Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
…ateway (#3226)

* fix(gateway-api): verify TLS/TCPRoute is accepted before pushing to Gateway

* add test

* fix ut

* changelog

* Add todo

* Fix typo
21 contributors

Users who have contributed to this file

@rainest @shaneutt @hbagdi @mflendrich @pmalek @czeslavo @randmonkey @mlavacca @ccfishk @tharun208 @seh @jrsmroz
2176 lines (1806 sloc) 107 KB

Table of Contents

2.8.0

Release date: TBD

Breaking changes

  • The CombinedRoutes feature flag is enabled by default, and traditional route generation is deprecated. This reduces configuration size without affecting routing, but does change route names and IDs. Metrics monitors or other systems that track data by route name or ID will see a break in continuity. The feature gates document covers changes in greater detail. Please comment on the deprecation issue if you have questions or concerns about the transition. #3132

Added

  • Added HTTPRoute support for CombinedRoutes feature. When enabled, HTTPRoute.HTTPRouteRule objects with identical backendRefs generate a single Kong service instead of a service per rule, and HTTPRouteRule.HTTPRouteMatche objects using the same backendRefs can be consolidated into a single Kong route instead of always creating a route per match, reducing configuration size. The following limitations apply:
    • HTTPRouteRule objects cannot be consolidated into a single Kong Service if they belong to different HTTPRoute.
    • HTTPRouteRule objects cannot be consolidated into a single Kong Service if they have different HTTPRouteRule.HTTPBackendRef[] objects. The order of the backend references is not important.
    • HTTPRouteMatch objects cannot be consolidated into a single Kong Route if parent HTTPRouteRule objects cannot be consolidated into a single Kong Service.
    • HTTPRouteMatch objects cannot be consolidated into a single Kong Route if parent HTTPRouteRule objects have different HTTPRouteRule.HTTPRouteFilter[] filters.
    • HTTPRouteMatch objects cannot be consolidated into a single Kong Route if they have different matching spec (HTTPHeaderMatch.Headers, HTTPHeaderMatch.QueryParams, HTTPHeaderMatch.Method). Different HTTPHeaderMatch.Path paths between HTTPRouteMatch[] objects does not prevent consolidation. This change does not functionally impact routing: requests that went to a given Service using the original method still go to the same Service when CombinedRoutes is enabled. #3008 [#3060]#3060)
  • Added --cache-sync-timeout flag allowing to change the default controllers' cache synchronisation timeout. #3013
  • Secrets validation introduced: CA certificates won't be synchronized to Kong if the certificate is expired. #3063
  • Changed the logic of storing secrets into object cache. Now only the secrets that are possibly used in Kong configuration are stored into cache, and the irrelevant secrets (e.g: service account tokens) are not stored. This change is made to reduce memory usage of the cache. #3047
  • Services support annotations for connect, read, and write timeouts. #3121
  • Services support annotations for retries. #3121
  • Routes support annotations for headers. These use a special konghq.com/headers.HEADERNAME format. For example, adding konghq.com/headers.x-example: green to an Ingress will create routes that only match requests with an x-example: green request header. #3121 #3155
  • Routes support annotations for path handling. #3121
  • Warning events are recorded when CA secrets cannot be properly translated into Kong configuration. #3125
  • Warning events are recorded when annotations in services backing a single route do not match. #3130
  • Warning events are recorded when a service's referred client-cert does not exist. #3137
  • CRDs' validations improvements: UDPIngressRule.Port, IngressRule.Port and IngressBackend.ServiceName instead of being validated in the Parser, are validated by the Kubernetes API now. #3136
  • Gateway API: Implement port matching for HTTPRoute, TCPRoute and TLSRoute as defined in GEP-957 #3129 #3226
  • Warning events are recorded when one of netv1.Ingress related issues occurs (e.g. backing Kubernetes service couldn't be found, matching Kubernetes service port couldn't be found). #3138
  • Warning events are recorded when a Gateway Listener has more than one CertificateRef specified or refers to a Secret that has no valid TLS key-pair. #3147
  • Warning events are recorded when an Ingress refers to a TLS secret that does not exist or has no valid TLS key-pair. #3150
  • Warning events are recorded when HTTPRoute has no backendRefs specified. #3167
  • Gateway API: Matching routes by Listener.AllowedRoutes #3181

Fixed

  • The controller now logs an error for and skips multi-Service rules that have inconsistent Service annotations. Previously this issue prevented the controller from applying configuration until corrected. #2988
  • Gateway API has been updated to 0.5.1. That version brought in some changes in the conformance tests logic. Now, when the TLS config of a listener references a non-existing secret, the listener ResolvedRefs condition reason is set to InvalidCertificateRef. In addition, if a TLS config references a secret in another namespace, and no ReferenceGrant allows that reference, the listener ResolvedRefs condition reason is set to RefNotPermitted. #3024
  • The distroless target is now the last target in the Dockerfile. This makes it the default target if docker buildx build is invoked without a target. While custom image build pipelines should specify a target, this change makes the default the same target released as the standard kong/kubernetes-ingress-controller:X.Y.Z tags in the official repo. #3043
  • The controller will no longer crash in case of missing CRDs installation. Instead, an explicit message will be logged, informing that a given resource controller has been disabled. #3013
  • Improve signal handling and cancellation. With this change broken connection to Admin API and/or initial data plane sync can be cancelled properly. #3076
  • Admin and proxy listens in the deploy manifests now use the same parameters as the default upstream kong.conf. #3165
  • Fix the behavior of filtering hostnames in HTTPRoute when listeners of parent gateways specified hostname. If an HTTPRoute does not specify hostnames, and one of its parent listeners has not specified hostname, the HTTPRoute matches any hostname. If an HTTPRoute specifies hostnames, and no intersecting hostnames could be found in its parent listners, it is not accepted. #3180

2.7.0

Release date: 2022-09-26

2.7 patches several bugs in 2.6.0. One of these required a breaking change. The breaking change is not expected to affect most configurations, but does require a minor version bump to comply with semver. If you have not already upgraded to 2.6, you should upgrade directly from 2.5 to 2.7, and follow the 2.6 upgrade instructions and the revised Kong 3.x upgrade instructions.

Breaking changes

  • Ingress paths that begin with /~ are now treated as regular expressions, and are translated into a Kong route path that begins with ~ instead of /~. To preserve the existing translation, set konghq.com/regex-prefix to some value. For example, if you set konghq.com/regex-prefix: /@, paths beginning with /~ will result in route paths beginning in /~, whereas paths beginning in /@ will result in route paths beginning in ~. #2956

Added

  • The controller-specific /~ prefix translates to the Kong ~ prefix, as Ingress does not allow paths that do not begin in /. The prefix can be overriden by setting a konghq.com/regex-prefix annotation, for routes that need their paths to actually begin with /~ #2956
  • Prometheus metrics now highlight configuration push failures caused by conflicts. The ingress_controller_configuration_push_count Prometheus metric now reports success="false" with a failure_reason="conflict|other" label, distinguishing configuration conflicts from other errors (transient network errors, Kong offline, Kong reported non-conflict error, etc.). #2965

Fixed

  • The legacy regex heuristic toggle on IngressClassParameters now works when the combined routes feature flag is enabled. #2942
  • Handles Kubernetes versions that do not support namespaced IngressClassParameters without panicking. Although the controller will run on clusters without the IngressClassNamespacedParams feature gate enabled (1.21) or without it available (<1.21), these clusters do not support the legacy regular expression heuristic IngressClassParameters option. These versions are EOL, and we advise users to upgrade to Kubernetes 1.22 or later before upgrading to KIC 2.6+ or Kong 3.0+. #2970

2.6.0

Release date: 2022-09-14

Breaking changes

  • Kong 3.x changes regular expression configuration and the controller does not handle these changes automatically. You will need to enable compatibility features initially and then update Ingress configuration before disabling them. This procedure is covered in the Kong 3.x upgrade guide for the controller.
  • When using the CombinedRoutes=true feature gate, Ingress rules with no PathType now use ImplementationSpecific instead of Prefix. While Kong's ImplementationSpecific handling is similar to Prefix, it does not require that the prefix be a directory: an ImplementationSpecific /foo will match /foo, /foo/, and /foo/.*, whereas Prefix will only match the latter two. If you have rules with no PathType, use CombinedRoutes=true, and wish to preserve existing behavior, add PathType=prefix configuration to those rules. #2883
  • The GatewayClass objects now require the annotation "konghq.com/gatewayclass-unmanaged" to be reconciled by the controller. The annotation "konghq.com/gateway-unmanaged" is not considered anymore and doesn't need to be set on Gateways to be reconciled. Only the Gateways using an unmanaged GatewayClass are reconciled. #2917

Added

  • IngressClassParameters now supports a enableLegacyRegexDetection boolean field. Kong 3.x+ requires adding a ~ prefix to regular expression paths, whereas Kong 2.x and earlier attempted to detect regular expression paths using heuristics. By default, if you use regular expression paths and wish to migrate to Kong 3.x, you must update all Ingresses to use this prefix. Enabling this field will use the 2.x heuristic to detect if an Ingress path is a regular expression and add the prefix for you. You should update your Ingresses to include the new prefix as soon as possible after upgrading to Kong 3.x+, however, as the heuristic has known flaws that will not be fixed. #2883
  • Added support for plugin ordering (requires Kong Enterprise 3.0 or higher). #2657
  • The all-in-one manifests now use a separate ClusterRole for Gateway API resources, allowing non-admin users to apply these manifests (minus the Gateway API role) on clusters without Gateway API CRDs installed. #2529
  • Gateway API support which had previously been off by default behind a feature gate (--feature-gates=Gateway=true) is now on by default and covers beta stage APIs (GatewayClass, Gateway, and HTTPRoute). Alpha stage APIs (TCPRoute, UDPRoute, TLSRoute, ReferenceGrant) have been moved behind a different feature gate called GatewayAlpha and are off by default. When upgrading if you're using the alpha APIs, switch your feature gate flags to --feature-gates=GatewayAlpha=true to keep them enabled. #2781
  • Added all the Gateway-related conformance tests. #2777
  • Added all the HTTPRoute-related conformance tests. #2776
  • Added support for Kong 3.0 upstream query_arg and uri_capture hash configuration to KongIngress. #2822
  • Added support for Gateway API's v1beta1 versions of: GatewayClass, Gateway and HTTPRoute. #2889 #2894 #2900
  • Manifests now use /bin/bash instead of /bin/sh and use bash-based connectivity checks for compatibility with the new Debian Kong images. #2923

Fixed

  • When Endpoints could not be found for a Service to add them as targets of a Kong Upstream, this would produce a log message at error and warning levels which was inaccurate because this condition is often expected when Pods are being provisioned. Those log entries now report at info level. #2820 #2825
  • Added mtls-auth to the admission webhook supported credential types list. #2739
  • Disabled additional IngressClass lookups in other reconcilers when the IngressClass reconciler is disabled. #2724
  • ReferencePolicy support has been dropped in favor of the newer ReferenceGrant API. #2775
  • Fixed a bug that caused the Knative feature gate to not be checked. Since our knative integration is on by default and because it gets very little usage this likely did not cause any troubles for anyone as all fixing this will do is make it possible to disable the knative controller using the feature gate. (it is also possible to control it via the --enable-controller-knativeingress which was working properly). #2781
  • Treat status conditions in Gateway and GatewayClass as snapshots, replace existing conditions with same type on setting conditions. #2791
  • Update Listener statuses whenever they change, not just on Gateway creation. #2797
  • StripPath for HTTPRoutes is now disabled by default to be conformant with the Gateway API requirements. ##2737

Under the hood

2.5.0

Release date: 2022-07-11

Breaking changes in Gateway API technical preview:

  • The controller no longer overrides Gateway Listeners with a list of Listeners derived from Kong configuration. User-provided Listener lists are preserved as-is. Listener status information indicates if a requested Listener is not ready because of missing Kong listen configuration. This is necessary to properly support allowed routes and TLS configuration in Listeners, which would otherwise be wiped out by automatic updates. This has no immediate impact on existing Gateway resources used with previous versions: their automatically-set Listeners are now treated as user-defined Listeners and will not be modified by upgrading. This only affects new Gateway resources: you will need to populate the Listeners you want, and they will need to match Kong's listen configuration to become ready. #2555

Added

  • Updated Gateway API dependencies to v0.5.0 and updated examples directory to use v1beta1 versions of APIs where applicable. #2691
  • Added support for Gateway Listener TLS configuration, to enable full use of TLSRoute and HTTPS HTTPRoutes. #2580
  • Added information about service mesh deployment and distribution in telemetry data reported to Kong. #2642

Fixed

  • Fixed the problem that logs from reporter does not appear in the pod log. #2645

2.4.2

Release date: 2022-06-30

Fixed

  • Fix an issue with ServiceAccount token mount. #2620 #2626

2.4.1

Release date: 2022-06-22

Added

  • Increased the default Kong admin API timeout from 10s to 30s and added a log mentioning the flag to increase it further. #2594

Fixed

  • Disabling the IngressClass controller now disables IngressClass watches in other controllers. This fixes a crash on Kubernetes versions that do not offer an IngressClass version that KIC can read. #2577

2.4.0

Release date: 2022-06-14

Added

  • A new gated feature called CombinedRoutes has been added. Historically a kong.Route would be created for each path on an Ingress resource in the phase where Kubernetes resources are translated to Kong Admin API configuration. This new feature changes how Ingress resources are translated so that a single route can be created for any unique combination of ingress object, hostname, service and port which has multiple paths. This option is helpful for end-users who are making near constant changes to their configs (e.g. constantly adding, updating, and removing Ingress resources) at scale, and users that have enormous numbers of paths all pointing to a single Kubernetes Service as it can significantly reduce the overall size of the dataplane configuration that is pushed to the Kong Admin API. This feature is expected to be disruptive (routes may be dropped briefly in postgres mode when switching to this mode) so for the moment it is behind a feature gate while we continue to iterate on it and evaluate it and seek a point where it would become the default behavior. Enable it with the controller argument --feature-gates=CombinedRoutes. #2490
  • UDPRoute resources now support multiple backendRefs for load-balancing. #2405
  • TCPRoute resources now support multiple backendRefs for load-balancing. #2405
  • TCPRoute resources are now supported. #2086
  • HTTPRoute resources now support multiple backendRefs with a round-robin load-balancing strategy applied by default across the Endpoints or the Services (if the ingress.kubernetes.io/service-upstream annotation is set). They also now support weights to enable more fine-tuning of the load-balancing between those backend services. #2166
  • Gateway resources now honor listener.allowedRoutes.namespaces filters. Note that the unmanaged Kong Gateway implementation populates listeners automatically based on the Kong Service and Deployment, and user-provided allowedRoutes filters are merged into generated listeners with the same protocol. #2389
  • Added --skip-ca-certificates flag to ignore CA certificate resources for use with multi-workspace environments. #2341
  • Gateway API Route types now support cross-namespace BackendRefs if a ReferencePolicy permits them. #2451
  • Added description of each field of kongIngresses CRD. #1766
  • Added support for TLSRoute resources. #2476
  • Added --term-delay flag to support setting a time delay before processing SIGTERM and SIGINT signals. This was added to specifically help in situations where the Kong Gateway has a load-balancer in front of it to help stagger and stabilize the shutdown procedure when the load-balancer is draining or otherwise needs to remove the Gateway from it's rotation. #2494
  • Added kong-ingress-controller category to CRDs #2517
  • Added v1alpha1.IngressClassParameters CRD and its first field ServiceUpstream to control the behavior of routing traffic via an upstream service for all services managed by an ingress class without the need of adding an annotation to every single one #2535

Fixed

  • Unmanaged-mode Gateway resources which reference a LoadBalancer type Service will now tolerate the IPs/Hosts for that Service not becoming provisioned (e.g. the LoadBalancer implementation is broken or otherwise and the EXTERNAL-IP is stuck in <pending>) and will still attempt to configure Routes for that Gateway as long as the dataplane API can be otherwise reached. #2413
  • Fixed a race condition in the newer Gateway route controllers which could trigger when an object's status was updated shortly after the object was cached in the dataplane client. #2446
  • Added a mechanism to retry the initial connection to the Kong Admin API on controller start to fix an issue where the controller pod could crash loop on start when waiting for Gateway readiness (e.g. if the Gateway is waiting for its database to initialize). The new retry mechanism can be manually configured using the --kong-admin-init-retries and --kong-admin-init-retry-delay flags. #2274
  • diff logging now honors log level instead of printing at all log levels. It will only print at levels debug and trace. #2422
  • For KNative Ingress resources, KIC now reads both the new style annotation networking.knative.dev/ingress-class and the deprecated networking.knative.dev/ingress.class one to adapt to what has already been done in knative. #2485
  • Remove KongIngress support for Gateway API Route objects and Services referenced by those Routes. This disables an undocumented ability of customizing Gateway API *Route objects and Services that are set as backendRefs for those *Routes via konghq.com/override annotations. #2554
  • Fixed a vulnerability that permission could be escalated by running custom lua scripts. #2572

2.3.1

Release date: 2022-04-07

Fixed

  • Fixed an issue where admission controllers configured without certificates would incorrectly detect invalid configuration and prevent the controller from starting. #2403

2.3.0

Release date: 2022-04-05

Breaking changes

  • HTTPRoute header matches no longer interpret CSV values as multiple match values, as this was not part of the HTTPRoute specification. Multiple values should use regular expressions instead. #2302

Added

  • Gateway resources which have a LoadBalancer address among their list of addresses will have those addresses listed on the top for convenience, and so that those addresses are made prominent in the kubectl get gateways short view. #2339
  • The controller manager can now be flagged with a client certificate to use for mTLS authentication with the Kong Admin API. #1958
  • Deployment manifests now include an IngressClass resource and permissions to read IngressClass resources. #2292
  • The controller now reads IngressClass resources to determine if its IngressClass is the default IngressClass. If so, the controller will ingest resources that require a class (Ingress, KongConsumer, KongClusterPlugin, etc.) but have none set. #2313
  • HTTPRoute header matches now support regular expressions. #2302
  • HTTPRoutes that define multiple matches for the same header are rejected to comply with the HTTPRoute specification. #2302
  • Admission webhook certificate files now track updates to the file, and will update when the corresponding Secret has changed. #2258
  • Added support for Gateway API UDPRoute resources. #2363
  • The controller can now detect whether a Kong container has crashed and needs a configuration push. Requires Kong 2.8+. #2343

Fixed

  • Fixed an issue where duplicated route names in HTTPRoute resources with multiple matches would cause the Kong Admin API to collide the routes into one, effectively dropping routes for services beyond the first. #2345
  • Status updates for HTTPRoute objects no longer mark the resource as ConditionRouteAccepted until the object has been successfully configured in Kong Gateway at least once, as long as --update-status is enabled (enabled by default). #2339
  • Status updates for HTTPRoute now properly use the ConditionRouteAccepted value for parent Gateway conditions when the route becomes configured in the Gateway rather than the previous random "attached" string. #2339
  • Fixed a minor issue where addresses on Gateway resources would be duplicated depending on how many listeners are configured. #2339
  • Unconfigured fields now use their default value according to the Kong proxy instance's reported schema. This addresses an issue where configuration updates would send unnecessary requests to clear a default value. #2286
  • Certificate selection for hostnames is no longer random if both certificate Secrets have the same creation timestamp, and no longer results in unnecessary configuration updates. #2338

2.2.1

Release date: 2022/02/15

Fixed

  • Added mitigation for an issue where controllers may briefly delete and recreate configuration upon gaining leadership while populating their Kubernetes object cache. #2255

2.2.0

Release date: 2022/02/04

Added

Fixed

  • Fixed an issue where validation could fail for credentials secrets if the value for a unique constrained key were updated in place while linked to a managed KongConsumer. #2190
  • The controller now retries status updates if the publish service LoadBalancer has not yet provisioned. This fixes an issue where controllers would not update status until the first configuration change after the LoadBalancer became ready.

2.1.1

Release date: 2022/01/05

2.1.1 has no user-facing changes from 2.1.0. It updates a certificate used in the test environment which expired during the 2.1.0 release process. #2133

2.1.0

Release date: 2022/01/05

Note: the admission webhook updates originally released in 2.0.6 are not applied automatically by the upgrade. If you set one up previously, you should edit it (kubectl edit validatingwebhookconfiguration kong-validations) and add kongclusterplugins under the resources block for the configuration.konghq.com API group.

Breaking changes

  • The --leader-elect flag has been deprectated and will be removed in a future release. Leader election is now enabled or disabled automatically based on the database mode. The flag is no longer honored. #2053
  • You must upgrade to 2.0.x before upgrading to 2.1.x to properly handle the transition from apiextensions.k8s.io/v1beta1 CRDs to apiextensions.k8s.io/v1 CRDSs. CRDs are now generated from their underlying Go structures to avoid accidental mismatches between implementation and Kubernetes configuration. KongIngresses previously included healthchecks.passive.unhealthy.timeout and healthchecks.active.unhealthy.timeout fields that did not match the corresponding Kong configuration and had no effect. These are now healthchecks.passive.unhealthy.timeouts and healthchecks.active.unhealthy.timeouts, respectively. If you use these fields, you must rename them in your KongIngresses before upgrading. #1971

Added

  • Added validation for Gateway objects in the admission webhook #1946
  • Feature Gates have been added to the controller manager in order to enable alpha/beta/experimental features and provide documentation about those features and their maturity over time. For more information see the KIC Feature Gates Documentation. #1970
  • a Gateway controller has been added in support of Gateway APIs. This controller is foundational and doesn't serve any end-user purpose alone. #1945
  • Anonymous reports now use TLS instead of UDP. #2089
  • The new --election-namespace flag sets the leader election namespace. This is normally only used if a controller is running outside a Kubernetes cluster. #2053
  • There is now a Grafana dashboard for the controller metrics. #2035
  • TCPIngresses now support TLS passthrough in Kong 2.7+, by setting a konghq.com/protocols: tls_passthrough annotation. #2041

Fixed

  • Fixed an edge case which could theoretically remove data-plane config for objects which couldn't be retrieved from the manager's cached client. #2057
  • The validating webhook now validates that required fields data are not empty. #1993
  • The validating webhook now validates unique key constraints for KongConsumer credentials secrets on update of secrets, and on create or update of KongConsumers. #729
  • Fixed a race condition where multiple actors may simultaneously attempt to create the configured Enterprise workspaces. #2070
  • Fixed incorrect leader election behavior. Previously, non-leader instances would still attempt to update Kong configuration, but would not scan for Kubernetes resources to translate into Kong configuration. #2053
  • Configuration updates that time out now correctly report a failure. deck #529 #2125

2.0.7

Release date: 2022/01/19

Under the hood

  • Anonymous reports now use TLS instead of UDP. #2089

2.0.6

Release date: 2021/11/19

Note: the admission webhook updates are not applied automatically by the upgrade. If you set one up previously, you should edit it (kubectl edit validatingwebhookconfiguration kong-validations) and add kongclusterplugins under the resources block for the configuration.konghq.com API group.

Fixed

  • Fixed an issue where statuses would not update properly when a single service had multiple Ingress resources associated with it. #2013
  • Fixed an issue where statuses would not update for Ingress resources with periods in the name. #2012
  • The template admission webhook configuration now includes KongClusterPlugins. #2000

Under the hood

  • Updated several Go dependencies. See go.mod in the diff for details.

2.0.5

Release date: 2021/11/02

Fixed

  • Fixed a bug where version reported for the controller manager was missing due to incorrect linker flags and missing build args in image builds. #1943
  • hash_secret strings in OAuth2 credentials now correctly convert to bools in the generated Kong configuration. #1984
  • Fixed an issue where the admission controller returned an incorrect status code for invalid plugin configuration. #1980

2.0.4

Release date: 2021/10/22

Added

  • Go Module V2 has been published so that APIs and Clients can be imported from external Golang projects. #1936

Fixed

  • Fixed a bug where the admission server's logger was missing, resulting in panics when the admission server tried logging. #1954
  • The admission controller now also validates KongClusterPlugin resources. #1764
  • Fixed a segfault when the version reporter failed to initialize. #1961

2.0.3

Release date: 2021/10/19

Fixed

  • Debug logging for resource status updates have been fixed to ensure that debug output isn't silently lost and to fix some formatting issues. #1930
  • Fixed a bug where Ingress resources would not be able to receive status updates containing relevant addresses in environments where LoadBalancer type services provision slowly. #1931

2.0.2

Release date: 2021/10/14

Added

  • Builds now produce Red Hat UBI-based images.

2.0.1

Release date: 2021/10/11

Added

  • The ingress controller version now gets logged on startup. #1911

Fixed

  • Fixed an issue reading workspace information with RBAC permissions that only allow access to the specified workspace. #1900

2.0.0

Release date: 2021/10/07

NOTE: This changelog entry was compiled from every changelog entry in the alpha and beta pre-releases of 2.0.0. If you're looking for the interim changelog between alpha and/or beta versions prior to the release see the historical changelog here.

Breaking changes

While you're reviewing the breaking changes below we also recommend you check out our upgrade guide which covers upgrading from the previous v1.3.x releases to this release.

  • The admission webhook now requires clients that support TLS 1.2 or higher. #1671
  • autonegotiation of the Ingress API version (extensions v1beta1, networking v1beta1, networking v1) has been disabled. Instead, the user is expected to set exactly one of: --controller-ingress-networkingv1 --controller-ingress-networkingv1beta1 --controller-ingress-extensionsv1beta1
  • several miscellaneous flags have been removed. The following flags are no longer present:
    • --disable-ingress-extensionsv1beta1 (replaced by --enable-controller-ingress-extensionsv1beta1=false)
    • --disable-ingress-networkingv1 (replaced by --enable-controller-ingress-networkingv1=false)
    • --disable-ingress-networkingv1beta1 (replaced by --enable-controller-ingress-networkingv1beta1=false)
    • --version
    • --alsologtostderr
    • --logtostderr
    • --v
    • --vmodule
  • support for "classless" ingress types has been removed. The following flags are no longer present:
    • --process-classless-ingress-v1beta1
    • --process-classless-ingress-v1
    • --process-classless-kong-consumer
  • --dump-config (a diagnostic option) is now a boolean. true is equivalent to the old enabled value. false is equivalent to the old disabled value. true with the additional new --dump-sensitive-config=true flag is equivalent to the old sensitive value.
  • The historical --stderrthreshold flag is now deprecated: it no longer has any effect when used and will be removed in a later release. #1297
  • The --update-status-on-shutdown flag which supplements the --update-status flag has been deprecated and will no longer have any effect, it will be removed in a later release. #1304
  • the --sync-rate-limit is now deprecated in favor of --sync-time-seconds. This functionality no longer blocks goroutines until the provided number of seconds has passed to enforce rate limiting, now instead it configures a non-blocking time.Ticker that runs at the provided seconds interval. Input remains a float that indicates seconds.
  • Per documentation and by design, KongClusterPlugin resources require an kubernetes.io/ingress.class annotation, but this was not fully enforced. In 2.0, all KongClusterPlugin resources require this annotation set to the controller's ingress class. Check your resources to confirm they are annotated before upgrading. #2090

Added

  • Individual controllers can now be enabled or disabled at a granular level. For example you can disable the controller for TCPIngress with: --enable-controller-tcpingress=false To see the entire list of configurable controllers run the controller manager with --help. #1638
  • The --watch-namespace flag was added and supports watching a single specific namespace (e.g. --watch-namespace namespaceA) or multiple distinct namespaces using a comma-separated list (e.g. --watch-namespace "namespaceA,namespaceB"). If not provided the default behavior is to watch all namespaces as it was in previous releases. #1317
  • UDP support was added via the v1beta1.UDPIngress API. #1454 UDP Blog Post
  • Renamed roles and bindings to reflect their association with Kong. #1801
  • Upgraded Kong Gateway from 2.4 to 2.5 #1684
  • Decreased log level of some status update messages. #1641
  • Added metrics tracking whether configuration was successfully generated and applied and the time taken to sync configuration to Kong. #1622
  • Added a Prometheus operator PodMonitor to scrape controller and Kong metrics. To use it:
    kubectl apply -f https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/main/config/prometheus/monitor.yaml
    
    #1657
  • Added controller functional metrics in 2.x #705
  • Implemented Ingress status updates in 2.x. #1451
  • Added --publish-status-address and --publish-service flags to 2.x. #1451 #1509
  • Added scripts to generate 2.x manifests. #1563
  • Added support for --dump-config to 2.x. #1589
  • profiling using pprof is now a standalone HTTP server listening on port 10256.
  • adds support for selector tags (filter) tags refractored work. KIC 1.x #1415
  • Profiling using pprof is now a standalone HTTP server listening on port 10256. #1417
  • Reduced 2.x RBAC permissions to match 1.x permissions and added a generated single-namespace Role that matches the ClusterRole. #1457
  • support for the konghq.com/host-aliases annotation. #1016
  • Added --proxy-timeout-seconds flag to configure the kong client api timeout. #1401

Fixed

  • In DB-less mode, the controller only marks itself ready once it has successfully applied configuration at least once. This ensures that proxies do not start handling traffic until they are configured. #1720
  • Prometheus metrics were not exposed on the metrics endpoint in 2.0.0-beta.1 by default #1497
  • Resolved an issue where certain UDPIngress and TCPIngress configurations resulted in overlapping incompatible Kong configuration. #1702
  • Fixed a panic that would occur in the controller manager when a KongConsumer object with an empty name was submitted. Any KongConsumer resource created with an empty UserName will now throw an error in the controller manager logs (this wont stop other configurations from proceeding), but the object in question will thereafter otherwise be skipped for backend configuration until the resource has been corrected. #1658
  • The controller will now retry unsuccessful TCPIngress status updates. #1641
  • The controller now correctly disables Knative controllers automatically when Knative controllers are not installed. #1585
  • Corrected the old Ingress v1beta1 API group. #1584
  • Updated our Knative API support for more recent upstream releases. [#1148] (#1396)

Under the hood

  • Updated the compiler to Go v1.17 #1714
  • Code for the previous v1.x releases of the Kubernetes Ingress Controller have been removed. Maintenance of the v1.x era codebase lives on in the 1.3.x and related branches going forward. #1591
  • Made assorted improvements to CI and test code. #1646 #1664 #1669 #1672
  • New v1 versions of CustomResourceDefinitions introduced for KIC 2.0 are now backwards compatible with the previous v1beta1 CRD definitions (i.e. v1beta1 -> v1 upgrades of KIC's CustomResourceDefinitions now work fully automatically). In practice the upgrade process should be seamless for end-users (e.g. kubectl apply -f <NEW CRDS>). If you're interested in better understanding the differences and what's going on under the hood, please see the relevant PR which includes the user facing changes. Kubernetes#79604 #1133
  • The uuid generation is now done by the same library in the whole project #1604
  • the controller manager will no longer log multiple entries for nil updates to the Kong Admin API. The result is that operators will no longer see multiple "no configuration change, skipping sync to kong" entries for any single update, instead it will only report this nil update scenario the first time it is encountered for any particular SHA derived from the configuration contents.
  • project layout for contributions has been changed: this project now uses the Kubebuilder SDK and there are layout changes and configurations specific to the new build environment.
  • controller architecture has been changed: each API type now has an independent controller implementation and all controllers now utilize controller-runtime.
  • full integration testing in Golang has been added for testing APIs and controllers on a fully featured Kubernetes cluster, this is now supported by the new Kong Kubernetes Testing Framework (KTF) project and now runs as part of CI.
  • the mechanism for caching and resolving Kong Admin /config configurations when running in DBLESS mode has been reimplemented to enable fine-tuned configuration options in later iterations.
  • contains the refactored admission webhook server. The server key and certificate flags have improved semantics: the default flag value is no longer the default path, but an empty string. When both key/cert value flags and key/cert file flags remain unset, KIC will read cert/key files from the default paths, as said in the flag descriptions. This change should not affect any existing configuration - in all configuration cases, behavior is expected to remain unchanged.
  • taking configuration values from environment variables no longer uses Viper.

1.3.4

Release date: 2022/01/19

Under the hood

  • Anonymous reports now use TLS instead of UDP. #2089

1.3.3

Release date: 2021/10/01

Fixed

  • Fixed invalid plugin validation code in admission controller. go-kong#81
  • Fixed a panic when sorting consumers. #1658

1.3.2

Release date: 2021/08/12

Under the hood

  • Updated Alpine image to 3.14. #1691
  • Update Kong images to 2.5.

1.3.1

Release date: 2021/06/03

Fixed

  • fixed a bug that now stops v1.3.x releases from advertising themselves as v2 if manually built with default configurations.

Under the hood

  • Upgraded CI dependencies
  • Some cleanup iterations on RELEASE.md release process

1.3.0

Release date: 2021/05/27

Added

  • support for the konghq.com/host-aliases annotation. #1016

Fixed

  • Sort SNIs and certificates consistently to avoid an issue with unnecessary configuration re-syncs. #1268

Under the hood

  • Upgraded various dependencies.

1.2.0

Release date: 2021/03/24

Added

  • Ingresses now support konghq.com/request-buffering and konghq.com/response-buffering annotations, which set the request-buffering and response-buffering settings on associated Kong routes. #1016
  • Added --dump-config flag to dump generated Kong configuration to a temporary file to debug issues where the controller generates unexpected configuration or unacceptable configuration. When set to enabled it redacts sensitive values (credentials and certificate keys), and when set to sensitive, it includes all configuration. #991
  • Added support for mtls-auth plugin credentials (requires Enterprise 2.3.2.0 or newer). #1078
  • The KongClusterPlugin CRD is now optional, for installation in clusters where KIC administrators do not have cluster-wide permissions.

Fixed

  • The admission webhook can now validate KongPlugin configurations stored in a Secret. #1036

Under the hood

  • Build configuration allows target architectures other than amd64. Note that other architectures are not officially supported. #1046
  • Updated to Go 1.16. Make sure to update your Go version if you build your own controller binaries. #1110
  • Refactored synchronization loop into more discrete components and created packages for them. #1027 #1029
  • Broad refactoring (with the purpose of exposing KIC's logic as libraries), in preparation for an architectural upgrade of KIC to a kubebuilder-based implementation of the controller (expected to be released as KIC v2.0). #1037
  • Added a Go-based integration test environment and initial set of tests. #1102
  • CI improvements check test coverage for PRs and automaticall open PRs for dependency updates.
  • Upgraded almost all Go library dependencies (from now on, using Dependabot to ensure that minor releases use the newest versions available).

1.1.1

Release date: 2021/01/07

Fixed

  • Ingress controller now correctly sets ports for ExternalName services #985
  • TCPIngress CRD: removed the duplicated subresource YAML key #997

Deprecated

  • Removed Helm 2 installation instructions because Helm 2 is EOL. Use Helm 3 instead. #993

1.1.0

Release date: 2020/12/09

Breaking changes

  • The controller no longer supports Cassandra-backed Kong clusters, following deprecation in 0.9.0. You must migrate to a Postgres-backed or DB-less cluster before upgrading to 1.1.0. The controller will restore configuration from Kubernetes resources (Ingresses, Services, KongPlugins, etc.) into the new datastore automatically. Kong Enterprise users with non-controller-managed configuration (Portal configuration, RBAC configuration, etc.) will need to migrate that configuration manually. #974

Added

  • The default Kong version is now 2.2.x and the default Kong Enterprise version is now 2.2.0.0. #932 #965
  • The default worker count is now 2 instead of 1. This avoids request latency during blocking configuration changes. #957
  • Knative Services now support konghq.com/override (for attaching KongIngress resources). #908
  • Added the konghq.com/snis Ingress annotation. This populates SNI configuration on the routes derived from the annotated Ingress. #863

Fixed

  • The controller now correctly prints the affected Service name when logging warnings about Services without any endpoints. #915
  • Credentials that lack critical fields no longer result in a panic. #944

1.0.0

Release date: 2020/10/05

Breaking changes

  • The controller no longer supports versions of Kong prior to 2.0.0. #875
  • Deprecated 0.x.x flags are no longer supported. Please see the documentation changes for a complete list of removed flags and their replacements. Note that this change applies to both flags and their equivalent environment variables, e.g. for --admin-header, if you set CONTROLLER_ADMIN_HEADER, you should now use CONTROLLER_KONG_ADMIN_HEADER. #866
  • KongCredential custom resources are no longer supported. You should convert any KongCredential resources to credential Secrets before upgrading to 1.0.0. #862
  • Deprecated 0.x.x annotations are no longer supported. Please see the documentation changes for a complete list of removed annotations and their replacements. #873

Added

  • The controller Docker registry now has minor version tags. These always point to the latest patch release for a given minor version, e.g. if 1.0.3 is the latest patch release for the 1.0.x series, the 1.0 Docker tag will point to 1.0.3. #747
  • Custom resources now all have a status field. For 1.0.0, this field is a placeholder, and does not contain any actual status information. Future versions will add status information that reflects whether the controller has created Kong configuration for that custom resource. #824
  • Version compatibility documentation now includes information about supported Kubernetes versions for a given controller version. #820

Fixed

  • EKS documentation now uses hostnames rather than IP addresses. #877

0.10.0

Release date: 2020/09/15

Breaking changes

  • Ingress resources now require kubernetes.io/ingress.class annotations by default. Kong recommends adding this annotation to Ingresses that previously did not have it, but you can override this change and instruct the controller to process Ingresses without this annotation if desired. See the ingress class documentation for details. #767
  • KongConsumer resources now require kubernetes.io/ingress.class annotations by default. This change can also be overriden using a flag. #767
  • TCPIngress resources now require kubernetes.io/ingress.class annotations. This change cannot be overriden. #767
  • CA certificate secrets now require kubernetes.io/ingress.class annotations. This change cannot be overriden. #815
  • Removed support for global KongPlugin resources. You must now use KongClusterPlugin resources for global plugins. You should run kubectl get kongplugin -l global=true --all-namespaces to list existing global KongPlugins to find and convert them before upgrading. The controller will also log a warning if it finds any global KongPlugins that are still in place. #751

Added

  • Added support for Ingress v1. #832. #843.
  • Added support for the port mapping functionality in Kong versions 2.1 and newer in example manifests. This feature improves Kong's functionality when behind a load balancer that uses different ports than Kong's proxy listens. #753
  • Added support for the ingress.kubernetes.io/force-ssl-redirect annotation. #745
  • Transitioned to structured logging. #748
  • Added flags to enable processing of Ingress and KongConsumer resources without ingress.class annotations regardless of the controller class. Previously, this functionality was only available when using the default controller class, and could not be disabled. #767
  • Added support for admission.k8s.io/v1 validating webhooks. #759
  • Migrated to Go 1.13-style error handling. #765
  • Added documentation for using the controller along with Istio. #798
  • Updated documentation to include information on Kong 2.1.

Fixed

  • Removed securityContext from example deployments. Earlier Kong versions had to run as root to support some Enterprise features. This is no longer the case in modern Kong versions. #672
  • Added missing documentation for --enable-reverse-sync flag. #718
  • Fixed a bug where the controller did not track updates to resources that should not have required ingress.class unless that annotation was present. #767
  • Clarified build instructions for pushing Docker artifacts. #768
  • Improved controller startup behavior in scenarios where Kong was not available. The controller will now retry and exit with an error after a timeout, rather than hanging indefinitely. #771 #799
  • Addressed several documentation typos and incongruent examples. #776 #785 #809
  • Corrected a Helm 3 example that still used deprecated Helm 2 flags. #793

Under the hood

  • Improved tests by removing many hard-coded default values. The tests now reference variables that define the default value in a single location. #815
  • Added CI warning when base and single-file example manifests diverge. #797
  • Updated Kubernetes dependencies from v0.17.x to v0.19.0 and switched from knative.dev/serving to knative.dev/networking. #813 #817
  • Updated Go build configuration to use Go 1.15. #816

0.9.1

Release date: 2020/06/08

Fixed

  • Parse TLS section of Knative Ingress resources #721

0.9.0

Release date: 2020/05/26

Breaking change

Health-check behavior of the default manifest has been changed to use status interface of Kong instead of a simple Nginx server block. The change is transparent and doesn't require any additional work. #634

Deprecations

Kong deployments backed by Cassandra are deprecated and will not be supported in future. Cassandra deployments for Ingress Controller use cases are rare and seldom make sense since the features that Cassandra brings are provided by other means in such architectures. #617

Added

  • Plugin configuration via Kubernetes Secrets Configuration of plugins can be stored in Kubernetes Secrets and then referenced in KongPlugin and KongClusterPlugin resources. #618
  • mTLS authentication The controller can configure CA Certificates in Kong and these can be used by mtls-auth plugin in Kong. The plugin is currently enterprise-only. #616
  • Kong Custom entities in DB-less mode Custom entities used in custom plugins can now be configured for DB-less deployments of Kong. #630
  • Host-header manipulation Host header of a request destined to a Kubernetes Service can now be manipulated using the konghq.com/host-header annotation on the Service resource. #597
  • Method-based routing Method based routing can be performed using the Ingress resource. A new annotation konghq.com/methods can now be used to match HTTP method in addition to HTTP host and path. This was previously supported only via KongIngress Custom Resource. #591
  • New configuration options Following new CLI flags and corresponding environment variables have been added:
    • --admission-webhook-cert, --admission-webhook-key and --kong-admin-ca-cert. These have been added to ease configuration by enabling users to supply sensitive values using Secret references inside PodSpec. #628
    • --kong-custom-entities-secret flag has been added to support custom entities in DB-less mode feature.

Fixed

  • Some errors that were previously ignored are being caught and handled correctly #635
  • Ingress rules with consecutive slashes (//) are now ignored #663

0.8.1

Release date: 2020/04/15

Added

  • Added --enable-reverse-sync flag to enable checks from Kong to kubernetes state. This should be enabled only if a human has access to Kong's Admin API or Kong Manager (for Enterprise users). This flag will disable an optimization in the controller and result in an increase read activity on Kong's Admin API and database. #559

Fixed

  • Fix certificate and SNI sync to avoid a deadlock due to a conflict when Kong is running with a database backend. #524
  • Correctly set Knative Ingress Status #600

0.8.0

Release date: 2020/03/25

Breaking changes

  • strip_path disabled by default The value of strip_path of routes in Kong is now set to false. If you are upgrading from a previous version, please carefully test the change before rolling it out as this change can possibly break the routing for your clusters. You can use konghq.com/strip-path annotation to set the value to true.

Deprecations

The following annotations are now deprecated and will be removed in a future release:

  • configuration.konghq.com
  • plugins.konghq.com
  • configuration.konghq.com/protocols
  • configuration.konghq.com/protocol
  • configuration.konghq.com/client-cert

Please read the annotations document for new annotations.

Added

  • Knative Ingress support The controller can now proxy traffic for serverless workloads running on top of Knative. Users can also select Kong plugins to execute on a per Knative workload/service basis. #563
  • TCP/TLS routing New Custom Resource TCPIngress has been introduced to support TCP proxy. SNI-based proxying is also supported for TLS encrypted TCP streams. #527
  • New Custom Resource KongClusterPlugin Plugin configuration can now be shared acrossed Kubernetes namespaces using KongClusterPlugin, a new cluster-level Custom Resource. #520
  • New annotation group konghq.com A new annotations group has been introduced which should simplify configuration and reduce the need of KongIngress resource in most use-cases. The following new annotations have been introduced:
    • konghq.com/plugins
    • konghq.com/override
    • konghq.com/client-cert
    • konghq.com/protocols
    • konghq.com/protocol
    • konghq.com/preserve-host
    • konghq.com/plugins
    • konghq.com/override
    • konghq.com/path
    • konghq.com/strip-path
    • konghq.com/https-redirect-status-code

Fixed

  • Admission webhook now checks for the correct fields for JWT credential type. #556

Under the hood

  • decK has been upgraded to v1.0.3. #576
  • Go has been upgraded to 1.14. #579
  • Alpine docker image has been upgraded to 3.11. #567

0.7.1

Release date: 2020/01/31

Summary

This releases contains bug-fixes only. All users are advised to upgrade.

Fixed

  • De-duplicate SNIs when the same SNI is associated with multiple secrets. #510
  • plugin.RunOn is not injected when Kong version >= 2.0.0. #521
  • Parse default backend in Ingress resource correctly. #511
  • KongPlugin resources with global: true label are correctly processed to include protocols fields while rendering Kong's configuration. #502
  • Admission Controller: correctly process updates to KongConsumer resource #501
  • Do not send multiple update events for a single CRD update #514

0.7.0

Release date: 2020/01/06

Summary

This release adds secret-based credentials, gRPC routing, upstream mutual authentication, DB-less deployment by default and performance improvements.

Breaking changes

  • The default value of --admission-webhook-listen flag is now off to avoid an error in the logs when the cert and key pair is not provided. Users will have to explicitly set this flag to :8080 to enable it. Please do note that it is recommended to always set up the Admission Controller.

Added

  • Multi-port services Ingress rules forwarding traffic to multiple ports of the same services are now supported. The names of the services configured in Kong have been changed to include the port number/name for uniqueness. #404
  • When using the controller with Kong Enterprise, Controller now attempts to create the workspace configured via --kong-workspace, if it does not exist. #429
  • Controller configuration revamped Configuration of the controller itself can now be tweaked via environment flags and CLI flags, both. Environment variables and Secrets can be used to pass sensitive information to the controller. #436
  • Encrypted credentials via Secrets Credentials can now be configured via Secret resource from the Kubernetes core API. These credentials are encrypted at rest by Kubernetes. The controller loads these secrets into Kong's memory or database from the Kubernetes data-store. #430
  • Multi-entity plugins Plugins can now be configured for a combination of an Ingress rule(s) and KongConsumer or a combination of a Service and KongConsumer. #386
  • Mutual authentication using mTLS Kong and the Kubernetes Service can mutually authenticate each other now. Use the new configuration.konghq.com/client-cert annotation on a Kubernetes Service to specify the cert-key pair Kong should use to authenticate itself. #483
  • gRPC routing Kong Ingress Controller can now expose and proxy gRPC protocol based services, in addition to HTTP-based services. These can be configured using the core Ingress resource itself. #454
  • Performance improvement Number of sync calls to Kong, in both DB and DB-less mode, should be reduced by an order of magnitude for most deployments. This will also improve Kong's performance. #484
  • credentials property has been added to the KongConsumer Custom Resource. This property holds the references to the secrets containing the credentials. #430
  • Flag --kong-admin-filter-tag has been added to change the tag used to filter and managed entity in Kong's database. This defaults to managed-by-ingress-controller. #440
  • Flag --kong-admin-concurrency has been added to control the number of concurrent requests between the controller and Kong's Admin API. This defaults to 10. #481
  • Flag --kong-admin-token has been added to supply the RBAC token for the Admin API for Kong Enterprise deployments. #489
  • Admission Controller now validates Secret-based credentials. It ensures that the required fields are set in the secret and the credential type is a valid one. #446
  • http2 is now enabled by default on the TLS port. #456
  • DB-less or the in-memory mode is now the new default in the reference manifests. It is recommended to run Kong without a database for Ingress Controller deployments. #456
  • upstream.host_header property has been added to the KongIngress Custom Resource. This property can be used to change the host header in every request that is sent to the upstream service. #478

Fixed

  • Every event in the queue is not logged anymore as it can leak sensitive information in the logs. Thanks to @goober for the report. #439
  • For database deployments, upstream entity are now created with round-robin as default algorithm to avoid false positives during a sync operation. These false positives can have a negative impact on Kong's performance. #480

Deprecated

  • KongCredential Custom Resource is now deprecated and will be remove in a future release. Instead, please use Secret-based credentials. #430:
  • Following flags have been deprecated and new ones have been added in place #436:
    • --kong-url, instead use --kong-admin-url
    • --admin-tls-skip-verify, instead use --kong-admin-tls-skip-verify
    • --admin-header, instead use --kong-admin-header
    • --admin-tls-server-name, instead use --kong-admin-tls-server-name
    • --admin-ca-cert-file, instead use --kong-admin-ca-cert-file

Under the hood

  • decK has been bumped up to v0.6.2.

0.6.2

Release date: 2019/11/13

Summary

This is a minor patch release to fix version parsing issue with new Kong Enterprise packages.

0.6.1

Release date: 2019/10/09

Summary

This is a minor patch release to update Kong Ingress Controller's Docker image to use a non-root by default.

0.6.0

Release date: 2019/09/17

Summary

This release introduces an Admission Controller for CRDs, Istio compatibility, support for networking/ingress, Kong 1.3 additions and enhancements to documentation and deployments.

Added

  • Service Mesh integration Kong Ingress Controller can now be deployed alongside Service Mesh solutions like Kuma and Istio. In such a deployment, Kong handles all the external client facing routing and policies while the mesh takes care of these aspects for internal service-to-service traffic.
  • ingress.kubernetes.io/service-upstream, a new annotation has been introduced. Adding this annotation to a Kubernetes service resource will result in Kong directly forwarding traffic to kube-proxy. In other words, Kong will not send traffic directly to the pods. #365
  • Ingress resources created in the new networking.k8s.io API group are now be supported. The controller dynamically figures out the API group to use based on the metadata it receives from k8s API-server.
  • Kong Credential enhancements
    • Kong Credentials are now live-synced as they are created and updated in DB-mode. #230
    • A single Consumer can now contain multiple credentials of the same type and multiple ACL group associations. #371
  • Admission controller Kong Ingress Controller now ships with an in-built admission controller for KongPlugin and KongConsumer entities. The validations stop users from misconfiguring the Ingress controller. #372
  • Kong 1.3 support:
    • HTTP Header based routing is now supported using KongIngress.Route.Headers property.
    • The algorithm to use for load-balancing traffic sent upstream can be set using KongIngress.Upstream.Algorithm field.
  • Kustomize: Users can now use kustomize to tweak the reference deployment as per their needs. Both, DB and DB-less modes are supported. Please have a look at deploy/manifests directory in the Github repository.
  • Documentation: The documentation for the project has been revamped. Deployment guides, how-to guides, and reference docs have been added.
  • Deployment: The deployment of Kong Ingress Controller in DB and DB-less modes has been simplified, and Kong Ingress Controller now always runs as a side-car to Kong in proxy mode. There is no dedicated deployment for Kong Ingress Controller that needs to be run.

Fixed

  • SNIs and Certificates are now de-duplicated across namespaces. #360 #327
  • Empty TLS secret no longer stops the controller from syncing configuration #321
  • Fix a nil reference when empty Ingress rules are created #365

Under the hood

  • Kubernetes client-go library has been updated to v1.15.3.
  • Credentials sync has been moved into decK and decK has been bumped up to v0.5.1.

0.5.0

Release date: 2019/06/25

Summary

This release introduces automated TLS certificates, consumer-level plugins, enabling deployments using controller and Kong's Admin API at the same time and numerous bug-fixes and enhancements.

Breaking changes

  • UUID of consumers in Kong are no longer associated with UID of KongConsumer custom resource.

Added

  • Kong 1.2 is now supported, meaning wild-card hosts in TLS section of Ingress resources are allowed.
  • Automated TLS certificates using Let's Encrypt: Use Kong's Ingress Controller and cert-manager to automatically provision TLS certs and serve them.
  • Tagging support: All entities managed by Kong Ingress Controller in Kong's database are now tagged and the controller manages only a subset of Kong's configuration. Any entity created via Kong's Admin API will not be automatically deleted by the Ingress Controller.
  • Consumer-level plugins can now be configured by applying plugins.konghq.com annotation on KongConsumer custom resources. #250
  • Kong Enterprise workspaces: Ingress Controller can manage a specific workspace inside Kong Enterprise (previously, only default workspace).
  • Avoid reloading configuration in Kong in db-less mode when there is no change in configuration. #308
  • Service scoped plugins for Kong 1.1 are now configured correctly. #289

Fixed

  • Multiple certificates are now correctly populated in Kong. #285
  • Missing entities like certificate secrets, services or plugins in Kubernetes object store will not stop controller from syncing configuration to Kong.
  • A Ingress rule with an empty path is correctly parsed and populated in Kong. #98
  • Plugins with a nested schema are now correctly configured. #294

Under the hood

  • Dependency management for the project is done using Go modules.
  • Kubernetes client-go library has been updated to v1.14.1.
  • Makefile and Dockerfiles have been simplified.

0.4.0

Release date: 2019/04/24

Summary

This release introduces support to run Kong as an Ingress Controller without a database! This release comes with major under the hood rewrites to fix numerous bugs and design issues in the codebase. Most of the syncing logic has now been ported over to decK.

This release comes with a number of breaking changes. Please read the changelog and test in your environment.

Breaking Changes

  • ⚠️ Annotation <plugin-name>.plugin.konghq.com (deprecated in 0.2.0) is no longer supported.
  • ⚠️ --default-backend-service CLI flag is now removed. The default service will now be picked up from the default backend in the Ingress rules.
  • ⚠️ Service and Upstream entity overrides via KongIngress CRD are now supported only with configuration.konghq.com annotation on Kubernetes services. Route level overrides work same as before, using the configuration.konghq.com annotation on Ingress resources.
  • ⚠️ strip_path property of Routes in Kong is set to true by default.
  • ⚠️ preserve_host property of Routes in Kong is set to true by default.
  • Plugins created for a combination of Route and Consumer using consumerRef property in KongPlugin CRD are not supported anymore. This functionality will be added back in future via #250.
  • Service and upstream Host name have changed from namespace.service-name.port to service-name.namespace.svc.

Added

  • Ingress Controller now supports a DB-less deployment mode using Kong 1.1. #244
  • New run_on and protocols properties are added to KongPlugin CRD. These can be used to further tune behaviors of plugins in Service Mesh deployments.
  • New fields are added to KongIngress CRD to support HTTPS Active health-checks.
  • Ingress Controller is now built using Go 1.12.
  • Default service, which handles all traffic that is not matched against any of the Ingress rules, is now configured using the default backend defined via the Ingress resources.

Fixed

  • Logs to stdout and stderr will be much more quieter and helpful and won't be as verbose as before.
  • Routes with same path but different methods can now be created. #202
  • Removing a value in KongPlugin config will now correctly sync it to Kong. #117
  • Setting --update-state=false no longer causes a panic and performs leader election correctly. #232 Thanks to @lijiaocn for the fix!!
  • KongIngress will now correctly override properites of Upstream object in Kong. #252
  • Removing a value from KongPlugin config will now correctly unset it in Kong's datastore. #117

Under the hood

  • Translation of Ingress rules and CRDs to Kong entities is completey re-written. #241
  • For database deployments, an external tool, decK is used to sync resources to Kong, fixing numerous bugs and making Ingress Controller code saner and easier to maintain.

0.3.0

Release date: 2019/01/08

Breaking Changes

  • ⚠️ Default Ingress class is now kong. If you were relying on the previous default of nginx, you will need to explicitly set the class using --ingress-class CLI flag.

Added

  • Support for Kong 1.0.x Kong 1.0 introduces a number of breaking changes in the Admin API. Ingress controller is updated to make correct calls and parse responses correctly. #213
  • ingress.class annotation-based filtering on CRD Multiple Kong clusters can be deployed and configured individually on the same Kubernetes Cluster. This feature allows configuring global Plugins, Consumers & credentials using a different ingress.class annotation for each Kong cluster. #220
  • TLS support for Ingress Controller <-> Kong communication The ingress controller can now talk to Kong's Control-Plane using TLS with custom certificates. Following new CLI flags are introduces:
    • --admin-tls-skip-verify: to skip validation of a certificate; it shouldn't be used in production environments.
    • --admin-tls-server-name: use this if the FQDN of Kong's Control Plane doesn't match the CN in the certificate.
    • --admin-ca-cert-file: use this to specify a custom CA cert which is not part of the bundled CA certs. #212

Fixed

  • Retries for services in Kong can be set to zero. #211

0.2.2

Release date: 2018/11/09

Fixed

  • Fix plugin config comparison logic to avoid unnecessary PATCH requests to Kong #196
  • Fix strip_path in Routes in Kong. It is now set to false by default as in all other versions of Ingress controller except 0.2.1. #194
  • Fix path-only based Ingress rule parsing and configuration where only a path based rule for a Kubernetes Service would not setup Routes and Service in Kong. #190
  • Fix a nil pointer reference when overriding Ingress resource with KongIngress #188

0.1.3

Release date: 2018/11/09

Fixed

  • Fix path-only based Ingress rule parsing and configuration where only a path based rule for a Kubernetes Service would not setup Routes and Service in Kong. #190
  • Fix plugin config comparison logic to avoid unnecessary PATCH requests to Kong #196

0.2.1

Release date: 2018/10/26

Added

  • Header Injection in requests to Kong's Admin API HTTP Headers can be set via CLI which will be injected in every request sent to Kong's Admin API, enabling the use of Ingress Controller when Kong's Control Plane is protected by Authentication/Authorization. #172
  • Path only based routing Path only Ingress rules (without a host) are now parsed and served correctly. #142
  • Under the hood, an external library is now used to talk to Kong's Admin API. Several other packages and dead code has been dropped. These changes don't have any user facing changes but are steps in direction to simplify code and make it more testable. #150 #154 #179

Fixed

  • Fixed KongIngress overrides to enable overriding hashing attributes in Upstream object in Kong. Thanks @jdevalk2 for the patch! #139
  • Remove and sync certificates correctly when TLS secret reference changes for a hostname in Ingress spec. #169
  • Migrations for Kong are run using 'Job' in Kubernetes to avoid any issues that might arise due to multiple Kong nodes running migrations. #161
  • Kong and Ingress controller now wait for Postgres to start and migrations to finish before attempting to start. #168

0.1.2

Release date: 2018/10/26

Deprecated

  • ⚠️ Configuring plugins in Kong using <plugin-name>.plugin.konghq.com annotation is now deprecated and will be removed in a future release. Please use plugins.konghq.com annotation instead.

Added

  • Header Injection in requests to Kong's Admin API HTTP Headers can be set via CLI which will be injected in every request sent to Kong's Admin API, enabling the use of Ingress Controller when Kong's Control Plane is protected by Authentication/Authorization. #172
  • Path only based routing Path only Ingress rules (without a host) are now parsed and served correctly. #142
  • Global Plugins Plugins can be configured to run globally in Kong using a "global" label on KongPlugin resource. #112
  • A new property plugin has been introduced in KongPlugin resource which ties the configuration to be used and the type of the plugin. #122
  • Multiple plugins can be configured for an Ingress or a Service in k8s using plugins.konghq.com annotation. #124
  • KongPlugin resources do not need to be duplicated any more. The same KongPlugin resource can be used across multiple Ingress/Service resources. #121

Fixed

  • Avoid issuing unnecessary PATCH requests on Services in Kong during the reconciliation loop, which lead to unnecessary Router rebuilds inside Kong. #107
  • Fixed the diffing logic for plugin configuration between KongPlugin resource in k8s and plugin config in Kong to avoid false positives. #106
  • Correctly format IPv6 address for Targets in Kong. Thanks @NixM0nk3y for the patch! #118
  • Fixed KongIngress overrides to enable overriding hashing attributes in Upstream object in Kong. Thanks @jdevalk2 for the patch! #139
  • Remove and sync certificates correctly when TLS secret reference changes for a hostname in Ingress spec. #169

0.1.1

Release date: 2018/09/26

Fixed

  • Fix version parsing for minor releases of Kong Enterprise (like 0.33-1). The dash(-) didn't go well with the semver parsing #141

0.2.0

Release date: 2018/09/21

Breaking Changes

  • ⚠️ Support for Kong 0.13.x has been dropped in favor of 0.14.x

Deprecated

  • ⚠️ Configuring plugins in Kong using <plugin-name>.plugin.konghq.com annotation is now deprecated and will be removed in a future release. Please use plugins.konghq.com annotation instead.

Added

  • Support for Kong 0.14.x The supported version of Kong 0.14.x has been introduced. Kong 0.14.x introduced breaking changes to a few Admin API endpoints which have been updated in the Ingress Controller. #101
  • Global Plugins Plugins can be configured to run globally in Kong using a "global" label on KongPlugin resource. #112
  • A new property plugin has been introduced in KongPlugin resource which ties the configuration to be used and the type of the plugin. #122
  • Multiple plugins can be configured for an Ingress or a Service in k8s using plugins.konghq.com annotation. #124
  • KongPlugin resources do not need to be duplicated any more. The same KongPlugin resource can be used across multiple Ingress/Service resources. #121
  • The custom resource definitions now have a short-name for all the CRDs, making it easy to interact with kubectl. #120

Fixed

  • Avoid issuing unnecessary PATCH requests on Services in Kong during the reconciliation loop, which lead to unnecessary Router rebuilds inside Kong. #107
  • Fixed the diffing logic for plugin configuration between KongPlugin resource in k8s and plugin config in Kong to avoid false positives. #106
  • Correctly format IPv6 address for Targets in Kong. Thanks @NixM0nk3y for the patch! #118

0.1.0

Release date: 2018/08/17

Breaking Changes

  • ⚠️ Declarative Consumers in Kong Kong consumers can be declaratively configured via KongConsumer custom resources. Any consumers created directly in Kong without a corresponding KongConsumer custom resource will be deleted by the ingress controller. #81

Added

  • Support Upstream TLS Service in Kong can be configured to use HTTPS via KongIngress custom resource. #79
  • Support for control over protocol(HTTP/HTTPS) to use for ingress traffic via KongIngress custom resource. #64

Fixed

  • Multiple SNIs are created in Kong if multiple hosts are specified in TLS section of an Ingress resource. #76
  • Updates to KongIngress resource associated with an Ingress now updates the corresponding routing properties in Kong. #92

v0.0.5

Release date: 2018/06/02

Added

  • Add support for Kong Enterprise Edition 0.32 and above

v0.0.4 and prior

  • The initial versions were rapildy iterated to deliver a working ingress controller.