pull/8010" target="_blank" rel="noopener nofollow noreferrer ">#8010</a></p> </li> </ul> <h4 id="admin-api-31">Admin API</h4> <ul> <li>The current declarative configuration hash is now returned by the <code class="language-plaintext highlighter-rouge">status</code> endpoint when Kong node is running in DB-less or data plane mode. <a href="https://github.com/Kong/kong/pull/8214" target="_blank" rel="noopener nofollow noreferrer ">#8214</a> <a href="https://github.com/Kong/kong/pull/8425" target="_blank" rel="noopener nofollow noreferrer ">#8425</a> </li> </ul> <h4 id="plugins-107">Plugins</h4> <ul> <li> <a href="/hub/kong-inc/canary/">Canary</a> (<code class="language-plaintext highlighter-rouge">canary</code>) <ul> <li>Added the ability to configure <code class="language-plaintext highlighter-rouge">canary_by_header_name</code>. This parameter accepts a header name that, when present on a request, overrides the configured canary functionality. <ul> <li>If the configured header is present with the value <code class="language-plaintext highlighter-rouge">always</code>, the request will always go to the canary upstream.</li> <li>If the header is present with the value <code class="language-plaintext highlighter-rouge">never</code>, the request will never go to the canary upstream.</li> </ul> </li> </ul> </li> <li> <a href="/hub/kong-inc/prometheus/">Prometheus</a> (<code class="language-plaintext highlighter-rouge">prometheus</code>) <ul> <li>Added three new metrics: <ul> <li> <code class="language-plaintext highlighter-rouge">kong_db_entities_total</code> (gauge): total number of entities in the database.</li> <li> <code class="language-plaintext highlighter-rouge">kong_db_entity_count_errors</code> (counter): measures the number of errors encountered during the measurement of <code class="language-plaintext highlighter-rouge">kong_db_entities_total</code>.</li> <li> <code class="language-plaintext highlighter-rouge">kong_nginx_timers</code> (gauge): total number of Nginx timers, in Running or Pending state. Tracks <code class="language-plaintext highlighter-rouge">ngx.timer.running_count()</code> and <code class="language-plaintext highlighter-rouge">ngx.timer.pending_count()</code>. <a href="https://github.com/Kong/kong/pull/8387" target="_blank" rel="noopener nofollow noreferrer ">#8387</a> </li> </ul> </li> </ul> </li> <li> <p><a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>)</p> <ul> <li> <p>Added Redis ACL support (Redis v6.0.0+) for storing and retrieving a session. Use the <code class="language-plaintext highlighter-rouge">session_redis_username</code> and <code class="language-plaintext highlighter-rouge">session_redis_password</code> configuration parameters to configure it.</p> <blockquote class="important"> <p>These parameters replace the <code class="language-plaintext highlighter-rouge">session_redis_auth</code> field, which is now <strong>deprecated</strong> and planned to be removed in 3.x.x.</p> </blockquote> </li> <li> <p>Added support for distributed claims. Set the <code class="language-plaintext highlighter-rouge">resolve_distributed_claims</code> configuration parameter to <code class="language-plaintext highlighter-rouge">true</code> to tell OIDC to explicitly resolve distributed claims.</p> <p>Distributed claims are represented by the <code class="language-plaintext highlighter-rouge">_claim_names</code> and <code class="language-plaintext highlighter-rouge">_claim_sources</code> members of the JSON object containing the claims.</p> </li> <li> <p><strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">client_id</code>, <code class="language-plaintext highlighter-rouge">client_secret</code>, <code class="language-plaintext highlighter-rouge">session_secret</code>, <code class="language-plaintext highlighter-rouge">session_redis_username</code>, and <code class="language-plaintext highlighter-rouge">session_redis_password</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</p> </li> </ul> </li> <li> <p><a href="/hub/kong-inc/forward-proxy/">Forward Proxy Advanced</a> (<code class="language-plaintext highlighter-rouge">forward-proxy</code>)</p> <ul> <li> <p>Added <code class="language-plaintext highlighter-rouge">http_proxy_host</code>, <code class="language-plaintext highlighter-rouge">http_proxy_port</code>, <code class="language-plaintext highlighter-rouge">https_proxy_host</code>, and <code class="language-plaintext highlighter-rouge">https_proxy_port</code> configuration parameters for mTLS support.</p> <blockquote class="important"> <p>These parameters replace the <code class="language-plaintext highlighter-rouge">proxy_port</code> and <code class="language-plaintext highlighter-rouge">proxy_host</code> fields, which are now <strong>deprecated</strong> and planned to be removed in 3.x.x.</p> </blockquote> </li> <li> <p>The <code class="language-plaintext highlighter-rouge">auth_password</code> and <code class="language-plaintext highlighter-rouge">auth_username</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</p> </li> </ul> </li> <li> <p><a href="/hub/kong-inc/kafka-upstream/">Kafka Upstream</a> (<code class="language-plaintext highlighter-rouge">kafka-upstream</code>) and <a href="/hub/kong-inc/kafka-log/">Kafka Log</a> (<code class="language-plaintext highlighter-rouge">kafka-log</code>)</p> <ul> <li> <p>Added the ability to identify a Kafka cluster using the <code class="language-plaintext highlighter-rouge">cluster_name</code> configuration parameter. By default, this field generates a random string. You can also set your own custom cluster identifier.</p> </li> <li> <p><strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">authentication.user</code> and <code class="language-plaintext highlighter-rouge">authentication.password</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</p> </li> </ul> </li> <li> <p><a href="/hub/kong-inc/ldap-auth-advanced/">LDAP Authentication Advanced</a> (<code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>)</p> <ul> <li> <strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">ldap_password</code> and <code class="language-plaintext highlighter-rouge">bind_dn</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/vault-auth/">Vault Authentication</a> (<code class="language-plaintext highlighter-rouge">vault-auth</code>)</p> <ul> <li> <strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">vaults.vault_token</code> form field is now marked as referenceable, which means it can be securely stored as a <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secret</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/graphql-rate-limiting-advanced/">GraphQL Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">graphql-rate-limiting-advanced</code>)</p> <ul> <li> <p>Added Redis ACL support (Redis v6.0.0+ and Redis Sentinel v6.2.0+).</p> </li> <li> <p>Added the <code class="language-plaintext highlighter-rouge">redis.username</code> and <code class="language-plaintext highlighter-rouge">redis.sentinel_username</code> configuration parameters.</p> </li> <li> <p><strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">redis.username</code>, <code class="language-plaintext highlighter-rouge">redis.password</code>, <code class="language-plaintext highlighter-rouge">redis.sentinel_username</code>, and <code class="language-plaintext highlighter-rouge">redis.sentinel_password</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</p> </li> </ul> </li> <li> <p><a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>)</p> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Added Redis ACL support (Redis v6.0.0+ and Redis Sentinel v6.2.0+).</p> </li> <li> <p>Added the <code class="language-plaintext highlighter-rouge">redis.username</code> and <code class="language-plaintext highlighter-rouge">redis.sentinel_username</code> configuration parameters.</p> </li> <li> <p><strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">redis.username</code>, <code class="language-plaintext highlighter-rouge">redis.password</code>, <code class="language-plaintext highlighter-rouge">redis.sentinel_username</code>, and <code class="language-plaintext highlighter-rouge">redis.sentinel_password</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/response-ratelimiting/">Response Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">response-ratelimiting</code>) <ul> <li>Added Redis ACL support (Redis v6.0.0+ and Redis Sentinel v6.2.0+).</li> <li> <p>Added the <code class="language-plaintext highlighter-rouge">redis_username</code> configuration parameter.</p> <p>Thanks, <a href="https://github.com/27ascii" target="_blank" rel="noopener nofollow noreferrer ">@27ascii</a> for the original contribution! <a href="https://github.com/Kong/kong/pull/8213" target="_blank" rel="noopener nofollow noreferrer ">#8213</a></p> </li> </ul> </li> <li> <a href="/hub/kong-inc/response-transformer-advanced/">Response Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">response-transformer-advanced</code>) <ul> <li>Use response buffering from the PDK.</li> </ul> </li> <li> <a href="/hub/kong-inc/proxy-cache-advanced/">Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>) <ul> <li> <p>Added Redis ACL support (Redis v6.0.0+ and Redis Sentinel v6.2.0+).</p> </li> <li> <p>Added the <code class="language-plaintext highlighter-rouge">redis.sentinel_username</code> and <code class="language-plaintext highlighter-rouge">redis.sentinel_password</code> configuration parameters.</p> </li> <li> <p><strong>Beta feature:</strong> The <code class="language-plaintext highlighter-rouge">redis.password</code>, <code class="language-plaintext highlighter-rouge">redis.sentinel_username</code>, and <code class="language-plaintext highlighter-rouge">redis.sentinel_password</code> configuration fields are now marked as referenceable, which means they can be securely stored as <a href="/gateway/latest/kong-enterprise/secrets-management/getting-started/">secrets</a> in a vault. References must follow a <a href="/gateway/latest/kong-enterprise/secrets-management/reference-format/">specific format</a>.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/jq/">jq</a> (<code class="language-plaintext highlighter-rouge">jq</code>) <ul> <li>Use response buffering from the PDK.</li> </ul> </li> <li> <a href="/hub/kong-inc/acme/">ACME</a> (<code class="language-plaintext highlighter-rouge">acme</code>) <ul> <li> <p>Added the <code class="language-plaintext highlighter-rouge">rsa_key_size</code> configuration parameter.</p> <p>Thanks, <a href="https://github.com/lodrantl" target="_blank" rel="noopener nofollow noreferrer ">lodrantl</a>! <a href="https://github.com/Kong/kong/pull/8114" target="_blank" rel="noopener nofollow noreferrer ">#8114</a></p> </li> </ul> </li> </ul> <h3 id="fixes-84">Fixes</h3> <h4 id="enterprise-38">Enterprise</h4> <ul> <li> <p>Fixed a timer leak that caused the timers to be exhausted and failed to start any other timers used by Kong, showing the error <code class="language-plaintext highlighter-rouge">too many pending timers</code>.</p> </li> <li> <p>Fixed an issue where, if <code class="language-plaintext highlighter-rouge">data_plane_config_cache_mode</code> was set to <code class="language-plaintext highlighter-rouge">off</code>, the data plane received no updates from the control plane.</p> </li> <li> <p>Fixed <code class="language-plaintext highlighter-rouge">attempt to index local 'workspace'</code> error, which occurred when accessing Routes or Services using TLS.</p> </li> <li> <p>Fixed an issue where <a href="/gateway/latest/reference/configuration/#cluster_telemetry_server_name"><code class="language-plaintext highlighter-rouge">cluster_telemetry_server_name</code></a> was not automatically generated and registered if it was not explicitly set.</p> </li> <li> <p>Fixed the <a href="/gateway/latest/reference/configuration/#cluster_allowed_common_names"><code class="language-plaintext highlighter-rouge">cluster_allowed_common_names</code></a> setting. When using PKI for certificate verification in hybrid mode, you can now configure a list of Common Names allowed to connect to a control plane with the option. If not set, only data planes with the same parent domain as the control plane cert are allowed.</p> </li> </ul> <h4 id="kong-manager-26">Kong Manager</h4> <ul> <li> <p>Fixed an issue where OIDC authentication into Kong Manager failed when used with Azure AD.</p> </li> <li> <p>Fixed a performance issue with the Teams page in Kong Manager.</p> </li> <li> <p>Fixed an issue with checkboxes in Kong Manager, where the checkbox for the OAuth2 plugin’s <code class="language-plaintext highlighter-rouge">hash_secret</code> value was labelled as <em>Required</em> and users were not able to uncheck it.</p> </li> <li> <p>Fixed an issue where Kong Manager was not updating plugin configuration when attempting to clear the <code class="language-plaintext highlighter-rouge">service.id</code> from a plugin.</p> </li> <li> <p>Fixes an issue with Route creation in Kong Manager, where a new route would default to <code class="language-plaintext highlighter-rouge">http</code> as the supported protocol. Now, creating a Route picks up the correct default value, which is <code class="language-plaintext highlighter-rouge">http,https</code>.</p> </li> <li> <p>Kong Manager now accurately lists <code class="language-plaintext highlighter-rouge">udp</code> as a protocol option for Route and Service objects on their configuration pages.</p> </li> <li> <p>Fixed an issue with Kong Manager OIDC authentication, which caused the error <code class="language-plaintext highlighter-rouge">“attempt to call method 'select_by_username_ignore_case' (a nil value)”</code> and prevented login with OIDC.</p> </li> <li> <p>Fixed a latency issue with OAuth2 token creation. These tokens are no longer tracked by the workspace entity counter, as the count is not needed by the Kong Manager UI.</p> </li> <li> <p>Fixed an issue where the plugin list table couldn’t be sorted by the <strong>Applied To</strong> column.</p> </li> </ul> <h4 id="dev-portal-2">Dev Portal</h4> <ul> <li> <p>When the SMTP configuration was broken or unresponsive, the API would respond with an error message that was a JavaScript Object (<code class="language-plaintext highlighter-rouge">[Object object]</code>) instead of a string. This happened when a user was registering on any given portal with broken SMTP. Now, if there is an error, the API responds with the string <code class="language-plaintext highlighter-rouge">Error sending email</code>.</p> </li> <li> <p>The <code class="language-plaintext highlighter-rouge">/document_objects</code> and <code class="language-plaintext highlighter-rouge">/services/:id/document_objects</code> endpoints no longer accept multiple documents per service. This was an issue, as each service can only have one document. Instead, posting a document to one of these endpoints now overrides the previous document.</p> </li> </ul> <h4 id="core-83">Core</h4> <ul> <li> <p>When the Router encounters an SNI FQDN with a trailing dot (<code class="language-plaintext highlighter-rouge">.</code>), the dot will be ignored, since according to <a href="https://datatracker.ietf.org/doc/html/rfc3546#section-3.1" target="_blank" rel="noopener nofollow noreferrer ">RFC-3546</a> the dot is not part of the hostname. <a href="https://github.com/Kong/kong/pull/8269" target="_blank" rel="noopener nofollow noreferrer ">#8269</a></p> </li> <li> <p>Fixed a bug in the Router that would not prioritize the routes with both a wildcard and a port (<code class="language-plaintext highlighter-rouge">route.*:80</code>) over wildcard-only routes (<code class="language-plaintext highlighter-rouge">route.*</code>), which have less specificity. <a href="https://github.com/Kong/kong/pull/8233" target="_blank" rel="noopener nofollow noreferrer ">#8233</a></p> </li> <li> <p>The internal DNS client isn’t confused by the single-dot (<code class="language-plaintext highlighter-rouge">.</code>) domain, which can appear in <code class="language-plaintext highlighter-rouge">/etc/resolv.conf</code> in special cases like <code class="language-plaintext highlighter-rouge">search .</code> <a href="https://github.com/Kong/kong/pull/8307" target="_blank" rel="noopener nofollow noreferrer ">#8307</a></p> </li> <li> <p>The Cassandra connector now records migration consistency level.</p> <p>Thanks, <a href="https://github.com/mpenick" target="_blank" rel="noopener nofollow noreferrer ">@mpenick</a>! <a href="https://github.com/Kong/kong/pull/8226" target="_blank" rel="noopener nofollow noreferrer ">#8226</a></p> </li> </ul> <h4 id="balancer">Balancer</h4> <ul> <li> <p>Targets now keep their health status when upstreams are updated. <a href="https://github.com/Kong/kong/pull/8394" target="_blank" rel="noopener nofollow noreferrer ">#8394</a></p> </li> <li> <p>One debug message which was erroneously using the <code class="language-plaintext highlighter-rouge">error</code> log level has been downgraded to the appropriate <code class="language-plaintext highlighter-rouge">debug</code> log level. <a href="https://github.com/Kong/kong/pull/8410" target="_blank" rel="noopener nofollow noreferrer ">#8410</a></p> </li> </ul> <h4 id="clustering-17">Clustering</h4> <ul> <li>Replaced a cryptic error message with a more useful one when there is a failure on SSL when connecting with the control plane. <a href="https://github.com/Kong/kong/pull/8260" target="_blank" rel="noopener nofollow noreferrer ">#8260</a> </li> </ul> <h4 id="admin-api-32">Admin API</h4> <ul> <li>Fixed an incorrect <code class="language-plaintext highlighter-rouge">next</code> field that appeared when paginating Upstreams. <a href="https://github.com/Kong/kong/pull/8249" target="_blank" rel="noopener nofollow noreferrer ">#8249</a> </li> </ul> <h4 id="pdk-24">PDK</h4> <ul> <li>Phase names are now correctly selected when performing phase checks. <a href="https://github.com/Kong/kong/pull/8208" target="_blank" rel="noopener nofollow noreferrer ">#8208</a> </li> <li>Fixed a bug in the go-PDK where, if <code class="language-plaintext highlighter-rouge">kong.request.getrawbody</code> was big enough to be buffered into a temporary file, it would return an an empty string. <a href="https://github.com/Kong/kong/pull/8390" target="_blank" rel="noopener nofollow noreferrer ">#8390</a> </li> </ul> <h4 id="plugins-108">Plugins</h4> <ul> <li> <strong>External Plugins</strong>: <ul> <li> <p>Fixed incorrect handling of the Headers Protobuf Structure and representation of null values, which provoked an error on init with the go-pdk. <a href="https://github.com/Kong/kong/pull/8267" target="_blank" rel="noopener nofollow noreferrer ">#8267</a></p> </li> <li> <p>Unwrap <code class="language-plaintext highlighter-rouge">ConsumerSpec</code> and <code class="language-plaintext highlighter-rouge">AuthenticateArgs</code>.</p> <p>Thanks, <a href="https://github.com/raptium" target="_blank" rel="noopener nofollow noreferrer ">@raptium</a>! <a href="https://github.com/Kong/kong/pull/8280" target="_blank" rel="noopener nofollow noreferrer ">#8280</a></p> </li> <li> <p>Fixed a problem in the stream subsystem, where it would attempt to load HTTP headers. <a href="https://github.com/Kong/kong/pull/8414" target="_blank" rel="noopener nofollow noreferrer ">#8414</a></p> </li> </ul> </li> <li> <a href="/hub/kong-inc/cors/">CORS</a> (<code class="language-plaintext highlighter-rouge">cors</code>) <ul> <li> <p>The CORS plugin does not send the <code class="language-plaintext highlighter-rouge">Vary: Origin</code> header anymore when the header <code class="language-plaintext highlighter-rouge">Access-Control-Allow-Origin</code> is set to <code class="language-plaintext highlighter-rouge">*</code>.</p> <p>Thanks, <a href="https://github.com/jkla-dr" target="_blank" rel="noopener nofollow noreferrer ">@jkla-dr</a>! <a href="https://github.com/Kong/kong/pull/8401" target="_blank" rel="noopener nofollow noreferrer ">#8401</a></p> </li> </ul> </li> <li> <a href="/hub/kong-inc/aws-lambda/">AWS Lambda</a> (<code class="language-plaintext highlighter-rouge">aws-lambda</code>) <ul> <li>Fixed incorrect behavior when configured to use an HTTP proxy and deprecated the <code class="language-plaintext highlighter-rouge">proxy_scheme</code> config attribute for removal in 3.0. <a href="https://github.com/Kong/kong/pull/8406" target="_blank" rel="noopener nofollow noreferrer ">#8406</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/oauth2/">OAuth2</a> (<code class="language-plaintext highlighter-rouge">oauth2</code>) <ul> <li>The plugin clears the <code class="language-plaintext highlighter-rouge">X-Authenticated-UserId</code> and <code class="language-plaintext highlighter-rouge">X-Authenticated-Scope</code> headers when it is configured in logical OR and is used in conjunction with another authentication plugin. <a href="https://github.com/Kong/kong/pull/8422" target="_blank" rel="noopener nofollow noreferrer ">#8422</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/datadog/">Datadog</a> (<code class="language-plaintext highlighter-rouge">datadog</code>) <ul> <li>The plugin schema now lists the default values for configuration options in a single place instead of in two separate places. <a href="https://github.com/Kong/kong/pull/8315" target="_blank" rel="noopener nofollow noreferrer ">#8315</a> </li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting/">Rate Limiting</a> (<code class="language-plaintext highlighter-rouge">rate-limiting</code>) <ul> <li>Fixed a 500 error associated with performing arithmetic functions on a nil value by adding a nil value check after performing <code class="language-plaintext highlighter-rouge">ngx.shared.dict</code> operations.</li> </ul> </li> <li> <a href="/hub/kong-inc/rate-limiting-advanced/">Rate Limiting Advanced</a> (<code class="language-plaintext highlighter-rouge">rate-limiting-advanced</code>) <ul> <li> <p>Fixed a 500 error that occurred when consumer groups were enforced but no proper configurations were provided. Now, if no specific consumer group configuration exists, the consumer group defaults to the original plugin configuration.</p> </li> <li> <p>Fixed a timer leak that caused the timers to be exhausted and failed to start any other timers used by Kong, showing the error <code class="language-plaintext highlighter-rouge">too many pending timers</code>.</p> <p>Before, the plugin used one timer for each namespace maintenance process, increasing timer usage on instances with a large number of rate limiting namespaces. Now, it uses a single timer for all namespace maintenance.</p> </li> <li> <p>Fixed an issue where the <code class="language-plaintext highlighter-rouge">local</code> strategy was not working with DB-less and hybrid deployments. We now allow <code class="language-plaintext highlighter-rouge">sync_rate = null</code> and <code class="language-plaintext highlighter-rouge">sync_rate = -1</code> when a <code class="language-plaintext highlighter-rouge">local</code> strategy is defined.</p> </li> </ul> </li> <li> <a href="/hub/kong-inc/exit-transformer/">Exit Transformer</a> (<code class="language-plaintext highlighter-rouge">exit-transformer</code>) <ul> <li>Fixed an issue where the Exit Transformer plugin would break the plugin iterator, causing later plugins not to run.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/mtls-auth/">mTLS Authentication</a> (<code class="language-plaintext highlighter-rouge">mtls-auth</code>)</p> <ul> <li>Fixed <code class="language-plaintext highlighter-rouge">attempt to index local 'workspace'</code> error, which occurred when accessing Routes or Services using TLS.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/oauth2-introspection/">OAuth2 Introspection</a> (<code class="language-plaintext highlighter-rouge">oauth2-introspection</code>)</p> <ul> <li>Fixed issues with TLS connections when the IDP is behind a reverse proxy.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/proxy-cache-advanced/">Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>)</p> <ul> <li>Fixed a <code class="language-plaintext highlighter-rouge">X-Cache-Status:Miss</code> error that occurred when caching large files.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/proxy-cache-advanced/">Proxy Cache Advanced</a> (<code class="language-plaintext highlighter-rouge">proxy-cache-advanced</code>)</p> <ul> <li>Fixed a <code class="language-plaintext highlighter-rouge">X-Cache-Status:Miss</code> error that occurred when caching large files.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/response-transformer-advanced/">Response Transformer Advanced</a> (<code class="language-plaintext highlighter-rouge">response-transformer-advanced</code>)</p> <ul> <li>In the <code class="language-plaintext highlighter-rouge">body_filter</code> phase, the plugin now sets the body to an empty string instead of <code class="language-plaintext highlighter-rouge">nil</code>.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/jq/">jq</a> (<code class="language-plaintext highlighter-rouge">jq</code>)</p> <ul> <li>If plugin has no output, it will now return the raw body instead of attempting to restore the original response body.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/openid-connect/">OpenID Connect</a> (<code class="language-plaintext highlighter-rouge">openid-connect</code>)</p> <ul> <li>Fixed negative caching, which was loading wrong a configuration value.</li> </ul> </li> <li> <p><a href="/hub/kong-inc/jwt-signer/">JWT Signer</a> (<code class="language-plaintext highlighter-rouge">jwt-signer</code>)</p> <ul> <li>Fixed an issue where the <code class="language-plaintext highlighter-rouge">enable_hs_signatures</code> configuration parameter did not work. The plugin now defines expiry earlier to avoid arithmetic on a nil value.</li> </ul> </li> </ul> <h3 id="dependencies-53">Dependencies</h3> <ul> <li>Bumped OpenSSL from 1.1.1l to 1.1.1m <a href="https://github.com/Kong/kong/pull/8191" target="_blank" rel="noopener nofollow noreferrer ">#8191</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">resty.session</code> from 3.8 to 3.10 <a href="https://github.com/Kong/kong/pull/8294" target="_blank" rel="noopener nofollow noreferrer ">#8294</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lua-resty-openssl</code> to 0.8.5 <a href="https://github.com/Kong/kong/pull/8368" target="_blank" rel="noopener nofollow noreferrer ">#8368</a> </li> <li>Bumped <code class="language-plaintext highlighter-rouge">lodash</code> for Dev Portal from 4.17.11 to 4.17.21</li> <li>Bumped <code class="language-plaintext highlighter-rouge">lodash</code> for Kong Manager from 4.17.15 to 4.17.21</li> </ul> <h3 id="deprecated-1">Deprecated</h3> <ul> <li> <p>The external <code class="language-plaintext highlighter-rouge">go-pluginserver</code> project is considered deprecated in favor of the <a href="/gateway/latest/reference/external-plugins/">embedded server approach</a>.</p> </li> <li> <p>Starting with Kong Gateway 2.8.0.0, Kong is not building new open-source CentOS images. Support for running open-source Kong Gateway on CentOS on is now deprecated, as <a href="https://www.centos.org/centos-linux-eol/" target="_blank" rel="noopener nofollow noreferrer ">CentOS has reached End of Life (OEL)</a>.</p> <p>Running Kong Gateway Enterprise on CentOS is currently supported, but CentOS is planned to be fully deprecated in Kong Gateway 3.x.x.</p> </li> <li> <p>OpenID Connect plugin: The <code class="language-plaintext highlighter-rouge">session_redis_auth</code> field is now deprecated and planned to be removed in 3.x.x. Use <code class="language-plaintext highlighter-rouge">session_redis_username</code> and <code class="language-plaintext highlighter-rouge">session_redis_password</code> instead.</p> </li> <li> <p>Forward Proxy Advanced plugin: The <code class="language-plaintext highlighter-rouge">proxy_port</code> and <code class="language-plaintext highlighter-rouge">proxy_host</code> fields are now deprecated and planned to be removed in 3.x.x. Use <code class="language-plaintext highlighter-rouge">http_proxy_host</code> and <code class="language-plaintext highlighter-rouge">http_proxy_port</code>, or <code class="language-plaintext highlighter-rouge">https_proxy_host</code> and <code class="language-plaintext highlighter-rouge">https_proxy_port</code> instead.</p> </li> <li> <p>AWS Lambda plugin: The <code class="language-plaintext highlighter-rouge">proxy_scheme</code> field is now deprecated and planned to be removed in 3.x.x.</p> </li> </ul> </div> </div> </div> <div id="scroll-to-top-button"> <i class="fas fa-chevron-up"></i> </div> <div class="feedback-widget-container"> <input id="feedback-widget-checkbox" type="checkbox"> <label for="feedback-widget-checkbox"> <img src="/assets/images/icons/feedback-widget.svg" alt="Feedback widget"> </label> <div class="feedback-container"> <div class="feedback-thankyou"> Thank you for your feedback. </div> <div class="feedback-comment"> <textarea id="feedback-comment-text" rows="3" placeholder="Please let us know what we can improve on this page..."></textarea> <div class="feedback-comment-buttons"> <button id="feedback-comment-button-back">Back</button> <button id="feedback-comment-button-submit" class="button-primary">Submit</button> </div> </div> <div class="feedback-options"> <div class="feedback-options-title">Was this page useful?</div> <div class="feedback-options-buttons"> <i data-feedback-result="yes" class="feedback-options-button far fa-thumbs-up"></i> <i data-feedback-result="no" class="feedback-options-button far fa-thumbs-down"></i> </div> </div> </div> </div> </div> <div id="image-modal" data-image-expand-disabled=""> <div class="image-modal-backdrop"></div> <div class="image-container"> <img src="" alt=""> <i class="fa fa-times"></i> </div> </div> <div class="modal closed" id="modal" role="dialog" aria-hidden="true" aria-labelledby="title" aria-describedby="description"> <div class="konnect-cta-card"> <div class="title"> Too much on your plate? <a href="#" class="cta-card-close modal-close" id="modal-close"> <img src="/assets/images/icons/documentation/close.svg" alt="close cta icon"> </a> </div> <div class="description"> More features, less infrastructure with Kong Konnect. 1M requests per month for free. </div> <a href="https://konghq.com/products/kong-konnect/register?utm_medium=referral&utm_source=docs&utm_campaign=gateway-konnect&utm_campaign=right-nav-card&utm_content=gateway" class="button" target="_blank" rel="noopener nofollow noreferrer "> Try it for Free </a> </div> </div> <div id="modal-open" class="modal-open"></div> <div class="modal-overlay closed" id="modal-overlay"></div> <footer class="marketing-footer--light-gray"> <section> <ul class="newsletter"> <li class="logo-wrapper"> <div class="logo"> <img src="/assets/images/logos/konglogo-light-theme-primary.svg" alt="Kong"> </div> <div class="footer-title">Powering the API world</div> <p> Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller. </p> <div class="footer-form-container"> <form id="subscribe-form" method="POST" action="/assets/javascripts/subscribe.js"> <input required id="subscribe-input" type="email" name="email" placeholder="Email" aria-required="true" aria-invalid="false"> <input id="footer-form-button" type="submit" form="subscribe-form" value="Subscribe"> </form> <div id="form-response"></div> </div> </li> <li class="footer-columns"> <ul class="footer-columns-product-list"> <li> <nav> <div class="footer-category">Products</div> <ul> <li> <a href="https://konghq.com/products/kong-konnect" target="_blank" rel="noopener nofollow noreferrer ">Kong Konnect</a> </li> <li> <a href="https://konghq.com/products/kong-enterprise" target="_blank" rel="noopener nofollow noreferrer ">Kong Gateway Enterprise</a> </li> <li> <a href="https://konghq.com/products/kong-gateway" target="_blank" rel="noopener nofollow noreferrer ">Kong Gateway</a> </li> <li> <a href="https://konghq.com/products/kong-mesh" target="_blank" rel="noopener nofollow noreferrer ">Kong Mesh</a> </li> <li> <a href="https://konghq.com/products/kong-ingress-controller" target="_blank" rel="noopener nofollow noreferrer ">Kong Ingress Controller</a> </li> <li> <a href="https://insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Kong Insomnia</a> </li> <li> <a href="https://konghq.com/product-updates" target="_blank" rel="noopener nofollow noreferrer ">Product Updates</a> </li> <li> <a href="https://konghq.com/contact-sales" target="_blank" rel="noopener nofollow noreferrer ">Get Started</a> </li> </ul> </nav> </li> <li> <nav> <div class="footer-category">Documentation</div> <ul> <li> <a href="/konnect/">Kong Konnect Docs</a> </li> <li> <a href="/gateway/latest/">Kong Gateway Docs</a> </li> <li> <a href="/gateway/latest/kong-enterprise/">Kong Gateway Enterprise Docs</a> </li> <li> <a href="/mesh/latest/">Kong Mesh Docs</a> </li> <li> <a href="https://docs.insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Kong Insomnia Docs</a> </li> <li> <a href="/hub/">Kong Konnect Plugin Hub</a> </li> </ul> </nav> </li> <li> <nav> <div class="footer-category">Open Source</div> <ul> <li> <a href="https://konghq.com/install/#kong-community" target="_blank" rel="noopener nofollow noreferrer ">Kong Gateway</a> </li> <li> <a href="https://kuma.io/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Kuma</a> </li> <li> <a href="https://insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Insomnia</a> </li> <li> <a href="https://konghq.com/community" target="_blank" rel="noopener nofollow noreferrer ">Kong Community</a> </li> </ul> </nav> </li> <li> <nav> <div class="footer-category">Company</div> <ul> <li> <a href="https://konghq.com/company/about-us" target="_blank" rel="noopener nofollow noreferrer ">About Kong</a> </li> <li> <a href="https://konghq.com/customers" target="_blank" rel="noopener nofollow noreferrer ">Customers</a> </li> <li> <a href="https://konghq.com/company/careers" target="_blank" rel="noopener nofollow noreferrer ">Careers</a> </li> <li> <a href="https://konghq.com/press-room" target="_blank" rel="noopener nofollow noreferrer ">Press</a> </li> <li> <a href="https://konghq.com/events" target="_blank" rel="noopener nofollow noreferrer ">Events</a> </li> <li> <a href="https://konghq.com/company/contact-us" target="_blank" rel="noopener nofollow noreferrer ">Contact</a> </li> </ul> </nav> </li> </ul> </li> </ul> </section> <section class="legal"> <div class="container d-flex"> <div class="social"> <div class="social-link"> <a href="https://www.facebook.com/konghq/" title="Facebook" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="Facebook" class="fa fa-facebook-official" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://twitter.com/thekonginc" title="Twitter" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="Twitter" class="fa fa-twitter" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://www.meetup.com/topics/kong/all/" title="Meetup" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="Meetup" class="fa fa-meetup" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://linkedin.com/company/278819" title="LinkedIn" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="GitHub" class="fa fa-linkedin" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://github.com/kong/kong" target="_blank" class="btn-gh" title="GitHub" rel="noopener nofollow noreferrer "> <i class="fa fa-github" aria-hidden="true" aria-label="GitHub"></i> </a> </div> </div> <ul> <li> <span class="mashape-footer-content"> <a href="https://konghq.com/legal/terms-of-use" target="_blank" rel="noopener nofollow noreferrer ">Terms</a><b>•</b> <a href="https://konghq.com/legal/privacy-policy" target="_blank" rel="noopener nofollow noreferrer ">Privacy</a><b>•</b> <a href="https://konghq.com/compliance" target="_blank" rel="noopener nofollow noreferrer ">Trust and Compliance</a> </span> </li> </ul> <div> <span>© Kong Inc. 2025 </span> </div> </div> </section> </footer> <script> var anchorForId = function (id) { var anchor = document.createElement("a"); anchor.className = "header-link"; anchor.href = "#" + id; anchor.innerHTML = "<i class=\"fa fa-link\"></i>"; anchor.title = `${id} Permalink`; return anchor; }; document.onreadystatechange = function () { if (this.readyState === "complete") { var className = ".show-anchor-links h1, .show-anchor-links h2, .show-anchor-links h3, " + ".show-anchor-links h4, .show-anchor-links h5, .show-anchor-links h6"; var headers = document.querySelectorAll(className); for (var i = 0; i < headers.length; i++) { var header = headers[i]; if (typeof header.id !== "undefined" && header.id !== "") { header.prepend(anchorForId(header.id)); } } } }; </script> <script> !function(){var i="analytics",analytics=window[i]=window[i]||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","screen","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware","register"];analytics.factory=function(e){return function(){if(window[i].initialized)return window[i][e].apply(window[i],arguments);var n=Array.prototype.slice.call(arguments);if(["track","screen","alias","group","page","identify"].indexOf(e)>-1){var c=document.querySelector("link[rel='canonical']");n.push({__t:"bpc",c:c&&c.getAttribute("href")||void 0,p:location.pathname,u:location.href,s:location.search,t:document.title,r:document.referrer})}n.unshift(e);analytics.push(n);return analytics}};for(var n=0;n<analytics.methods.length;n++){var key=analytics.methods[n];analytics[key]=analytics.factory(key)}analytics.load=function(key,n){var t=document.createElement("script");t.type="text/javascript";t.async=!0;t.setAttribute("data-global-segment-analytics-key",i);t.src="https://cdn.segment.com/analytics.js/v1/" + key + "/analytics.min.js";var r=document.getElementsByTagName("script")[0];r.parentNode.insertBefore(t,r);analytics._loadOptions=n};analytics._writeKey="X7EZTdbdUKQ8M6x42SHHPWiEhjsfs1EQ";;analytics.SNIPPET_VERSION="5.2.0"; analytics.load("X7EZTdbdUKQ8M6x42SHHPWiEhjsfs1EQ"); analytics.page(); }}(); </script> <div id="fb-root"></div> <script id="github-bjs" src="https://buttons.github.io/buttons.js" async defer></script> <script type="text/javascript"> var _vwo_code = (function() { var account_id = 125292, settings_tolerance = 2000, library_tolerance = 2500, use_existing_jquery = true, // DO NOT EDIT BELOW THIS LINE f = false, d = document; return { use_existing_jquery: function() { return use_existing_jquery; }, library_tolerance: function() { return library_tolerance; }, finish: function() { if (!f) { f = true; var a = d.getElementById('_vis_opt_path_hides'); if (a) a.parentNode.removeChild(a); } }, finished: function() { return f; }, load: function(a) { var b = d.createElement('script'); b.src = a; b.type = 'text/javascript'; b.innerText; b.onerror = function() { _vwo_code.finish(); }; d.getElementsByTagName('head')[0].appendChild(b); }, init: function() { settings_timer = setTimeout( '_vwo_code.finish()', settings_tolerance ); this.load( '//dev.visualwebsiteoptimizer.com/j.php?a=' + account_id + '&u=' + encodeURIComponent(d.URL) + '&r=' + Math.random() ); var a = d.createElement('style'), b = '', h = d.getElementsByTagName('head')[0]; a.setAttribute('id', '_vis_opt_path_hides'); a.setAttribute('type', 'text/css'); if (a.styleSheet) a.styleSheet.cssText = b; else a.appendChild(d.createTextNode(b)); h.appendChild(a); return settings_timer; } }; })(); _vwo_settings_timer = _vwo_code.init(); </script> <script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3"></script> <script type="text/javascript"> docsearch({ appId: '05Y6TLHNFZ', apiKey: '80483bfe28d9fd036a11a6f6a06454f8', indexName: 'konghq', container: '#getkong-algolia-search-input', disableUserPersonalization: true, placeholder: 'Search the docs...', // Override selected event to allow for local environment navigation transformItems(items) { return items.map((item) => { var modifiedUrl = window.location.protocol + '//' + window.location.host + item.url.split('docs.konghq.com')[1]; return { ...item, url: modifiedUrl }; }); }, translations: { button: { buttonText: 'Search the docs..', buttonAriaLabel: 'Search the docs...' } }, resultsFooterComponent({ state }) { var facetParameters = {}; facetParameters = {"version[0]":"latest","product[0]":"Kong Gateway"}; var queryParams = new URLSearchParams(facetParameters); queryParams.set('query', state.query); return { // The HTML `tag` type: 'a', ref: undefined, constructor: undefined, key: state.query, // Its props props: { href: `/search/?${queryParams.toString()}`, target: '_blank', // Raw text rendered in the HTML element children: 'See more >' }, __v: null, }; }, searchParameters: { optionalFilters: ['product:deck<score=1>', 'product:Plugin Hub<score=2>', 'product:Kong Gateway<score=3>'], facetFilters: [ 'version:latest'] } }); </script> <script> (function() { if (typeof window === 'undefined') return; if (typeof window.signals !== 'undefined') return; var script = document.createElement('script'); script.src = 'https://cdn.cr-relay.com/v1/site/993c7a0d-caec-465c-be46-2d3a78ab60c5/signals.js'; script.async = true; window.signals = Object.assign( [], ['page', 'identify', 'form'].reduce(function (acc, method){ acc[method] = function () { signals.push([method, arguments]); return signals; }; return acc; }, {}) ); document.head.appendChild(script); })(); </script> </div> </body> </html>