- Updated handling of `session_conf_secret` to accommodate Kong 3.6. It can now be omitted when using OIDC. #1033
- Setting a Service's `servicePort` to 0 now disables that port on the Service, for use when the external Service and container listens should differ, such as when terminating TLS at a LoadBalancer. #1021
- Added an `ingressController.admissionWebhook.filterSecrets` option. When enabled, the webhook will only validate Secrets that have one of the recognized KIC labels:
  - `konghq.com/credential: <"key-auth", "jwt", etc. credential types>`
  - `konghq.com/validate: <"plugin", "custom">`

  Earlier versions checked all Secrets and did not require labels, interfering with non-KIC labels. Requires KIC 3.0+. #1061
- Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP. #1018
- Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor. #1008
- Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1. #1011
- Bumped default `kong` image tag to 3.6. #1011
- Add `KongLicense` RBAC rules. #1006
- The plugin helper no longer sets the plugin list when not in use. #1002
- Added controller's RBAC rules for `KongVault` CRD (installed only when KIC version >= 3.1.0). #992
- Added a missing `envFrom` render in the main Kong proxy container. #994
- The `envFrom` and `ingressController.envFrom` values.yaml keys now populate the container field of the same name. This loads environment variables from ConfigMap or Secret resource keys in bulk: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables #987
- Kong listens now use both IPv4 and IPv6 addresses. #986
- Add RBAC rules for get, list and watch operations on namespaces so that Gateway API controllers in KIC can access using a cached controller-runtime client. #974
- Fix a template bug related to the `affinity` field for migrations Pods. #972
- Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade` RBAC rules. Refer to KIC#5302 for rename reasoning. #968
- Only allow `None` ClusterIPs on ClusterIP-type Services. #961 #962
- Bumped Kong version to 3.5. #957
- Support for `affinity` configuration has been added to migration job templates.
- Display a warning message when Kong Manager is enabled and the Admin API is disabled.
- Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's admission webhook only when KIC version is 3.0 or higher. #954
- Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when KongServiceFacade feature gate turned on and KIC version >= 3.1.0). #963
- Add new `deployment.hostname` value to make identifying instances in controlplane/dataplane configurations easier. #943
- Added controller's RBAC rules for `KongUpstreamPolicy` CRD. #917
- Added services resource to admission webhook config for KIC >= 3.0.0. #919
- Update default ingress controller version to v3.0 #929 #930
- The target port for cmetrics should only be applied if the ingress controller is enabled. #926
- Fix RBAC for Gateway API v1. #928
- Enable Admission webhook for Gateway API v1 resources. #928
- Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`. #896
- The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+. #907
- Container security context defaults now comply with the restricted pod security standard. This includes an enforced run as user ID set to 1000. UID 1000 is used for official Kong images other than Alpine images (which use UID 100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do not use UID 1000 can still run with this user, as static image files are world-accessible and runtime-created files are created in temporary directories created for the run as user. #911
- Allow using templates (via `tpl`) when specifying `proxy.nameOverride`. #914
- Make it possible to set the admission webhook's `timeoutSeconds`. #894
- The admission webhook now includes Gateway API resources and Ingress resources for controller versions 2.12+. This version introduces new validations for Kong's regex path implementation. #892
- Bump default `kong` image tag to 3.4. #883
- Bump default ingress controller image tag to 2.12.
- Added validation rule for `latency` upstream load balancing algorithm to CRDs. Upgrade your CRDs when installing this release.
- Listens now all support `.address` configuration. This was an existing setting that was not applied properly for some listens. #881
- Kuma ServiceAccount Token hints and volumes are also available in migrations Pods. #877
- Updated `admin_api_uri` to `admin_gui_api_url` as per Kong documentation.
- Enabled Service and Ingress in Kong Manager for non-enterprise users.
- Add missing CRD KongConsumerGroup and extend status subresource for CRDs.
- Fix parsing enterprise tags (e.g. `3.4.0.0`). #857
2.26 changes the default proxy readiness endpoint for newer Kong versions. This causes an issue in a narrow edge case. If all of the following are true:
- You use Kong 3.3 or newer.
- You use controller 2.10 or older.
- You run the controller and proxy in separate Deployments.
you are affected and should review the 2.26 upgrade instructions.
- Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if available. If not available, use the old `/status` default. #844
- Add ArgoCD `Sync` and `BeforeHookCreation` hook policies to the init and pre-upgrade migrations Jobs.
- Add controller's RBAC rules for `KongConsumerGroups` CRD. #850
- Updated controller version to 2.11.
- Generate the `adminApiService.name` value from `.Release.Name` rather than hardcoding to `kong`. #839
- Running `tpl` against user-supplied labels and annotations used in Deployment #814

  Example:

  ```yaml
  podLabels:
    version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream
  ```
- Fail to render templates when PodSecurityPolicy was requested but cluster doesn't serve its API. #823
- Add support for multiple hosts and tls configurations for Kong proxy `Ingress`. #813
- Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images. #834
- Fix Ingress and HPA API versions during capabilities checking #827
- Add custom label configuration option for Kong proxy `Ingress`. #812
- Bump default `kong/kubernetes-ingress-controller` image tag to 2.10. Bump default `kong` image tag to 3.3. #815
- Removed redundant RBAC permissions for non-existing subresources `secrets/status` and `endpoints/status`. #798
- For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints` are not configured anymore (because it uses `EndpointSlices`). #798
- Added support for setting `certificates.cluster.commonName`. This allows a custom certificate `CommonName` to be provided when deploying Kong Gateway in hybrid mode using Cert Manager. #804
- Added support for `startupProbe` on Kong pods. This can be configured via `.Values.startupProbe`. To maintain backward compatibility, it is disabled by default. #792
- Customize Admission Webhook namespaceSelectors and compose them from values. #794
- Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole. #796
- Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode is disabled by default. To enable it, set `.Values.ingressController.konnect.license.enabled=true`. #793
- Fix correct timestamp format and remove `isCA` in certificates #791
- Added support for automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`). #787
- Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled` is set. #779
- Security context enforces read-only root filesystem by default. This is not expected to affect most configurations, but will affect custom plugins that write to the container filesystem. #770
- Added support for the Admin API service TLS client verification. #780
- The `-redhat` suffix on official KIC images is no longer considered part of the semver string for version checks. #779
- Added support for controller's gateway discovery. With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller will enable gateway discovery using an Admin API service. For more information on this please see the corresponding README.md section. This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher. #747
- Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values. This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and requires `ingressController.gatewayDiscovery.enabled` set to `true`. #746
- Added support for annotations on the admission webhook ValidatingWebhookConfiguration. #760
- Added support for `subject` and `privateKey` properties on certificates. #762
- Added support for loadBalancerClass in LoadBalancer type services. #767
- Added support for `GRPCRoute`s. #772
- Default Kong version is bumped to 3.2. #773
- Added support for admissionhook to include labels. #768
- Add kube-linter to the CI pipeline to ensure produced manifests comply with community best practices. #751
- Fix autoscaling version detection. #752
- Don't include a clear-stale-pid initContainer when kong gateway is not enabled in the deployment. #749
- HorizontalPodAutoscaler's API version is detected properly. #744
- Fix template issue preventing custom dblessconfig volume from being mounted. #741
- The admission webhook is disabled when the ingress controller is disabled, as the admission webhook requires a service provided by the ingress controller.
- serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20. #735
- Let users specify their own labels and annotations for generated PodSecurityPolicy. #721
- Enable the admission webhook by default. This can reject configuration, but is not expected to be a meaningfully breaking change. Existing configuration is not affected, and any new changes that the webhook would reject would also be rejected by Kong. #727
- Replaced static secret with projected volume in deployment. #722
- Reject invalid log config values. #733
- Update custom resource definitions to latest v2.8.1 from kong/kubernetes-ingress-controller #730
- Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in migrations Jobs. This was already the case for the Deployment. #729
- Changed `ingressController.readinessProbe` to use `/readyz` to prevent pods from becoming ready and serving 404s prior to the `ingress-controller` first syncing config to the `proxy`. #716
- Fixed incorrect `if` block order in volume mount templates.
- Do not attempt to mount DB-less config if none provided by chart.
- Remove unnecessary failure condition from #695.
- Add the `dblessConfig.secret` key to the values file, allowing the user to supply a Secret for their dbless config file. #695
- Add support for version `v1beta1` of the Gateway API when generating RBAC rules. (#706)
- Prevent supplying duplicate plugin inclusion to `KONG_PLUGINS` env variable. (#711)
- Removed appProtocol to fix AKS load balancer (#705)
- Fix lookup for CA certificate secret for admission webhook. (#704)
Note: KIC 2.8 does include several updates to CRDs, but only for documentation and validation. You can upgrade CRDs, but doing so is not required.
- Default Kong and KIC versions bumped to 3.1 and 2.8.
- UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream). This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so. #682
- Supported `autoscaling/v2` API (#679)
- Add support for specifying the minimum number of seconds for which newly created pods should be ready without any of their containers crashing, for them to be considered available. (`deployment.minReadySeconds`) (#688)
- Increased the default memory requests and limits for the Kong pod to 2G (#690)
- Add a rule for `KongIngress` to the ValidatingWebhookConfiguration. (#702)
- Removed `PodSecurityPolicy` if the API is not supported in k8s cluster to be compatible with k8s 1.25+. #680
- Updated default controller version to KIC 2.7.
- Added cert-manager issuer support for proxy default and cluster mtls certificates (#592)
- Updated CRDs with the new ordering field for KongPlugins, the new IngressClassParameters resource, and assorted field description updates. These require a manual update.
- Updated default tags to Kong 3.0 and KIC 2.6.
- Added ClusterRole for cluster-scoped resources when using watchNamespaces. #611
- Added `extraObjects` to create additional k8s resources as part of the helm release. #652
- Fixed Deployment missing if in case of empty tolerations #630
- Use stdout and stderr by default for all logs. Several were writing to prefix directory files. #634
- Remove `terminationGracePeriodSeconds` from KIC's container spec since this field is only applicable for pods, not containers. #640
- Bump controller version to 2.5. #642
- Added `fullnameOverride` to override the normal resource name string. #635
- Added size limits for emptyDir mounts. #632
- Kuma now also mounts ServiceAccount tokens on releases without a controller container.
- Updated manual ServiceAccount Secret mount format for compatibility with Kuma.
- Added option to disable test job pods. #598
- Changed default admission failure policy from `Fail` to `Ignore`. #612
- ServiceAccount tokens are now only mounted in the controller container to limit attack surface. #619
- Fixed another unwanted newline chomp that broke GatewayClass permissions.
- Added terminationDelaySeconds for Ingress Controller. (597)
- Made KNative permissions conditional on CRD availability.
- Removed KNative permission from the Gateway permissions set.
- Fixed an unwanted newline chomp in fix PR #595. (594)
- Fixed the stream default type, which should have been an empty array, not an empty map. This had no effect on chart behavior, but resulted in warning messages when user values.yamls contained non-empty stream configuration. (594)
- Gateway API permissions are no longer created if Gateway API CRDs are not installed on the cluster. This would block installs by non-super admin users. (595)
2.8 requires manual removal of existing IngressClass resources and updates the Postgres sub-chart version. Further details are available in the upgrade guide.
The chart honors `ingressController.installCRDs: false` again. Remove it from
your values.yaml if it is currently present. Unless your install user
[lacks permissions to read CRDs](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-cluster-scoped-permissions),
which would have prevented you from installing earlier chart versions, you
should omit this setting and let the templates detect whether you use the
legacy CRD installation method automatically.
- Added Ingress for cluster sync. (583)
- Added controller support for custom environment variables. (568)
- Ingress `pathType` field is now configurable. (564)
- Added IngressClass resources to RBAC roles. (563)
- Ingresses now support wildcard hostnames. (559)
- Enables the option to add sidecar containers to the migration containers. (540)
- Update the IngressClass controller string to match the value used upstream. (557)
- Added support for user-defined controller volume mounts. (560)
- Added support for autoscaling `behavior`. (561)
- Improved support and documentation for installations that lack cluster-scoped permissions. (565)
- Updated podDisruptionBudget from `policy/v1beta1` to `policy/v1`. (574)
- Updated controller version to 2.3.
- Removed CREATE from ValidatingWebhookConfiguration objectSelector for Secrets to align with changes in Kong/kubernetes-ingress-controller. (#542)
- Fixed traffic routing from Istio's envoy proxy to Kong proxy when using Istio's AuthorizationPolicy. (#550)
- Fixed creation of non-default IngressClasses (#552)
- Fixed: wait_for_db no longer tries to instantiate the keyring in Kong Enterprise (#556)
2.7.0 includes CRD updates, which must be applied manually.
- There are upstream changes to the Postgres sub-chart that change many values.yaml keys. The default `postgresqlUsername` and `postgresqlDatabase` keys used in this chart's values.yaml are now `auth.username` and `auth.database`. If you set other Postgres sub-chart values, consult the upstream README and upgrade guide to see what you need to change.
- Added Gateway API resources to RBAC rules. (#536)
- Replaced `sleep 15` in `preStop` command with `--wait=15` argument to `kong quit`. (#531)
- Added support for non `KONG_` prefixed custom environment variables (#530)
- Updated to latest CRDs from upstream.
- Generated IngressClass resources persist across updates properly. (#518)
- Updated default tags to Kong 2.7, Kong Enterprise 2.7.0.0, and Kong Ingress Controller 2.1.
- Corrected a misnamed field in podDisruptionBudget. (#519)
- Increased example resources for the Kong container. (#511)
- Corrected an invalid label match condition for the admission webhook. (#513)
- Added `app` and `version` labels to pods. (#504)
- Reworked leftover socket file cleanup to avoid similar problems of the same class. (#508)
- SecurityContext and resources applied to PID cleanup initContainer also. (#503)
- Disabled the admission webhook on Helm Secrets, fixing an issue where it prevented Helm from updating release metadata. (#500)
- initContainers that use the Kong image use the same imagePullPolicy as the main Kong container. (#501)
- Applied mesh sidecar annotations to the Pod, not the Deployment. (#507)
- Disabled IngressClass creation on Kubernetes versions that do not support it.
- Added missing resources (Secrets, KongClusterPlugins) to the admission controller configuration. (#492)
Note: chart versions 2.3.0 through 2.5.0 contained an incorrect KongIngress CRD. The `proxy.path` field was missing. Helm will not fix this automatically on upgrade. You can fix it by running:

```
kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml
```
- Added an initContainer to clear leftover PID file in the event of a Kong container crash, allowing the container to restart. (#480)
- Added deployment.hostNetwork to enable host network access. (#486)
- NOTES.txt documentation link now uses up-to-date location.
- Ingress availability check tightened to require the Ingress API specifically in `networking.k8s.io/v1`. (#484)
- Flipped backwards logic for creating an IngressClass when no IngressClass was present. (#485)
- Removed unnecessary hardcoded controller container argument. (#481)
- Restored missing `proxy.path` field to KongIngress CRD.
- Default Kong proxy version updated to 2.6.
- Properly disable KongClusterPlugin when watchNamespaces is set. (#475)
- KIC now defaults to version 2.0. If you use a database, you must first perform a temporary intermediate upgrade to disable KIC before upgrading it to 2.0 and re-enabling it. See the upgrade guide for detailed instructions.
- ServiceAccounts are now always created by default unless explicitly disabled. ServiceAccount customization has moved under the `deployment` section of configuration to reflect this. This accommodates configurations that need a ServiceAccount but that do not use the ingress controller. (#455)
- Migration jobs support a configurable backoffLimit. (#442)
- Generated Ingresses now use `networking.k8s.io/v1` when available. (#446)
- 5-digit UDP ports now work properly. (#443)
- Fixed port name used for NLB annotation example. (#458)
- Fixed a compatibility issue with Helm's `--set-file` feature and user-provided DB-less configuration ConfigMaps. (#465)
- Upgraded CRDs to V1 from the previous deprecated v1beta1. #391
ACTION REQUIRED: This is a breaking change as it makes
this chart incompatible with Kubernetes clusters older
than v1.16.x. Upgrade your cluster to a version greater
than or equal to v1.16 before installing.
Note that technically it will remain possible to deploy
on older clusters by managing the CRDs manually ahead of
time (e.g. intentionally deploying the legacy CRDs) but
these configurations will be considered unsupported.
upgrade
ACTION REQUIRED: For existing deployments Helm avoids managing CRDs so when upgrading from a previous release you will need to apply the new V1 versions of the CRDs (in `crds/`) manually. hip-0011 (#415)
- Added support for controller metrics to the Prometheus resources. This requires KIC 2.x. The chart automatically detects if your controller image is compatible, but only if your tag is semver-compliant. If you are using an image without a semver-compliant tag (such as `next`) you must set the `ingressController.image.effectiveSemver` value to a semver string appropriate for your image (for example, if your image is 2.0.0-based, you would set it to `2.0.0`). (#430)
- Updated default Kong versions to 2.5 (OSS) and 2.5.0.0 (Enterprise).
- Added user-configured initContainer support to Jobs. (#408)
- Upgraded RBAC resources to v1 from v1beta1 for compatibility with Kubernetes 1.22 and newer. This breaks compatibility with Kubernetes 1.7 and older, but these Kubernetes versions were never supported, so this change is not breaking. Added additional permissions to support KIC 2.x. (#420) (#419)
- Added `ingressController.watchNamespaces[]` to values.yaml. When set, the controller will only watch the listed namespaces (instead of all namespaces, the default), and will create Roles for each namespace (instead of a ClusterRole). This feature requires KIC 2.x. (#420)
- Added support for dnsPolicy and dnsConfig. (#425)
- Use migration commands directly in upgrade/install Jobs instead of invoking them via a shell. This adds support for some additional features in Kong images that only apply when the container command starts with `kong`. (#429)
- Fixed an incorrect template for DaemonSet releases. (#426)
- Removed default `maxUnavailable` setting for pod disruption budget configuration. This is necessary to allow usage of the `minUnavailable` setting, but means that there is no longer any default availability constraint. If you set `podDisruptionBudget.enabled=true` in your values and did not previously set any `podDisruptionBudget.maxUnavailable` value, you must add `podDisruptionBudget.maxUnavailable="50%"` to your values.
- Added host alias injection to override DNS and/or add DNS entries not available from the DNS resolver. (#366)
- Added support for custom labels. (#370)
- Only add paths to Ingresses if configured, for OpenShift 4.x compatibility. (#375)
- Kong containers no longer override the image ENTRYPOINT. This allows the stock image bootstrap scripts to run normally. (#377)
- Added security context settings for containers. (#387)
- Bumped Kong and controller image defaults to the latest versions. (#378)
- Added support for user-provided admission webhook certificates. (#385)
- Disable service account tokens when it is unnecessary. (#389)
- Admission webhook port is now listed under the controller container, where the admission webhook runs. (#384)
- Removed a duplicate key from example values. (#360)
- Clarified Enterprise free mode usage. (#362)
- Expand EKS Service annotation examples for proxy. (#376)
- Added support for user-defined volumes, volume mounts, and init containers. (#317)
- Tolerations are now applied to migration Job Pods also. (#341)
- Added support for using a DaemonSet instead of Deployment. (#347)
- Updated default image versions and completed migration off Bintray repositories. (#349)
- PDB ignores migration Job Pods. (#352)
- Clarified service monitor usage information. (#345)
- Helm 2 is no longer supported. You must migrate your Kong chart releases to Helm 3 before updating to this release.
- Deprecated Portal auth settings are no longer supported.
- The deprecated `runMigrations` setting is no longer supported.
- Deprecated admin API Service configuration is no longer supported.
- Deprecated multi-host proxy configuration is no longer supported.

`helm upgrade` with the previous version (1.15.0) will print a warning message
if you still use any of the removed values.yaml configuration. If you do not
see any warnings after the upgrade completes, you are already using the modern
equivalents of these settings and can proceed with upgrading to 2.0.0-rc1.
- Admission webhook certificates persist after their initial creation. This prevents an unnecessary restart of Kong Pods on upgrades that do not actually modify the deployment. (#256)
- `ingressController.installCRDs` now defaults to `false`, simplifying installation on Helm 3. Installs now default to using Helm 3's CRD management system, and do not require changes to values or install flags to install successfully. (#305)
- Added support for Pod `topologySpreadConstraints`. (#308)
- Kong Ingress Controller image now pulled from Docker Hub (due to Bintray being discontinued). Changed the default Docker image repository for the ingress controller.
- Generated admission webhook certificates now include SANs for compatibility with Go 1.15 controller builds. (#312).
- Clarified use of `terminationGracePeriodSeconds`. (#302)
1.15.0 is an interim release before the planned release of 2.0.0. There were several feature changes we wanted to release prior to the removal of deprecated functionality for 2.0. The original planned deprecations covered in the 1.14.0 changelog are still planned for 2.0.0.
- The default Kong version is now 2.3 and the default Kong Enterprise version is now 2.3.2.0.
- Added configurable `terminationGracePeriodSeconds` for the pre-stop lifecycle hook. (#271).
- Initial migration database wait init containers no longer have a default image configuration in values.yaml. When no image is specified, the chart will use the Kong image. The standard Kong images include bash, and can run the database wait script without downloading a separate image. Configuring a wait image is now only necessary if you use a custom Kong image that lacks bash. (#285).
- Init containers for database availability and migration completeness can now be disabled. They cause compatibility issues with many service meshes. (#285).
- Removed the default migration Job annotation that disabled Kuma's mesh proxy. The latest version of Kuma no longer prevents Jobs from completing. (#285).
- Services now support user-configurable labels, and the Prometheus ServiceMonitor label is included on the proxy Service by default. Users that disable the proxy Service must add this label to another Service to collect metrics. (#290).
- Migration Jobs now allow resource quota configuration. Init containers inherit their resource quotas from their associated Kong container. (#294).
- The database readiness wait script ConfigMap and associated mounts are no longer created if that feature is not in use. (#285).
- Removed a duplicated field from CRDs. (#281).
- Removed `http2` from default status listen TLS parameters. It only supports a limited subset of the extra listen parameters, and does not allow `http2`.
- Status listens now include parameters in the default values.yaml. The absence of these defaults caused a template rendering error when the TLS listen was enabled.
- Updated status listen comments to reflect TLS listen availability on Kong 2.1+.
- Fix issues with legacy proxy Ingress object template.
- Corrected invalid default value for `enterprise.smtp.smtp_auth`.
- Moved several Kong container settings into the appropriate template block. Previously these were rendered whether or not the Kong container was enabled, which unintentionally applied them to the controller container.
1.14 is the last planned 1.x version of the Kong chart. 2.x will remove support for Helm 2.x and all deprecated configuration. The chart prints a warning when upgrading or installing if it detects any configuration still using an old format.
- All Ingress and Service resources now use the same template. This ensures that all chart Ingresses and Services support the same configuration. The proxy previously used a unique Ingress configuration, which is now deprecated. If you use the proxy Ingress, see the instructions in UPGRADE.md to update your configuration. No changes are required for other Service and Ingress configurations. (#251).
- The chart now uses the standard Kong status endpoint instead of custom configuration, allowing users to specify their own custom configuration. The status endpoint is not available in versions older than Kong 1.4.0 or Kong Enterprise 1.5.0; if you use an older version, you will need to add and load the old custom configuration.

  If you use a newer version and include Kong container readinessProbe and/or livenessProbe configuration in your values.yaml, you must change the port from `metrics` to `status`. (#255).
- Correct an issue with migrations Job toggles. (#231)
- Updated default Kong Enterprise version to 2.2.1.0-alpine.
- Updated default Kong Ingress Controller version to 1.1.
- Add `namespace` to values.yaml to override release namespace if desired. (#231)
- Migration Jobs now use the same nodeSelector configuration as the main Kong Deployment. (#238)
- Disabled custom Kong template mount if Kong is not enabled. (#240)
- Changed YAML string to a YAML boolean. (#240)
- Clarify requirements for using horizontal pod autoscalers. (#236)
- Increased default worker count to 2 to avoid issues with latency during blocking tasks, such as DB-less config updates. This change increases memory usage, but the increase should not be a concern for any but the smallest deployments (deployments with memory limits below 512MB).
- Updated default Kong version to 2.2. (#221)
- Updated default Kong Enterprise version to 2.1.4.1.
- Added a means to mount extra ConfigMap and Secret resources. (#208)
- Added configurable annotations for migration Jobs. (#219)
- Added template for deprecation warnings to automate formatting and avoid excess newlines.
- Upgrades no longer force auto-scaling Deployments back to the replica count. (#222)
- Kong Ingress Controller 1.0 removes support for several deprecated flags and the KongCredential custom resource. Please see the controller changelog for details. Note that Helm 3 will not remove the KongCredential CRD by default: you should delete it manually after converting KongCredentials to credential Secrets.

  If you manage CRDs using Helm (check to see if your KongCredential CRD has an `app.kubernetes.io/managed-by: Helm` label), perform the credential Secret conversion before upgrading to chart 1.11.0 to avoid losing credential configuration.
- The chart no longer uses the `extensions` API for PodSecurityPolicy, and now uses the modern `policy` API. This breaks compatibility with Kubernetes versions 1.11 and older. (#195)
- Updated default controller version to 1.0.
- The chart now adds namespace information to manifests explicitly. This simplifies workflows that use `helm template`. (#193)
- Changes to annotation block generation prevent incorrect YAML indentation when specifying annotations via command line arguments to Helm commands. (#200)
- Kong Ingress Controller 0.10.0 comes with breaking changes to global `KongPlugin`s and to resources without an ingress class defined. Refer to the UPGRADE.md notes for chart 1.10.0 for details.
- Updated default controller version to 0.10.0.
- Removed the `status` field from the `TCPIngress` CRD. (#188)
- Clarified documentation for breaking changes in 1.9.0 to indicate that any values.yaml that sets `waitImage.repository` requires changes, including those that set the old default.
- Updated Enterprise examples to use latest Enterprise image version.

1.9.0 now uses a bash-based pre-migration database availability check. If you
set `waitImage.repository` in values.yaml, either to the previous default
(`busybox`) or to a custom image, you must change it to an image that includes
a `bash` executable.

Once you have `waitImage.repository` set to an image with bash, perform an
initial chart version upgrade with migrations disabled before re-enabling
migrations, updating your Kong image version, and performing a second release
upgrade.
- Added support for sidecar injection. (#174)
- Changed to a bash-based pre-migration database availability check. (#179)
- Updated default Kong Enterprise version to 2.1.3.0.
- Added missing cluster telemetry service and fixed missing cluster service port. (#185)
- Added an example Enterprise controller-managed DB-less values.yaml. (#175)
Kong Enterprise users: please review documentation for the Kong Enterprise 2.1.x beta release and hybrid mode on Kong Enterprise as well. Version 1.8 of the Kong Helm chart adds support for hybrid mode, which is currently only available in the 2.1.x beta. Production systems should continue to use the Kong Enterprise 1.5.x stable releases, which do not support hybrid mode.
- Update default Kong version to 2.1.
- Update Kong Enterprise images to 1.5.0.4 (kong-enterprise-edition) and 2.0.4.2 (kong-enterprise-k8s).
- Updated default controller version to 0.9.1. (#150)
- Added support for ServiceMonitor targetLabels (for use with the Prometheus Operator). (#162)
- Automatically handle the new port_maps setting for the proxy service. (#169)
- Add support for hybrid mode deployments. (#160)
- Fixed an issue with improperly-rendered listen strings. (#155)
- Improved inline documentation of `env` in values.yaml. (#163)
- Added support for CRD-only and controller-only releases. (#136)
- Added a set of example values.yamls for various configurations of Kong and Kong Enterprise. (#134)
This release contains no changes other than the version. This is to address an issue with our release automation.
- Updated default controller version to 0.9.0. (#132)
- Updated default Enterprise versions to 2.0.4.1 and 1.5.0.2. (#130)
- Added ability to override chart lifecycle. (#116)
- Added ability to apply user-defined labels to pods. (#121)
- Filtered serviceMonitor to disable metrics collection from non-proxy services. (#112)
- Set admin API to listen on localhost only if possible. (#125)
- Add `auth_type` and `ssl` settings to `smtp` block. (#127)
- Remove UID from default securityContext. (#138)
- Corrected invalid default serviceMonitor.interval value. (#110)
- Removed duplicate `installCRDs` documentation. (#115)
- Simplified example license Secret creation command. (#131)
- Added support for annotating the ServiceAccount. (#97)
- Updated controller templates to use environment variables for default configuration. (#99)
- Added support for stream listens. (#103)
- Moved migration configuration under a `migrations` block with support for enabling upgrade jobs independently and adding annotations. (#102)
- Added support for the status listen. (#107)
⚠️ Exposed PodSecurityPolicy spec in values.yaml and added default configuration to enforce a read-only root filesystem. Kong Enterprise versions prior to 1.5.0 require the root filesystem be read-write. If you use an older version and enforce PodSecurityPolicy, you must set `.Values.podSecurityPolicy.spec.readOnlyRootFilesystem: false`. (#104)
- Fixed old init-migrations jobs blocking upgrades. (#102)
- Fixed discrepancy between image version in values.yaml and README.md. (#96)
- Added example Enterprise image tags to values.yaml. (#100)
- Added deprecation warnings in CHANGELOG.md. (#91)
- Improved RBAC documentation to clarify process and use new controller functionality. (#95)
- Added documentation for managing multi-release clusters with varied node roles (e.g. admin-only, Portal-only, etc.). (#102)
- Fixed an issue with the 1.4.1 upgrade steps.
⚠️ Service and listen configuration now use a unified configuration format. The previous configuration format for the admin API service is deprecated and will be removed in a future release. Listen configuration now supports specifying parameters. Kubernetes service creation can now be enabled or disabled for all Kong services. Users should review the 1.4.0 upgrade guide for details on how to update their values.yaml. (#72)
- Updated the default controller version to 0.8. This adds new KongClusterPlugin and TCPIngress CRDs and RBAC permissions for them. Users should also note that `strip_path` now defaults to disabled, which will likely break existing configuration. See the controller changelog and upgrade-guide for full details. (#77)
- Added support for user-supplied ingress controller CLI arguments. (#79)
- Added support for annotating the chart's deployment. (#81)
- Switched to the Bitnami Postgres chart, as the chart in Helm's repository has moved there. (#82)
- Corrected the app version in Chart.yaml. (#86)
- Fixed incorrect default value for `installCRDs`. (#78)
- Added detailed upgrade guide covering breaking changes and deprecations. (#74)
- Improved installation steps for Helm 2 and Helm 3. (#83) (#84)
- Remove outdated `ingressController.replicaCount` setting. (#87)
- Added missing newline to NOTES.txt template. (#66)
- Instruct users to create secrets for both the kong-enterprise-k8s and kong-enterprise-edition Docker registries. (#65)
- Updated maintainer information.
- Custom plugin mounts now support subdirectories. These are necessary for plugins that include their own migrations. Note that Kong versions prior to 2.0.1 have a bug that prevents them from running these migrations. (#24)
- LoadBalancer services will now respect their NodePort. (#48)
- The proxy TLS listen now enables HTTP/2 (and, by extension, gRPC). (#47)
- Added support for `priorityClassName` to the Kong deployment. (#56)
- Bumped default Kong version to 2.0 and controller version to 0.7.1. (#60)
⚠️ Removed dedicated Portal auth settings, which are unnecessary in modern versions. The `enterprise.portal.portal_auth` and `enterprise.portal.session_conf_secret` settings in values.yaml are deprecated and will be removed in a future release. See the upgrade guide for instructions on migrating them to environment variables. (#55)
- Fixed typo in HorizontalPodAutoscaler template. (#45)
- Added contributing guidelines. (#41)
- Added README section for Helm 2 versus Helm 3 considerations. (#34)
- Added documentation for `proxy.annotations` to README.md. (#57)
- Added FAQ entry for init-migrations job conflicts on upgrades. (#59)
- Move changelog out of README.md into CHANGELOG.md. (#60)
- Improved formatting for 1.2.0 changelog.
- Added support for HorizontalPodAutoscaler. (#12)
- Environment variables are now consistently sorted alphabetically. (#29)
- Removed temporary ServiceAccount template, which caused upgrades to break the existing ServiceAccount's credentials. Moved template and instructions for use to FAQs, as the temporary user is only needed in rare scenarios. (#31)
- Fix an issue where the wait-for-postgres job did not know which port to use in some scenarios. (#28)
- Added warning regarding volume mounts. (#25)
- Add missing `smtp_admin_emails` and `smtp_mock = off` to SMTP enabled block in `kong.env`.
- Remove version bump requirement in preparation for new release model.
- Significantly refactor the `env`/EnvVar templating system to determine the complete set of environment variables (both user-defined variables and variables generated from other sections of values.yaml) and resolve conflicts before rendering. User-provided values are now guaranteed to take precedence over generated values. Previously, precedence relied on a Kubernetes implementation quirk that was not consistent across all Kubernetes providers.
- Combine templates for license, session configuration, etc. that generate `secretKeyRef` values into a single generic template.
- Fix invalid namespace for pre-migrations and Role.
- Fix whitespace formatting in README.
- Helm 3 support: CRDs are declared in crds directory. Backward compatible support for helm 2.
Fixed invalid namespace variable name causing ServiceAccount and Role to be generated in a namespace other than the desired one.
There are no code changes between `1.0.0` and `0.36.5`.
From this version onwards, charts are hosted at https://charts.konghq.com.
The `0.x` versions of the chart are available in Helm's Charts repository and are now considered deprecated.
- Allow `grpc` protocol for KongPlugins
- Fix spacing in ServiceMonitor when label is specified in config
- Set `sideEffects` and `admissionReviewVersions` for Admission Webhook
- Timeouts for liveness and readiness probes have been changed from `1s` to `5s`
- Added missing watch permission to custom resources
- When upgrading from <0.35.0, in-place chart upgrades will fail. It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch. Note that this will cause downtime for the kong proxy.
- Fixed Deployment's label selector that prevented in-place chart upgrades.
- Update CRDs to Ingress Controller 0.7
- Optimize readiness and liveness probes for more responsive health checks
- Fixed incorrect space in NOTES.txt
PR #19856
- Labels on all resources have been updated to adhere to the Helm Chart guideline here: https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository
PR #19854
This release contains no user-visible changes
- Various tests have been consolidated to speed up CI.
PR #19887
- Correct indentation for Job securityContexts.
PR #19885
- Update default version of Ingress Controller to 0.7.0
PR #19852
- Correct an issue with white space handling within `final_env` helper.
PR #19840
- Postgres sub-chart has been bumped up to 8.1.2
- Removed the PodDisruptionBudget for Ingress Controller. Ingress Controller and Kong run in the same pod, so this was no longer applicable.
- Migration job now receives the same environment variable and configuration as that of the Kong pod.
- If Kong is configured to run with Postgres, the Kong pods now always wait for Postgres to start. Previously this was done only when the sub-chart Postgres was deployed.
- A hard-coded container name is used for kong: `proxy`. Previously this was auto-generated by Helm. This deterministic naming allows for simpler scripts and documentation.
Following changes have no end user visible effects:
- All Custom Resource Definitions have been consolidated into a single template file
- All RBAC resources have been consolidated into a single template file
- `wait-for-postgres` container has been refactored and de-duplicated
- This is a doc only release. No code changes have been done.
- Post installation steps have been simplified and now point to a getting started page
- Misc updates to README:
- Document missing variables
- Remove outdated variables
- Revamp and rewrite major portions of the README
- Added a table of contents to make the content navigable
- Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow for read-only root filesystem securityContexts and PodSecurityPolicys.
- Use read-only mounts for custom plugin volumes.
- Update stock PodSecurityPolicy to allow emptyDir access.
- Override the standard `/usr/local/kong` prefix to the mounted emptyDir at `/kong_prefix` in `.Values.env`.
- Add securityContext injection points to template. By default, it sets Kong pods to run with UID 1000.
- Correct behavior for the Vitals toggle. Vitals defaults to on in all current Kong Enterprise releases, and the existing template only created the Vitals environment variable if `.Values.enterprise.enabled == true`. Inverted template to create it (and set it to "off") if that setting is instead disabled.
- Correct an issue where custom plugin configurations would block Kong from starting.
- Admin Service is disabled by default (`admin.enabled`)
- Default for `proxy.type` has been changed to `LoadBalancer`
- Update default version of Kong to 1.4
- Update default version of Ingress Controller to 0.6.2
- Add support to disable kong-admin service via `admin.enabled` flag.
- Do not remove white space between documents when rendering `migrations-pre-upgrade.yaml`
- Add support for specifying Proxy service ClusterIP
- `admin_gui_auth_conf_secret` is now required for Kong Manager authentication methods other than `basic-auth`. Users defining values for `admin_gui_auth_conf` should migrate them to an externally-defined secret with a key of `admin_gui_auth_conf` and reference the secret name in `admin_gui_auth_conf_secret`.
- Add support for specifying Ingress Controller environment variables.
- Added support for the Validating Admission Webhook with the Ingress Controller.
- Do not create a ServiceAccount if it is not necessary.
- If a configuration change requires creating a ServiceAccount, create a temporary ServiceAccount to allow pre-upgrade tasks to complete before the regular ServiceAccount is created.
- Retroactive changelog update for 0.24 breaking changes.
- DB-less mode is enabled by default.
- Kong is installed as an Ingress Controller for the cluster by default.
- Add support for PodSecurityPolicy
- Require creation of a ServiceAccount
- The configuration format for ingresses in values.yaml has changed. Previously, all ingresses accepted an array of hostnames, and would create ingress rules for each. Ingress configuration for services other than the proxy now accepts a single hostname, which allows simpler TLS configuration and automatic population of `admin_api_uri` and similar settings. Configuration for the proxy ingress is unchanged, but its documentation now accurately reflects the TLS configuration needed.