CHANGELOG.md


0.9.1 - 2020/06/08

Fixed

  • Parse TLS section of Knative Ingress resources #721

0.9.0 - 2020/05/26

Breaking change

Health-check behavior of the default manifest has been changed to use status interface of Kong instead of a simple Nginx server block. The change is transparent and doesn't require any additional work. #634

Deprecations

Kong deployments backed by Cassandra are deprecated and will not be supported in the future. Cassandra deployments for Ingress Controller use cases are rare and seldom make sense since the features that Cassandra brings are provided by other means in such architectures. #617

Added

  • Plugin configuration via Kubernetes Secrets: Configuration of plugins can be stored in Kubernetes Secrets and then referenced in KongPlugin and KongClusterPlugin resources. #618
  • mTLS authentication: The controller can configure CA Certificates in Kong and these can be used by mtls-auth plugin in Kong. The plugin is currently enterprise-only. #616
  • Kong Custom entities in DB-less mode: Custom entities used in custom plugins can now be configured for DB-less deployments of Kong. #630
  • Host-header manipulation: Host header of a request destined to a Kubernetes Service can now be manipulated using the konghq.com/host-header annotation on the Service resource. #597
  • Method-based routing: Method based routing can be performed using the Ingress resource. A new annotation konghq.com/methods can now be used to match HTTP method in addition to HTTP host and path. This was previously supported only via KongIngress Custom Resource. #591
  • New configuration options: The following new CLI flags and corresponding environment variables have been added:
    • --admission-webhook-cert, --admission-webhook-key and --kong-admin-ca-cert. These have been added to ease configuration by enabling users to supply sensitive values using Secret references inside PodSpec. #628
    • --kong-custom-entities-secret flag has been added to support custom entities in DB-less mode feature.

Fixed

  • Some errors that were previously ignored are being caught and handled correctly #635
  • Ingress rules with consecutive slashes (//) are now ignored #663

0.8.1 - 2020/04/15

Added

  • Added --enable-reverse-sync flag to enable checks from Kong to Kubernetes state. This should be enabled only if a human has access to Kong's Admin API or Kong Manager (for Enterprise users). This flag will disable an optimization in the controller and result in increased read activity on Kong's Admin API and database. #559

Fixed

  • Fix certificate and SNI sync to avoid a deadlock due to a conflict when Kong is running with a database backend. #524
  • Correctly set Knative Ingress Status #600

0.8.0 - 2020/03/25

Breaking changes

  • strip_path disabled by default
    The value of strip_path of routes in Kong is now set to false. If you are upgrading from a previous version, please carefully test the change before rolling it out as this change can possibly break the routing for your clusters. You can use konghq.com/strip-path annotation to set the value to true.

Deprecations

The following annotations are now deprecated and will be removed in a future release:

  • configuration.konghq.com
  • plugins.konghq.com
  • configuration.konghq.com/protocols
  • configuration.konghq.com/protocol
  • configuration.konghq.com/client-cert

Please read the annotations document for new annotations.

Added

  • Knative Ingress support: The controller can now proxy traffic for serverless workloads running on top of Knative. Users can also select Kong plugins to execute on a per Knative workload/service basis. #563
  • TCP/TLS routing: New Custom Resource TCPIngress has been introduced to support TCP proxy. SNI-based proxying is also supported for TLS encrypted TCP streams. #527
  • New Custom Resource KongClusterPlugin: Plugin configuration can now be shared across Kubernetes namespaces using KongClusterPlugin, a new cluster-level Custom Resource. #520
  • New annotation group konghq.com: A new annotations group has been introduced which should simplify configuration and reduce the need of KongIngress resource in most use-cases. The following new annotations have been introduced:
    • konghq.com/plugins
    • konghq.com/override
    • konghq.com/client-cert
    • konghq.com/protocols
    • konghq.com/protocol
    • konghq.com/preserve-host
    • konghq.com/path
    • konghq.com/strip-path
    • konghq.com/https-redirect-status-code

Fixed

  • Admission webhook now checks for the correct fields for JWT credential type. #556

Under the hood

  • decK has been upgraded to v1.0.3. #576
  • Go has been upgraded to 1.14. #579
  • Alpine docker image has been upgraded to 3.11. #567

0.7.1 - 2020/01/31

Summary

This release contains bug-fixes only. All users are advised to upgrade.

Fixed

  • De-duplicate SNIs when the same SNI is associated with multiple secrets. #510
  • plugin.RunOn is not injected when Kong version >= 2.0.0. #521
  • Parse default backend in Ingress resource correctly. #511
  • KongPlugin resources with global: true label are correctly processed to include protocols fields while rendering Kong's configuration. #502
  • Admission Controller: correctly process updates to KongConsumer resource #501
  • Do not send multiple update events for a single CRD update #514

0.7.0 - 2020/01/06

Summary

This release adds secret-based credentials, gRPC routing, upstream mutual authentication, DB-less deployment by default and performance improvements.

Breaking changes

  • The default value of --admission-webhook-listen flag is now off to avoid an error in the logs when the cert and key pair is not provided. Users will have to explicitly set this flag to :8080 to enable it. Please do note that it is recommended to always set up the Admission Controller.

Added

  • Multi-port services: Ingress rules forwarding traffic to multiple ports of the same service are now supported. The names of the services configured in Kong have been changed to include the port number/name for uniqueness. #404
  • When using the controller with Kong Enterprise, Controller now attempts to create the workspace configured via --kong-workspace, if it does not exist. #429
  • Controller configuration revamped: Configuration of the controller itself can now be tweaked via both environment variables and CLI flags. Environment variables and Secrets can be used to pass sensitive information to the controller. #436
  • Encrypted credentials via Secrets: Credentials can now be configured via Secret resource from the Kubernetes core API. These credentials are encrypted at rest by Kubernetes. The controller loads these secrets into Kong's memory or database from the Kubernetes data-store. #430
  • Multi-entity plugins: Plugins can now be configured for a combination of an Ingress rule(s) and KongConsumer or a combination of a Service and KongConsumer. #386
  • Mutual authentication using mTLS: Kong and the Kubernetes Service can mutually authenticate each other now. Use the new configuration.konghq.com/client-cert annotation on a Kubernetes Service to specify the cert-key pair Kong should use to authenticate itself. #483
  • gRPC routing: Kong Ingress Controller can now expose and proxy gRPC protocol based services, in addition to HTTP-based services. These can be configured using the core Ingress resource itself. #454
  • Performance improvement: The number of sync calls to Kong, in both DB and DB-less mode, should be reduced by an order of magnitude for most deployments. This will also improve Kong's performance. #484
  • credentials property has been added to the KongConsumer Custom Resource. This property holds the references to the secrets containing the credentials. #430
  • Flag --kong-admin-filter-tag has been added to change the tag used to filter and manage entities in Kong's database. This defaults to managed-by-ingress-controller. #440
  • Flag --kong-admin-concurrency has been added to control the number of concurrent requests between the controller and Kong's Admin API. This defaults to 10. #481
  • Flag --kong-admin-token has been added to supply the RBAC token for the Admin API for Kong Enterprise deployments. #489
  • Admission Controller now validates Secret-based credentials. It ensures that the required fields are set in the secret and the credential type is a valid one. #446
  • http2 is now enabled by default on the TLS port. #456
  • DB-less or the in-memory mode is now the new default in the reference manifests. It is recommended to run Kong without a database for Ingress Controller deployments. #456
  • upstream.host_header property has been added to the KongIngress Custom Resource. This property can be used to change the host header in every request that is sent to the upstream service. #478

Fixed

  • Every event in the queue is not logged anymore as it can leak sensitive information in the logs. Thanks to @goober for the report. #439
  • For database deployments, upstream entities are now created with round-robin as the default algorithm to avoid false positives during a sync operation. These false positives can have a negative impact on Kong's performance. #480

Deprecated

  • KongCredential Custom Resource is now deprecated and will be removed in a future release. Instead, please use Secret-based credentials. #430
  • The following flags have been deprecated and new ones have been added in their place #436:
    • --kong-url, instead use --kong-admin-url
    • --admin-tls-skip-verify, instead use --kong-admin-tls-skip-verify
    • --admin-header, instead use --kong-admin-header
    • --admin-tls-server-name, instead use --kong-admin-tls-server-name
    • --admin-ca-cert-file, instead use --kong-admin-ca-cert-file

Under the hood

  • decK has been bumped up to v0.6.2.

0.6.2 - 2019/11/13

Summary

This is a minor patch release to fix version parsing issue with new Kong Enterprise packages.

0.6.1 - 2019/10/09

Summary

This is a minor patch release to update Kong Ingress Controller's Docker image to use a non-root user by default.

0.6.0 - 2019/09/17

Summary

This release introduces an Admission Controller for CRDs, Istio compatibility, support for networking/ingress, Kong 1.3 additions and enhancements to documentation and deployments.

Added

  • Service Mesh integration: Kong Ingress Controller can now be deployed alongside Service Mesh solutions like Kuma and Istio. In such a deployment, Kong handles all the external client facing routing and policies while the mesh takes care of these aspects for internal service-to-service traffic.
  • ingress.kubernetes.io/service-upstream, a new annotation has been introduced. Adding this annotation to a Kubernetes service resource will result in Kong directly forwarding traffic to kube-proxy. In other words, Kong will not send traffic directly to the pods. #365
  • Ingress resources created in the new networking.k8s.io API group are now supported. The controller dynamically figures out the API group to use based on the metadata it receives from the k8s API-server.
  • Kong Credential enhancements
    • Kong Credentials are now live-synced as they are created and updated in DB-mode. #230
    • A single Consumer can now contain multiple credentials of the same type and multiple ACL group associations. #371
  • Admission controller: Kong Ingress Controller now ships with an in-built admission controller for KongPlugin and KongConsumer entities. The validations stop users from misconfiguring the Ingress controller. #372
  • Kong 1.3 support:
    • HTTP Header based routing is now supported using KongIngress.Route.Headers property.
    • The algorithm to use for load-balancing traffic sent upstream can be set using KongIngress.Upstream.Algorithm field.
  • Kustomize: Users can now use kustomize to tweak the reference deployment as per their needs. Both DB and DB-less modes are supported. Please have a look at the deploy/manifests directory in the GitHub repository.
  • Documentation: The documentation for the project has been revamped. Deployment guides, how-to guides, and reference docs have been added.
  • Deployment: The deployment of Kong Ingress Controller in DB and DB-less modes has been simplified, and Kong Ingress Controller now always runs as a side-car to Kong in proxy mode. There is no dedicated deployment for Kong Ingress Controller that needs to be run.

Fixed

  • SNIs and Certificates are now de-duplicated across namespaces. #360 #327
  • Empty TLS secret no longer stops the controller from syncing configuration #321
  • Fix a nil reference when empty Ingress rules are created #365

Under the hood

  • Kubernetes client-go library has been updated to v1.15.3.
  • Credentials sync has been moved into decK and decK has been bumped up to v0.5.1.

0.5.0 - 2019/06/25

Summary

This release introduces automated TLS certificates, consumer-level plugins, enabling deployments using controller and Kong's Admin API at the same time and numerous bug-fixes and enhancements.

Breaking changes

  • UUID of consumers in Kong are no longer associated with UID of KongConsumer custom resource.

Added

  • Kong 1.2 is now supported, meaning wild-card hosts in TLS section of Ingress resources are allowed.
  • Automated TLS certificates using Let's Encrypt: Use Kong's Ingress Controller and cert-manager to automatically provision TLS certs and serve them.
  • Tagging support: All entities managed by Kong Ingress Controller in Kong's database are now tagged and the controller manages only a subset of Kong's configuration. Any entity created via Kong's Admin API will not be automatically deleted by the Ingress Controller.
  • Consumer-level plugins can now be configured by applying plugins.konghq.com annotation on KongConsumer custom resources. #250
  • Kong Enterprise workspaces: Ingress Controller can manage a specific workspace inside Kong Enterprise (previously, only default workspace).
  • Avoid reloading configuration in Kong in db-less mode when there is no change in configuration. #308
  • Service scoped plugins for Kong 1.1 are now configured correctly. #289

Fixed

  • Multiple certificates are now correctly populated in Kong. #285
  • Missing entities like certificate secrets, services or plugins in Kubernetes object store will not stop controller from syncing configuration to Kong.
  • An Ingress rule with an empty path is correctly parsed and populated in Kong. #98
  • Plugins with a nested schema are now correctly configured. #294

Under the hood

  • Dependency management for the project is done using Go modules.
  • Kubernetes client-go library has been updated to v1.14.1.
  • Makefile and Dockerfiles have been simplified.

0.4.0 - 2019/04/24

Summary

This release introduces support to run Kong as an Ingress Controller without a database! This release comes with major under the hood rewrites to fix numerous bugs and design issues in the codebase. Most of the syncing logic has now been ported over to decK.

This release comes with a number of breaking changes. Please read the changelog and test in your environment.

Breaking Changes

  • ⚠️ Annotation <plugin-name>.plugin.konghq.com (deprecated in 0.2.0) is no longer supported.
  • ⚠️ --default-backend-service CLI flag is now removed. The default service will now be picked up from the default backend in the Ingress rules.
  • ⚠️ Service and Upstream entity overrides via KongIngress CRD are now supported only with configuration.konghq.com annotation on Kubernetes services. Route level overrides work the same as before, using the configuration.konghq.com annotation on Ingress resources.
  • ⚠️ strip_path property of Routes in Kong is set to true by default.
  • ⚠️ preserve_host property of Routes in Kong is set to true by default.
  • Plugins created for a combination of Route and Consumer using consumerRef property in KongPlugin CRD are not supported anymore. This functionality will be added back in the future via #250.
  • Service and upstream Host name have changed from namespace.service-name.port to service-name.namespace.svc.

Added

  • Ingress Controller now supports a DB-less deployment mode using Kong 1.1. #244
  • New run_on and protocols properties are added to KongPlugin CRD. These can be used to further tune behaviors of plugins in Service Mesh deployments.
  • New fields are added to KongIngress CRD to support HTTPS Active health-checks.
  • Ingress Controller is now built using Go 1.12.
  • Default service, which handles all traffic that is not matched against any of the Ingress rules, is now configured using the default backend defined via the Ingress resources.

Fixed

  • Logs to stdout and stderr will be much quieter and more helpful and won't be as verbose as before.
  • Routes with same path but different methods can now be created. #202
  • Removing a value in KongPlugin config will now correctly sync it to Kong. #117
  • Setting --update-state=false no longer causes a panic and performs leader election correctly. #232 Thanks to @lijiaocn for the fix!!
  • KongIngress will now correctly override properties of Upstream object in Kong. #252
  • Removing a value from KongPlugin config will now correctly unset it in Kong's datastore. #117

Under the hood

  • Translation of Ingress rules and CRDs to Kong entities is completely re-written. #241
  • For database deployments, an external tool, decK is used to sync resources to Kong, fixing numerous bugs and making Ingress Controller code saner and easier to maintain.

0.3.0 - 2019/01/08

Breaking Changes

  • ⚠️ Default Ingress class is now kong. If you were relying on the previous default of nginx, you will need to explicitly set the class using --ingress-class CLI flag.

Added

  • Support for Kong 1.0.x: Kong 1.0 introduces a number of breaking changes in the Admin API. Ingress controller is updated to make correct calls and parse responses correctly. #213
  • ingress.class annotation-based filtering on CRD: Multiple Kong clusters can be deployed and configured individually on the same Kubernetes Cluster. This feature allows configuring global Plugins, Consumers & credentials using a different ingress.class annotation for each Kong cluster. #220
  • TLS support for Ingress Controller <-> Kong communication: The ingress controller can now talk to Kong's Control-Plane using TLS with custom certificates. The following new CLI flags are introduced:
    • --admin-tls-skip-verify: to skip validation of a certificate; it shouldn't be used in production environments.
    • --admin-tls-server-name: use this if the FQDN of Kong's Control Plane doesn't match the CN in the certificate.
    • --admin-ca-cert-file: use this to specify a custom CA cert which is not part of the bundled CA certs. #212

Fixed

  • Retries for services in Kong can be set to zero. #211

0.2.2 - 2018/11/09

Fixed

  • Fix plugin config comparison logic to avoid unnecessary PATCH requests to Kong #196
  • Fix strip_path in Routes in Kong. It is now set to false by default as in all other versions of Ingress controller except 0.2.1. #194
  • Fix path-only based Ingress rule parsing and configuration where only a path based rule for a Kubernetes Service would not setup Routes and Service in Kong. #190
  • Fix a nil pointer reference when overriding Ingress resource with KongIngress #188

0.1.3 - 2018/11/09

Fixed

  • Fix path-only based Ingress rule parsing and configuration where only a path based rule for a Kubernetes Service would not setup Routes and Service in Kong. #190
  • Fix plugin config comparison logic to avoid unnecessary PATCH requests to Kong #196

0.2.1 - 2018/10/26

Added

  • Header Injection in requests to Kong's Admin API: HTTP Headers can be set via CLI which will be injected in every request sent to Kong's Admin API, enabling the use of Ingress Controller when Kong's Control Plane is protected by Authentication/Authorization. #172
  • Path only based routing: Path only Ingress rules (without a host) are now parsed and served correctly. #142
  • Under the hood, an external library is now used to talk to Kong's Admin API. Several other packages and dead code have been dropped. These changes don't have any user facing changes but are steps toward simplifying the code and making it more testable. #150 #154 #179

Fixed

  • Fixed KongIngress overrides to enable overriding hashing attributes in Upstream object in Kong. Thanks @jdevalk2 for the patch! #139
  • Remove and sync certificates correctly when TLS secret reference changes for a hostname in Ingress spec. #169
  • Migrations for Kong are run using 'Job' in Kubernetes to avoid any issues that might arise due to multiple Kong nodes running migrations. #161
  • Kong and Ingress controller now wait for Postgres to start and migrations to finish before attempting to start. #168

0.1.2 - 2018/10/26

Deprecated

  • ⚠️ Configuring plugins in Kong using <plugin-name>.plugin.konghq.com annotation is now deprecated and will be removed in a future release. Please use plugins.konghq.com annotation instead.

Added

  • Header Injection in requests to Kong's Admin API: HTTP Headers can be set via CLI which will be injected in every request sent to Kong's Admin API, enabling the use of Ingress Controller when Kong's Control Plane is protected by Authentication/Authorization. #172
  • Path only based routing: Path only Ingress rules (without a host) are now parsed and served correctly. #142
  • Global Plugins: Plugins can be configured to run globally in Kong using a "global" label on KongPlugin resource. #112
  • A new property plugin has been introduced in KongPlugin resource which ties the configuration to be used and the type of the plugin. #122
  • Multiple plugins can be configured for an Ingress or a Service in k8s using plugins.konghq.com annotation. #124
  • KongPlugin resources do not need to be duplicated any more. The same KongPlugin resource can be used across multiple Ingress/Service resources. #121

Fixed

  • Avoid issuing unnecessary PATCH requests on Services in Kong during the reconciliation loop, which lead to unnecessary Router rebuilds inside Kong. #107
  • Fixed the diffing logic for plugin configuration between KongPlugin resource in k8s and plugin config in Kong to avoid false positives. #106
  • Correctly format IPv6 address for Targets in Kong. Thanks @NixM0nk3y for the patch! #118
  • Fixed KongIngress overrides to enable overriding hashing attributes in Upstream object in Kong. Thanks @jdevalk2 for the patch! #139
  • Remove and sync certificates correctly when TLS secret reference changes for a hostname in Ingress spec. #169

0.1.1 - 2018/09/26

Fixed

  • Fix version parsing for minor releases of Kong Enterprise (like 0.33-1). The dash(-) didn't go well with the semver parsing #141

0.2.0 - 2018/09/21

Breaking Changes

  • ⚠️ Support for Kong 0.13.x has been dropped in favor of 0.14.x

Deprecated

  • ⚠️ Configuring plugins in Kong using <plugin-name>.plugin.konghq.com annotation is now deprecated and will be removed in a future release. Please use plugins.konghq.com annotation instead.

Added

  • Support for Kong 0.14.x: The supported version of Kong 0.14.x has been introduced. Kong 0.14.x introduced breaking changes to a few Admin API endpoints which have been updated in the Ingress Controller. #101
  • Global Plugins: Plugins can be configured to run globally in Kong using a "global" label on KongPlugin resource. #112
  • A new property plugin has been introduced in KongPlugin resource which ties the configuration to be used and the type of the plugin. #122
  • Multiple plugins can be configured for an Ingress or a Service in k8s using plugins.konghq.com annotation. #124
  • KongPlugin resources do not need to be duplicated any more. The same KongPlugin resource can be used across multiple Ingress/Service resources. #121
  • The custom resource definitions now have a short-name for all the CRDs, making it easy to interact with kubectl. #120

Fixed

  • Avoid issuing unnecessary PATCH requests on Services in Kong during the reconciliation loop, which lead to unnecessary Router rebuilds inside Kong. #107
  • Fixed the diffing logic for plugin configuration between KongPlugin resource in k8s and plugin config in Kong to avoid false positives. #106
  • Correctly format IPv6 address for Targets in Kong. Thanks @NixM0nk3y for the patch! #118

0.1.0 - 2018/08/17

Breaking Changes

  • ⚠️ Declarative Consumers in Kong: Kong consumers can be declaratively configured via KongConsumer custom resources. Any consumers created directly in Kong without a corresponding KongConsumer custom resource will be deleted by the ingress controller. #81

Added

  • Support Upstream TLS: Service in Kong can be configured to use HTTPS via KongIngress custom resource. #79
  • Support for control over protocol(HTTP/HTTPS) to use for ingress traffic via KongIngress custom resource. #64

Fixed

  • Multiple SNIs are created in Kong if multiple hosts are specified in TLS section of an Ingress resource. #76
  • Updates to KongIngress resource associated with an Ingress now update the corresponding routing properties in Kong. #92

v0.0.5 - 2018/06/02

Added

  • Add support for Kong Enterprise Edition 0.32 and above

v0.0.4 and prior

  • The initial versions were rapidly iterated to deliver a working ingress controller.