[ { "path": ".bazelignore", "content": "# NB: sematics here are not the same as .gitignore\n# see https://github.com/bazelbuild/bazel/issues/8106\n# Ignore backup files.\n*~\n# Ignore Vim swap files.\n.*.swp\n# Ignore files generated by IDEs.\n/.aswb/\n/.cache/\n/.classpath\n/.clwb/\n/.factorypath\n/.idea/\n/.ijwb/\n/.project\n/.settings\n/.vscode/\n/bazel.iml\n# Ignore all bazel-* symlinks. There is no full list since this can change\n# based on the name of the directory bazel is cloned into.\n/bazel-*\n# Ignore outputs generated during Bazel bootstrapping.\n/output/\n# Ignore jekyll build output.\n/production\n/.sass-cache\n# Bazelisk version file\n.bazelversion\n# User-specific .bazelrc\nuser.bazelrc\n\n/t/\n/spec/\n/spec-ee/\n/servroot/\n/autodoc/\n/.github/\n\n.DS_Store\n" }, { "path": ".bazelrc", "content": "# Bazel doesn't need more than 200MB of memory for local build based on memory profiling:\n# https://docs.bazel.build/versions/master/skylark/performance.html#memory-profiling\n# The default JVM max heapsize is 1/4 of physical memory up to 32GB which could be large\n# enough to consume all memory constrained by cgroup in large host.\n# Limiting JVM heapsize here to let it do GC more when approaching the limit to\n# leave room for compiler/linker.\n# The number 3G is chosen heuristically to both support large VM and small VM with RBE.\n# Startup options cannot be selected via config.\nstartup --host_jvm_args=-Xmx512m\n\nrun --color=yes\n\ncommon --color=yes\ncommon --curses=auto\n\n# TODO: remove after bump to bazel >= 8\ncommon --enable_workspace\n\nbuild --experimental_ui_max_stdouterr_bytes=10485760\n\nbuild --show_progress_rate_limit=0\nbuild --show_timestamps\nbuild --worker_verbose\n\nbuild --incompatible_strict_action_env\n\n# make output files and directories 0755 instead of 0555\nbuild --experimental_writable_outputs\n\n\n# Pass PATH, CC, CXX variables from the environment.\nbuild --action_env=CC --host_action_env=CC\nbuild --action_env=CXX --host_action_env=CXX\nbuild --action_env=PATH --host_action_env=PATH\n\n# temporary fix for https://github.com/bazelbuild/bazel/issues/12905 on macOS\nbuild --features=-debug_prefix_map_pwd_is_dot\n\n# Build flags.\nbuild --action_env=BUILD_NAME=kong-dev\nbuild --action_env=INSTALL_DESTDIR=MANAGED\nbuild --strip=never\n\n# Release flags\nbuild:release --//:debug=false\nbuild:release --//:licensing=true\nbuild:release --action_env=BUILD_NAME=kong-dev\nbuild:release --action_env=INSTALL_DESTDIR=/usr/local\nbuild:release --compilation_mode=opt\nbuild:release --copt=\"-g\"\nbuild:release --strip=never\n\nbuild --spawn_strategy=local\n\n" }, { "path": ".bazelversion", "content": "7.3.1\n" }, { "path": ".busted", "content": "return {\n default = {\n lpath = \"./?.lua;./?/init.lua;\",\n -- make setup() and teardown() behave like their lazy_ variants\n lazy = true,\n helper = \"./spec/busted-ci-helper.lua\",\n }\n}\n" }, { "path": ".ci/ast-grep/README.md", "content": "# ast-grep\n\n`ast-grep` is a tool for querying source code in a (relatively)\nlanguage-agnostic manner. It allows us to write lint rules that target patterns\nthat are specific to our codebase and therefore not covered by tools like\n`luacheck`.\n\n## Installing ast-grep\n\nSee the [installation docs](https://ast-grep.github.io/guide/quick-start.html#installation)\nfor guidance.\n\n\n## Crafting a New Lint Rule\n\nThe workflow for writing a new lint rule looks like this:\n\n1. Draft your rule at `.ci/ast-grep/rules/${name}.yml`\n * Use `ast-grep scan --filter ${name} [paths...]` to evaluate your rule's behavior\n2. Write tests for the rule in `.ci/ast-grep/tests/${name}-test.yml`\n * Make sure to fill out several `valid` and `invalid` code snippets\n * Use `ast-grep test --interactive`* to test the rule\n3. `git add .gi/ast-grep && git commit ...`\n\n\\* `ast-grep test` uses a file snapshot testing pattern. Almost any time a rule\nor test is created/modified, the snapshots must be updated. The `--interactive`\nflag for `ast-grep test` will prompt you to accept these updates. The snapshots\nprovide very granular testing for rule behavior, but for many cases where we\njust care about whether or not a rule matches a certain snippet of code, they\ncan be overkill. Use `ast-grep --update-all` to automatically accept and save\nnew snapshots.\n\n## CI\n\n`ast-grep` is executed in the ([ast-grep lint\nworkflow](/.github/workflows/ast-grep.yml)). In addition to running the linter,\nthis workflow also performs self-tests and ensures that all existing rules are\nwell-formed and have tests associated with them.\n\n### Links\n\n* [ast-grep website and documentation](https://ast-grep.github.io)\n* [ast-grep source code](https://github.com/ast-grep/ast-grep)\n" }, { "path": ".ci/ast-grep/common/.gitkeep", "content": "" }, { "path": ".ci/ast-grep/rules/.gitkeep", "content": "" }, { "path": ".ci/ast-grep/rules/assert-eventually-terminated.yml", "content": "id: assert-eventually-terminated\nlanguage: lua\nmessage: Unterminated eventual assertion\nseverity: error\nnote: |\n `assert.eventually()` does not perform any assertion unless followed\n by one of its terminator methods:\n * `is_truthy(message)`\n * `is_falsy(message)`\n * `has_error(message)`\n * `has_no_error(message)`\n\nfiles:\n - '**/*_spec.lua'\n\nrule:\n all:\n - kind: function_call\n pattern: $$$.eventually($$$)\n\n - has:\n kind: dot_index_expression\n any:\n - pattern: assert.$$$\n - pattern: luassert.$$$\n stopBy: end\n\n - not:\n inside:\n kind: function_call\n any:\n - pattern: $$$.is_truthy($$$)\n - pattern: $$$.is_falsy($$$)\n - pattern: $$$.has_error($$$)\n - pattern: $$$.has_no_error($$$)\n stopBy: end\n" }, { "path": ".ci/ast-grep/rules/helpers-outside-of-setup.yml", "content": "id: helpers-outside-of-setup\nlanguage: lua\nmessage: Calling test setup helper function in the wrong scope\nseverity: warning\nnote: |\n Avoid calling test setup functions outside of `setup()`/`lazy_setup()`.\n\n ## good\n ```lua\n describe(\"my test\", function()\n local port_a\n local port_b\n\n lazy_setup(function()\n port_a = helpers.get_available_port()\n end)\n\n it(\"my test case\", function()\n port_b = helpers.get_available_port()\n end)\n end)\n\n ## bad\n ```lua\n local port_a = helpers.get_available_port()\n describe(\"my test\", function()\n local port_b = helpers.get_available_port()\n\n it(\"my test case\", function()\n end)\n end)\n\n\nfiles:\n - '**/*_spec.lua'\n\nutils:\n function-scope:\n any:\n - kind: function_call\n - kind: function_declaration\n - kind: function_definition\n\n module-scope:\n not:\n inside:\n matches: function-scope\n stopBy: end\n\n busted-test-case:\n inside:\n kind: function_call\n any:\n - pattern: it($$$)\n - pattern: pending($$$)\n\n # aliases for it/pending seen in test files\n - pattern: do_it($$$)\n - pattern: postgres_only($$$)\n\n busted-lifecycle:\n inside:\n kind: function_call\n any:\n - pattern: setup($$$)\n - pattern: lazy_setup($$$)\n - pattern: teardown($$$)\n - pattern: lazy_teardown($$$)\n - pattern: before_each($$$)\n - pattern: after_each($$$)\n\n in-upgrade-helper-setup:\n pattern: $IDENT.setup($$$)\n inside:\n kind: chunk\n stopBy: end\n has:\n any:\n - pattern: $IDENT = require \"spec.upgrade_helpers\"\n - pattern: $IDENT = require(\"spec.upgrade_helpers\")\n stopBy: end\n\n in-function-scope:\n any:\n # local function my_setup()\n # helpers.get_available_port()\n # end\n - kind: function_declaration\n\n # local my_setup = function()\n # helpers.get_available_port()\n # end\n - pattern: $IDENT = function($$$) $$$ end\n\n busted-describe:\n inside:\n kind: function_call\n pattern: describe($$$)\n stopBy:\n any:\n - matches: busted-test-case\n - matches: busted-lifecycle\n - matches: in-function-scope\n - matches: in-upgrade-helper-setup\n\n non-setup-scope:\n any:\n - matches: module-scope\n - matches: busted-describe\n\nrule:\n kind: function_call\n pattern: helpers.$FUNC($$$)\n matches: non-setup-scope\n\nconstraints:\n FUNC:\n kind: identifier\n any:\n - pattern: admin_client\n - pattern: generate_keys\n - pattern: get_available_port\n - pattern: get_db_utils\n - pattern: setenv\n - pattern: start_kong\n - pattern: tcp_server\n" }, { "path": ".ci/ast-grep/rules/ngx-log-string-concat.yml", "content": "id: ngx-log-string-concat\nlanguage: lua\nmessage: Using string concatenation to build arguments for ngx.log()\nseverity: error\nnote: |\n When invoking `ngx.log()` with some variable as input, prefer vararg-style\n calls rather than using the string concatenation operator (`..`):\n\n ## bad\n ```lua\n ngx.log(ngx.DEBUG, \"if `my_var` is nil, this code throws an exception: \" .. my_var)\n ```\n\n ## good\n ```lua\n ngx.log(ngx.DEBUG, \"if `my_var` is nil, this code is fine: \", my_var)\n ```\n\nfiles:\n - kong/**\n - test*.lua\n\nrule:\n all:\n - matches: string-concat\n inside:\n kind: arguments\n inside:\n matches: ngx-log-call\n - not:\n matches: string-literal-concat\n\nutils:\n ngx-log-call:\n any:\n # direct invocation of `_G.ngx.log()`\n - pattern: ngx.log($_LEVEL, $$$)\n\n # track local var assignments of `_G.ngx.log`\n - pattern: $IDENT($_LEVEL, $$$)\n inside:\n kind: chunk\n stopBy: end\n has:\n pattern: $IDENT = ngx.log\n stopBy: end\n\n string-concat:\n kind: binary_expression\n pattern: $LHS .. $RHS\n\n string-literal-concat:\n kind: binary_expression\n all:\n - has:\n nthChild: 1\n any:\n - kind: string\n - matches: string-literal-concat\n\n - has:\n nthChild: 2\n any:\n - kind: string\n - matches: string-literal-concat\n" }, { "path": ".ci/ast-grep/tests/.gitkeep", "content": "" }, { "path": ".ci/ast-grep/tests/__snapshots__/assert-eventually-terminated-snapshot.yml", "content": "id: assert-eventually-terminated\nsnapshots:\n assert.eventually(function() end):\n labels:\n - source: assert.eventually(function() end)\n style: primary\n start: 0\n end: 33\n - source: assert.eventually\n style: secondary\n start: 0\n end: 17\n ? |\n assert.eventually(function() end)\n : labels:\n - source: assert.eventually(function() end)\n style: primary\n start: 0\n end: 33\n - source: assert.eventually\n style: secondary\n start: 0\n end: 17\n assert.eventually(function() end).with_timeout(1):\n labels:\n - source: assert.eventually(function() end)\n style: primary\n start: 0\n end: 33\n - source: assert.eventually\n style: secondary\n start: 0\n end: 17\n assert.with_timeout(1).eventually(function() end):\n labels:\n - source: assert.with_timeout(1).eventually(function() end)\n style: primary\n start: 0\n end: 49\n - source: assert.with_timeout\n style: secondary\n start: 0\n end: 19\n assert.with_timeout(1).eventually(function() end).with_timeout(1):\n labels:\n - source: assert.with_timeout(1).eventually(function() end)\n style: primary\n start: 0\n end: 49\n - source: assert.with_timeout\n style: secondary\n start: 0\n end: 19\n luassert.eventually(function() end):\n labels:\n - source: luassert.eventually(function() end)\n style: primary\n start: 0\n end: 35\n - source: luassert.eventually\n style: secondary\n start: 0\n end: 19\n ? |\n luassert.eventually(function() end)\n : labels:\n - source: luassert.eventually(function() end)\n style: primary\n start: 0\n end: 35\n - source: luassert.eventually\n style: secondary\n start: 0\n end: 19\n luassert.eventually(function() end).with_timeout(1):\n labels:\n - source: luassert.eventually(function() end)\n style: primary\n start: 0\n end: 35\n - source: luassert.eventually\n style: secondary\n start: 0\n end: 19\n luassert.with_timeout(1).eventually(function() end):\n labels:\n - source: luassert.with_timeout(1).eventually(function() end)\n style: primary\n start: 0\n end: 51\n - source: luassert.with_timeout\n style: secondary\n start: 0\n end: 21\n luassert.with_timeout(1).eventually(function() end).with_timeout(1):\n labels:\n - source: luassert.with_timeout(1).eventually(function() end)\n style: primary\n start: 0\n end: 51\n - source: luassert.with_timeout\n style: secondary\n start: 0\n end: 21\n" }, { "path": ".ci/ast-grep/tests/__snapshots__/helpers-outside-of-setup-snapshot.yml", "content": "id: helpers-outside-of-setup\nsnapshots:\n ? |\n describe(\"my test\", function()\n for , strategy in helpers.each_strategy() do\n local a = 123\n local port = helpers.get_available_port()\n end\n end)\n : labels:\n - source: helpers.get_available_port()\n style: primary\n start: 113\n end: 141\n - source: |-\n describe(\"my test\", function()\n for , strategy in helpers.each_strategy() do\n local a = 123\n local port = helpers.get_available_port()\n end\n end)\n style: secondary\n start: 0\n end: 152\n ? |\n describe(\"my test\", function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n : labels:\n - source: helpers.get_available_port()\n style: primary\n start: 62\n end: 90\n - source: |-\n describe(\"my test\", function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n style: secondary\n start: 0\n end: 95\n ? |\n describe(function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n : labels:\n - source: helpers.get_available_port()\n style: primary\n start: 51\n end: 79\n - source: |-\n describe(function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n style: secondary\n start: 0\n end: 84\n ? |\n for , strategy in helpers.each_strategy() do\n local a = 123\n local port = helpers.get_available_port()\n\n describe(\"my test\", function()\n -- ...\n end)\n end\n : labels:\n - source: helpers.get_available_port()\n style: primary\n start: 76\n end: 104\n ? |\n for , strategy in helpers.each_strategy() do\n local a = 123\n local port = helpers.get_available_port()\n end\n : labels:\n - source: helpers.get_available_port()\n style: primary\n start: 76\n end: 104\n ? |\n local a = 123\n local port = helpers.get_available_port()\n : labels:\n - source: helpers.get_available_port()\n style: primary\n start: 27\n end: 55\n local port = helpers.get_available_port():\n labels:\n - source: helpers.get_available_port()\n style: primary\n start: 13\n end: 41\n" }, { "path": ".ci/ast-grep/tests/__snapshots__/ngx-log-string-concat-snapshot.yml", "content": "id: ngx-log-string-concat\nsnapshots:\n ? |\n local foo = ngx.log\n\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n : labels:\n - source: 'b .. c .. \": STRING\"'\n style: primary\n start: 37\n end: 57\n - source: foo = ngx.log\n style: secondary\n start: 6\n end: 19\n - source: |\n local foo = ngx.log\n\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n style: secondary\n start: 0\n end: 59\n - source: 'foo(ngx.NOTICE, b .. c .. \": STRING\")'\n style: secondary\n start: 21\n end: 58\n - source: '(ngx.NOTICE, b .. c .. \": STRING\")'\n style: secondary\n start: 24\n end: 58\n ? |\n local foo = ngx.log\n\n if true then\n local function my_log(a, b, c)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n end\n : labels:\n - source: 'b .. c .. \": STRING\"'\n style: primary\n start: 87\n end: 107\n - source: foo = ngx.log\n style: secondary\n start: 6\n end: 19\n - source: |\n local foo = ngx.log\n\n if true then\n local function my_log(a, b, c)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n end\n style: secondary\n start: 0\n end: 119\n - source: 'foo(ngx.NOTICE, b .. c .. \": STRING\")'\n style: secondary\n start: 71\n end: 108\n - source: '(ngx.NOTICE, b .. c .. \": STRING\")'\n style: secondary\n start: 74\n end: 108\n ? |\n local ngx_log = ngx.log\n local foo = ngx.log\n\n if true then\n local function my_log(a, b, c)\n ngx_log(ngx.ERR, \"STRING: \" .. a)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n end\n : labels:\n - source: '\"STRING: \" .. a'\n style: primary\n start: 112\n end: 127\n - source: ngx_log = ngx.log\n style: secondary\n start: 6\n end: 23\n - source: |\n local ngx_log = ngx.log\n local foo = ngx.log\n\n if true then\n local function my_log(a, b, c)\n ngx_log(ngx.ERR, \"STRING: \" .. a)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n end\n style: secondary\n start: 0\n end: 181\n - source: 'ngx_log(ngx.ERR, \"STRING: \" .. a)'\n style: secondary\n start: 95\n end: 128\n - source: '(ngx.ERR, \"STRING: \" .. a)'\n style: secondary\n start: 102\n end: 128\n ? |\n local ngx_log = ngx.log\n local foo = ngx.log\n\n local function my_log(a, b, c)\n ngx_log(ngx.ERR, \"STRING: \" .. a)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n my_log(1, 2, 3)\n : labels:\n - source: '\"STRING: \" .. a'\n style: primary\n start: 95\n end: 110\n - source: ngx_log = ngx.log\n style: secondary\n start: 6\n end: 23\n - source: |\n local ngx_log = ngx.log\n local foo = ngx.log\n\n local function my_log(a, b, c)\n ngx_log(ngx.ERR, \"STRING: \" .. a)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n my_log(1, 2, 3)\n style: secondary\n start: 0\n end: 172\n - source: 'ngx_log(ngx.ERR, \"STRING: \" .. a)'\n style: secondary\n start: 78\n end: 111\n - source: '(ngx.ERR, \"STRING: \" .. a)'\n style: secondary\n start: 85\n end: 111\n ? |\n local ngx_log = ngx.log\n local foo = ngx.log\n\n ngx_log(ngx.ERR, \"STRING: \" .. a)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n : labels:\n - source: '\"STRING: \" .. a'\n style: primary\n start: 62\n end: 77\n - source: ngx_log = ngx.log\n style: secondary\n start: 6\n end: 23\n - source: |\n local ngx_log = ngx.log\n local foo = ngx.log\n\n ngx_log(ngx.ERR, \"STRING: \" .. a)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n style: secondary\n start: 0\n end: 117\n - source: 'ngx_log(ngx.ERR, \"STRING: \" .. a)'\n style: secondary\n start: 45\n end: 78\n - source: '(ngx.ERR, \"STRING: \" .. a)'\n style: secondary\n start: 52\n end: 78\n ? |\n ngx.log(ngx.INFO, \"STRING: \" .. my_var .. \": STRING\")\n : labels:\n - source: '\"STRING: \" .. my_var .. \": STRING\"'\n style: primary\n start: 18\n end: 52\n - source: 'ngx.log(ngx.INFO, \"STRING: \" .. my_var .. \": STRING\")'\n style: secondary\n start: 0\n end: 53\n - source: '(ngx.INFO, \"STRING: \" .. my_var .. \": STRING\")'\n style: secondary\n start: 7\n end: 53\n 'ngx.log(ngx.INFO, \"STRING: \" .. my_var)':\n labels:\n - source: '\"STRING: \" .. my_var'\n style: primary\n start: 18\n end: 38\n - source: 'ngx.log(ngx.INFO, \"STRING: \" .. my_var)'\n style: secondary\n start: 0\n end: 39\n - source: '(ngx.INFO, \"STRING: \" .. my_var)'\n style: secondary\n start: 7\n end: 39\n ? |\n ngx.log(ngx.INFO, \"STRING: \" .. my_var)\n : labels:\n - source: '\"STRING: \" .. my_var'\n style: primary\n start: 18\n end: 38\n - source: 'ngx.log(ngx.INFO, \"STRING: \" .. my_var)'\n style: secondary\n start: 0\n end: 39\n - source: '(ngx.INFO, \"STRING: \" .. my_var)'\n style: secondary\n start: 7\n end: 39\n ? |\n ngx.log(ngx.INFO, my_var .. \": STRING :\" .. my_other_var)\n : labels:\n - source: 'my_var .. \": STRING :\" .. my_other_var'\n style: primary\n start: 18\n end: 56\n - source: 'ngx.log(ngx.INFO, my_var .. \": STRING :\" .. my_other_var)'\n style: secondary\n start: 0\n end: 57\n - source: '(ngx.INFO, my_var .. \": STRING :\" .. my_other_var)'\n style: secondary\n start: 7\n end: 57\n 'ngx.log(ngx.INFO, my_var .. \": STRING\")':\n labels:\n - source: 'my_var .. \": STRING\"'\n style: primary\n start: 18\n end: 38\n - source: 'ngx.log(ngx.INFO, my_var .. \": STRING\")'\n style: secondary\n start: 0\n end: 39\n - source: '(ngx.INFO, my_var .. \": STRING\")'\n style: secondary\n start: 7\n end: 39\n ? |\n ngx.log(ngx.INFO, my_var .. \": STRING\")\n : labels:\n - source: 'my_var .. \": STRING\"'\n style: primary\n start: 18\n end: 38\n - source: 'ngx.log(ngx.INFO, my_var .. \": STRING\")'\n style: secondary\n start: 0\n end: 39\n - source: '(ngx.INFO, my_var .. \": STRING\")'\n style: secondary\n start: 7\n end: 39\n" }, { "path": ".ci/ast-grep/tests/assert-eventually-terminated-test.yml", "content": "id: assert-eventually-terminated\n\nvalid:\n # simple, all terminators\n - |\n assert.eventually(function() end).is_truthy()\n assert.eventually(function() end).is_falsy()\n assert.eventually(function() end).has_error()\n assert.eventually(function() end).has_no_error()\n\n # luassert counts too\n - |\n luassert.eventually(function() end).is_truthy()\n luassert.eventually(function() end).is_falsy()\n luassert.eventually(function() end).has_error()\n luassert.eventually(function() end).has_no_error()\n\n # with modifiers before .eventually()\n - |\n assert\n .with_timeout(1)\n .eventually(function() end)\n .is_truthy()\n\n # with modifiers after .eventually()\n - |\n assert\n .eventually(function() end)\n .with_timeout(1)\n .is_truthy()\n\n # eventually() but unrelated to assert\n - |\n local t = {}\n t.eventually(function() end)\n\n\ninvalid:\n # unterminated assert\n - assert.eventually(function() end)\n - assert.with_timeout(1).eventually(function() end)\n - assert.with_timeout(1).eventually(function() end).with_timeout(1)\n - assert.eventually(function() end).with_timeout(1)\n\n # same, but luassert\n - luassert.eventually(function() end)\n - luassert.with_timeout(1).eventually(function() end)\n - luassert.with_timeout(1).eventually(function() end).with_timeout(1)\n - luassert.eventually(function() end).with_timeout(1)\n" }, { "path": ".ci/ast-grep/tests/helpers-outside-of-setup-test.yml", "content": "id: helpers-outside-of-setup\n\nvalid:\n # inside `lazy_setup()`\n - |\n lazy_setup(function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n\n # inside `setup()`\n - |\n setup(function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n\n # inside `it()`\n - |\n it(function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n\n # inside a local function (declaration)\n - |\n describe(\"foo\", function()\n local port\n\n local function my_setup()\n port = helpers.get_available_port()\n end\n\n local function my_setup_with_opts(opts)\n port = helpers.get_available_port()\n end\n\n lazy_setup(function()\n my_setup()\n my_setup_with_opts({})\n end)\n end)\n\n # inside a local function (declaration + assignment)\n - |\n describe(\"foo\", function()\n local port\n\n local my_setup = function()\n port = helpers.get_available_port()\n end\n\n local my_setup_with_opts = function(opts)\n port = helpers.get_available_port()\n end\n\n lazy_setup(function()\n my_setup()\n my_setup_with_opts({})\n end)\n end)\n\n # inside a non-local function (declaration + assignment)\n - |\n local my_setup, my_setup_with_opts\n\n describe(\"foo\", function()\n local port\n\n my_setup = function()\n port = helpers.get_available_port()\n end\n\n my_setup_with_opts = function(opts)\n port = helpers.get_available_port()\n end\n\n lazy_setup(function()\n my_setup()\n my_setup_with_opts({})\n end)\n end)\n\n # inside require\"spec.upgrade_helpers\".setup\n - |\n local uh = require \"spec.upgrade_helpers\"\n\n describe(\"my test\", function()\n local port\n\n uh.setup(function()\n port = helpers.get_available_port()\n end)\n end)\n\n # inside require(\"spec.upgrade_helpers\").setup\n - |\n local uh = require(\"spec.upgrade_helpers\")\n\n describe(\"my test\", function()\n local port\n\n uh.setup(function()\n port = helpers.get_available_port()\n end)\n end)\n\ninvalid:\n # at the outermost scope\n - |\n local a = 123\n local port = helpers.get_available_port()\n\n # inside some strategy iterator thing\n - |\n for , strategy in helpers.each_strategy() do\n local a = 123\n local port = helpers.get_available_port()\n\n describe(\"my test\", function()\n -- ...\n end)\n end\n\n # inside describe() inside some iterator\n - |\n describe(\"my test\", function()\n for , strategy in helpers.each_strategy() do\n local a = 123\n local port = helpers.get_available_port()\n end\n end)\n\n # directly inside `describe()` (no label)\n - |\n describe(function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n\n # directly inside `describe()` (with label)\n - |\n describe(\"my test\", function()\n local a = 123\n local port = helpers.get_available_port()\n end)\n" }, { "path": ".ci/ast-grep/tests/ngx-log-string-concat-test.yml", "content": "id: ngx-log-string-concat\n\nvalid:\n # normal, expected usage\n - |\n ngx.log(ngx.ERR, \"STRING: \", my_var)\n\n # string literals can be concatenated to keep line lengths in check\n - |\n ngx.log(ngx.ERR, \"my very super long line\"\n .. \" my continuation of that line\")\n\n # chained/nested concatenation of string literals is allowed\n - |\n ngx.log(ngx.ERR, \"my very super long line\"\n .. \" my continuation of that line\"\n .. \" my extra continuation of that line\")\n\n # only ngx.log() calls are checked\n - |\n my_other_function(ngx.ERR, \"STRING: \" .. my_var)\n\n # saving a local reference ngx.log doesn't affect other function calls\n - |\n local ngx_log = ngx.log\n my_other_function(ngx.ERR, \"STRING: \" .. my_var)\n\ninvalid:\n # string .. variable\n - |\n ngx.log(ngx.INFO, \"STRING: \" .. my_var)\n\n # variable .. string\n - |\n ngx.log(ngx.INFO, my_var .. \": STRING\")\n\n # variable .. string .. variable\n - |\n ngx.log(ngx.INFO, my_var .. \": STRING :\" .. my_other_var)\n\n # string .. variable .. string\n - |\n ngx.log(ngx.INFO, \"STRING: \" .. my_var .. \": STRING\")\n\n # calling ngx.log via local var reference\n - |\n local foo = ngx.log\n\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n\n # calling ngx.log via local var reference (nested)\n - |\n local foo = ngx.log\n\n if true then\n local function my_log(a, b, c)\n foo(ngx.NOTICE, b .. c .. \": STRING\")\n end\n end\n" }, { "path": ".ci/luacov-stats-aggregator.lua", "content": "-- Aggregates stats from multiple luacov stat files.\n-- Example stats for a 12 lines file `my/file.lua`\n-- that received hits on lines 3, 4, 9:\n-- \n-- [\"my/file.lua\"] = {\n-- [3] = 1,\n-- [4] = 3,\n-- [9] = 2,\n-- max = 12,\n-- max_hits = 3\n-- }\n--\n\nlocal luacov_stats = require \"luacov.stats\"\nlocal luacov_reporter = require \"luacov.reporter\"\nlocal luacov_runner = require \"luacov.runner\"\nlocal lfs = require \"lfs\"\n\n\n-- load parameters\nlocal params = {...}\nlocal stats_folders_prefix = params[1] or \"luacov-stats-out-\"\nlocal file_name = params[2] or \"luacov.stats.out\"\nlocal strip_prefix = params[3] or \"\"\nlocal base_path = \".\"\n\n\n-- load stats from different folders named using the format:\n-- luacov-stats-out-${timestamp}\nlocal loaded_stats = {}\nfor folder in lfs.dir(base_path) do\n if folder:find(stats_folders_prefix, 1, true) then\n local stats_file = folder .. \"/\" .. file_name\n local loaded = luacov_stats.load(stats_file)\n if loaded then\n loaded_stats[#loaded_stats + 1] = loaded\n print(\"loading file: \" .. stats_file)\n end\n end\nend\n\n\n-- aggregate\nluacov_runner.load_config()\nfor _, stat_data in ipairs(loaded_stats) do\n -- make all paths relative to ensure file keys have the same format\n -- and avoid having separate counters for the same file\n local rel_stat_data = {}\n for f_name, data in pairs(stat_data) do\n if f_name:sub(0, #strip_prefix) == strip_prefix then\n f_name = f_name:sub(#strip_prefix + 1)\n end\n rel_stat_data[f_name] = data\n end\n\n luacov_runner.data = rel_stat_data\n luacov_runner.save_stats()\nend\n\n\n-- generate report\nluacov_reporter.report()\n" }, { "path": ".ci/test_suites.json", "content": "[\n {\n \"name\": \"unit\",\n \"exclude_tags\": \"flaky,ipv6\",\n \"venv_script\": \"kong-dev-venv.sh\",\n \"specs\": [\"spec/01-unit/\"]\n },\n {\n \"name\": \"integration\",\n \"exclude_tags\": \"flaky,ipv6,off\",\n \"environment\": {\n \"KONG_TEST_DATABASE\": \"postgres\"\n },\n \"venv_script\": \"kong-dev-venv.sh\",\n \"specs\": [\"spec/02-integration/\"]\n },\n {\n \"name\": \"dbless\",\n \"exclude_tags\": \"flaky,ipv6,postgres,db\",\n \"environment\": {\n \"KONG_TEST_DATABASE\": \"off\"\n },\n \"venv_script\": \"kong-dev-venv.sh\",\n \"specs\": [\n \"spec/02-integration/02-cmd/\",\n \"spec/02-integration/05-proxy/\",\n \"spec/02-integration/04-admin_api/02-kong_routes_spec.lua\",\n \"spec/02-integration/04-admin_api/15-off_spec.lua\",\n \"spec/02-integration/08-status_api/01-core_routes_spec.lua\",\n \"spec/02-integration/08-status_api/03-readiness_endpoint_spec.lua\",\n \"spec/02-integration/11-dbless/\"\n ]\n },\n {\n \"name\": \"plugins\",\n \"exclude_tags\": \"flaky,ipv6\",\n \"venv_script\": \"kong-dev-venv.sh\",\n \"specs\": [\"spec/03-plugins/\"]\n }\n]\n" }, { "path": ".devcontainer/Dockerfile", "content": "FROM kong/kong:3.0.0-ubuntu\n\nUSER root\n\nRUN apt-get update\n\nRUN apt-get install -y \\\n build-essential \\\n unzip \\\n git \\\n m4 \\\n libyaml-dev \\\n curl\n" }, { "path": ".devcontainer/devcontainer.json", "content": "// For format details, see https://code.visualstudio.com/docs/remote/devcontainerjson-reference\n{\n \"name\": \"Kong Gateway Dev\",\n\n // Update the 'dockerComposeFile' list if you have more compose files or use different names.\n \"dockerComposeFile\": \"docker-compose.yml\",\n\n // The 'service' property is the name of the service for the container that VS Code should\n // use. Update this value and .devcontainer/docker-compose.yml to the real service name.\n \"service\": \"kong\",\n\n // The optional 'workspaceFolder' property is the path VS Code should open by default when\n // connected. This is typically a volume mount in .devcontainer/docker-compose.yml\n \"workspaceFolder\": \"/workspace\",\n\n // Use 'forwardPorts' to make a list of ports inside the container available locally.\n \"forwardPorts\": [8000, 8001, \"db:5432\"],\n\n \"postCreateCommand\": \"make dev-legacy\",\n\n // Set *default* container specific settings.json values on container create.\n // \"settings\": {},\n\n // Add the IDs of extensions you want installed when the container is created.\n // \"extensions\": [],\n\n // Uncomment the next line if you want to keep your containers running after VS Code shuts down.\n // \"shutdownAction\": \"none\",\n\n // Uncomment the next line to use 'postCreateCommand' to run commands after the container is created.\n // \"postCreateCommand\": \"uname -a\",\n\n // Comment out to connect as root instead. To add a non-root user, see: https://aka.ms/vscode-remote/containers/non-root.\n // \"remoteUser\": \"vscode\"\n}\n" }, { "path": ".devcontainer/docker-compose.yml", "content": "version: \"3.8\"\n\nservices:\n\n db:\n image: postgres:9.6\n environment:\n POSTGRES_PASSWORD: kong\n POSTGRES_USER: kong\n\n kong:\n build:\n # Using a Dockerfile is optional, but included for completeness.\n context: .\n dockerfile: Dockerfile\n\n volumes:\n # This is where VS Code should expect to find your project's source code and the value of \"workspaceFolder\" in .devcontainer/devcontainer.json\n - ..:/workspace:cached\n\n # Uncomment the next line to use Docker from inside the container. See https://aka.ms/vscode-remote/samples/docker-from-docker-compose for details.\n - /var/run/docker.sock:/var/run/docker.sock\n\n # Uncomment the next four lines if you will use a ptrace-based debugger like C++, Go, and Rust.\n cap_add:\n - SYS_PTRACE\n security_opt:\n - seccomp:unconfined\n\n environment:\n KONG_PROXY_ERROR_LOG: /dev/stderr\n KONG_PG_USER: kong\n KONG_PG_DATABASE: kong\n KONG_PG_PASSWORD: kong\n KONG_PG_HOST: db\n OPENSSL_DIR: /usr/local/kong\n CRYPTO_DIR: /usr/local/kong\n\n # Overrides default command so things don't shut down after the process ends.\n command: /bin/sh -c \"while sleep 1000; do :; done\"\n\n # Runs app on the same network as the service container, allows \"forwardPorts\" in devcontainer.json function.\n network_mode: service:db\n\n # Use \"forwardPorts\" in **devcontainer.json** to forward an app port locally.\n # (Adding the \"ports\" property to this file will not forward from a Codespace.)\n\n # Uncomment the next line to use a non-root user for all processes - See https://aka.ms/vscode-remote/containers/non-root for details.\n # user: vscode\n" }, { "path": ".editorconfig", "content": "root = true\n\n[*]\nend_of_line = lf\ninsert_final_newline = true\ntrim_trailing_whitespace = true\ncharset = utf-8\n\n[*.lua]\nindent_style = space\nindent_size = 2\n\n[kong/templates/nginx*]\nindent_style = space\nindent_size = 4\n\n[*.template]\nindent_style = space\nindent_size = 4\n\n[Makefile]\nindent_style = tab\n\n[bin/kong]\nindent_style = space\nindent_size = 2\n\n[bin/busted]\nindent_style = space\nindent_size = 2\n\n[bin/kong-health]\nindent_style = space\nindent_size = 2\n" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.yaml", "content": "name: 🐞 Bug\ndescription: Something is not working as indended.\nbody:\n- type: checkboxes\n attributes:\n label: Is there an existing issue for this?\n description: Please search to see if an issue already exists for the bug you encountered. Make sure you are also using the latest version of Kong.\n options:\n - label: I have searched the existing issues\n required: true\n- type: input \n attributes:\n label: Kong version (`$ kong version`)\n description: 'example: Kong 2.5'\n placeholder: 'Please provide the current Kong Gateway version you are using here.'\n validations:\n required: true\n- type: textarea\n attributes:\n label: Current Behavior\n description: A concise description of what you're experiencing.\n placeholder: |\n When I do , happens and I see the error message attached below:\n ```...```\n validations:\n required: false\n- type: textarea\n attributes:\n label: Expected Behavior\n description: A concise description of what you expected to happen.\n placeholder: When I do , should happen instead.\n validations:\n required: false\n- type: textarea\n attributes:\n label: Steps To Reproduce\n description: Steps to reproduce the behavior.\n placeholder: |\n 1. In this environment...\n 2. With this config...\n 3. Run '...'\n 4. See error...\n validations:\n required: false\n- type: textarea\n attributes:\n label: Anything else?\n description: |\n - Kong debug-level startup logs (`$ kong start --vv`)\n - Kong error logs (`/logs/error.log`)\n - Kong configuration (the output of a GET request to Kong's Admin port - see\n https://docs.konghq.com/latest/admin-api/#retrieve-node-information)\n - Running operating system\n validations:\n required: false\n" }, { "path": ".github/ISSUE_TEMPLATE/config.yml", "content": "blank_issues_enabled: true\ncontact_links:\n - name: Kong Gateway Open Source Community Pledge\n url: https://github.com/Kong/kong/blob/master/COMMUNITY_PLEDGE.md\n - name: Feature Request\n url: https://github.com/Kong/kong/discussions/categories/ideas-and-feature-requests\n about: Propose your cool ideas and feature requests at the Kong discussion forum\n - name: Question\n url: https://github.com/Kong/kong/discussions/categories/help\n about: Ask (and answer) questions at the Kong discussion forum\n" }, { "path": ".github/PULL_REQUEST_TEMPLATE.md", "content": "\n\n### Summary\n\n\n\n### Checklist\n\n- [ ] The Pull Request has tests\n- [ ] A changelog file has been created under `changelog/unreleased/kong` or `skip-changelog` label added on PR if changelog is unnecessary. [README.md](https://github.com/Kong/gateway-changelog/blob/main/README.md)\n- [ ] There is a user-facing docs PR against https://github.com/Kong/developer.konghq.com - PUT DOCS PR HERE\n\n### Issue reference\n\n\nFix #_[issue number]_\n" }, { "path": ".github/actions/build-cache-key/action.yml", "content": "name: Build Cache Key\n\ndescription: >\n Generates a cache key suitable for save/restore of Kong builds.\n\ninputs:\n prefix:\n description: 'String prefix applied to the build cache key'\n required: false\n default: 'build'\n extra:\n description: 'Additional values/file hashes to use in the cache key'\n required: false\n\noutputs:\n cache-key:\n description: 'The generated cache key'\n value: ${{ steps.cache-key.outputs.CACHE_KEY }}\n\nruns:\n using: composite\n steps:\n - name: Generate cache key\n id: cache-key\n shell: bash\n env:\n PREFIX: ${{ inputs.prefix }}\n EXTRA: ${{ inputs.extra }}\n run: |\n # please keep these sorted\n FILE_HASHES=(\n ${{ hashFiles('.bazelignore') }}\n ${{ hashFiles('.bazelrc') }}\n ${{ hashFiles('.bazelversion') }}\n ${{ hashFiles('.github/actions/build-cache-key/**') }}\n ${{ hashFiles('.github/workflows/build.yml') }}\n ${{ hashFiles('.requirements') }}\n ${{ hashFiles('BUILD.bazel') }}\n ${{ hashFiles('WORKSPACE') }}\n ${{ hashFiles('bin/kong') }}\n ${{ hashFiles('bin/kong-health') }}\n ${{ hashFiles('build/**') }}\n ${{ hashFiles('kong-*.rockspec') }}\n ${{ hashFiles('kong.conf.default') }}\n )\n\n if [[ -n ${EXTRA:-} ]]; then\n readarray \\\n -O \"${#FILE_HASHES[@]}\" \\\n -t \\\n FILE_HASHES \\\n <<< \"$EXTRA\"\n fi\n\n HASH=$(printf '%s\\n' \"${FILE_HASHES[@]}\" \\\n | grep -vE '^$' \\\n | sort --stable --unique \\\n | sha256sum - \\\n | awk '{print $1}'\n )\n\n echo \"CACHE_KEY=${PREFIX}::${HASH}\" | tee -a $GITHUB_OUTPUT\n" }, { "path": ".github/actions/build-wasm-test-filters/action.yml", "content": "name: Build WASM Test Filters\n\ndescription: >\n Installs the rust toolchain and builds the WASM filters that are used\n in our integration tests\n\nruns:\n using: composite\n steps:\n - name: Setup env vars\n shell: bash\n run: |\n FILTER_PATH=$PWD/spec/fixtures/proxy_wasm_filters\n {\n echo \"WASM_FILTER_PATH=$FILTER_PATH\"\n echo \"WASM_FIXTURE_PATH=$FILTER_PATH/build\"\n echo \"WASM_FILTER_CARGO_LOCK=$FILTER_PATH/Cargo.lock\"\n echo \"WASM_FILTER_TARGET=wasm32-wasip1\"\n } >> $GITHUB_ENV\n\n - name: Setup cache key\n shell: bash\n env:\n FILE_HASH: ${{ hashFiles(env.WASM_FILTER_CARGO_LOCK, format('{0}/**/*.rs', env.WASM_FILTER_PATH)) }}\n CACHE_VERSION: \"6\"\n RUNNER_OS: ${{ runner.os }}\n run: |\n CACHE_PREFIX=\"wasm-test-filters::v${CACHE_VERSION}::${RUNNER_OS}::${WASM_FILTER_TARGET}::\"\n {\n echo \"WASM_CACHE_PREFIX=${CACHE_PREFIX}\"\n echo \"WASM_CACHE_KEY=${CACHE_PREFIX}${FILE_HASH}\"\n } >> $GITHUB_ENV\n\n - name: Restore Cache\n uses: actions/cache/restore@v4\n id: restore-cache\n with:\n path: ${{ env.WASM_FILTER_PATH }}/target/**/*.wasm\n key: ${{ env.WASM_CACHE_KEY }}\n\n - name: Install Rust Toolchain\n if: steps.restore-cache.outputs.cache-hit != 'true'\n uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203\n with:\n toolchain: stable\n components: cargo\n targets: ${{ env.WASM_FILTER_TARGET }}\n\n - name: Build Test Filters\n if: steps.restore-cache.outputs.cache-hit != 'true'\n shell: bash\n run: |\n # building in release mode yields smaller library sizes, so it's\n # better for our cacheability\n cargo build \\\n --manifest-path \"${WASM_FILTER_PATH:?}/Cargo.toml\" \\\n --workspace \\\n --lib \\\n --target \"${WASM_FILTER_TARGET:?}\" \\\n --release\n\n - name: Save cache\n if: steps.restore-cache.outputs.cache-hit != 'true'\n id: save-cache\n uses: actions/cache/save@v4\n with:\n path: ${{ env.WASM_FILTER_PATH }}/target/**/*.wasm\n key: ${{ env.WASM_CACHE_KEY }}\n\n - name: Create a symlink to the target directory\n shell: bash\n run: |\n ln -sfv \\\n --no-target-directory \\\n \"${WASM_FILTER_PATH:?}\"/target/\"${WASM_FILTER_TARGET:?}\"/release \\\n \"${WASM_FIXTURE_PATH:?}\"\n\n - name: debug\n shell: bash\n run: ls -la \"${{ env.WASM_FIXTURE_PATH }}\"/*.wasm\n" }, { "path": ".github/dependabot.yml", "content": "# Set update schedule for GitHub Actions\n\nversion: 2\nupdates:\n\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n # Check for updates to GitHub Actions every week\n interval: \"weekly\"\n" }, { "path": ".github/labeler.yml", "content": "'cherry-pick kong-ee':\n- changed-files:\n - any-glob-to-any-file: ['kong/**/*', 'spec/**/*', 'build/**/*', 'bin/**/*', 'scripts/**/*', 'changelog/**/*']\n\ncore/admin-api:\n- changed-files:\n - any-glob-to-any-file: kong/api/**/*\n\ncore/balancer:\n- changed-files:\n - any-glob-to-any-file: kong/runloop/balancer/*\n\ncore/cli:\n- changed-files:\n - any-glob-to-any-file: kong/cmd/**/*\n\ncore/clustering:\n- changed-files:\n - any-glob-to-any-file: ['kong/clustering/**/*', 'kong/cluster_events/**/*']\n\ncore/configuration:\n- changed-files:\n - any-glob-to-any-file: kong/conf_loader/*\n\ncore/db/migrations:\n- changed-files:\n - any-glob-to-any-file: kong/db/migrations/**/*\n\ncore/db:\n- changed-files:\n - all-globs-to-any-file: ['kong/db/**/*', '!kong/db/migrations/**/*']\n\nchangelog:\n- changed-files:\n - any-glob-to-any-file: CHANGELOG.md\n\ncore/docs:\n- changed-files:\n - all-globs-to-any-file: ['**/*.md', '!CHANGELOG.md']\n\nautodoc:\n- changed-files:\n - any-glob-to-any-file: 'autodoc/**/*'\n\ncore/language/go:\n- changed-files:\n - any-glob-to-any-file: kong/runloop/plugin_servers/*\n\ncore/language/js:\n- changed-files:\n - any-glob-to-any-file: kong/runloop/plugin_servers/*\n\ncore/language/python:\n- changed-files:\n - any-glob-to-any-file: kong/runloop/plugin_servers/*\n\ncore/logs:\n- changed-files:\n - any-glob-to-any-file: kong/pdk/log.lua\n\ncore/pdk:\n- changed-files:\n - all-globs-to-any-file: ['kong/pdk/**/*', '!kong/pdk/log.lua']\n\ncore/proxy:\n- changed-files:\n - all-globs-to-any-file: ['kong/runloop/**/*', '!kong/runloop/balancer/*', '!kong/runloop/plugin_servers/*']\n\ncore/router:\n- changed-files:\n - any-glob-to-any-file: kong/router/*\n\ncore/templates:\n- changed-files:\n - any-glob-to-any-file: kong/templates/*\n\ncore/tracing:\n- changed-files:\n - any-glob-to-any-file: ['kong/observability/tracing/**/*', 'kong/pdk/tracing.lua']\n\ncore/wasm:\n- changed-files:\n - any-glob-to-any-file: ['kong/runloop/wasm.lua', 'kong/runloop/wasm/**/*']\n\nchore:\n- changed-files:\n - any-glob-to-any-file: ['.github/**/*', '.devcontainer/**/*']\n\nplugins/acl:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/acl/**/*\n\nplugins/acme:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/acme/**/*\n\nplugins/ai-proxy:\n- changed-files:\n - any-glob-to-any-file: ['kong/plugins/ai-proxy/**/*', 'kong/llm/**/*']\n\nplugins/ai-prompt-decorator:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/ai-prompt-decorator/**/*\n\nplugins/ai-prompt-template:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/ai-prompt-template/**/*\n\nplugins/ai-request-transformer:\n- changed-files:\n - any-glob-to-any-file: ['kong/plugins/ai-request-transformer/**/*', 'kong/llm/**/*']\n\nplugins/ai-response-transformer:\n- changed-files:\n - any-glob-to-any-file: ['kong/plugins/ai-response-transformer/**/*', 'kong/llm/**/*']\n\nplugins/ai-prompt-guard:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/ai-prompt-guard/**/*\n\nplugins/aws-lambda:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/aws-lambda/**/*\n\nplugins/azure-functions:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/azure-functions/**/*\n\nplugins/basic-auth:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/basic-auth/**/*\n\nplugins/bot-detection:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/bot-detection/**/*\n\nplugins/correlation-id:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/correlation-id/**/*\n\nplugins/cors:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/cors/**/*\n\nplugins/datadog:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/datadog/**/*\n\nplugins/file-log:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/file-log/**/*\n\nplugins/grpc-gateway:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/grpc-gateway/**/*\n\nplugins/grpc-web:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/grpc-web/**/*\n\nplugins/hmac-auth:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/hmac-auth/**/*\n\nplugins/http-log:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/http-log/**/*\n\nplugins/ip-restriction:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/ip-restriction/**/*\n\nplugins/jwt:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/jwt/**/*\n\nplugins/key-auth:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/key-auth/**/*\n\nplugins/ldap-auth:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/ldap-auth/**/*\n\nplugins/loggly:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/loggly/**/*\n\nplugins/oauth2:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/oauth2/**/*\n\nplugins/prometheus:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/prometheus/**/*\n\nplugins/proxy-cache:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/proxy-cache/**/*\n\nplugins/rate-limiting:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/rate-limiting/**/*\n\nplugins/request-size-limiting:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/request-size-limiting/**/*\n\nplugins/request-termination:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/request-termination/**/*\n\nplugins/request-transformer:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/request-transformer/**/*\n\nplugins/response-ratelimiting:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/response-ratelimiting/**/*\n\nplugins/response-transformer:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/response-transformer/**/*\n\nplugins/session:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/session/**/*\n\nplugins/serverless-functions:\n- changed-files:\n - any-glob-to-any-file: ['kong/plugins/post-function/**/*', 'kong/plugins/pre-function/**/*']\n\nplugins/statsd:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/statsd/**/*\n\nplugins/syslog:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/syslog/**/*\n\nplugins/tcp-log:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/tcp-log/**/*\n\nplugins/udp-log:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/udp-log/**/*\n\nplugins/zipkin:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/zipkin/**/*\n\nplugins/opentelemetry:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/opentelemetry/**/*\n\nplugins/standard-webhooks:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/standard-webhooks/**/*\n\nplugins/redirect:\n- changed-files:\n - any-glob-to-any-file: kong/plugins/redirect/**/*\n\nschema-change-noteworthy:\n- changed-files:\n - any-glob-to-any-file: [\n 'kong/db/schema/**/*.lua', 'kong/**/schema.lua', 'kong/plugins/**/daos.lua', 'plugins-ee/**/daos.lua', 'plugins-ee/**/schema.lua', 'kong/db/dao/*.lua', 'kong/enterprise_edition/redis/init.lua',\n 'kong/llm/init.lua', 'kong/llm/schemas/*.lua', 'kong/llm/vectordb/strategies/pgvector/init.lua',\n ]\n\nbuild/bazel:\n- changed-files:\n - any-glob-to-any-file: ['**/*.bazel', '**/*.bzl', 'build/**/*', 'WORKSPACE', '.bazelignore', '.bazelrc', '.bazelversion', 'scripts/build-*.sh']\n" }, { "path": ".github/matrix-commitly.yml", "content": "# please see matrix-full.yml for meaning of each field\nbuild-packages:\n- label: ubuntu-24.04\n image: ubuntu:24.04\n package: deb\n check-manifest-suite: ubuntu-24.04-amd64\n\nbuild-images:\n- label: ubuntu\n base-image: ubuntu:24.04\n package: deb\n artifact-from: ubuntu-24.04\n\nsmoke-tests:\n- label: ubuntu\n\nscan-vulnerabilities:\n- label: ubuntu\n\nrelease-packages:\n\nrelease-images:\n- label: ubuntu\n package: deb\n" }, { "path": ".github/matrix-full.yml", "content": "build-packages:\n# label: used to distinguish artifacts for later use\n# image: docker image name if the build is running in side a container\n# package: package type\n# package-type: the nfpm packaging target, //:kong_{package} target; only used when package is rpm\n# bazel-args: additional bazel build flags\n# check-manifest-suite: the check manifest suite as defined in scripts/explain_manifest/config.py\n\n# Ubuntu\n- label: ubuntu-20.04\n image: ubuntu:20.04\n package: deb\n check-manifest-suite: ubuntu-20.04-amd64\n- label: ubuntu-22.04\n image: ubuntu:22.04\n package: deb\n check-manifest-suite: ubuntu-22.04-amd64\n- label: ubuntu-22.04-arm64\n image: ubuntu:22.04\n package: deb\n bazel-args: --platforms=//:generic-crossbuild-aarch64\n check-manifest-suite: ubuntu-22.04-arm64\n- label: ubuntu-24.04\n image: ubuntu:24.04\n package: deb\n check-manifest-suite: ubuntu-24.04-amd64\n- label: ubuntu-24.04-arm64\n image: ubuntu:24.04\n package: deb\n bazel-args: --platforms=//:generic-crossbuild-aarch64\n check-manifest-suite: ubuntu-24.04-arm64\n\n# Debian\n- label: debian-11\n image: debian:11\n package: deb\n check-manifest-suite: debian-11-amd64\n- label: debian-12\n image: debian:12\n package: deb\n check-manifest-suite: debian-12-amd64\n\n# RHEL\n- label: rhel-8\n image: rockylinux:8\n package: rpm\n package-type: el8\n check-manifest-suite: el8-amd64\n- label: rhel-9\n image: rockylinux:9\n package: rpm\n package-type: el9\n check-manifest-suite: el9-amd64\n- label: rhel-9-arm64\n package: rpm\n package-type: el9\n bazel-args: --platforms=//:rhel9-crossbuild-aarch64 --//:brotli=False\n check-manifest-suite: el9-arm64\n\n # Amazon Linux\n- label: amazonlinux-2\n package: rpm\n package-type: aws2\n check-manifest-suite: amazonlinux-2-amd64\n # simdjson doesn't compile on gcc7.3.1 (needs 7.4)\n bazel-args: --platforms=//:aws2-crossbuild-x86_64 --//:simdjson=False\n- label: amazonlinux-2023\n image: amazonlinux:2023\n package: rpm\n package-type: aws2023\n check-manifest-suite: amazonlinux-2023-amd64\n- label: amazonlinux-2023-arm64\n package: rpm\n package-type: aws2023\n bazel-args: --platforms=//:aws2023-crossbuild-aarch64 --//:brotli=False\n check-manifest-suite: amazonlinux-2023-arm64\n\nbuild-images:\n# Only build images for the latest version of each major release.\n\n# label: used as compose docker image label ${github.sha}-${label}\n# base-image: docker image to use as base\n# package: package type\n# artifact-from: label of build-packages to use\n# artifact-from-alt: another label of build-packages to use for downloading package (to build multi-arch image)\n# docker-platforms: comma separated list of docker buildx platforms to build for\n\n# Ubuntu\n- label: ubuntu\n base-image: ubuntu:24.04\n package: deb\n artifact-from: ubuntu-24.04\n artifact-from-alt: ubuntu-24.04-arm64\n docker-platforms: linux/amd64, linux/arm64\n\n# Debian\n- label: debian\n base-image: debian:12-slim\n package: deb\n artifact-from: debian-12\n\n# RHEL\n- label: rhel\n base-image: registry.access.redhat.com/ubi9\n package: rpm\n rpm_platform: el9\n artifact-from: rhel-9\n artifact-from-alt: rhel-9-arm64\n docker-platforms: linux/amd64, linux/arm64\n\nsmoke-tests:\n- label: ubuntu\n- label: debian\n- label: rhel\n\nscan-vulnerabilities:\n- label: ubuntu\n- label: debian\n- label: rhel\n\nrelease-packages:\n# Ubuntu\n- label: ubuntu-20.04\n package: deb\n artifact-from: ubuntu-20.04\n artifact-version: 20.04\n artifact-type: ubuntu\n artifact: kong.amd64.deb\n- label: ubuntu-22.04\n package: deb\n artifact-from: ubuntu-22.04\n artifact-version: 22.04\n artifact-type: ubuntu\n artifact: kong.amd64.deb\n- label: ubuntu-22.04-arm64\n package: deb\n artifact-from: ubuntu-22.04-arm64\n artifact-version: 22.04\n artifact-type: ubuntu\n artifact: kong.arm64.deb\n- label: ubuntu-24.04\n package: deb\n artifact-from: ubuntu-24.04\n artifact-version: 24.04\n artifact-type: ubuntu\n artifact: kong.amd64.deb\n- label: ubuntu-24.04-arm64\n package: deb\n artifact-from: ubuntu-24.04-arm64\n artifact-version: 24.04\n artifact-type: ubuntu\n artifact: kong.arm64.deb\n\n# Debian\n- label: debian-11\n package: deb\n artifact-from: debian-11\n artifact-version: 11\n artifact-type: debian\n artifact: kong.amd64.deb\n- label: debian-12\n package: deb\n artifact-from: debian-12\n artifact-version: 12\n artifact-type: debian\n artifact: kong.amd64.deb\n\n# RHEL\n- label: rhel-8\n package: rpm\n artifact-from: rhel-8\n artifact-version: 8\n artifact-type: rhel\n artifact: kong.el8.amd64.rpm\n- label: rhel-9\n package: rpm\n artifact-from: rhel-9\n artifact-version: 9\n artifact-type: rhel\n artifact: kong.el9.amd64.rpm\n- label: rhel-9-arm64\n package: rpm\n artifact-from: rhel-9-arm64\n artifact-version: 9\n artifact-type: rhel\n artifact: kong.el9.arm64.rpm\n\n# Amazon Linux\n- label: amazonlinux-2\n package: rpm\n artifact-from: amazonlinux-2\n artifact-version: 2\n artifact-type: amazonlinux\n artifact: kong.aws2.amd64.rpm\n- label: amazonlinux-2023\n package: rpm\n artifact-from: amazonlinux-2023\n artifact-version: 2023\n artifact-type: amazonlinux\n artifact: kong.aws2023.amd64.rpm\n- label: amazonlinux-2023-arm64\n package: rpm\n artifact-from: amazonlinux-2023-arm64\n artifact-version: 2023\n artifact-type: amazonlinux\n artifact: kong.aws2023.arm64.rpm\n\nrelease-images:\n- label: ubuntu\n- label: debian\n- label: rhel\n" }, { "path": ".github/workflows/add-release-pongo.yml", "content": "name: Add New Release to Pongo\n\non:\n push:\n tags:\n - '[1-9]+.[0-9]+.[0-9]+'\n\njobs:\n set_vars:\n name: Set Vars\n runs-on: ubuntu-latest-kong\n env:\n REF_NAME: ${{ github.ref_name }}\n RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}\n outputs:\n code_base: ${{ steps.define_vars.outputs.CODE_BASE }}\n tag_version: ${{ steps.define_vars.outputs.TAG_VERSION }}\n steps:\n - name: Define Vars\n id: define_vars\n shell: bash\n run: |\n if [[ \"${GITHUB_REPOSITORY,,}\" = \"kong/kong\" ]] ; then\n CODE_BASE=CE\n elif [[ \"${GITHUB_REPOSITORY,,}\" = \"kong/kong-ee\" ]] ; then\n CODE_BASE=EE\n fi\n echo \"CODE_BASE=$CODE_BASE\" >> \"$GITHUB_OUTPUT\"\n\n if [[ \"${{ github.event_name }}\" == \"push\" ]] ; then\n TAG_VERSION=\"$REF_NAME\"\n elif [[ \"${{ github.event_name }}\" == \"release\" ]] ; then\n TAG_VERSION=\"$RELEASE_TAG_NAME\"\n fi\n echo \"TAG_VERSION=$TAG_VERSION\" >> \"$GITHUB_OUTPUT\"\n add_release_to_pongo:\n name: Add Release to Pongo\n runs-on: ubuntu-latest-kong\n needs:\n - set_vars\n env:\n GITHUB_TOKEN: ${{ secrets.PAT }}\n steps:\n - name: Checkout Pongo\n id: checkout_pongo\n uses: actions/checkout@v4\n with:\n token: ${{ env.GITHUB_TOKEN }}\n repository: kong/kong-pongo\n ref: master\n - name: Set git Env\n id: set_git_env\n shell: bash\n run: |\n git config --global user.email \"ci-bot@konghq.com\"\n git config --global user.name \"CI Bot\"\n - name: Create PR\n id: create_pr\n shell: bash\n run: |\n ./assets/add_version.sh \"${{ needs.set_vars.outputs.code_base }}\" \"${{ needs.set_vars.outputs.tag_version }}\"\n" }, { "path": ".github/workflows/ast-grep.yml", "content": "name: ast-grep lint\n\non:\n pull_request:\n paths:\n - .github/workflows/ast-grep.yml # this workflow\n - sgconfig.yml\n - .ci/ast-grep/**\n\n # globs for files that we want to check with ast-grep here\n - '**/*.lua'\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}\n cancel-in-progress: true\n\njobs:\n lint:\n name: lint\n\n runs-on: ubuntu-22.04\n\n defaults:\n run:\n shell: bash\n\n steps:\n - name: git checkout\n uses: actions/checkout@v4\n\n - name: ensure all rules are properly formed and have tests\n run: |\n shopt -s failglob\n\n declare -i failed=0\n fail() {\n failed=1\n\n local -r fname=${1:?}\n shift\n\n local entry\n printf -v entry '::error file=%s' \"$fname\"\n\n while (( $# > 0 )); do\n case $1 in\n -t|--title)\n local title=${2:?}\n shift 2\n printf -v entry '%s,title=%s' \"$entry\" \"$title\"\n ;;\n *)\n break\n ;;\n esac\n done\n\n local msg\n printf -v msg \"$@\"\n printf '%s::%s\\n' \"$entry\" \"$msg\"\n }\n\n declare -i count=0\n\n for rule in .ci/ast-grep/rules/*.yml; do\n count+=1\n\n name=${rule##*/}\n name=${name%*.yml}\n\n printf 'Rule(%s): %s\\n' \"$name\" \"$rule\"\n\n id=$(yq -r .id < \"$rule\")\n\n if [[ $id != \"$name\" ]]; then\n fail \"$rule\" \\\n --title 'Rule .id/filename mismatch' \\\n 'Rule(%s) ${filename}.yml must match its .id (%s)' \\\n \"$name\" \"$id\"\n fi\n\n test=.ci/ast-grep/tests/${name}-test.yml\n\n if [[ ! -e $test ]]; then\n failed=1\n fail \"$rule\" \\\n --title 'Rule test required' \\\n 'Rule test file (%s) not found' \"$test\"\n\n continue\n fi\n\n printf 'Rule(%s): test file: %s\\n' \"$name\" \"$test\"\n\n test_id=$(yq -r .id < \"$test\")\n if [[ $test_id != $id ]]; then\n fail \"$test\" \\\n --title 'Rule test file/.id mismatch' \\\n 'Rule test file .id (%s) does not match rule .id (%s)' \\\n \"$test_id\" \"$id\"\n fi\n\n declare -i valid invalid\n valid=$(yq -r '.valid | length' < \"$test\")\n invalid=$(yq -r '.invalid | length' < \"$test\")\n\n if (( valid < 1 || invalid < 1 )); then\n fail \"$test\" \\\n --title 'Rule tests insufficient' \\\n 'Rule test file must contain at least one valid and one invalid test case'\n fi\n\n printf 'Rule(%s) test has %s valid and %s invalid test cases\\n' \\\n \"$name\" \"$valid\" \"$invalid\"\n done\n\n printf 'Checked %s rules\\n' \"$count\"\n\n if (( failed > 0 )); then\n printf '::error::Found one or more problems while checking ast-grep rules and tests\\n'\n exit 1\n fi\n\n # NOTE: this is basically an inline of the official, public gh action\n # (https://github.com/ast-grep/action).\n - name: install ast-grep\n run: |\n set -euo pipefail\n\n readonly VERSION=0.36.2\n readonly CHECKSUM=7fd693b013447582d8befa1695f00d17301c2cff1763cfb0b52191096309dbef\n readonly FILENAME=app-x86_64-unknown-linux-gnu.zip\n readonly BINDIR=$HOME/.local/bin\n\n readonly URL=https://github.com/ast-grep/ast-grep/releases/download/${VERSION}/${FILENAME}\n\n curl --fail \\\n --silent \\\n --location \\\n --output \"$FILENAME\" \\\n \"$URL\"\n\n sha256sum --check --strict <<< \"${CHECKSUM} ${FILENAME}\"\n\n unzip \"$FILENAME\" ast-grep\n ./ast-grep --version\n\n mkdir -p \"$BINDIR\"\n mv ast-grep \"$BINDIR\"\n echo \"$BINDIR\" >> $GITHUB_PATH\n\n - name: ast-grep test\n run: ast-grep test\n\n - name: ast-grep scan\n run: ast-grep scan --format github\n" }, { "path": ".github/workflows/auto-assignee.yml", "content": "name: Add assignee to PRs\non:\n pull_request:\n types: [ opened, reopened ]\npermissions:\n pull-requests: write\njobs:\n assign-author:\n runs-on: ubuntu-latest\n steps:\n - name: assign-author\n # ignore the pull requests opened from PR because token is not correct\n if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'\n uses: toshimaru/auto-author-assign@ebd30f10fb56e46eb0759a14951f36991426fed0\n\n" }, { "path": ".github/workflows/autodocs.yml", "content": "name: Autodocs\n\non:\n workflow_dispatch:\n inputs:\n version:\n description: \"Version (e.g. 2.4.x)\"\n required: true\n source_branch:\n description: \"Source Branch in kong/kong (e.g. release/2.4.x)\"\n required: true\n target_branch:\n description: \"Target Branch in kong/docs.konghq.com (e.g. release/2.4)\"\n required: true\n force_build:\n description: \"Ignore the build cache and build dependencies from scratch\"\n type: boolean\n default: false\njobs:\n build:\n name: Build dependencies\n runs-on: ubuntu-22.04\n\n env:\n DOWNLOAD_ROOT: $HOME/download-root\n\n steps:\n - name: Set environment variables\n run: |\n echo \"INSTALL_ROOT=$HOME/install-root\" >> $GITHUB_ENV\n echo \"DOWNLOAD_ROOT=$HOME/download-root\" >> $GITHUB_ENV\n echo \"LD_LIBRARY_PATH=$INSTALL_ROOT/openssl/lib:$LD_LIBRARY_PATH\" >> $GITHUB_ENV\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n - name: Lookup build cache\n uses: actions/cache@v4\n id: cache-deps\n with:\n path: ${{ env.INSTALL_ROOT }}\n key: ${{ hashFiles('.ci/setup_env_github.sh') }}-${{ hashFiles('.requirements') }}-${{ hashFiles('kong-*.rockspec') }}\n\n - name: Checkout kong-build-tools\n if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'\n uses: actions/checkout@v4\n with:\n repository: Kong/kong-build-tools\n path: kong-build-tools\n ref: master\n\n - name: Checkout go-pluginserver\n if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'\n uses: actions/checkout@v4\n with:\n repository: Kong/go-pluginserver\n path: go-pluginserver\n\n - name: Add to Path\n if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'\n run: echo \"$INSTALL_ROOT/openssl/bin:$INSTALL_ROOT/openresty/nginx/sbin:$INSTALL_ROOT/openresty/bin:$INSTALL_ROOT/luarocks/bin:$GITHUB_WORKSPACE/kong-build-tools/openresty-build-tools\" >> $GITHUB_PATH\n\n - name: Install packages\n if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'\n run: sudo apt update && sudo apt install libyaml-dev valgrind\n\n - name: Build Kong dependencies\n if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'\n run: |\n source .ci/setup_env_github.sh\n make dev\n autodoc:\n runs-on: ubuntu-22.04\n needs: [build]\n steps:\n - name: Set environment variables\n run: |\n echo \"INSTALL_ROOT=$HOME/install-root\" >> $GITHUB_ENV\n echo \"DOWNLOAD_ROOT=$HOME/download-root\" >> $GITHUB_ENV\n echo \"LD_LIBRARY_PATH=$INSTALL_ROOT/openssl/lib:$LD_LIBRARY_PATH\" >> $GITHUB_ENV\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n with:\n path: kong\n ref: ${{ github.event.inputs.source_branch }}\n\n - name: Checkout Kong Docs\n uses: actions/checkout@v4\n with:\n repository: kong/docs.konghq.com\n path: docs.konghq.com\n token: ${{ secrets.PAT }}\n ref: ${{ github.event.inputs.target_branch }}\n\n - name: Lookup build cache\n uses: actions/cache@v4\n id: cache-deps\n with:\n path: ${{ env.INSTALL_ROOT }}\n key: ${{ hashFiles('kong/.ci/setup_env_github.sh') }}-${{ hashFiles('kong/.requirements') }}-${{ hashFiles('kong/kong-*.rockspec') }}\n\n - name: Add to Path\n run: echo \"$INSTALL_ROOT/openssl/bin:$INSTALL_ROOT/openresty/nginx/sbin:$INSTALL_ROOT/openresty/bin:$INSTALL_ROOT/luarocks/bin:$GITHUB_WORKSPACE/kong-build-tools/openresty-build-tools:$INSTALL_ROOT/go-pluginserver\" >> $GITHUB_PATH\n\n - name: Run Autodocs\n run: |\n cd kong\n eval `luarocks path`\n scripts/autodoc ../docs.konghq.com ${{ github.event.inputs.version }}\n\n - name: Generate branch name\n id: kong-branch\n run: |\n cd kong\n output=\"$(git branch --show-current)\"\n echo \"name=$output\" >> $GITHUB_OUTPUT\n\n - name: Show Docs status\n run: |\n cd docs.konghq.com\n git status\n git checkout -b \"autodocs-${{ steps.kong-branch.outputs.name }}\"\n\n - name: Commit autodoc changes\n uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5\n with:\n repository: \"./docs.konghq.com\"\n commit_message: \"Autodocs update\"\n branch: \"autodocs-${{ steps.kong-branch.outputs.name }}\"\n skip_fetch: true\n push_options: \"--force\"\n\n - name: Raise PR\n run: |\n cd docs.konghq.com\n echo \"${{ secrets.PAT }}\" | gh auth login --with-token\n gh pr create --base \"${{ github.event.inputs.target_branch }}\" --fill --label \"review:autodoc\"\n" }, { "path": ".github/workflows/backport-fail-bot.yml", "content": "name: Forward failed backport alert to Slack\n\non:\n issue_comment:\n types: [created]\n\njobs:\n check_comment:\n runs-on: ubuntu-latest\n if: github.event.issue.pull_request != null && contains(github.event.comment.body, 'cherry-pick the changes locally and resolve any conflicts')\n\n steps:\n - name: Fetch mapping file\n id: fetch_mapping\n uses: actions/github-script@v7\n env:\n ACCESS_TOKEN: ${{ secrets.PAT }}\n with:\n script: |\n const url = 'https://raw.githubusercontent.com/Kong/github-slack-mapping/main/mapping.json';\n const headers = {Authorization: `token ${process.env.ACCESS_TOKEN}`};\n const response = await fetch(url, {headers});\n const mapping = await response.json();\n return mapping;\n\n - name: Generate Slack Payload\n id: generate-payload\n uses: actions/github-script@v7\n env:\n SLACK_CHANNEL: gateway-notifications\n SLACK_MAPPING: \"${{ steps.fetch_mapping.outputs.result }}\"\n with:\n script: |\n const pr_url = ${{ github.event.issue.pull_request.html_url }};\n const slack_mapping = JSON.parse(process.env.SLACK_MAPPING);\n const pr_author_github_id = ${{ github.event.issue.user.login }};\n const pr_author_slack_id = slack_mapping[pr_author_github_id];\n const author = pr_author_slack_id ? `<@${pr_author_slack_id}>` : pr_author_github_id;\n const payload = {\n text: `${pr_url} from ${author} failed to backport.`,\n channel: process.env.SLACK_CHANNEL,\n };\n return JSON.stringify(payload);\n result-encoding: string\n\n - name: Send Slack Message\n uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0\n with:\n payload: ${{ steps.generate-payload.outputs.result }}\n env:\n SLACK_WEBHOOK_URL: ${{ secrets.SLACK_GATEWAY_NOTIFICATIONS_WEBHOOK }}\n" }, { "path": ".github/workflows/backport-v2.yml", "content": "name: Backport v2\non:\n pull_request:\n types: [closed, labeled] # runs when the pull request is closed/merged or labeled (to trigger a backport in hindsight)\npermissions:\n contents: write # so it can comment\n pull-requests: write # so it can create pull requests\n actions: write\njobs:\n backport:\n name: Backport\n runs-on: ubuntu-latest\n if: github.event.pull_request.merged\n steps:\n - uses: actions/checkout@v4\n - name: Create backport pull requests\n uses: korthout/backport-action@924c8170740fa1e3685f69014971f7f251633f53 # v2.4.1\n id: backport\n with:\n github_token: ${{ secrets.PAT }}\n pull_title: '[backport -> ${target_branch}] ${pull_title}'\n merge_commits: 'skip'\n copy_labels_pattern: ^(?!backport ).* # copies all labels except those starting with \"backport \"\n label_pattern: ^backport (release\\/[^ ]+)$ # filters for labels starting with \"backport \" and extracts the branch name\n pull_description: |-\n Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.\n\n ## Original description\n\n ${pull_description}\n copy_assignees: true\n copy_milestone: true\n copy_requested_reviewers: true\n experimental: >\n {\n \"detect_merge_method\": true\n }\n - name: add label\n if: steps.backport.outputs.was_successful == 'false'\n uses: Kong/action-add-labels@81b0a07d6b2ec64d770be1ca94c31ec827418054\n with:\n labels: incomplete-backport\n" }, { "path": ".github/workflows/build.yml", "content": "name: Build\non:\n workflow_call:\n inputs:\n relative-build-root:\n required: true\n type: string\n outputs:\n cache-key:\n description: 'Computed cache key, used for restoring cache in other workflows'\n value: ${{ jobs.build.outputs.cache-key }}\n\nenv:\n BUILD_ROOT: ${{ github.workspace }}/${{ inputs.relative-build-root }}\n\njobs:\n build:\n name: Build dependencies\n runs-on: ubuntu-22.04\n\n outputs:\n cache-key: ${{ steps.cache-key.outputs.cache-key }}\n\n steps:\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n - name: Generate cache key\n id: cache-key\n uses: ./.github/actions/build-cache-key\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ steps.cache-key.outputs.cache-key }}\n\n - name: Install packages\n if: steps.cache-deps.outputs.cache-hit != 'true'\n run: sudo apt update && sudo apt install libyaml-dev valgrind libprotobuf-dev\n\n - name: Build Kong\n if: steps.cache-deps.outputs.cache-hit != 'true'\n env:\n GH_TOKEN: ${{ github.token }}\n run: |\n make build-kong\n chmod +rw -R \"$BUILD_ROOT/kong-dev\"\n\n - name: Update PATH\n run: |\n echo \"$BUILD_ROOT/kong-dev/bin\" >> $GITHUB_PATH\n echo \"$BUILD_ROOT/kong-dev/openresty/nginx/sbin\" >> $GITHUB_PATH\n echo \"$BUILD_ROOT/kong-dev/openresty/bin\" >> $GITHUB_PATH\n\n - name: Debug (nginx)\n run: |\n echo nginx: $(which nginx)\n nginx -V 2>&1 | sed -re 's/ --/\\n--/g'\n ldd $(which nginx)\n\n - name: Debug (luarocks)\n run: |\n echo luarocks: $(which luarocks)\n luarocks --version\n luarocks config\n\n - name: Bazel Outputs\n uses: actions/upload-artifact@v4\n if: failure()\n with:\n name: bazel-outputs\n path: |\n bazel-out/_tmp/actions\n retention-days: 3\n\n - name: Build Dev Kong dependencies\n if: steps.cache-deps.outputs.cache-hit != 'true'\n run: |\n make install-dev-rocks\n" }, { "path": ".github/workflows/build_and_test.yml", "content": "name: Build & Test\non:\n pull_request:\n paths-ignore:\n # ignore markdown files (CHANGELOG.md, README.md, etc.)\n - '**/*.md'\n - 'COPYRIGHT'\n - 'LICENSE'\n - '.github/workflows/release.yml'\n - 'changelog/**'\n - 'kong.conf.default'\n push:\n paths-ignore:\n # ignore markdown files (CHANGELOG.md, README.md, etc.)\n - '**/*.md'\n # ignore PRs for the generated COPYRIGHT file\n - 'COPYRIGHT'\n - 'LICENSE'\n branches:\n - master\n - release/*\n - test-please/*\n workflow_dispatch:\n inputs:\n coverage:\n description: 'Coverage enabled'\n required: false\n type: boolean\n default: false\n\n# cancel previous runs if new commits are pushed to the PR, but run for each commit on master\nconcurrency:\n group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}\n cancel-in-progress: true\n\nenv:\n BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build\n KONG_TEST_COVERAGE: ${{ inputs.coverage == true || github.event_name == 'schedule' }}\n RUNNER_COUNT: 7\n\njobs:\n metadata:\n name: Metadata\n runs-on: ubuntu-22.04\n outputs:\n old-kong-version: ${{ steps.old-kong-version.outputs.ref }}\n\n steps:\n - uses: actions/checkout@v4\n with:\n fetch-depth: 0 # `git merge-base` requires the history\n\n - name: Get Old Kong Version\n id: old-kong-version\n run: |\n KONG_VERSION=$(bash scripts/grep-kong-version.sh)\n major=$(echo \"$KONG_VERSION\" | cut -d. -f1)\n minor=$(echo \"$KONG_VERSION\" | cut -d. -f2)\n # if the minor version isn't 0, use the first release or starting point of the previous minor branch;\n # otherwise just leave it empty, so later the default branch or commit will be used.\n if [ \"$minor\" -ne 0 ]; then\n minor=$((minor - 1))\n git fetch origin master -t\n if [ $(git tag -l \"$major.$minor.0\") ]; then\n echo \"ref=$major.$minor.0\" >> $GITHUB_OUTPUT\n else\n git fetch origin release/$major.$minor.x\n COMMIT_HASH=$(git merge-base origin/master origin/release/$major.$minor.x)\n echo \"ref=$COMMIT_HASH\" >> $GITHUB_OUTPUT\n fi\n else\n echo \"ref=\" >> $GITHUB_OUTPUT\n fi\n\n build:\n uses: ./.github/workflows/build.yml\n with:\n relative-build-root: bazel-bin/build\n\n lint-and-doc-tests:\n name: Lint and Doc tests\n runs-on: ubuntu-22.04\n needs: build\n\n steps:\n - name: Bump max open files\n run: |\n sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo 'kong hard nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo \"$(whoami) soft nofile 65536\" | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo \"$(whoami) hard nofile 65536\" | sudo tee -a /etc/security/limits.d/kong-ci.conf\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ needs.build.outputs.cache-key }}\n\n - name: Check test-helpers doc generation\n run: |\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n pushd ./spec && ldoc .\n\n - name: Check autodoc generation\n run: |\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n scripts/autodoc\n\n - name: Lint Lua code\n run: |\n make lint\n\n - name: Validate rockspec file\n run: |\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n scripts/validate-rockspec\n\n - name: Check spec file misspelling\n run: |\n scripts/check_spec_files_spelling.sh\n\n - name: Check labeler configuration\n run: scripts/check-labeler.pl .github/labeler.yml\n\n schedule:\n name: Schedule busted tests to run\n runs-on: ubuntu-22.04\n needs: build\n\n env:\n WORKFLOW_ID: ${{ github.run_id }}\n\n outputs:\n runners: ${{ steps.generate-runner-array.outputs.RUNNERS }}\n\n steps:\n - name: Checkout source code\n uses: actions/checkout@v4\n\n - name: Download runtimes file\n uses: Kong/gh-storage/download@b196a6b94032e56e414227c749e9f96a6afc2b91 # v1\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n with:\n repo-path: Kong/gateway-action-storage/main/.ci/runtimes.json\n\n - name: Schedule tests\n uses: Kong/gateway-test-scheduler/schedule@69f0c2a562ac44fc3650b8bfa62106b34094b5ce # v3\n with:\n test-suites-file: .ci/test_suites.json\n test-file-runtime-file: .ci/runtimes.json\n output-prefix: test-chunk.\n runner-count: ${{ env.RUNNER_COUNT }}\n static-mode: ${{ github.run_attempt > 1 }}\n\n - name: Upload schedule files\n uses: actions/upload-artifact@v4\n continue-on-error: true\n with:\n name: schedule-test-files\n path: test-chunk.*\n retention-days: 7\n\n - name: Generate runner array\n id: generate-runner-array\n run: |\n echo \"RUNNERS=[$(seq -s \",\" 1 $(( \"$RUNNER_COUNT\" )))]\" >> \"$GITHUB_OUTPUT\"\n\n busted-tests:\n name: Busted test runner ${{ matrix.runner }}\n runs-on: ubuntu-22.04\n needs: [metadata,build,schedule]\n\n strategy:\n fail-fast: false\n matrix:\n runner: ${{ fromJSON(needs.schedule.outputs.runners) }}\n\n services:\n postgres:\n image: postgres:13\n env:\n POSTGRES_USER: kong\n POSTGRES_DB: kong\n POSTGRES_HOST_AUTH_METHOD: trust\n ports:\n - 5432:5432\n options: --health-cmd pg_isready --health-interval 5s --health-timeout 5s --health-retries 8\n\n grpcbin:\n image: kong/grpcbin\n ports:\n - 15002:9000\n - 15003:9001\n\n redis:\n image: redis\n ports:\n - 6379:6379\n - 6380:6380\n options: >-\n --name kong_redis\n\n zipkin:\n image: openzipkin/zipkin:2\n ports:\n - 9411:9411\n\n redis-auth:\n image: redis/redis-stack-server\n # Set health checks to wait until redis has started\n options: >-\n --health-cmd \"redis-cli ping\"\n --health-interval 10s\n --health-timeout 5s\n --health-retries 5\n ports:\n - 6385:6379\n env:\n REDIS_ARGS: \"--requirepass passdefault\"\n\n steps:\n - name: Bump max open files\n run: |\n sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo 'kong hard nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo \"$(whoami) soft nofile 65536\" | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo \"$(whoami) hard nofile 65536\" | sudo tee -a /etc/security/limits.d/kong-ci.conf\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n # used for plugin compatibility test\n - name: Checkout old version Kong source code\n uses: actions/checkout@v4\n with:\n path: kong-old\n # if the minor version is 0, `ref` will default to ''\n # which is same as in the previous step\n ref: ${{ needs.metadata.outputs.old-kong-version }}\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ needs.build.outputs.cache-key }}\n\n - name: Add gRPC test host names\n run: |\n echo \"127.0.0.1 grpcs_1.test\" | sudo tee -a /etc/hosts\n echo \"127.0.0.1 grpcs_2.test\" | sudo tee -a /etc/hosts\n\n - name: Enable SSL for Redis\n run: |\n docker cp ${{ github.workspace }} kong_redis:/workspace\n docker cp ${{ github.workspace }}/spec/fixtures/redis/docker-entrypoint.sh kong_redis:/usr/local/bin/docker-entrypoint.sh\n docker restart kong_redis\n docker logs kong_redis\n\n - name: Run OpenTelemetry Collector\n run: |\n mkdir -p ${{ github.workspace }}/tmp/otel\n touch ${{ github.workspace }}/tmp/otel/file_exporter.json\n sudo chmod 777 -R ${{ github.workspace }}/tmp/otel\n docker run -p 4317:4317 -p 4318:4318 -p 55679:55679 \\\n -v ${{ github.workspace }}/spec/fixtures/opentelemetry/otelcol.yaml:/etc/otel-collector-config.yaml \\\n -v ${{ github.workspace }}/tmp/otel:/etc/otel \\\n --name opentelemetry-collector -d \\\n otel/opentelemetry-collector-contrib:0.52.0 \\\n --config=/etc/otel-collector-config.yaml\n sleep 2\n docker logs opentelemetry-collector\n\n - name: Install AWS SAM cli tool\n run: |\n curl -L -s -o /tmp/aws-sam-cli.zip https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip\n unzip -o /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli\n sudo /tmp/aws-sam-cli/install --update\n\n - name: Update PATH\n run: |\n echo \"$BUILD_ROOT/kong-dev/bin\" >> $GITHUB_PATH\n echo \"$BUILD_ROOT/kong-dev/openresty/nginx/sbin\" >> $GITHUB_PATH\n echo \"$BUILD_ROOT/kong-dev/openresty/bin\" >> $GITHUB_PATH\n\n - name: Debug (nginx)\n run: |\n echo nginx: $(which nginx)\n nginx -V 2>&1 | sed -re 's/ --/\\n--/g'\n ldd $(which nginx)\n\n - name: Debug (luarocks)\n run: |\n echo luarocks: $(which luarocks)\n luarocks --version\n luarocks config\n\n - name: Tune up postgres max_connections\n run: |\n # arm64 runners may use more connections due to more worker cores\n psql -hlocalhost -Ukong kong -tAc 'alter system set max_connections = 5000;'\n\n - name: Download test schedule file\n uses: actions/download-artifact@v4\n with:\n name: schedule-test-files\n\n - name: Generate helper environment variables\n run: |\n echo FAILED_TEST_FILES_FILE=failed-tests.json >> $GITHUB_ENV\n echo TEST_FILE_RUNTIME_FILE=test-runtime.json >> $GITHUB_ENV\n echo SPEC_ERRLOG_CACHE_DIR=/tmp/${{ github.run_id }}/build_test/${{ matrix.runner }} >> $GITHUB_ENV\n\n - name: Build & install dependencies\n run: |\n make dev\n # python pluginserver tests dependency\n pip install kong-pdk\n\n - name: Download test rerun information\n uses: actions/download-artifact@v4\n continue-on-error: true\n with:\n name: test-rerun-info-${{ matrix.runner }}\n\n - name: Download test runtime statistics from previous runs\n uses: actions/download-artifact@v4\n continue-on-error: true\n with:\n name: test-runtime-statistics-${{ matrix.runner }}\n\n - name: Run Tests\n env:\n KONG_TEST_PG_DATABASE: kong\n KONG_TEST_PG_USER: kong\n KONG_TEST_DATABASE: postgres\n KONG_SPEC_TEST_GRPCBIN_PORT: \"15002\"\n KONG_SPEC_TEST_GRPCBIN_SSL_PORT: \"15003\"\n KONG_SPEC_TEST_OTELCOL_FILE_EXPORTER_PATH: ${{ github.workspace }}/tmp/otel/file_exporter.json\n KONG_SPEC_TEST_OLD_VERSION_KONG_PATH: ${{ github.workspace }}/kong-old\n DD_ENV: ci\n DD_SERVICE: kong-ce-ci\n DD_CIVISIBILITY_MANUAL_API_ENABLED: 1\n DD_CIVISIBILITY_AGENTLESS_ENABLED: true\n DD_TRACE_GIT_METADATA_ENABLED: true\n DD_API_KEY: ${{ secrets.DATADOG_API_KEY }}\n SPEC_ERRLOG_CACHE_DIR: ${{ env.SPEC_ERRLOG_CACHE_DIR }}\n uses: Kong/gateway-test-scheduler/runner@69f0c2a562ac44fc3650b8bfa62106b34094b5ce # v3\n with:\n tests-to-run-file: test-chunk.${{ matrix.runner }}.json\n failed-test-files-file: ${{ env.FAILED_TEST_FILES_FILE }}\n test-file-runtime-file: ${{ env.TEST_FILE_RUNTIME_FILE }}\n setup-venv-path: ${{ env.BUILD_ROOT }}\n\n - name: Upload error logs\n if: failure()\n uses: actions/upload-artifact@v4\n with:\n name: busted-test-errlogs-${{ matrix.runner }}\n path: ${{ env.SPEC_ERRLOG_CACHE_DIR }}\n retention-days: 1\n\n - name: Upload test rerun information\n if: always()\n uses: actions/upload-artifact@v4\n with:\n name: test-rerun-info-${{ matrix.runner }}\n path: ${{ env.FAILED_TEST_FILES_FILE }}\n retention-days: 2\n\n - name: Upload test runtime statistics for offline scheduling\n if: always()\n uses: actions/upload-artifact@v4\n with:\n name: test-runtime-statistics-${{ matrix.runner }}\n path: ${{ env.TEST_FILE_RUNTIME_FILE }}\n retention-days: 7\n\n - name: Archive coverage stats file\n uses: actions/upload-artifact@v4\n if: ${{ always() && (inputs.coverage == true || github.event_name == 'schedule') }}\n with:\n name: luacov-stats-out-${{ github.job }}-${{ github.run_id }}-${{ matrix.runner }}\n retention-days: 1\n path: |\n luacov.stats.out\n\n - name: Get kernel message\n if: failure()\n run: |\n sudo dmesg -T\n\n pdk-tests:\n name: PDK tests\n runs-on: ubuntu-22.04\n needs: build\n\n steps:\n - name: Bump max open files\n run: |\n sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo 'kong hard nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo \"$(whoami) soft nofile 65536\" | sudo tee -a /etc/security/limits.d/kong-ci.conf\n sudo echo \"$(whoami) hard nofile 65536\" | sudo tee -a /etc/security/limits.d/kong-ci.conf\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ needs.build.outputs.cache-key }}\n\n - name: Install Test::Nginx\n run: |\n CPAN_DOWNLOAD=./cpanm\n mkdir -p $CPAN_DOWNLOAD\n curl -o $CPAN_DOWNLOAD/cpanm https://cpanmin.us\n chmod +x $CPAN_DOWNLOAD/cpanm\n\n echo \"Installing CPAN dependencies...\"\n $CPAN_DOWNLOAD/cpanm --notest --local-lib=$HOME/perl5 local::lib && eval $(perl -I $HOME/perl5/lib/perl5/ -Mlocal::lib)\n $CPAN_DOWNLOAD/cpanm --notest Test::Nginx\n\n - name: Generate environment variables\n run: |\n echo SPEC_ERRLOG_CACHE_DIR=/tmp/${{ github.run_id }}/PDK_test >> $GITHUB_ENV\n\n - name: Tests\n env:\n TEST_SUITE: pdk\n run: |\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n if [[ $KONG_TEST_COVERAGE = true ]]; then\n export PDK_LUACOV=1\n fi\n eval $(perl -I $HOME/perl5/lib/perl5/ -Mlocal::lib)\n prove -I. -r t\n\n - name: Upload error logs\n if: failure()\n uses: actions/upload-artifact@v4\n with:\n name: PDK-test-errlogs\n path: ${{ env.SPEC_ERRLOG_CACHE_DIR }}\n retention-days: 1\n\n - name: Archive coverage stats file\n uses: actions/upload-artifact@v4\n if: ${{ always() && (inputs.coverage == true || github.event_name == 'schedule') }}\n with:\n name: luacov-stats-out-${{ github.job }}-${{ github.run_id }}\n retention-days: 1\n path: |\n luacov.stats.out\n\n - name: Get kernel message\n if: failure()\n run: |\n sudo dmesg -T\n\n cleanup-and-aggregate-stats:\n needs: [lint-and-doc-tests,pdk-tests,busted-tests]\n name: Cleanup and Luacov stats aggregator\n if: ${{ always() && (inputs.coverage == true || github.event_name == 'schedule') }}\n runs-on: ubuntu-22.04\n\n steps:\n - name: Checkout source code\n uses: actions/checkout@v4\n\n - name: Install requirements\n run: |\n sudo apt-get update && sudo apt-get install -y luarocks\n sudo luarocks install luacov\n sudo luarocks install luafilesystem\n\n # Download all archived coverage stats files\n - uses: actions/download-artifact@v4\n\n - name: Stats aggregation\n shell: bash\n run: |\n lua .ci/luacov-stats-aggregator.lua \"luacov-stats-out-\" \"luacov.stats.out\" ${{ github.workspace }}/\n # The following prints a report with each file sorted by coverage percentage, and the total coverage\n printf \"\\n\\nCoverage File\\n\\n\"\n awk -v RS='Coverage\\n-+\\n' 'NR>1{print $0}' luacov.report.out | grep -vE \"^-|^$\" > summary.out\n cat summary.out | grep -v \"^Total\" | awk '{printf \"%7d%% %s\\n\", $4, $1}' | sort -n\n cat summary.out | grep \"^Total\" | awk '{printf \"%7d%% %s\\n\", $4, $1}'\n" }, { "path": ".github/workflows/buildifier.yml", "content": "name: Buildifier\n\non:\n pull_request:\n paths:\n - '**/*.bzl'\n - '**/*.bazel'\n - 'BUILD*'\n - 'WORKSPACE*'\n push:\n paths:\n - '**/*.bzl'\n - '**/*.bazel'\n - 'BUILD*'\n - 'WORKSPACE*'\n branches:\n - master\n - release/*\n\njobs:\n\n autoformat:\n name: Auto-format and Check\n runs-on: ubuntu-22.04\n\n steps:\n - name: Check out code\n uses: actions/checkout@v4\n\n - name: Install Dependencies\n run: |\n sudo wget -O /bin/buildifier https://github.com/bazelbuild/buildtools/releases/download/5.1.0/buildifier-linux-amd64\n sudo chmod +x /bin/buildifier\n\n - name: Run buildifier\n run: |\n buildifier -mode=fix $(find . -name 'BUILD*' -o -name 'WORKSPACE*' -o -name '*.bzl' -o -name '*.bazel' -type f)\n\n - name: Verify buildifier\n shell: bash\n run: |\n # From: https://backreference.org/2009/12/23/how-to-match-newlines-in-sed/\n # This is to leverage this workaround:\n # https://github.com/actions/toolkit/issues/193#issuecomment-605394935\n function urlencode() {\n sed ':begin;$!N;s/\\n/%0A/;tbegin'\n }\n if [[ $(git diff-index --name-only HEAD --) ]]; then\n for x in $(git diff-index --name-only HEAD --); do\n echo \"::error file=$x::Please run buildifier.%0A$(git diff $x | urlencode)\"\n done\n echo \"${{ github.repository }} is out of style. Please run buildifier.\"\n exit 1\n fi\n echo \"${{ github.repository }} is formatted correctly.\"\n" }, { "path": ".github/workflows/changelog-requirement.yml", "content": "name: Changelog Requirement\n\non:\n pull_request:\n types: [ opened, synchronize, labeled, unlabeled ]\n paths:\n - 'kong/**'\n - '**.rockspec'\n - '.requirements'\n - 'changelog/**'\n\njobs:\n require-changelog:\n if: ${{ !contains(github.event.*.labels.*.name, 'skip-changelog') }}\n name: Requires changelog\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n fetch-depth: 2\n\n - name: Find changelog files\n id: changelog-list\n uses: kong/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf\n with:\n files_yaml: |\n changelogs:\n - 'changelog/unreleased/**/*.yml'\n upper_case:\n - 'CHANGELOG/**'\n numbered:\n - 'changelog/unreleased/**/[0-9]+.yml'\n\n - name: Check changelog existence\n if: steps.changelog-list.outputs.changelogs_any_changed == 'false'\n run: |\n echo \"Changelog file expected but found none. If you believe this PR requires no changelog entry, label it with \\\"skip-changelog\\\".\"\n echo \"Refer to https://github.com/Kong/gateway-changelog for format guidelines.\"\n exit 1\n\n - name: Check correct case for changelog directory\n if: steps.changelog-list.outputs.upper_case_any_changed == 'true'\n run: |\n echo \"Please use \\\"changelog\\\" (all lowercase) for changelog modifications.\"\n echo \"Refer to https://github.com/Kong/gateway-changelog for format guidelines.\"\n echo \"Bad file(s): ${{ steps.changelog-list.outputs.upper_case_all_changed_files }}\"\n exit 1\n\n - name: Check descriptive filename for changelog entry\n if: steps.changelog-list.outputs.numbered_any_changed == 'true'\n run: |\n echo \"Please use short descriptive name for changelog files instead of numbers.\"\n echo \"E.g. bump_openresty.yml instead of 12345.yml.\"\n echo \"Refer to https://github.com/Kong/gateway-changelog for format guidelines.\"\n echo \"Bad file(s): ${{ steps.changelog-list.outputs.numbered_all_changed_files }}\"\n exit 1\n\n - name: Fail when deprecated YAML keys are used\n run: |\n for file in ${{ steps.changelog-list.outputs.changelogs_all_changed_files }}; do\n if grep -q \"prs:\" $file || grep -q \"jiras:\" $file; then\n echo \"Please do not include \\\"prs\\\" or \\\"jiras\\\" keys in new changelogs, put the JIRA number inside commit message and PR description instead.\"\n echo \"Refer to https://github.com/Kong/gateway-changelog for format guidelines.\"\n echo \"Bad file: $file\"\n exit 1\n fi\n done\n" }, { "path": ".github/workflows/changelog-validation.yml", "content": "name: Changelog Validation\n\non:\n pull_request:\n types: [ opened, synchronize ]\n\njobs:\n validate-changelog:\n name: Validate changelog\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Validate changelogs\n uses: Kong/gateway-changelog@bc389e6bcc015b3560c4d1024a3782331602a0f6\n with:\n files: changelog/unreleased/*/*.yml\n" }, { "path": ".github/workflows/cherry-picks-v2.yml", "content": "name: Cherry Pick to remote repository v2\non:\n pull_request:\n types: [closed, labeled]\n issue_comment:\n types: [created]\npermissions:\n contents: write # so it can comment\n pull-requests: write # so it can create pull requests and labels\njobs:\n cross-repo-cherrypick:\n name: Cherry pick to remote repository\n runs-on: ubuntu-latest\n # Only run when pull request is merged, or labeled\n # or when a comment containing `/cherry-pick` is created\n # and the author is a member, collaborator or owner\n if: >\n github.ref == 'refs/heads/master' &&\n (\n github.event_name == 'pull_request' &&\n github.event.pull_request.merged\n ) || (\n github.event_name == 'issue_comment' &&\n github.event.issue.pull_request &&\n contains(fromJSON('[\"MEMBER\", \"COLLABORATOR\", \"OWNER\"]'), github.event.comment.author_association) &&\n startsWith(github.event.comment.body, '/cherry-pick')\n )\n steps:\n - uses: actions/checkout@v4\n with:\n token: ${{ secrets.CHERRY_PICK_TOKEN }}\n - name: Create backport pull requests\n uses: jschmid1/cross-repo-cherrypick-action@9d2ead0043acba474373992c8175f2b8ffcdb31c #v1.2.0\n id: cherry_pick\n with:\n token: ${{ secrets.CHERRY_PICK_TOKEN }}\n pull_title: '[cherry-pick -> ${target_branch}] ${pull_title}'\n merge_commits: 'skip'\n trigger_label: 'cherry-pick kong-ee' # trigger based on this label\n pull_description: |-\n Automated cherry-pick to `${target_branch}`, triggered by a label in https://github.com/${owner}/${repo}/pull/${pull_number} :robot:.\n\n ## Original description\n\n ${pull_description}\n upstream_repo: 'kong/kong-ee'\n branch_map: |-\n {\n \"master\": \"master\"\n }\n - name: add label\n if: steps.cherry_pick.outputs.was_successful == 'false'\n uses: Kong/action-add-labels@81b0a07d6b2ec64d770be1ca94c31ec827418054\n with:\n labels: incomplete-cherry-pick\n" }, { "path": ".github/workflows/community-stale.yml", "content": "name: Close inactive issues\non:\n schedule:\n - cron: \"30 1 * * *\"\n\njobs:\n close-issues:\n runs-on: ubuntu-latest\n permissions:\n issues: write\n pull-requests: write\n steps:\n - uses: actions/stale@v9\n with:\n days-before-stale: 14\n days-before-close: 7\n only-labels: \"pending author feedback\"\n exempt-pr-labels: \"pinned,security\"\n exempt-issue-labels: \"pinned,security\"\n stale-issue-label: \"stale\"\n stale-issue-message: \"This issue is marked as stale because it has been open for 14 days with no activity.\"\n close-issue-message: |\n Dear contributor,\n \n We are automatically closing this issue because it has not seen any activity for three weeks.\n We're sorry that your issue could not be resolved. If any new information comes up that could\n help resolving it, please feel free to reopen it.\n \n Your contribution is greatly appreciated!\n \n Please have a look\n [our pledge to the community](https://github.com/Kong/kong/blob/master/COMMUNITY_PLEDGE.md)\n for more information.\n \n Sincerely,\n Your Kong Gateway team\n stale-pr-message: \"This PR is marked as stale because it has been open for 14 days with no activity.\"\n close-pr-message: |\n Dear contributor,\n \n We are automatically closing this pull request because it has not seen any activity for three weeks.\n We're sorry that we could not merge it. If you still want to pursure your patch, please feel free to \n reopen it and address any remaining issues.\n \n Your contribution is greatly appreciated!\n \n Please have a look\n [our pledge to the community](https://github.com/Kong/kong/blob/master/COMMUNITY_PLEDGE.md)\n for more information.\n \n Sincerely,\n Your Kong Gateway team\n repo-token: ${{ secrets.GITHUB_TOKEN }}\n" }, { "path": ".github/workflows/copyright-check.yml", "content": "name: Detect Unexpected EE Changes\n\non:\n pull_request:\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: ${{ github.event_name == 'pull_request' }}\n\njobs:\n check-copyright-and-ee-files:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v4\n\n - name: Find Enterprise Copyright\n shell: bash\n run: |\n set -e\n\n workflow_file=$(grep -rnl \"^name:[[:space:]]*Detect Unexpected EE Changes\" .github/workflows/*.yml | head -n1)\n echo \"Detected workflow file: $workflow_file\"\n\n all_files=$(grep -r -F -l \"This software is copyright Kong Inc. and its licensors.\" .)\n\n # ignore this file\n files=$(echo \"$all_files\" | grep -v \"$workflow_file$\" || true)\n\n\n if [ -n \"$files\" ]; then\n echo \"Error: Enterprise copyright detected in the following files:\"\n echo \"$files\"\n exit 1\n else\n echo \"No enterprise copyright found.\"\n fi\n\n - name: Get changed EE files\n id: changed-ee-files\n uses: kong/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf\n with:\n files: |\n spec-ee/**\n plugins-ee/**\n kong/enterprise_edition/**\n kong/plugins/*-advanced/**\n changelog/**/*-ee/**\n \n - name: Detect EE files\n if: steps.changed-ee-files.outputs.any_changed == 'true'\n run: |\n echo \"The following unexpected EE files were detected:\"\n echo \"${{ steps.changed-ee-files.outputs.all_changed_files }}\"\n exit 1\n" }, { "path": ".github/workflows/deck-integration.yml", "content": "name: Gateway decK Integration Tests\n\non:\n pull_request:\n paths:\n - 'kong/db/schema/**/*.lua'\n - 'kong/**/schema.lua'\n - 'kong/plugins/**/daos.lua'\n - 'kong/db/dao/*.lua'\n - 'kong/api/**/*.lua'\n - '.github/workflows/deck-integration.yml'\n\npermissions:\n pull-requests: write\n\nenv:\n LIBRARY_PREFIX: /usr/local/kong\n TEST_RESULTS_XML_OUTPUT: test-results\n BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build\n\n# cancel previous runs if new commits are pushed to the PR\nconcurrency:\n group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}\n cancel-in-progress: true\n\njobs:\n build:\n uses: ./.github/workflows/build.yml\n with:\n relative-build-root: bazel-bin/build\n\n deck-integration:\n name: Gateway decK integration tests\n runs-on: ubuntu-22.04\n needs: build\n timeout-minutes: 5\n\n services:\n postgres:\n image: postgres:13\n env:\n POSTGRES_USER: kong\n POSTGRES_DB: kong\n POSTGRES_HOST_AUTH_METHOD: trust\n ports:\n - 5432:5432\n options: --health-cmd pg_isready --health-interval 5s --health-timeout 5s --health-retries 8\n\n steps:\n - name: Install packages\n run: sudo apt update && sudo apt install -y libyaml-dev valgrind libprotobuf-dev libpam-dev postgresql-client jq\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n with:\n submodules: recursive\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ needs.build.outputs.cache-key }}\n\n - name: Install Kong dev\n run: make dev\n\n - name: Tests\n id: deck_tests\n env:\n KONG_TEST_PG_DATABASE: kong\n KONG_TEST_PG_USER: kong\n KONG_TEST_DATABASE: postgres\n run: |\n mkdir $TEST_RESULTS_XML_OUTPUT\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n bin/busted spec/06-third-party/01-deck -o hjtest -Xoutput $(realpath $TEST_RESULTS_XML_OUTPUT)/report.xml -v\n" }, { "path": ".github/workflows/label-check.yml", "content": "name: Pull Request Label Checker\non:\n pull_request:\n types: [opened, edited, synchronize, labeled, unlabeled]\njobs:\n check-labels:\n name: prevent merge labels\n runs-on: ubuntu-latest\n\n steps:\n - name: backport master label found\n run: echo \"Please do not backport into master, instead, create a PR targeting master and backport from it instead.\"; exit 1\n if: ${{ contains(github.event.*.labels.*.name, 'backport master') }}\n" }, { "path": ".github/workflows/label-community-pr.yml", "content": "name: Label community PRs\n\non:\n schedule:\n - cron: '*/30 * * * *'\n\npermissions:\n pull-requests: write\n\njobs:\n check_author:\n runs-on: ubuntu-latest\n defaults:\n run:\n shell: bash\n steps:\n - uses: actions/checkout@v4\n - name: Label Community PR\n env:\n GH_TOKEN: ${{ secrets.COMMUNITY_PRS_TOKEN }}\n LABEL: \"author/community\"\n BOTS: \"team-gateway-bot app/dependabot\"\n run: |\n set +e\n for id in `gh pr list -S 'draft:false' -s 'open'|awk '{print $1}'`\n do\n name=`gh pr view $id --json author -q '.author.login'`\n ret=`gh api orgs/Kong/members --paginate -q '.[].login'|grep \"^${name}$\"`\n if [[ -z $ret && ! \"${BOTS[@]}\" =~ $name ]]; then\n gh pr edit $id --add-label \"${{ env.LABEL }}\"\n else\n gh pr edit $id --remove-label \"${{ env.LABEL }}\"\n fi\n done\n" }, { "path": ".github/workflows/label-schema.yml", "content": "name: Pull Request Schema Labeler\non:\n pull_request:\n types: [opened, edited, labeled, unlabeled]\njobs:\n schema-change-labels:\n if: \"${{ contains(github.event.*.labels.*.name, 'schema-change-noteworthy') }}\"\n runs-on: ubuntu-latest\n steps:\n - name: Schema change label found\n uses: Kong/action-slack-notify@bd750854aaf93c5c6f69799bf813c40e7786368a # v2_node20\n continue-on-error: true\n env:\n SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_SCHEMA_CHANGE }}\n SLACK_MESSAGE: ${{ github.event.pull_request.title }}\n SLACK_FOOTER: \"<${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }}>\"\n" }, { "path": ".github/workflows/labeler-v2.yml", "content": "name: \"Pull Request Labeler v2\"\non:\n- pull_request\n\njobs:\n labeler:\n if: ${{ !github.event.pull_request.head.repo.fork }}\n permissions:\n contents: read\n pull-requests: write\n runs-on: ubuntu-latest\n steps:\n - uses: actions/labeler@v5\n" }, { "path": ".github/workflows/openresty-patches-companion.yml", "content": "name: Openresty patches review companion\non:\n pull_request:\n paths:\n - 'build/openresty/patches/**'\n\njobs:\n create-pr:\n runs-on: ubuntu-latest\n steps:\n - name: Dispatch the workflow\n if: ${{ github.repository_owner == 'Kong' }}\n uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1\n with:\n workflow: create-pr.yml\n repo: kong/openresty-patches-review\n ref: master\n token: ${{ secrets.PAT }}\n inputs: |\n {\"pr-branch\":\"${{ github.event.pull_request.head.repo.owner.login }}:${{ github.head_ref }}\", \"pr-base\":\"${{ github.base_ref }}\", \"ee\":${{ contains(github.repository, 'kong-ee') && 'true' || 'false' }}, \"pr-id\":\"${{ github.event.pull_request.number }}\"}\n\n" }, { "path": ".github/workflows/perf.yml", "content": "name: Performance Test\n\non:\n pull_request:\n schedule:\n # don't know the timezone but it's daily at least\n - cron: '0 7 * * *'\n\nenv:\n terraform_version: '1.2.4'\n HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}\n BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build\n\n # only for pr\n GHA_CACHE: ${{ github.event_name == 'pull_request' }}\n\njobs:\n build-packages:\n name: Build dependencies\n runs-on: ubuntu-22.04\n if: |\n github.event_name == 'schedule' ||\n (github.event_name == 'pull_request' && startsWith(github.event.pull_request.title, 'perf(')) ||\n (github.event_name == 'issue_comment' && github.event.action == 'created' &&\n github.event.issue.pull_request &&\n contains('[\"OWNER\", \"COLLABORATOR\", \"MEMBER\"]', github.event.comment.author_association) &&\n (startsWith(github.event.comment.body, '/perf') || startsWith(github.event.comment.body, '/flamegraph'))\n )\n\n outputs:\n cache-key: ${{ steps.cache-key.outputs.cache-key }}\n\n steps:\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n - name: Generate cache key\n id: cache-key\n uses: ./.github/actions/build-cache-key\n with:\n prefix: perf\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ steps.cache-key.outputs.cache-key }}\n\n - name: Install packages\n if: steps.cache-deps.outputs.cache-hit != 'true'\n run: sudo apt update && sudo apt install libyaml-dev valgrind libprotobuf-dev\n\n - name: Build Kong\n if: steps.cache-deps.outputs.cache-hit != 'true'\n env:\n GH_TOKEN: ${{ github.token }}\n run: |\n make build-kong\n BUILD_PREFIX=$BUILD_ROOT/kong-dev\n export PATH=\"$BUILD_PREFIX/bin:$BUILD_PREFIX/openresty/nginx/sbin:$BUILD_PREFIX/openresty/bin:$PATH\"\n chmod +rw -R $BUILD_PREFIX\n nginx -V\n ldd $(which nginx)\n luarocks\n\n - name: Bazel Outputs\n uses: actions/upload-artifact@v4\n if: failure()\n with:\n name: bazel-outputs\n path: |\n bazel-out/_tmp/actions\n retention-days: 3\n\n - name: Build Dev Kong dependencies\n if: steps.cache-deps.outputs.cache-hit != 'true'\n run: |\n make install-dev-rocks\n\n perf:\n name: RPS, latency and flamegraphs\n runs-on: ubuntu-22.04\n needs: build-packages\n\n permissions:\n # required to send comment of graphs and results in the PR\n pull-requests: write\n\n if: |\n github.event_name == 'schedule' ||\n (github.event_name == 'pull_request' && startsWith(github.event.pull_request.title, 'perf(')) ||\n (github.event_name == 'issue_comment' && github.event.action == 'created' &&\n github.event.issue.pull_request &&\n contains('[\"OWNER\", \"COLLABORATOR\", \"MEMBER\"]', github.event.comment.author_association) &&\n (startsWith(github.event.comment.body, '/perf') || startsWith(github.event.comment.body, '/flamegraph'))\n )\n\n # perf test can only run one at a time per repo for now\n concurrency:\n group: perf-ce\n\n steps:\n # set up mutex across CE and EE to avoid resource race\n - name: Set up mutex\n uses: ben-z/gh-action-mutex@9709ba4d8596ad4f9f8bbe8e0f626ae249b1b3ac # v1.0-alpha-6\n with:\n repository: \"Kong/kong-perf-mutex-lock\"\n branch: \"gh-mutex\"\n repo-token: ${{ secrets.PAT }}\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n with:\n # Fetch all history for all tags and branches\n fetch-depth: 0\n\n - name: Load Cached Packages\n id: cache-deps\n if: env.GHA_CACHE == 'true'\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ needs.build-packages.outputs.cache-key }}\n\n - name: Install performance test Dependencies\n run: |\n # in Kong repository\n sudo apt update && sudo apt install inkscape -y\n\n # terraform!\n wget https://releases.hashicorp.com/terraform/${{ env.terraform_version }}/terraform_${{ env.terraform_version }}_linux_amd64.zip\n unzip terraform_${{ env.terraform_version }}_linux_amd64.zip\n sudo mv terraform /usr/bin/\n\n - name: Choose perf suites\n id: choose_perf\n env:\n COMMENT_BODY: ${{ github.event.comment.body }}\n run: |\n suites=\"$(printf '%s' \"$COMMENT_BODY\" | awk '{print $1}')\"\n tags=\"$(printf '%s' \"$COMMENT_BODY\" | awk '{print $2}')\"\n\n if [[ $suite == \"/flamegraph\" ]]; then\n suites=\"02-flamegraph\"\n if [[ -z $tags ]]; then\n tags=\"simple\"\n fi\n elif [[ $suite == \"/perf\" ]]; then\n suites=\"01-rps\"\n if [[ -z $tags ]]; then\n tags=\"baseline,single_route\"\n fi\n else\n # if not specified by comment, run both\n suites=\"01-rps 02-flamegraph\"\n if [[ -z $tags ]]; then\n tags=\"baseline,single_route,simple\"\n fi\n fi\n\n echo \"suites=$suites\" >> $GITHUB_OUTPUT\n echo \"tags=$tags\" >> $GITHUB_OUTPUT\n\n - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1.4.1\n id: comment-branch\n if: github.event_name == 'issue_comment' && github.event.action == 'created'\n\n - name: Find compared versions\n id: compare_versions\n env:\n PR_BASE_REF: ${{ github.event.pull_request.base.ref }}\n COMMENT_BODY: ${{ github.event.comment.body }}\n run: |\n pr_ref=$(echo \"$PR_BASE_REF\")\n custom_vers=\"$(printf '%s' \"$COMMENT_BODY\" | awk '{print $3}')\"\n\n if [[ ! -z \"${pr_ref}\" ]]; then\n vers=\"git:${{ github.head_ref }},git:${pr_ref}\"\n elif [[ ! -z \"${custom_vers}\" ]]; then\n vers=\"${custom_vers}\"\n elif [[ ! -z \"$COMMENT_BODY\" ]]; then\n vers=\"git:${{ steps.comment-branch.outputs.head_ref}},git:${{ steps.comment-branch.outputs.base_ref}}\"\n else # is cron job/on master\n vers=\"git:master,git:origin/master~10,git:origin/master~50\"\n fi\n\n echo $vers\n\n echo \"vers=$vers\" >> $GITHUB_OUTPUT\n\n\n - name: Run Tests\n env:\n PERF_TEST_VERSIONS: ${{ steps.compare_versions.outputs.vers }}\n PERF_TEST_DRIVER: terraform\n PERF_TEST_TERRAFORM_PROVIDER: bring-your-own\n PERF_TEST_BYO_KONG_IP: ${{ secrets.PERF_TEST_BYO_KONG_IP }}\n PERF_TEST_BYO_WORKER_IP: ${{ secrets.PERF_TEST_BYO_WORKER_IP }}\n PERF_TEST_BYO_SSH_USER: gha\n PERF_TEST_USE_DAILY_IMAGE: true\n PERF_TEST_DISABLE_EXEC_OUTPUT: true\n timeout-minutes: 180\n run: |\n export PERF_TEST_BYO_SSH_KEY_PATH=$(pwd)/ssh_key\n echo \"${{ secrets.PERF_TEST_BYO_SSH_KEY }}\" > ${PERF_TEST_BYO_SSH_KEY_PATH}\n\n chmod 600 ${PERF_TEST_BYO_SSH_KEY_PATH}\n # setup tunnel for psql and admin port\n ssh -o StrictHostKeyChecking=no -o TCPKeepAlive=yes -o ServerAliveInterval=10 \\\n -o ExitOnForwardFailure=yes -o ConnectTimeout=5 \\\n -L 15432:localhost:5432 -L 39001:localhost:39001 \\\n -i ${PERF_TEST_BYO_SSH_KEY_PATH} \\\n ${PERF_TEST_BYO_SSH_USER}@${PERF_TEST_BYO_KONG_IP} tail -f /dev/null &\n sleep 5\n\n sudo iptables -t nat -I OUTPUT -p tcp --dport 5432 -d ${PERF_TEST_BYO_KONG_IP} -j DNAT --to 127.0.0.1:15432\n sudo iptables -t nat -I OUTPUT -p tcp --dport 39001 -d ${PERF_TEST_BYO_KONG_IP} -j DNAT --to 127.0.0.1:39001\n\n make dev # required to install other dependencies like bin/grpcurl\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n for suite in ${{ steps.choose_perf.outputs.suites }}; do\n # Run each test individually, ngx.pipe doesn't like to be imported twice\n # maybe bin/busted --no-auto-insulate\n for f in $(find \"spec/04-perf/$suite/\" -type f); do\n bin/busted \"$f\" \\\n -t \"${{ steps.choose_perf.outputs.tags }}\"\n done\n done\n\n - name: Teardown\n # Note: by default each job has if: ${{ success() }}\n if: always()\n env:\n PERF_TEST_VERSIONS: git:${{ github.sha }}\n PERF_TEST_DRIVER: terraform\n PERF_TEST_TERRAFORM_PROVIDER: bring-your-own\n PERF_TEST_BYO_KONG_IP: ${{ secrets.PERF_TEST_BYO_KONG_IP }}\n PERF_TEST_BYO_WORKER_IP: ${{ secrets.PERF_TEST_BYO_WORKER_IP }}\n PERF_TEST_BYO_SSH_USER: gha\n PERF_TEST_TEARDOWN_ALL: true\n run: |\n export PERF_TEST_BYO_SSH_KEY_PATH=$(pwd)/ssh_key\n echo \"${{ secrets.PERF_TEST_BYO_SSH_KEY }}\" > ${PERF_TEST_BYO_SSH_KEY_PATH}\n\n make dev # required to install other dependencies like bin/grpcurl\n source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n bin/busted spec/04-perf/99-teardown/\n\n rm -f ${PERF_TEST_BYO_SSH_KEY_PATH}\n\n - name: Generate high DPI graphs\n if: always()\n run: |\n for i in $(ls output/*.svg); do\n inkscape --export-area-drawing --export-png=\"${i%.*}.png\" --export-dpi=300 -b FFFFFF $i\n done\n\n - uses: actions/setup-python@v5\n with:\n python-version: '3.10'\n cache: 'pip'\n\n - name: Generate plots\n if: always()\n run: |\n cwd=$(pwd)\n cd spec/helpers/perf/charts/\n pip install -r requirements.txt\n for i in $(ls ${cwd}/output/*.data.json); do\n python ./charts.py $i -o \"${cwd}/output/\"\n done\n\n - name: Save results\n uses: actions/upload-artifact@v3\n if: always()\n with:\n name: perf-results\n path: |\n output/\n !output/**/*.log\n\n retention-days: 31\n\n - name: Save error logs\n uses: actions/upload-artifact@v3\n if: always()\n with:\n name: error_logs\n path: |\n output/**/*.log\n retention-days: 31\n\n - name: Output\n if: always()\n id: output\n run: |\n if [[ \"${{ steps.choose_perf.outputs.suites }}\" =~ \"02-flamegraph\" ]]; then\n result=\"Please see Github Actions artifacts for flamegraphs.\n\n \"\n fi\n\n result=\"${result}$(cat output/result.txt)\" || true\n\n # https://github.community/t/set-output-truncates-multiline-strings/16852/2\n result=\"${result//'%'/'%25'}\"\n result=\"${result//$'\\n'/'%0A'}\"\n result=\"${result//$'\\r'/'%0D'}\"\n\n echo \"result=$results\" >> $GITHUB_OUTPUT\n\n - name: Upload charts\n if: always()\n id: charts\n uses: devicons/public-upload-to-imgur@352cf5f2805c692539a96cfe49a09669e6fca88e # v2.2.2\n continue-on-error: true\n with:\n path: output/*.png\n client_id: ${{ secrets.PERF_TEST_IMGUR_CLIENT_ID }}\n\n - name: Comment\n if: |\n github.event_name == 'pull_request' ||\n (github.event_name == 'issue_comment' && github.event.issue.pull_request)\n uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1.0.0\n with:\n github_token: ${{ secrets.GITHUB_TOKEN }}\n body: |\n ## :rocket: Performance test result\n\n **Test Suite**: ${{ steps.choose_perf.outputs.suites }} (${{ steps.choose_perf.outputs.tags }})\n\n ${{ join(fromJSON(steps.charts.outputs.markdown_urls), ' ') }}\n\n
Click to expand\n\n ```\n ${{ steps.output.outputs.result }}\n\n Kong error logs are also available in Github Actions artifacts.\n ```\n\n
\n\n [Download Artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) for detailed results and interactive SVG flamegraphs.\n" }, { "path": ".github/workflows/release.yml", "content": "name: Package & Release\n\n# The workflow to build and release official Kong packages and images.\n\non: # yamllint disable-line rule:truthy\n pull_request:\n paths-ignore:\n - '**/*.md'\n - 'COPYRIGHT'\n - 'LICENSE'\n - '.github/workflows/build_and_test.yml'\n - 'changelog/**'\n - 'kong.conf.default'\n schedule:\n - cron: '0 0 * * *'\n push:\n branches:\n - master\n workflow_dispatch:\n inputs:\n official:\n description: 'Official release?'\n required: true\n type: boolean\n default: false\n version:\n description: 'Release version, e.g. `3.0.0.0-beta.2`'\n required: true\n type: string\n\n# `commit-ly` is a flag that indicates whether the build should be run per commit.\n\nenv:\n # official release repo\n DOCKER_ORGANIZATION: kong\n DOCKER_REPOSITORY: kong/kong\n PRERELEASE_DOCKER_REPOSITORY: kong/kong-dev\n FULL_RELEASE: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.actor == 'dependabot[bot]'}}\n\n # only for PR\n GHA_CACHE: ${{ github.event_name == 'pull_request' }}\n # PRs opened from fork and from dependabot don't have access to repo secrets\n HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}\n\n\njobs:\n metadata:\n name: Metadata\n runs-on: ubuntu-24.04\n outputs:\n kong-version: ${{ steps.build-info.outputs.kong-version }}\n prerelease-docker-repository: ${{ env.PRERELEASE_DOCKER_REPOSITORY }}\n docker-repository: ${{ steps.build-info.outputs.docker-repository }}\n release-desc: ${{ steps.build-info.outputs.release-desc }}\n release-label: ${{ steps.build-info.outputs.release-label || '' }}\n deploy-environment: ${{ steps.build-info.outputs.deploy-environment }}\n matrix: ${{ steps.build-info.outputs.matrix }}\n arch: ${{ steps.build-info.outputs.arch }}\n # use github.event.pull_request.head.sha instead of github.sha on a PR, as github.sha on PR is the merged commit (temporary commit)\n commit-sha: ${{ github.event.pull_request.head.sha || github.sha }}\n\n steps:\n - uses: actions/checkout@v4\n - name: Build Info\n id: build-info\n run: |\n KONG_VERSION=$(bash scripts/grep-kong-version.sh)\n echo \"kong-version=$KONG_VERSION\" >> $GITHUB_OUTPUT\n\n if [ \"${{ github.event_name == 'schedule' }}\" == \"true\" ]; then\n echo \"release-label=$(date -u +'%Y%m%d')\" >> $GITHUB_OUTPUT\n fi\n\n matrix_file=\".github/matrix-commitly.yml\"\n if [ \"$FULL_RELEASE\" == \"true\" ]; then\n matrix_file=\".github/matrix-full.yml\"\n fi\n\n if [ \"${{ github.event.inputs.official }}\" == \"true\" ]; then\n release_desc=\"$KONG_VERSION (official)\"\n echo \"docker-repository=$DOCKER_REPOSITORY\" >> $GITHUB_OUTPUT\n echo \"deploy-environment=release\" >> $GITHUB_OUTPUT\n else\n release_desc=\"$KONG_VERSION (pre-release)\"\n echo \"docker-repository=$PRERELEASE_DOCKER_REPOSITORY\" >> $GITHUB_OUTPUT\n fi\n\n echo \"release-desc=$release_desc\" >> $GITHUB_OUTPUT\n\n echo \"matrix=$(yq -I=0 -o=json $matrix_file)\" >> $GITHUB_OUTPUT\n\n echo \"docker-test-image=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.event.pull_request.head.sha || github.sha }}\" >> $GITHUB_OUTPUT\n\n cat $GITHUB_OUTPUT\n\n echo \"### :package: Building and packaging for $release_desc\" >> $GITHUB_STEP_SUMMARY\n echo >> $GITHUB_STEP_SUMMARY\n echo '- event_name: ${{ github.event_name }}' >> $GITHUB_STEP_SUMMARY\n echo '- ref_name: ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY\n echo '- inputs.version: ${{ github.event.inputs.version }}' >> $GITHUB_STEP_SUMMARY\n echo >> $GITHUB_STEP_SUMMARY\n echo '```' >> $GITHUB_STEP_SUMMARY\n cat $GITHUB_OUTPUT >> $GITHUB_STEP_SUMMARY\n echo '```' >> $GITHUB_STEP_SUMMARY\n\n build-packages:\n needs: metadata\n name: Build & Package - ${{ matrix.label }}\n environment: ${{ needs.metadata.outputs.deploy-environment }}\n\n strategy:\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}\"\n\n runs-on: ubuntu-24.04\n container:\n image: ${{ matrix.image }}\n options: --privileged\n\n steps:\n - name: Early Rpm Setup\n if: matrix.package == 'rpm' && matrix.image != ''\n run: |\n # tar/gzip is needed to restore git cache (if available)\n yum install -y tar gzip which file zlib-devel\n\n - name: Early Deb in Container Setup\n if: matrix.package == 'deb' && matrix.image != ''\n run: |\n # tar/gzip is needed to restore git cache (if available)\n apt-get update\n apt-get install -y git tar gzip file sudo\n\n - name: Cache Git\n id: cache-git\n if: (matrix.package == 'rpm') && matrix.image != ''\n uses: actions/cache@v4\n with:\n path: /usr/local/git\n key: ${{ matrix.label }}-git-2.41.0\n\n # el-7,8, amazonlinux-2,2023 doesn't have git 2.18+, so we need to install it manually\n - name: Install newer Git\n if: (matrix.package == 'rpm') && matrix.image != '' && steps.cache-git.outputs.cache-hit != 'true'\n run: |\n if which apt 2>/dev/null; then\n apt update\n apt install -y wget libz-dev libssl-dev libcurl4-gnutls-dev libexpat1-dev gettext make gcc autoconf sudo\n else\n yum update -y\n yum groupinstall -y 'Development Tools'\n yum install -y wget zlib-devel openssl-devel curl-devel expat-devel gettext-devel perl-CPAN perl-devel\n fi\n wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.41.0.tar.gz\n tar xf git-2.41.0.tar.gz\n cd git-2.41.0\n\n make configure\n ./configure --prefix=/usr/local/git\n make -j$(nproc)\n make install\n\n - name: Add Git to PATH\n if: (matrix.package == 'rpm') && matrix.image != ''\n run: |\n echo \"/usr/local/git/bin\" >> $GITHUB_PATH\n\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n\n - name: Swap git with https\n run: git config --global url.\"https://github\".insteadOf git://github\n\n - name: Generate build cache key\n id: cache-key\n if: env.GHA_CACHE == 'true'\n uses: ./.github/actions/build-cache-key\n with:\n prefix: ${{ matrix.label }}-build\n extra: |\n ${{ hashFiles('kong/**') }}\n\n - name: Cache Packages\n id: cache-deps\n if: env.GHA_CACHE == 'true'\n uses: actions/cache@v4\n with:\n path: bazel-bin/pkg\n key: ${{ steps.cache-key.outputs.cache-key }}\n\n - name: Set .requirements into environment variables\n run: |\n grep -v '^#' .requirements >> $GITHUB_ENV\n\n - name: Setup Bazel\n uses: bazel-contrib/setup-bazel@e403ad507104847c3539436f64a9e9eecc73eeec #0.8.5\n with:\n bazelisk-version: \"1.20.0\"\n # Avoid downloading Bazel every time.\n bazelisk-cache: true\n \n - name: Install Deb Dependencies\n if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true'\n run: |\n sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \\\n automake \\\n build-essential \\\n curl \\\n file \\\n libyaml-dev \\\n m4 \\\n perl \\\n pkg-config \\\n unzip \\\n zlib1g-dev\n\n - name: Install Ubuntu Cross Build Dependencies (arm64)\n if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' && endsWith(matrix.label, 'arm64')\n run: |\n sudo apt-get install crossbuild-essential-arm64 -y\n\n - name: Install Rpm Dependencies\n if: matrix.package == 'rpm' && matrix.image != ''\n run: |\n yum groupinstall -y 'Development Tools'\n dnf install -y 'dnf-command(config-manager)'\n dnf config-manager --set-enabled powertools || true # enable devel packages on rockylinux:8\n dnf config-manager --set-enabled crb || true # enable devel packages on rockylinux:9\n yum install -y libyaml-devel\n yum install -y cpanminus || (yum install -y perl && curl -L https://raw.githubusercontent.com/miyagawa/cpanminus/master/cpanm | perl - App::cpanminus) # amazonlinux2023 removed cpanminus\n # required for openssl 3.x config\n cpanm IPC/Cmd.pm\n\n - name: Build Kong dependencies\n if: steps.cache-deps.outputs.cache-hit != 'true'\n env:\n GH_TOKEN: ${{ github.token }}\n run: |\n bazel build --config release //build:kong --verbose_failures ${{ matrix.bazel-args }}\n\n - name: Package Kong - ${{ matrix.package }}\n if: matrix.package != 'rpm' && steps.cache-deps.outputs.cache-hit != 'true'\n run: |\n bazel build --config release :kong_${{ matrix.package }} --verbose_failures ${{ matrix.bazel-args }}\n\n - name: Package Kong - rpm\n if: matrix.package == 'rpm' && steps.cache-deps.outputs.cache-hit != 'true'\n env:\n RELEASE_SIGNING_GPG_KEY: ${{ secrets.RELEASE_SIGNING_GPG_KEY }}\n NFPM_RPM_PASSPHRASE: ${{ secrets.RELEASE_SIGNING_GPG_KEY_PASSPHRASE }}\n run: |\n if [ -n \"${RELEASE_SIGNING_GPG_KEY:-}\" ]; then\n RPM_SIGNING_KEY_FILE=$(mktemp)\n echo \"$RELEASE_SIGNING_GPG_KEY\" > $RPM_SIGNING_KEY_FILE\n export RPM_SIGNING_KEY_FILE=$RPM_SIGNING_KEY_FILE\n fi\n\n bazel build --config release :kong_${{ matrix.package-type }} --action_env=RPM_SIGNING_KEY_FILE --action_env=NFPM_RPM_PASSPHRASE ${{ matrix.bazel-args }}\n\n - name: Bazel Debug Outputs\n if: failure()\n run: |\n cat bazel-out/_tmp/actions/stderr-*\n sudo dmesg || true\n tail -n500 bazel-out/**/*/CMake.log || true\n\n - name: Upload artifacts\n uses: actions/upload-artifact@v4\n with:\n name: ${{ matrix.label }}-packages\n path: bazel-bin/pkg\n retention-days: 3\n\n verify-manifest-packages:\n needs: [metadata, build-packages]\n name: Verify Manifest - Package ${{ matrix.label }}\n runs-on: ubuntu-24.04\n\n strategy:\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}\"\n\n steps:\n - uses: actions/checkout@v4\n\n - name: Download artifact\n uses: actions/download-artifact@v4\n with:\n name: ${{ matrix.label }}-packages\n path: bazel-bin/pkg\n\n - name: Install Python\n uses: actions/setup-python@v5\n with:\n python-version: '3.11'\n cache: 'pip' # caching pip dependencies\n\n - name: Verify\n run: |\n cd scripts/explain_manifest\n pip install -r requirements.txt\n pkg=$(ls ../../bazel-bin/pkg/kong* |head -n1)\n python ./main.py -f filelist.txt -p $pkg -o test.txt -s ${{ matrix.check-manifest-suite }}\n\n build-images:\n name: Build Images - ${{ matrix.label }}\n needs: [metadata, build-packages]\n runs-on: ubuntu-24.04\n\n permissions:\n # create comments on commits for docker images needs the `write` permission\n contents: write\n\n strategy:\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}\"\n\n steps:\n - uses: actions/checkout@v4\n\n - name: Download artifact\n uses: actions/download-artifact@v4\n with:\n name: ${{ matrix.artifact-from }}-packages\n path: bazel-bin/pkg\n\n - name: Download artifact (alt)\n if: matrix.artifact-from-alt != ''\n uses: actions/download-artifact@v4\n with:\n name: ${{ matrix.artifact-from-alt }}-packages\n path: bazel-bin/pkg\n\n - name: Login to Docker Hub\n if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}\n uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0\n with:\n username: ${{ env.DOCKER_ORGANIZATION }}\n password: ${{ secrets.DOCKER_OAT_PUSH }}\n\n - name: Docker meta\n id: meta\n uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5\n env:\n DOCKER_METADATA_PR_HEAD_SHA: true\n with:\n images: ${{ needs.metadata.outputs.prerelease-docker-repository }}\n tags: |\n type=raw,${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}\n type=raw,enable=${{ matrix.label == 'ubuntu' }},${{ needs.metadata.outputs.commit-sha }}\n\n - name: Set up QEMU\n if: matrix.docker-platforms != ''\n uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3\n\n - name: Set up Docker Buildx\n uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3\n\n - name: Set platforms\n id: docker_platforms_arg\n run: |\n platforms=\"${{ matrix.docker-platforms }}\"\n if [[ -z \"$platforms\" ]]; then\n platforms=\"linux/amd64\"\n fi\n\n echo \"platforms=$platforms\"\n echo \"platforms=$platforms\" >> $GITHUB_OUTPUT\n\n - name: Set rpm platform\n id: docker_rpm_platform_arg\n if: matrix.package == 'rpm'\n run: |\n rpm_platform=\"${{ matrix.rpm_platform }}\"\n if [[ -z \"$rpm_platform\" ]]; then\n rpm_platform=\"el9\"\n fi\n\n echo \"rpm_platform=$rpm_platform\"\n echo \"rpm_platform=$rpm_platform\" >> $GITHUB_OUTPUT\n\n - name: Build Docker Image\n uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5\n with:\n file: build/dockerfiles/${{ matrix.package }}.Dockerfile\n context: .\n push: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}\n platforms: ${{ steps.docker_platforms_arg.outputs.platforms }}\n build-args: |\n KONG_BASE_IMAGE=${{ matrix.base-image }}\n KONG_ARTIFACT_PATH=bazel-bin/pkg\n KONG_VERSION=${{ needs.metadata.outputs.kong-version }}\n RPM_PLATFORM=${{ steps.docker_rpm_platform_arg.outputs.rpm_platform }}\n EE_PORTS=8002 8445 8003 8446 8004 8447\n\n - name: Comment on commit\n if: github.event_name == 'push' && matrix.label == 'ubuntu'\n uses: peter-evans/commit-comment@5a6f8285b8f2e8376e41fe1b563db48e6cf78c09 # v3.0.0\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n body: |\n ### Bazel Build\n Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}`\n Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n verify-manifest-images:\n needs: [metadata, build-images]\n name: Verify Manifest - Image ${{ matrix.label }}\n runs-on: ubuntu-24.04\n if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')\n\n strategy:\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}\"\n\n steps:\n - uses: actions/checkout@v4\n\n - name: Install Python\n uses: actions/setup-python@v5\n with:\n python-version: '3.11'\n cache: 'pip' # caching pip dependencies\n\n - name: Verify\n run: |\n cd scripts/explain_manifest\n # docker image verify requires sudo to set correct permissions, so we\n # also install deps for root\n sudo -E pip install -r requirements.txt\n IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}\n\n sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image\n\n if [[ ! -z \"${{ matrix.docker-platforms }}\" ]]; then\n DOCKER_DEFAULT_PLATFORM=linux/arm64 sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image\n fi\n\n scan-images:\n name: Scan Images - ${{ matrix.label }}\n needs: [metadata, build-images]\n runs-on: ubuntu-24.04\n timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}\n if: |-\n always()\n && vars.DISABLE_SCA_SCAN == 'false'\n && fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != ''\n && needs.build-images.result == 'success'\n && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))\n strategy:\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}\"\n env:\n IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}\n steps:\n - name: Install regctl\n uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183\n\n - name: Login to Docker Hub\n if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }}\n uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0\n with:\n username: ${{ env.DOCKER_ORGANIZATION }}\n password: ${{ secrets.DOCKER_OAT_PUSH }}\n\n # TODO: Refactor matrix file to support and parse platforms specific to distro\n # Workaround: Look for specific amd64 and arm64 hardcooded architectures\n - name: Parse Architecture Specific Image Manifest Digests\n id: image_manifest_metadata\n run: |\n manifest_list_exists=\"$(\n if regctl manifest get \"${IMAGE}\" --format raw-body --require-list -v panic &> /dev/null; then\n echo true\n else\n echo false\n fi\n )\"\n echo \"manifest_list_exists=$manifest_list_exists\"\n echo \"manifest_list_exists=$manifest_list_exists\" >> $GITHUB_OUTPUT\n\n amd64_sha=\"$(regctl image digest \"${IMAGE}\" --platform linux/amd64 || echo '')\"\n arm64_sha=\"$(regctl image digest \"${IMAGE}\" --platform linux/arm64 || echo '')\"\n echo \"amd64_sha=$amd64_sha\"\n echo \"amd64_sha=$amd64_sha\" >> $GITHUB_OUTPUT\n echo \"arm64_sha=$arm64_sha\"\n echo \"arm64_sha=$arm64_sha\" >> $GITHUB_OUTPUT\n\n - name: Scan AMD64 Image digest\n id: sbom_action_amd64\n if: steps.image_manifest_metadata.outputs.amd64_sha != ''\n uses: Kong/public-shared-actions/security-actions/scan-docker-image@a5b1cfac7d55d8cf9390456a1e6799425e28840d # v4.0.1\n with:\n asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64\n image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}\n skip_cis_scan: true # FIXME\n\n - name: Scan ARM64 Image digest\n if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''\n id: sbom_action_arm64\n uses: Kong/public-shared-actions/security-actions/scan-docker-image@a5b1cfac7d55d8cf9390456a1e6799425e28840d # v4.0.1\n with:\n asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64\n image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}\n skip_cis_scan: true # FIXME\n\n release-packages:\n name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }}\n needs: [metadata, build-packages, build-images]\n runs-on: ubuntu-24.04\n if: fromJSON(needs.metadata.outputs.matrix)['release-packages'] != ''\n timeout-minutes: 5 # PULP takes a while to publish\n environment: release\n\n strategy:\n # limit to 3 jobs at a time\n max-parallel: 3\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['release-packages'] }}\"\n\n steps:\n - uses: actions/checkout@v4\n\n - name: Download artifact\n uses: actions/download-artifact@v4\n with:\n name: ${{ matrix.artifact-from }}-packages\n path: bazel-bin/pkg\n\n - name: Set package architecture\n id: pkg-arch\n run: |\n arch='amd64'\n if [[ '${{ matrix.label }}' == *'arm64' ]]; then\n arch='arm64'\n fi\n echo \"arch=$arch\"\n echo \"arch=$arch\" >> $GITHUB_OUTPUT\n\n - name: Upload Packages\n env:\n ARCHITECTURE: ${{ steps.pkg-arch.outputs.arch }}\n OFFICIAL_RELEASE: ${{ github.event.inputs.official }}\n ARTIFACT_VERSION: ${{ matrix.artifact-version }}\n ARTIFACT_TYPE: ${{ matrix.artifact-type }}\n ARTIFACT: ${{ matrix.artifact }}\n INPUT_VERSION: ${{ github.event.inputs.version }}\n PACKAGE_TYPE: ${{ matrix.package }}\n KONG_RELEASE_LABEL: ${{ needs.metadata.outputs.release-label }}\n VERBOSE: ${{ runner.debug == '1' && '1' || '' }}\n CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}\n CLOUDSMITH_DRY_RUN: ''\n IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}\n USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}\n run: |\n sha256sum bazel-bin/pkg/*\n\n # set the version input as tags passed to release-scripts\n # note: release-scripts rejects user tags if missing internal flag\n #\n # this can be a comma-sepratated list of tags to apply\n if [[ \"$OFFICIAL_RELEASE\" == 'false' ]]; then\n if echo \"$INPUT_VERSION\" | grep -qs -E 'rc|alpha|beta|nightly'; then\n PACKAGE_TAGS=\"$INPUT_VERSION\"\n export PACKAGE_TAGS\n fi\n fi\n\n scripts/release-kong.sh\n\n release-images:\n name: Release Images - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }}\n needs: [metadata, build-images]\n runs-on: ubuntu-24.04\n if: fromJSON(needs.metadata.outputs.matrix)['release-images'] != ''\n\n strategy:\n # limit to 3 jobs at a time\n max-parallel: 3\n fail-fast: false\n matrix:\n include: \"${{ fromJSON(needs.metadata.outputs.matrix)['release-images'] }}\"\n\n steps:\n - name: Login to Docker Hub\n if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}\n uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0\n with:\n username: ${{ env.DOCKER_ORGANIZATION }}\n password: ${{ secrets.DOCKER_OAT_PUSH }}\n\n - uses: actions/checkout@v4\n\n - name: Get latest commit SHA on master\n run: |\n echo \"latest_sha=$(git ls-remote origin -h refs/heads/master | cut -f1)\" >> $GITHUB_ENV\n\n - name: Docker meta\n id: meta\n uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5\n with:\n images: ${{ needs.metadata.outputs.docker-repository }}\n sep-tags: \" \"\n tags: |\n type=raw,value=latest,enable=${{ matrix.label == 'ubuntu' && github.ref_name == 'master' && env.latest_sha == needs.metadata.outputs.commit-sha }}\n type=match,enable=${{ github.event_name == 'workflow_dispatch' }},pattern=^\\d+\\.\\d+,value=${{ github.event.inputs.version }}\n type=match,enable=${{ github.event_name == 'workflow_dispatch' && matrix.label == 'ubuntu' }},pattern=^\\d+\\.\\d+,value=${{ github.event.inputs.version }},suffix=\n type=raw,enable=${{ github.event_name == 'workflow_dispatch' }},${{ github.event.inputs.version }}\n type=raw,enable=${{ github.event_name == 'workflow_dispatch' && matrix.label == 'ubuntu' }},${{ github.event.inputs.version }},suffix=\n type=ref,event=branch\n type=ref,enable=${{ matrix.label == 'ubuntu' }},event=branch,suffix=\n type=ref,event=tag\n type=ref,enable=${{ matrix.label == 'ubuntu' }},event=tag,suffix=\n type=ref,event=pr\n type=schedule,pattern=nightly\n type=schedule,enable=${{ matrix.label == 'ubuntu' }},pattern=nightly,suffix=\n type=schedule,pattern={{date 'YYYYMMDD'}}\n type=schedule,enable=${{ matrix.label == 'ubuntu' }},pattern={{date 'YYYYMMDD'}},suffix=\n flavor: |\n latest=false\n suffix=-${{ matrix.label }}\n\n - name: Install regctl\n uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc\n\n - name: Push Images\n if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}\n env:\n TAGS: \"${{ steps.meta.outputs.tags }}\"\n run: |\n PRERELEASE_IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}\n docker pull $PRERELEASE_IMAGE\n for tag in $TAGS; do\n regctl -v debug image copy $PRERELEASE_IMAGE $tag\n done\n" }, { "path": ".github/workflows/update-ngx-wasm-module.yml", "content": "name: Update ngx_wasm_module dependency\n\non:\n workflow_dispatch:\n schedule:\n # run weekly\n - cron: '0 0 * * 0'\n\njobs:\n update:\n runs-on: ubuntu-22.04\n\n permissions:\n # required to create a branch and push commits\n contents: write\n # required to open a PR for updates\n pull-requests: write\n\n steps:\n - name: Checkout Kong source code\n uses: actions/checkout@v4\n with:\n ref: master\n\n - name: Detect current version of NGX_WASM_MODULE in .requirements\n id: check-kong\n run: |\n SHA=$(sed -nre 's/^NGX_WASM_MODULE=([^ ]+) .*/\\1/p' < .requirements)\n echo \"sha=$SHA\" | tee -a \"$GITHUB_OUTPUT\"\n\n - name: Check Kong/ngx_wasm_module HEAD\n id: check-repo\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n SHA=$(gh api repos/Kong/ngx_wasm_module/commits/main --jq '.sha')\n echo \"sha=$SHA\" | tee -a \"$GITHUB_OUTPUT\"\n\n - name: Update .requirements and create a pull request\n if: steps.check-kong.outputs.sha != steps.check-repo.outputs.sha\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n FROM: ${{ steps.check-kong.outputs.sha }}\n TO: ${{ steps.check-repo.outputs.sha }}\n run: |\n set -x\n gh auth status\n gh auth setup-git\n\n # masquerade as dependabot for the purposes of this commit/PR\n git config --global user.email \\\n \"49699333+dependabot[bot]@users.noreply.github.com\"\n git config --global user.name \"dependabot[bot]\"\n\n readonly BRANCH=chore/deps-bump-ngx-wasm-module\n if gh api repos/Kong/kong/branches/\"$BRANCH\"; then\n echo \"branch ($BRANCH) already exists, exiting\"\n exit 1\n fi\n\n EXISTING_PRS=$(\n gh pr list \\\n --json id \\\n --head \"$BRANCH\" \\\n | jq '.[]'\n )\n\n if [[ -n ${EXISTING_PRS:-} ]]; then\n echo \"existing PR for $BRANCH already exists, exiting\"\n echo \"$EXISTING_PRS\"\n exit 1\n fi\n\n git switch --create \"$BRANCH\"\n\n sed -i \\\n -re \"s/^NGX_WASM_MODULE=.*/NGX_WASM_MODULE=$TO/\" \\\n .requirements\n\n git add .requirements\n\n # create or update changelog file\n readonly CHANGELOG_FILE=changelog/unreleased/kong/bump-ngx-wasm-module.yml\n {\n printf 'message: \"Bumped `ngx_wasm_module` to `%s`\"\\n' \"$TO\"\n printf 'type: dependency\\n'\n } > \"$CHANGELOG_FILE\"\n\n git add \"$CHANGELOG_FILE\"\n\n gh api repos/Kong/ngx_wasm_module/compare/\"$FROM...$TO\" \\\n --jq '.commits | reverse | .[] | {\n sha: .sha[0:7],\n url: .html_url,\n message: ( .commit.message | split(\"\\n\") | .[0] )\n }' \\\n > commits.json\n\n # craft commit message\n readonly HEADER=\"chore(deps): bump ngx_wasm_module to $TO\"\n {\n printf '%s\\n\\nChanges since %s:\\n\\n' \\\n \"$HEADER\" \"$FROM\"\n\n jq -r '\"* \\(.sha) - \\(.message)\"' \\\n < commits.json\n } > commit.txt\n\n git commit --file commit.txt\n git push origin HEAD\n\n # craft PR body\n {\n printf '## Changelog `%s...%s`\\n\\n' \\\n \"${FROM:0:7}\" \"${TO:0:7}\"\n\n printf '[Compare on GitHub](%s/compare/%s...%s)\\n\\n' \\\n \"https://github.com/Kong/ngx_wasm_module\" \\\n \"$FROM\" \"$TO\"\n\n # turn the commits into links for the PR body\n jq -r \\\n '\"* [`\\(.sha)`](\\(.url)) - \\(.message)\"' \\\n < commits.json\n\n printf '\\n\\n'\n printf '**IMPORTANT: Remember to scan this commit log for updates '\n printf 'to Wasmtime/V8/Wasmer and update `.requirements` manually '\n printf 'as needed**\\n'\n } > body.md\n\n gh pr create \\\n --base master \\\n --head \"$BRANCH\" \\\n --title \"$HEADER\" \\\n --body-file body.md\n" }, { "path": ".github/workflows/update-test-runtime-statistics.yml", "content": "name: Update test runtime statistics file for test scheduling\non:\n workflow_dispatch:\n schedule:\n - cron: \"1 0 * * SAT\"\n # push rule below needed for testing only\n push:\n branches:\n - feat/test-run-scheduler\n\njobs:\n process-statistics:\n name: Download statistics from GitHub and combine them\n runs-on: ubuntu-22.04\n steps:\n - name: Checkout source code\n uses: actions/checkout@v4\n with:\n token: ${{ secrets.PAT }}\n\n - name: Process statistics\n uses: Kong/gateway-test-scheduler/analyze@69f0c2a562ac44fc3650b8bfa62106b34094b5ce # v3\n env:\n GITHUB_TOKEN: ${{ secrets.PAT }}\n with:\n workflow-name: build_and_test.yml\n test-file-runtime-file: .ci/runtimes.json\n artifact-name-regexp: \"^test-runtime-statistics-\\\\d+$\"\n\n - name: Upload new runtimes file\n uses: Kong/gh-storage/upload@b196a6b94032e56e414227c749e9f96a6afc2b91 # v1\n env:\n GITHUB_TOKEN: ${{ secrets.PAT }}\n with:\n repo-path: Kong/gateway-action-storage/main/.ci/runtimes.json\n" }, { "path": ".github/workflows/upgrade-tests.yml", "content": "name: Upgrade Tests\n\non:\n pull_request:\n paths:\n - 'scripts/upgrade-tests/**'\n - 'kong/db/migrations/**'\n - 'spec/05-migration/**'\n - 'kong/enterprise_edition/db/migrations/**'\n - '.github/workflows/upgrade-tests.yml'\n - 'kong/plugins/*/migrations/**'\n - 'plugins-ee/**/migrations/**'\n push:\n paths-ignore:\n # ignore markdown files (CHANGELOG.md, README.md, etc.)\n - '**/*.md'\n branches:\n - master\n - release/*\n - test-please/*\n workflow_dispatch:\n# cancel previous runs if new commits are pushed to the PR, but run for each commit on master\nconcurrency:\n group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}\n cancel-in-progress: true\nenv:\n GH_TOKEN: ${{ github.token }}\n BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build\n\njobs:\n build:\n uses: ./.github/workflows/build.yml\n with:\n relative-build-root: bazel-bin/build\n\n upgrade-test:\n name: Run migration tests\n runs-on: ubuntu-22.04\n needs: build\n\n steps:\n - name: Clone Source Code\n uses: actions/checkout@v4\n with:\n fetch-depth: 0\n submodules: recursive\n\n - name: Lookup build cache\n id: cache-deps\n uses: actions/cache@v4\n with:\n path: ${{ env.BUILD_ROOT }}\n key: ${{ needs.build.outputs.cache-key }}\n\n - name: Run Upgrade Tests\n run: |\n bash ./scripts/upgrade-tests/test-upgrade-path.sh -i ${{ env.BUILD_ROOT }}/kong-dev-venv.sh\n" }, { "path": ".gitignore", "content": ".DS_Store\n.vagrant/\n.buildpath\n.project\n.idea\n.env\n.vscode\n.VSCodeCounter\n\nservroot*\nmockserver\n\n# kong\nnginx_tmp/\nkong*.yml\n\n# luacov\nluacov.*\n/doc\n\n# autodoc\nautodoc/output\n\n# ldoc\nspec/docs\n\nkong-build-tools\nbin/grpcurl\n\n*.so\n*.bak\n*.rock\n\nworktree/\nbin/bazel\nbin/h2client\n\n# wasm\n*.wasm\nspec/fixtures/proxy_wasm_filters/build\nspec/fixtures/proxy_wasm_filters/target\n\n# bazel\nbazel-*\n# remove it after migrating from WORKSPACE to Bzlmod\nMODULE.bazel.lock\nspec/fixtures/external_plugins/go/go-hello\n" }, { "path": ".luacheckrc", "content": "std = \"ngx_lua\"\nunused_args = false\nredefined = false\nmax_line_length = false\n\n\nglobals = {\n \"_KONG\",\n \"kong\",\n \"ngx.IS_CLI\",\n}\n\n\nnot_globals = {\n \"string.len\",\n \"table.getn\",\n}\n\n\nignore = {\n \"6.\", -- ignore whitespace warnings\n}\n\n\nexclude_files = {\n \"spec/fixtures/invalid-module.lua\",\n \"spec-old-api/fixtures/invalid-module.lua\",\n \"bazel-bin\",\n \"bazel-out\",\n \"bazel-kong\",\n}\n\nfiles[\"kong/tools/sandbox/kong.lua\"] = {\n read_globals = {\n \"_ENV\",\n \"table.pack\",\n \"table.unpack\",\n }\n}\n\n\nfiles[\"kong/hooks.lua\"] = {\n read_globals = {\n \"table.pack\",\n \"table.unpack\",\n }\n}\n\n\nfiles[\"kong/db/schema/entities/workspaces.lua\"] = {\n read_globals = {\n \"table.unpack\",\n }\n}\n\n\nfiles[\"kong/plugins/ldap-auth/*.lua\"] = {\n read_globals = {\n \"bit.mod\",\n \"string.pack\",\n \"string.unpack\",\n },\n}\n\n\nfiles[\"spec/**/*.lua\"] = {\n std = \"ngx_lua+busted\",\n}\n\nfiles[\"**/*_test.lua\"] = {\n std = \"ngx_lua+busted\",\n}\n\nfiles[\"spec-old-api/**/*.lua\"] = {\n std = \"ngx_lua+busted\",\n}\n" }, { "path": ".luacov", "content": "return {\n\n includeuntestedfiles = {\n \"kong/\",\n },\n runreport = true,\n\n include = {\n \"kong$\",\n \"kong%/.+$\",\n },\n\n exclude = {\n \"bazel%-bin/build\",\n \"^spec/\",\n }\n\n}\n" }, { "path": ".requirements", "content": "KONG_PACKAGE_NAME=kong\n\nOPENRESTY=1.27.1.2\nOPENRESTY_SHA256=74f076f7e364b2a99a6c5f9bb531c27610c78985abe956b442b192a2295f7548\nLUAROCKS=3.12.2\nLUAROCKS_SHA256=b0e0c85205841ddd7be485f53d6125766d18a81d226588d2366931e9a1484492\nOPENSSL=3.4.1\nOPENSSL_SHA256=002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3\nPCRE=10.45\nPCRE_SHA256=0e138387df7835d7403b8351e2226c1377da804e0737db0e071b48f07c9d12ee\nADA=2.9.2\nADA_SHA256=b2cce630590b490d79ea4f4460ba77efd5fb29c5a87a4e8cb7ebc4859bc4b564\nLIBEXPAT=2.6.4\nLIBEXPAT_SHA256=fd03b7172b3bd7427a3e7a812063f74754f24542429b634e0db6511b53fb2278\n\n# Note: git repositories can be loaded from local path if path is set as value\n\nLUA_KONG_NGINX_MODULE=3f305911823301a98a12ec6ecdd9070b8ebe499b # 0.18.0\nLUA_RESTY_LMDB=9da0e9f3313960d06e2d8e718b7ac494faa500f1 # 1.6.0\nLUA_RESTY_EVENTS=bc85295b7c23eda2dbf2b4acec35c93f77b26787 # 0.3.1\nLUA_RESTY_SIMDJSON=176755a45f128fd4b3069c1bdee24d14bfb6900a # 1.2.0\nLUA_RESTY_WEBSOCKET=966c69c39f03029b9b42ec0f8e55aaed7d6eebc0 # 0.4.0.1\nATC_ROUTER=4d29e10517e2c9d1dae3966f4034b38c557e2eaa # 1.7.1\nSNAPPY=2c94e11145f0b7b184b831577c93e5a41c4c0346 # 1.2.1\n\nKONG_MANAGER=nightly\nNGX_WASM_MODULE=a376e67ce02c916304cc9b9ef25a540865ee6740\nWASMER=3.1.1\nWASMTIME=26.0.0\nV8=12.0.267.17\n\nNGX_BROTLI=a71f9312c2deb28875acc7bacfdd5695a111aa53 # master branch of Oct 9, 2023\nBROTLI=ed738e842d2fbdf2d6459e39267a633c4a9b2f5d # 1.1.0\n" }, { "path": "BUILD.bazel", "content": "load(\"@bazel_skylib//lib:selects.bzl\", \"selects\")\nload(\"@bazel_skylib//rules:common_settings.bzl\", \"bool_flag\", \"string_flag\")\nload(\"//build/nfpm:rules.bzl\", \"nfpm_pkg\")\nload(\"//build/toolchain:managed_toolchain.bzl\", \"aarch64_glibc_distros\")\n\nfilegroup(\n name = \"distribution_srcs\",\n srcs = glob([\"distribution/**\"]),\n visibility = [\"//visibility:public\"],\n)\n\nfilegroup(\n name = \"rockspec_srcs\",\n srcs = glob([\n \"kong/**\",\n \"*.rockspec\",\n ]),\n visibility = [\"//visibility:public\"],\n)\n\nfilegroup(\n name = \"plugins_ee_rockspec_srcs\",\n srcs = glob([\"plugins-ee/**/*.rockspec\"]),\n visibility = [\"//visibility:public\"],\n)\n\nnfpm_env = {\n \"KONG_NAME\": \"kong\",\n \"KONG_REPLACES_1\": \"kong-community-edition\",\n \"KONG_REPLACES_2\": \"kong-enterprise-edition-fips\",\n \"KONG_CONFLICTS_1\": \"kong-community-edition\",\n \"KONG_CONFLICTS_2\": \"kong-enterprise-edition-fips\",\n}\n\nnfpm_pkg(\n name = \"kong_deb\",\n config = \"//build:package/nfpm.yaml\",\n env = nfpm_env,\n packager = \"deb\",\n pkg_name = \"kong\",\n visibility = [\"//visibility:public\"],\n)\n\nnfpm_pkg(\n name = \"kong_el9\",\n config = \"//build:package/nfpm.yaml\",\n env = nfpm_env,\n packager = \"rpm\",\n pkg_name = \"kong.el9\",\n visibility = [\"//visibility:public\"],\n)\n\nnfpm_pkg(\n name = \"kong_el8\",\n config = \"//build:package/nfpm.yaml\",\n env = nfpm_env,\n packager = \"rpm\",\n pkg_name = \"kong.el8\",\n visibility = [\"//visibility:public\"],\n)\n\nnfpm_pkg(\n name = \"kong_aws2\",\n config = \"//build:package/nfpm.yaml\",\n env = nfpm_env,\n extra_env = {\n \"RPM_EXTRA_DEPS\": \"/usr/sbin/useradd\",\n \"RPM_EXTRA_DEPS_2\": \"/usr/sbin/groupadd\",\n },\n packager = \"rpm\",\n pkg_name = \"kong.aws2\",\n visibility = [\"//visibility:public\"],\n)\n\nnfpm_pkg(\n name = \"kong_aws2023\",\n config = \"//build:package/nfpm.yaml\",\n env = nfpm_env,\n extra_env = {\n \"RPM_EXTRA_DEPS\": \"/usr/sbin/useradd\",\n \"RPM_EXTRA_DEPS_2\": \"/usr/sbin/groupadd\",\n \"RPM_EXTRA_DEPS_3\": \"libxcrypt-compat\",\n },\n packager = \"rpm\",\n pkg_name = \"kong.aws2023\",\n visibility = [\"//visibility:public\"],\n)\n\n###### flags\n\n# --//:debug=true\nbool_flag(\n name = \"debug\",\n build_setting_default = True,\n)\n\nconfig_setting(\n name = \"debug_flag\",\n flag_values = {\n \":debug\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\nconfig_setting(\n name = \"debug_linux_flag\",\n constraint_values = [\n \"@platforms//os:linux\",\n ],\n flag_values = {\n \":debug\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:brotli=true\nbool_flag(\n name = \"brotli\",\n build_setting_default = True,\n)\n\nconfig_setting(\n name = \"brotli_flag\",\n flag_values = {\n \":brotli\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:simdjson=true\nbool_flag(\n name = \"simdjson\",\n build_setting_default = True,\n)\n\nconfig_setting(\n name = \"simdjson_flag\",\n flag_values = {\n \":simdjson\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:licensing=false\nbool_flag(\n name = \"licensing\",\n build_setting_default = False,\n)\n\nconfig_setting(\n name = \"licensing_flag\",\n flag_values = {\n \":licensing\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:fips=false\nbool_flag(\n name = \"fips\",\n build_setting_default = False,\n)\n\nconfig_setting(\n name = \"fips_flag\",\n flag_values = {\n \":fips\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:skip_webui=false\nbool_flag(\n name = \"skip_webui\",\n build_setting_default = False,\n)\n\nconfig_setting(\n name = \"skip_webui_flags\",\n flag_values = {\n \":skip_webui\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:wasmx=false\nbool_flag(\n name = \"wasmx\",\n build_setting_default = False,\n visibility = [\"//visibility:public\"],\n)\n\n# --//:wasmx_module_flag=dynamic\nstring_flag(\n name = \"wasmx_module_flag\",\n build_setting_default = \"dynamic\",\n values = [\n \"dynamic\",\n \"static\",\n ],\n)\n\nconfig_setting(\n name = \"wasmx_flag\",\n flag_values = {\n \":wasmx\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\nconfig_setting(\n name = \"wasmx_static_mod\",\n flag_values = {\n \":wasmx\": \"true\",\n \":wasmx_module_flag\": \"static\",\n },\n visibility = [\"//visibility:public\"],\n)\n\nconfig_setting(\n name = \"wasmx_dynamic_mod\",\n flag_values = {\n \":wasmx\": \"true\",\n \":wasmx_module_flag\": \"dynamic\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n# --//:wasm_runtime=wasmtime\nstring_flag(\n name = \"wasm_runtime\",\n build_setting_default = \"wasmtime\",\n values = [\n \"v8\",\n \"wasmer\",\n \"wasmtime\",\n ],\n visibility = [\"//visibility:public\"],\n)\n\n# --//:skip_tools=false\nbool_flag(\n name = \"skip_tools\",\n build_setting_default = False,\n)\n\nconfig_setting(\n name = \"skip_tools_flag\",\n flag_values = {\n \":skip_tools\": \"true\",\n },\n visibility = [\"//visibility:public\"],\n)\n\n##### constraints, platforms and config_settings for cross-compile\n\nconstraint_setting(name = \"cross_build_setting\")\n\nconstraint_value(\n name = \"cross_build\",\n constraint_setting = \":cross_build_setting\",\n)\n\n# platform sets the constraint values based on user input (--platform=//:PLATFOTM)\nplatform(\n name = \"generic-crossbuild-x86_64\",\n constraint_values = [\n \"@platforms//os:linux\",\n \"@platforms//cpu:x86_64\",\n \"//build/platforms/distro:generic\",\n \":cross_build\",\n ],\n)\n\nplatform(\n name = \"generic-crossbuild-aarch64\",\n constraint_values = [\n \"@platforms//os:linux\",\n \"@platforms//cpu:aarch64\",\n \"//build/platforms/distro:generic\",\n \":cross_build\",\n ],\n)\n\n[\n platform(\n name = vendor + \"-crossbuild-aarch64\",\n constraint_values = [\n \"@platforms//os:linux\",\n \"@platforms//cpu:aarch64\",\n \"//build/platforms/distro:\" + vendor,\n \":cross_build\",\n ],\n )\n for vendor in aarch64_glibc_distros\n]\n\nplatform(\n name = \"aws2-crossbuild-x86_64\",\n constraint_values = [\n \"@platforms//os:linux\",\n \"@platforms//cpu:x86_64\",\n \"//build/platforms/distro:aws2\",\n \":cross_build\",\n ],\n)\n\n# config_settings define a select() condition based on user-set constraint_values\n# see https://bazel.build/docs/configurable-attributes\nconfig_setting(\n name = \"aarch64-linux-glibc-cross\",\n constraint_values = [\n \"@platforms//os:linux\",\n \"@platforms//cpu:aarch64\",\n \":cross_build\",\n ],\n visibility = [\"//visibility:public\"],\n)\n\nconfig_setting(\n name = \"x86_64-linux-glibc-cross\",\n constraint_values = [\n \"@platforms//os:linux\",\n \"@platforms//cpu:x86_64\",\n \":cross_build\",\n ],\n visibility = [\"//visibility:public\"],\n)\n\nselects.config_setting_group(\n # matches all cross build platforms\n name = \"any-cross\",\n match_any = [\n \":aarch64-linux-glibc-cross\",\n \":x86_64-linux-glibc-cross\",\n ],\n visibility = [\"//visibility:public\"],\n)\n" }, { "path": "CHANGELOG-OLD.md", "content": "# Table of Contents\n\nLooking for recent releases? Please see [CHANGELOG.md](CHANGELOG.md) instead.\n\n- [2.8.5](#285)\n- [2.8.4](#284)\n- [2.8.3](#283)\n- [2.8.2](#282)\n- [2.8.1](#281)\n- [2.8.0](#280)\n- [2.7.1](#271)\n- [2.7.0](#270)\n- [2.6.0](#260)\n- [2.5.1](#251)\n- [2.5.0](#250)\n- [2.4.1](#241)\n- [2.4.0](#240)\n- [2.3.3](#233)\n- [2.3.2](#232)\n- [2.3.1](#231)\n- [2.3.0](#230)\n- [2.2.2](#222)\n- [2.2.1](#221)\n- [2.2.0](#220)\n- [2.1.4](#214)\n- [2.1.3](#213)\n- [2.1.2](#212)\n- [2.1.1](#211)\n- [2.1.0](#210)\n- [2.0.5](#205)\n- [2.0.4](#204)\n- [2.0.3](#203)\n- [2.0.2](#202)\n- [2.0.1](#201)\n- [2.0.0](#200)\n- [1.5.1](#151)\n- [1.5.0](#150)\n- [1.4.3](#143)\n- [1.4.2](#142)\n- [1.4.1](#141)\n- [1.4.0](#140)\n- [1.3.0](#130)\n- [1.2.2](#122)\n- [1.2.1](#121)\n- [1.2.0](#120)\n- [1.1.2](#112)\n- [1.1.1](#111)\n- [1.1.0](#110)\n- [1.0.3](#103)\n- [1.0.2](#102)\n- [1.0.1](#101)\n- [1.0.0](#100)\n- [0.15.0](#0150)\n- [0.14.1](#0141)\n- [0.14.0](#0140---20180705)\n- [0.13.1](#0131---20180423)\n- [0.13.0](#0130---20180322)\n- [0.12.3](#0123---20180312)\n- [0.12.2](#0122---20180228)\n- [0.12.1](#0121---20180118)\n- [0.12.0](#0120---20180116)\n- [0.11.2](#0112---20171129)\n- [0.11.1](#0111---20171024)\n- [0.10.4](#0104---20171024)\n- [0.11.0](#0110---20170816)\n- [0.10.3](#0103---20170524)\n- [0.10.2](#0102---20170501)\n- [0.10.1](#0101---20170327)\n- [0.10.0](#0100---20170307)\n- [0.9.9 and prior](#099---20170202)\n\n## [2.8.5]\n\n### Kong\n\n#### Performance\n##### Performance\n\n- Fixed an inefficiency issue in the Luajit hashing algorithm\n [#13269](https://github.com/Kong/kong/issues/13269)\n\n\n#### Fixes\n##### Default\n\n- Added zlib1g-dev dependency to Ubuntu packages.\n [#13269](https://github.com/Kong/kong/issues/13269)\n\n\n## [2.8.4]\n\n### Fixes\n\n- Fixed a bug where internal redirects (i.e. those produced by the error_page directive) could interfere with worker process handling the request when buffered proxying is being used.\n\n## [2.8.3]\n\n### Fixes\n\n##### Plugins\n\n- **HTTP Log**: fix internal error during validating the schema if http_endpoint contains\n userinfo but headers is empty [#9574](https://github.com/Kong/kong/pull/9574)\n- Update the batch queues module so that queues no longer grow without bounds if\n their consumers fail to process the entries. Instead, old batches are now dropped\n and an error is logged.\n [#10247](https://github.com/Kong/kong/pull/10247)\n\n##### CLI\n\n- Fixed a packaging problem affecting a subset of releases where the `kong version`\n command was incorrect\n\n## [2.8.2]\n\n### Dependencies\n\n- Bumped `OpenSSL` from 1.1.1n to 1.1.1o\n [#8635](https://github.com/Kong/kong/pull/8809)\n\n## [2.8.1]\n\n### Dependencies\n\n- Bumped lua-resty-healthcheck from 1.5.0 to 1.5.1\n [#8584](https://github.com/Kong/kong/pull/8584)\n- Bumped `OpenSSL` from 1.1.1l to 1.1.1n\n [#8635](https://github.com/Kong/kong/pull/8635)\n\n### Fixes\n\n#### Core\n\n- Only reschedule router and plugin iterator timers after finishing previous\n execution, avoiding unnecessary concurrent executions.\n [#8634](https://github.com/Kong/kong/pull/8634)\n- Implements conditional rebuilding of router, plugins iterator and balancer on\n data planes. This means that DPs will not rebuild router if there were no\n changes in routes or services. Similarly, the plugins iterator will not be\n rebuilt if there were no changes to plugins, and, finally, the balancer will not be\n reinitialized if there are no changes to upstreams or targets.\n [#8639](https://github.com/Kong/kong/pull/8639)\n\n\n## [2.8.0]\n\n### Deprecations\n\n- The external [go-pluginserver](https://github.com/Kong/go-pluginserver) project\nis considered deprecated in favor of the embedded server approach described in\nthe [docs](https://docs.konghq.com/gateway/2.7.x/reference/external-plugins/).\n\n### Dependencies\n\n- OpenSSL bumped to 1.1.1m\n [#8191](https://github.com/Kong/kong/pull/8191)\n- Bumped resty.session from 3.8 to 3.10\n [#8294](https://github.com/Kong/kong/pull/8294)\n- Bumped lua-resty-openssl to 0.8.5\n [#8368](https://github.com/Kong/kong/pull/8368)\n\n### Additions\n\n#### Core\n\n- Customizable transparent dynamic TLS SNI name.\n Thanks, [@zhangshuaiNB](https://github.com/zhangshuaiNB)!\n [#8196](https://github.com/Kong/kong/pull/8196)\n- Routes now support matching headers with regular expressions\n Thanks, [@vanhtuan0409](https://github.com/vanhtuan0409)!\n [#6079](https://github.com/Kong/kong/pull/6079)\n\n#### Beta\n\n- Secrets Management and Vault support as been introduced as a Beta feature.\n This means it is intended for testing in staging environments. It not intended\n for use in Production environments.\n You can read more about Secrets Management in\n [our docs page](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/backends-overview).\n [#8403](https://github.com/Kong/kong/pull/8403)\n\n#### Performance\n\n- Improved the calculation of declarative configuration hash for big configurations\n The new method is faster and uses less memory\n [#8204](https://github.com/Kong/kong/pull/8204)\n- Multiple improvements in the Router. Amongst others:\n - The router builds twice as fast compared to prior Kong versions\n - Failures are cached and discarded faster (negative caching)\n - Routes with header matching are cached\n These changes should be particularly noticeable when rebuilding on db-less environments\n [#8087](https://github.com/Kong/kong/pull/8087)\n [#8010](https://github.com/Kong/kong/pull/8010)\n- **Prometheus** plugin export performance is improved, it now has less impact to proxy\n side traffic when being scrapped.\n [#9028](https://github.com/Kong/kong/pull/9028)\n\n#### Plugins\n\n- **Response-ratelimiting**: Redis ACL support,\n and genenarized Redis connection support for usernames.\n Thanks, [@27ascii](https://github.com/27ascii) for the original contribution!\n [#8213](https://github.com/Kong/kong/pull/8213)\n- **ACME**: Add rsa_key_size config option\n Thanks, [lodrantl](https://github.com/lodrantl)!\n [#8114](https://github.com/Kong/kong/pull/8114)\n- **Prometheus**: Added gauges to track `ngx.timer.running_count()` and\n `ngx.timer.pending_count()`\n [#8387](https://github.com/Kong/kong/pull/8387)\n\n#### Clustering\n\n- `CLUSTERING_MAX_PAYLOAD` is now configurable in kong.conf\n Thanks, [@andrewgkew](https://github.com/andrewgkew)!\n [#8337](https://github.com/Kong/kong/pull/8337)\n\n#### Admin API\n\n- The current declarative configuration hash is now returned by the `status`\n endpoint when Kong node is running in dbless or data-plane mode.\n [#8214](https://github.com/Kong/kong/pull/8214)\n [#8425](https://github.com/Kong/kong/pull/8425)\n\n### Fixes\n\n#### Core\n\n- When the Router encounters an SNI FQDN with a trailing dot (`.`),\n the dot will be ignored, since according to\n [RFC-3546](https://datatracker.ietf.org/doc/html/rfc3546#section-3.1)\n said dot is not part of the hostname.\n [#8269](https://github.com/Kong/kong/pull/8269)\n- Fixed a bug in the Router that would not prioritize the routes with\n both a wildcard and a port (`route.*:80`) over wildcard-only routes (`route.*`),\n which have less specificity\n [#8233](https://github.com/Kong/kong/pull/8233)\n- The internal DNS client isn't confused by the single-dot (`.`) domain\n which can appear in `/etc/resolv.conf` in special cases like `search .`\n [#8307](https://github.com/Kong/kong/pull/8307)\n- Cassandra connector now records migration consistency level.\n Thanks, [@mpenick](https://github.com/mpenick)!\n [#8226](https://github.com/Kong/kong/pull/8226)\n\n#### Balancer\n\n- Targets keep their health status when upstreams are updated.\n [#8394](https://github.com/Kong/kong/pull/8394)\n- One debug message which was erroneously using the `error` log level\n has been downgraded to the appropiate `debug` log level.\n [#8410](https://github.com/Kong/kong/pull/8410)\n\n#### Clustering\n\n- Replaced cryptic error message with more useful one when\n there is a failure on SSL when connecting with CP:\n [#8260](https://github.com/Kong/kong/pull/8260)\n\n#### Admin API\n\n- Fix incorrect `next` field in when paginating Upstreams\n [#8249](https://github.com/Kong/kong/pull/8249)\n\n#### PDK\n\n- Phase names are correctly selected when performing phase checks\n [#8208](https://github.com/Kong/kong/pull/8208)\n- Fixed a bug in the go-PDK where if `kong.request.getrawbody` was\n big enough to be buffered into a temporary file, it would return an\n an empty string.\n [#8390](https://github.com/Kong/kong/pull/8390)\n\n#### Plugins\n\n- **External Plugins**: Fixed incorrect handling of the Headers Protobuf Structure\n and representation of null values, which provoked an error on init with the go-pdk.\n [#8267](https://github.com/Kong/kong/pull/8267)\n- **External Plugins**: Unwrap `ConsumerSpec` and `AuthenticateArgs`.\n Thanks, [@raptium](https://github.com/raptium)!\n [#8280](https://github.com/Kong/kong/pull/8280)\n- **External Plugins**: Fixed a problem in the stream subsystem would attempt to load\n HTTP headers.\n [#8414](https://github.com/Kong/kong/pull/8414)\n- **CORS**: The CORS plugin does not send the `Vary: Origin` header any more when\n the header `Access-Control-Allow-Origin` is set to `*`.\n Thanks, [@jkla-dr](https://github.com/jkla-dr)!\n [#8401](https://github.com/Kong/kong/pull/8401)\n- **AWS-Lambda**: Fixed incorrect behavior when configured to use an http proxy\n and deprecated the `proxy_scheme` config attribute for removal in 3.0\n [#8406](https://github.com/Kong/kong/pull/8406)\n- **oauth2**: The plugin clears the `X-Authenticated-UserId` and\n `X-Authenticated-Scope` headers when it configured in logical OR and\n is used in conjunction with another authentication plugin.\n [#8422](https://github.com/Kong/kong/pull/8422)\n- **Datadog**: The plugin schema now lists the default values\n for configuration options in a single place instead of in two\n separate places.\n [#8315](https://github.com/Kong/kong/pull/8315)\n\n\n## [2.7.1]\n\n### Fixes\n\n- Reschedule resolve timer only when the previous one has finished.\n [#8344](https://github.com/Kong/kong/pull/8344)\n- Plugins, and any entities implemented with subchemas, now can use the `transformations`\n and `shorthand_fields` properties, which were previously only available for non-subschema entities.\n [#8146](https://github.com/Kong/kong/pull/8146)\n\n## [2.7.0]\n\n### Dependencies\n\n- Bumped `kong-plugin-session` from 0.7.1 to 0.7.2\n [#7910](https://github.com/Kong/kong/pull/7910)\n- Bumped `resty.openssl` from 0.7.4 to 0.7.5\n [#7909](https://github.com/Kong/kong/pull/7909)\n- Bumped `go-pdk` used in tests from v0.6.0 to v0.7.1 [#7964](https://github.com/Kong/kong/pull/7964)\n- Cassandra support is deprecated with 2.7 and will be fully removed with 4.0.\n\n### Additions\n\n#### Configuration\n\n- Deprecated the `worker_consistency` directive, and changed its default to `eventual`. Future versions of Kong will remove the option and act with `eventual` consistency only.\n\n#### Performance\n\nIn this release we continued our work on better performance:\n\n- Improved the plugin iterator performance and JITability\n [#7912](https://github.com/Kong/kong/pull/7912)\n [#7979](https://github.com/Kong/kong/pull/7979)\n- Simplified the Kong core context read and writes for better performance\n [#7919](https://github.com/Kong/kong/pull/7919)\n- Reduced proxy long tail latency while reloading DB-less config\n [#8133](https://github.com/Kong/kong/pull/8133)\n\n#### Core\n\n- DAOs in plugins must be listed in an array, so that their loading order is explicit. Loading them in a\n hash-like table is now **deprecated**.\n [#7942](https://github.com/Kong/kong/pull/7942)\n- Postgres credentials `pg_user` and `pg_password`, and `pg_ro_user` and `pg_ro_password` now support\n automatic secret rotation when used together with\n [Kong Secrets Management](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/)\n vault references.\n [#8967](https://github.com/Kong/kong/pull/8967)\n\n#### PDK\n\n- New functions: `kong.response.get_raw_body` and `kong.response.set_raw_body`\n [#7887](https://github.com/Kong/kong/pull/7877)\n\n#### Plugins\n\n- **IP-Restriction**: response status and message can now be customized\n through configurations `status` and `message`.\n [#7728](https://github.com/Kong/kong/pull/7728)\n Thanks [timmkelley](https://github.com/timmkelley) for the patch!\n- **Datadog**: add support for the `distribution` metric type.\n [#6231](https://github.com/Kong/kong/pull/6231)\n Thanks [onematchfox](https://github.com/onematchfox) for the patch!\n- **Datadog**: allow service, consumer, and status tags to be customized through\n plugin configurations `service_tag`, `consumer_tag`, and `status_tag`.\n [#6230](https://github.com/Kong/kong/pull/6230)\n Thanks [onematchfox](https://github.com/onematchfox) for the patch!\n- **gRPC Gateway** and **gRPC Web**: Now share most of the ProtoBuf definitions.\n Both plugins now share the Timestamp transcoding and included `.proto` files features.\n [#7950](https://github.com/Kong/kong/pull/7950)\n- **gRPC Gateway**: processes services and methods defined in imported\n `.proto` files.\n [#8107](https://github.com/Kong/kong/pull/8107)\n- **Rate-Limiting**: add support for Redis SSL, through configuration properties\n `redis_ssl` (can be set to `true` or `false`), `ssl_verify`, and `ssl_server_name`.\n [#6737](https://github.com/Kong/kong/pull/6737)\n Thanks [gabeio](https://github.com/gabeio) for the patch!\n- **LDAP**: basic authentication header was not parsed correctly when\n the password contained colon (`:`).\n [#7977](https://github.com/Kong/kong/pull/7977)\n Thanks [beldahanit](https://github.com/beldahanit) for reporting the issue!\n- Old `BasePlugin` is deprecated and will be removed in a future version of Kong.\n Porting tips in the [documentation](https://docs.konghq.com/gateway-oss/2.3.x/plugin-development/custom-logic/#porting-from-old-baseplugin-style)\n- The deprecated **BasePlugin** has been removed. [#7961](https://github.com/Kong/kong/pull/7961)\n\n### Configuration\n\n- Removed the following config options, which had been deprecated in previous versions, in favor of other config names. If you have any of these options in your config you will have to rename them: (removed option -> current option).\n - upstream_keepalive -> nginx_upstream_keepalive + nginx_http_upstream_keepalive\n - nginx_http_upstream_keepalive -> nginx_upstream_keepalive\n - nginx_http_upstream_keepalive_requests -> nginx_upstream_keepalive_requests\n - nginx_http_upstream_keepalive_timeout -> nginx_upstream_keepalive_timeout\n - nginx_http_upstream_directives -> nginx_upstream_directives\n - nginx_http_status_directives -> nginx_status_directives\n - nginx_upstream_keepalive -> upstream_keepalive_pool_size\n - nginx_upstream_keepalive_requests -> upstream_keepalive_max_requests\n - nginx_upstream_keepalive_timeout -> upstream_keepalive_idle_timeout\n - client_max_body_size -> nginx_http_client_max_body_size\n - client_body_buffer_size -> nginx_http_client_max_buffer_size\n - cassandra_consistency -> cassandra_write_consistency / cassandra_read_consistency\n - router_update_frequency -> worker_state_update_frequency\n- Removed the nginx_optimizations config option. If you have it in your configuration, please remove it before updating to 3.0.\n\n### Fixes\n\n#### Core\n\n- Balancer caches are now reset on configuration reload.\n [#7924](https://github.com/Kong/kong/pull/7924)\n- Configuration reload no longer causes a new DNS-resolving timer to be started.\n [#7943](https://github.com/Kong/kong/pull/7943)\n- Fixed problem when bootstrapping multi-node Cassandra clusters, where migrations could attempt\n insertions before schema agreement occurred.\n [#7667](https://github.com/Kong/kong/pull/7667)\n- Fixed intermittent botting error which happened when a custom plugin had inter-dependent entity schemas\n on its custom DAO and they were loaded in an incorrect order\n [#7911](https://github.com/Kong/kong/pull/7911)\n- Fixed problem when the consistent hash header is not found, the balancer tries to hash a nil value.\n [#8141](https://github.com/Kong/kong/pull/8141)\n- Fixed DNS client fails to resolve unexpectedly in `ssl_cert` and `ssl_session_fetch` phases.\n [#8161](https://github.com/Kong/kong/pull/8161)\n\n#### PDK\n\n- `kong.log.inspect` log level is now debug instead of warn. It also renders text\n boxes more cleanly now [#7815](https://github.com/Kong/kong/pull/7815)\n\n#### Plugins\n\n- **Prometheus**: Control Plane does not show Upstream Target health metrics\n [#7992](https://github.com/Kong/kong/pull/7922)\n\n\n### Dependencies\n\n- Bumped `lua-pack` from 1.0.5 to 2.0.0\n [#8004](https://github.com/Kong/kong/pull/8004)\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.6.0]\n\n> Release date: 2021/10/04\n\n### Dependencies\n\n- Bumped `openresty` from 1.19.3.2 to [1.19.9.1](https://openresty.org/en/changelog-1019009.html)\n [#7430](https://github.com/Kong/kong/pull/7727)\n- Bumped `openssl` from `1.1.1k` to `1.1.1l`\n [7767](https://github.com/Kong/kong/pull/7767)\n- Bumped `lua-resty-http` from 0.15 to 0.16.1\n [#7797](https://github.com/kong/kong/pull/7797)\n- Bumped `Penlight` to 1.11.0\n [#7736](https://github.com/Kong/kong/pull/7736)\n- Bumped `lua-resty-http` from 0.15 to 0.16.1\n [#7797](https://github.com/kong/kong/pull/7797)\n- Bumped `lua-protobuf` from 0.3.2 to 0.3.3\n [#7656](https://github.com/Kong/kong/pull/7656)\n- Bumped `lua-resty-openssl` from 0.7.3 to 0.7.4\n [#7657](https://github.com/Kong/kong/pull/7657)\n- Bumped `lua-resty-acme` from 0.6 to 0.7.1\n [#7658](https://github.com/Kong/kong/pull/7658)\n- Bumped `grpcurl` from 1.8.1 to 1.8.2\n [#7659](https://github.com/Kong/kong/pull/7659)\n- Bumped `luasec` from 1.0.1 to 1.0.2\n [#7750](https://github.com/Kong/kong/pull/7750)\n- Bumped `lua-resty-ipmatcher` to 0.6.1\n [#7703](https://github.com/Kong/kong/pull/7703)\n Thanks [EpicEric](https://github.com/EpicEric) for the patch!\n\nAll Kong Gateway OSS plugins will be moved from individual repositories and centralized\ninto the main Kong Gateway (OSS) repository. We are making a gradual transition. On this\nrelease:\n\n- Moved AWS-Lambda inside the Kong repo\n [#7464](https://github.com/Kong/kong/pull/7464).\n- Moved ACME inside the Kong repo\n [#7464](https://github.com/Kong/kong/pull/7464).\n- Moved Prometheus inside the Kong repo\n [#7666](https://github.com/Kong/kong/pull/7666).\n- Moved Session inside the Kong repo\n [#7738](https://github.com/Kong/kong/pull/7738).\n- Moved GRPC-web inside the Kong repo\n [#7782](https://github.com/Kong/kong/pull/7782).\n- Moved Serverless functions inside the Kong repo\n [#7792](https://github.com/Kong/kong/pull/7792).\n\n### Additions\n\n#### Core\n\n- New schema entity validator: `mutually_exclusive`. It accepts a list of fields. If more than 1 of those fields\n is set simultaneously, the entity is considered invalid.\n [#7765](https://github.com/Kong/kong/pull/7765)\n\n#### Performance\n\nOn this release we've done some special efforts with regards to performance.\n\nThere's a new performance workflow which periodically checks new code additions against some\ntypical scenarios [#7030](https://github.com/Kong/kong/pull/7030) [#7547](https://github.com/Kong/kong/pull/7547)\n\nIn addition to that, the following changes were specifically included to improve performance:\n\n- Reduced unnecessary reads of `ngx.var`\n [#7840](https://github.com/Kong/kong/pull/7840)\n- Loaded more indexed variables\n [#7849](https://github.com/Kong/kong/pull/7849)\n- Optimized table creation in Balancer\n [#7852](https://github.com/Kong/kong/pull/7852)\n- Reduce calls to `ngx.update_time`\n [#7853](https://github.com/Kong/kong/pull/7853)\n- Use read-only replica for PostgreSQL meta-schema reading\n [#7454](https://github.com/Kong/kong/pull/7454)\n- URL escaping detects cases when it's not needed and early-exits\n [#7742](https://github.com/Kong/kong/pull/7742)\n- Accelerated variable loading via indexes\n [#7818](https://github.com/Kong/kong/pull/7818)\n- Removed unnecessary call to `get_phase` in balancer\n [#7854](https://github.com/Kong/kong/pull/7854)\n\n#### Configuration\n\n- Enable IPV6 on `dns_order` as unsupported experimental feature. Please\n give it a try and report back any issues\n [#7819](https://github.com/Kong/kong/pull/7819).\n- The template renderer can now use `os.getenv`\n [#6872](https://github.com/Kong/kong/pull/6872).\n\n#### Hybrid Mode\n\n- Data plane is able to eliminate some unknown fields when Control Plane is using a more modern version\n [#7827](https://github.com/Kong/kong/pull/7827).\n\n#### Admin API\n\n- Added support for the HTTP HEAD method for all Admin API endpoints\n [#7796](https://github.com/Kong/kong/pull/7796)\n- Added better support for OPTIONS requests. Previously, the Admin API replied the same on all OPTIONS requests, where as now OPTIONS request will only reply to routes that our Admin API has. Non-existing routes will have a 404 returned. It also adds Allow header to responses, both Allow and Access-Control-Allow-Methods now contain only the methods that the specific API supports. [#7830](https://github.com/Kong/kong/pull/7830)\n\n#### Plugins\n\n- **AWS-Lambda**: The plugin will now try to detect the AWS region by using `AWS_REGION` and\n `AWS_DEFAULT_REGION` environment variables (when not specified with the plugin configuration).\n This allows to specify a 'region' on a per Kong node basis, hence adding the ability to invoke the\n Lamda in the same region where Kong is located.\n [#7765](https://github.com/Kong/kong/pull/7765)\n- **Datadog**: `host` and `port` config options can be configured from environment variables\n `KONG_DATADOG_AGENT_HOST` and `KONG_DATADOG_AGENT_PORT`. This allows to set different\n destinations on a per Kong node basis, which makes multi-DC setups easier and in Kubernetes allows to\n run the datadog agents as a daemon-set.\n [#7463](https://github.com/Kong/kong/pull/7463)\n Thanks [rallyben](https://github.com/rallyben) for the patch!\n- **Prometheus:** A new metric `data_plane_cluster_cert_expiry_timestamp` is added to expose the Data Plane's cluster_cert expiry timestamp for improved monitoring in Hybrid Mode. [#7800](https://github.com/Kong/kong/pull/7800).\n\n**Request Termination**:\n\n- New `trigger` config option, which makes the plugin only activate for any requests with a header or query parameter\n named like the trigger. This can be a great debugging aid, without impacting actual traffic being processed.\n [#6744](https://github.com/Kong/kong/pull/6744).\n- The `request-echo` config option was added. If set, the plugin responds with a copy of the incoming request.\n This eases troubleshooting when Kong is behind one or more other proxies or LB's, especially when combined with\n the new 'trigger' option.\n [#6744](https://github.com/Kong/kong/pull/6744).\n\n**GRPC-Gateway**:\n\n- Fields of type `.google.protobuf.Timestamp` on the gRPC side are now\n transcoded to and from ISO8601 strings in the REST side.\n [#7538](https://github.com/Kong/kong/pull/7538)\n- URI arguments like `..?foo.bar=x&foo.baz=y` are interpreted as structured\n fields, equivalent to `{\"foo\": {\"bar\": \"x\", \"baz\": \"y\"}}`\n [#7564](https://github.com/Kong/kong/pull/7564)\n Thanks [git-torrent](https://github.com/git-torrent) for the patch!\n\n### Fixes\n\n#### Core\n\n- Balancer retries now correctly set the `:authority` pseudo-header on balancer retries\n [#7725](https://github.com/Kong/kong/pull/7725).\n- Healthchecks are now stopped while the Balancer is being recreated\n [#7549](https://github.com/Kong/kong/pull/7549).\n- Fixed an issue in which a malformed `Accept` header could cause unexpected HTTP 500\n [#7757](https://github.com/Kong/kong/pull/7757).\n- Kong no longer removes `Proxy-Authentication` request header and `Proxy-Authenticate` response header\n [#7724](https://github.com/Kong/kong/pull/7724).\n- Fixed an issue where Kong would not sort correctly Routes with both regex and prefix paths\n [#7695](https://github.com/Kong/kong/pull/7695)\n Thanks [jiachinzhao](https://github.com/jiachinzhao) for the patch!\n\n#### Hybrid Mode\n\n- Ensure data plane config thread is terminated gracefully, preventing a semi-deadlocked state\n [#7568](https://github.com/Kong/kong/pull/7568)\n Thanks [flrgh](https://github.com/flrgh) for the patch!\n- Older data planes using `aws-lambda`, `grpc-web` or `request-termination` plugins can now talk\n with newer control planes by ignoring new plugin fields.\n [#7881](https://github.com/Kong/kong/pull/7881)\n\n##### CLI\n\n- `kong config parse` no longer crashes when there's a Go plugin server enabled\n [#7589](https://github.com/Kong/kong/pull/7589).\n\n##### Configuration\n\n- Declarative Configuration parser now prints more correct errors when pointing unknown foreign references\n [#7756](https://github.com/Kong/kong/pull/7756).\n- YAML anchors in Declarative Configuration are properly processed\n [#7748](https://github.com/Kong/kong/pull/7748).\n\n##### Admin API\n\n- `GET /upstreams/:upstreams/targets/:target` no longer returns 404 when target weight is 0\n [#7758](https://github.com/Kong/kong/pull/7758).\n\n##### PDK\n\n- `kong.response.exit` now uses customized \"Content-Length\" header when found\n [#7828](https://github.com/Kong/kong/pull/7828).\n\n##### Plugins\n\n- **ACME**: Dots in wildcard domains are escaped\n [#7839](https://github.com/Kong/kong/pull/7839).\n- **Prometheus**: Upstream's health info now includes previously missing `subsystem` field\n [#7802](https://github.com/Kong/kong/pull/7802).\n- **Proxy-Cache**: Fixed an issue where the plugin would sometimes fetch data from the cache but not return it\n [#7775](https://github.com/Kong/kong/pull/7775)\n Thanks [agile6v](https://github.com/agile6v) for the patch!\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.5.1]\n\n> Release date: 2021/09/07\n\nThis is the first patch release in the 2.5 series. Being a patch release,\nit strictly contains bugfixes. There are no new features or breaking changes.\n\n### Dependencies\n\n- Bumped `grpcurl` from 1.8.1 to 1.8.2 [#7659](https://github.com/Kong/kong/pull/7659)\n- Bumped `lua-resty-openssl` from 0.7.3 to 0.7.4 [#7657](https://github.com/Kong/kong/pull/7657)\n- Bumped `penlight` from 1.10.0 to 1.11.0 [#7736](https://github.com/Kong/kong/pull/7736)\n- Bumped `luasec` from 1.0.1 to 1.0.2 [#7750](https://github.com/Kong/kong/pull/7750)\n- Bumped `OpenSSL` from 1.1.1k to 1.1.1l [#7767](https://github.com/Kong/kong/pull/7767)\n\n### Fixes\n\n##### Core\n\n- You can now successfully delete workspaces after deleting all entities associated with that workspace.\n Previously, Kong Gateway was not correctly cleaning up parent-child relationships. For example, creating\n an Admin also creates a Consumer and RBAC user. When deleting the Admin, the Consumer and RBAC user are\n also deleted, but accessing the `/workspaces/workspace_name/meta` endpoint would show counts for Consumers\n and RBAC users, which prevented the workspace from being deleted. Now deleting entities correctly updates\n the counts, allowing an empty workspace to be deleted. [#7560](https://github.com/Kong/kong/pull/7560)\n- When an upstream event is received from the DAO, `handler.lua` now gets the workspace ID from the request\n and adds it to the upstream entity that will be used in the worker and cluster events. Before this change,\n when posting balancer CRUD events, the workspace ID was lost and the balancer used the default\n workspace ID as a fallback. [#7778](https://github.com/Kong/kong/pull/7778)\n\n##### CLI\n\n- Fixes regression that included an issue where Go plugins prevented CLI commands like `kong config parse`\n or `kong config db_import` from working as expected. [#7589](https://github.com/Kong/kong/pull/7589)\n\n##### CI / Process\n\n- Improves tests reliability. ([#7578](https://github.com/Kong/kong/pull/7578) [#7704](https://github.com/Kong/kong/pull/7704))\n- Adds Github Issues template forms. [#7774](https://github.com/Kong/kong/pull/7774)\n- Moves \"Feature Request\" link from Github Issues to Discussions. [#7777](https://github.com/Kong/kong/pull/7777)\n\n##### Admin API\n\n- Kong Gateway now validates workspace names, preventing the use of reserved names on workspaces.\n [#7380](https://github.com/Kong/kong/pull/7380)\n\n\n[Back to TOC](#table-of-contents)\n\n## [2.5.0]\n\n> Release date: 2021-07-13\n\nThis is the final release of Kong 2.5.0, with no breaking changes with respect to the 2.x series.\n\nThis release includes Control Plane resiliency to database outages and the new\n`declarative_config_string` config option, among other features and fixes.\n\n### Distribution\n\n- :warning: Since 2.4.1, Kong packages are no longer distributed\n through Bintray. Please visit [the installation docs](https://konghq.com/install/#kong-community)\n for more details.\n\n### Dependencies\n\n- Bumped `openresty` from 1.19.3.1 to 1.19.3.2 [#7430](https://github.com/kong/kong/pull/7430)\n- Bumped `luasec` from 1.0 to 1.0.1 [#7126](https://github.com/kong/kong/pull/7126)\n- Bumped `luarocks` from 3.5.0 to 3.7.0 [#7043](https://github.com/kong/kong/pull/7043)\n- Bumped `grpcurl` from 1.8.0 to 1.8.1 [#7128](https://github.com/kong/kong/pull/7128)\n- Bumped `penlight` from 1.9.2 to 1.10.0 [#7127](https://github.com/Kong/kong/pull/7127)\n- Bumped `lua-resty-dns-client` from 6.0.0 to 6.0.2 [#7539](https://github.com/Kong/kong/pull/7539)\n- Bumped `kong-plugin-prometheus` from 1.2 to 1.3 [#7415](https://github.com/Kong/kong/pull/7415)\n- Bumped `kong-plugin-zipkin` from 1.3 to 1.4 [#7455](https://github.com/Kong/kong/pull/7455)\n- Bumped `lua-resty-openssl` from 0.7.2 to 0.7.3 [#7509](https://github.com/Kong/kong/pull/7509)\n- Bumped `lua-resty-healthcheck` from 1.4.1 to 1.4.2 [#7511](https://github.com/Kong/kong/pull/7511)\n- Bumped `hmac-auth` from 2.3.0 to 2.4.0 [#7522](https://github.com/Kong/kong/pull/7522)\n- Pinned `lua-protobuf` to 0.3.2 (previously unpinned) [#7079](https://github.com/kong/kong/pull/7079)\n\nAll Kong Gateway OSS plugins will be moved from individual repositories and centralized\ninto the main Kong Gateway (OSS) repository. We are making a gradual transition, starting with the\ngrpc-gateway plugin first:\n\n- Moved grpc-gateway inside the Kong repo. [#7466](https://github.com/Kong/kong/pull/7466)\n\n### Additions\n\n#### Core\n\n- Control Planes can now send updates to new data planes even if the control planes lose connection to the database.\n [#6938](https://github.com/kong/kong/pull/6938)\n- Kong now automatically adds `cluster_cert`(`cluster_mtls=shared`) or `cluster_ca_cert`(`cluster_mtls=pki`) into\n `lua_ssl_trusted_certificate` when operating in Hybrid mode. Before, Hybrid mode users needed to configure\n `lua_ssl_trusted_certificate` manually as a requirement for Lua to verify the Control Plane’s certificate.\n See [Starting Data Plane Nodes](https://docs.konghq.com/gateway-oss/2.5.x/hybrid-mode/#starting-data-plane-nodes)\n in the Hybrid Mode guide for more information. [#7044](https://github.com/kong/kong/pull/7044)\n- New `declarative_config_string` option allows loading a declarative config directly from a string. See the\n [Loading The Declarative Configuration File](https://docs.konghq.com/2.5.x/db-less-and-declarative-config/#loading-the-declarative-configuration-file)\n section of the DB-less and Declarative Configuration guide for more information.\n [#7379](https://github.com/kong/kong/pull/7379)\n\n#### PDK\n\n- The Kong PDK now accepts tables in the response body for Stream subsystems, just as it does for the HTTP subsystem.\n Before developers had to check the subsystem if they wrote code that used the `exit()` function before calling it,\n because passing the wrong argument type would break the request response.\n [#7082](https://github.com/kong/kong/pull/7082)\n\n#### Plugins\n\n- **hmac-auth**: The HMAC Authentication plugin now includes support for the `@request-target` field in the signature\n string. Before, the plugin used the `request-line` parameter, which contains the HTTP request method, request URI, and\n the HTTP version number. The inclusion of the HTTP version number in the signature caused requests to the same target\n but using different request methods(such as HTTP/2) to have different signatures. The newly added request-target field\n only includes the lowercase request method and request URI when calculating the hash, avoiding those issues.\n See the [HMAC Authentication](https://docs.konghq.com/hub/kong-inc/hmac-auth) documentation for more information.\n [#7037](https://github.com/kong/kong/pull/7037)\n- **syslog**: The Syslog plugin now includes facility configuration options, which are a way for the plugin to group\n error messages from different sources. See the description for the facility parameter in the\n [Parameters](https://docs.konghq.com/hub/kong-inc/syslog/#parameters) section of the Syslog documentation for more\n information. [#6081](https://github.com/kong/kong/pull/6081). Thanks, [jideel](https://github.com/jideel)!\n- **Prometheus**: The Prometheus plugin now exposes connected data planes' status on the control plane. New metrics include the\n following: `data_plane_last_seen`, `data_plane_config_hash` and `data_plane_version_compatible`. These\n metrics can be useful for troubleshooting when data planes have inconsistent configurations across the cluster. See the\n [Available metrics](https://docs.konghq.com/hub/kong-inc/prometheus) section of the Prometheus plugin documentation\n for more information. [98](https://github.com/Kong/kong-plugin-prometheus/pull/98)\n- **Zipkin**: The Zipkin plugin now includes the following tags: `kong.route`,`kong.service_name` and `kong.route_name`.\n See the [Spans](https://docs.konghq.com/hub/kong-inc/zipkin/#spans) section of the Zipkin plugin documentation for more information.\n [115](https://github.com/Kong/kong-plugin-zipkin/pull/115)\n\n#### Hybrid Mode\n\n- Kong now exposes an upstream health checks endpoint (using the status API) on the data plane for better\n observability. [#7429](https://github.com/Kong/kong/pull/7429)\n- Control Planes are now more lenient when checking Data Planes' compatibility in Hybrid mode. See the\n [Version compatibility](https://docs.konghq.com/gateway-oss/2.5.x/hybrid-mode/#version_compatibility)\n section of the Hybrid Mode guide for more information. [#7488](https://github.com/Kong/kong/pull/7488)\n- This release starts the groundwork for Hybrid Mode 2.0 Protocol. This code isn't active by default in Kong 2.5,\n but it allows future development. [#7462](https://github.com/Kong/kong/pull/7462)\n\n### Fixes\n\n#### Core\n\n- When using DB-less mode, `select_by_cache_key` now finds entities by using the provided `field` directly\n in ` select_by_key` and does not complete unnecessary cache reads. [#7146](https://github.com/kong/kong/pull/7146)\n- Kong can now finish initialization even if a plugin’s `init_worker` handler fails, improving stability.\n [#7099](https://github.com/kong/kong/pull/7099)\n- TLS keepalive requests no longer share their context. Before when two calls were made to the same \"server+hostname\"\n but different routes and using a keepalive connection, plugins that were active in the first call were also sometimes\n (incorrectly) active in the second call. The wrong plugin was active because Kong was passing context in the SSL phase\n to the plugin iterator, creating connection-wide structures in that context, which was then shared between different\n keepalive requests. With this fix, Kong does not pass context to plugin iterators with the `certificate` phase,\n avoiding plugin mixups.[#7102](https://github.com/kong/kong/pull/7102)\n- The HTTP status 405 is now handled by Kong's error handler. Before accessing Kong using the TRACE method returned\n a standard NGINX error page because the 405 wasn’t included in the error page settings of the NGINX configuration.\n [#6933](https://github.com/kong/kong/pull/6933).\n Thanks, [yamaken1343](https://github.com/yamaken1343)!\n- Custom `ngx.sleep` implementation in `init_worker` phase now invokes `update_time` in order to prevent time-based deadlocks\n [#7532](https://github.com/Kong/kong/pull/7532)\n- `Proxy-Authorization` header is removed when it is part of the original request **or** when a plugin sets it to the\n same value as the original request\n [#7533](https://github.com/Kong/kong/pull/7533)\n- `HEAD` requests don't provoke an error when a Plugin implements the `response` phase\n [#7535](https://github.com/Kong/kong/pull/7535)\n\n#### Hybrid Mode\n\n- Control planes no longer perform health checks on CRUD upstreams’ and targets’ events.\n [#7085](https://github.com/kong/kong/pull/7085)\n- To prevent unnecessary cache flips on data planes, Kong now checks `dao:crud` events more strictly and has\n a new cluster event, `clustering:push_config` for configuration pushes. These updates allow Kong to filter\n invalidation events that do not actually require a database change. Furthermore, the clustering module does\n not subscribe to the generic `invalidations` event, which has a more broad scope than database entity invalidations.\n [#7112](https://github.com/kong/kong/pull/7112)\n- Data Planes ignore null fields coming from Control Planes when doing schema validation.\n [#7458](https://github.com/Kong/kong/pull/7458)\n- Kong now includes the source in error logs produced by Control Planes.\n [#7494](https://github.com/Kong/kong/pull/7494)\n- Data Plane config hash calculation and checking is more consistent now: it is impervious to changes in table iterations,\n hashes are calculated in both CP and DP, and DPs send pings more immediately and with the new hash now\n [#7483](https://github.com/Kong/kong/pull/7483)\n\n\n#### Balancer\n\n- All targets are returned by the Admin API now, including targets with a `weight=0`, or disabled targets.\n Before disabled targets were not included in the output when users attempted to list all targets. Then\n when users attempted to add the targets again, they received an error message telling them the targets already existed.\n [#7094](https://github.com/kong/kong/pull/7094)\n- Upserting existing targets no longer fails. Before, because of updates made to target configurations since Kong v2.2.0,\n upserting older configurations would fail. This fix allows older configurations to be imported.\n [#7052](https://github.com/kong/kong/pull/7052)\n- The last balancer attempt is now correctly logged. Before balancer tries were saved when retrying, which meant the last\n retry state was not saved since there were no more retries. This update saves the failure state so it can be correctly logged.\n [#6972](https://github.com/kong/kong/pull/6972)\n- Kong now ensures that the correct upstream event is removed from the queue when updating the balancer state.\n [#7103](https://github.com/kong/kong/pull/7103)\n\n#### CLI\n\n- The `prefix` argument in the `kong stop` command now takes precedence over environment variables, as it does in the `kong start` command.\n [#7080](https://github.com/kong/kong/pull/7080)\n\n#### Configuration\n\n- Declarative configurations now correctly parse custom plugin entities schemas with attributes called \"plugins\". Before\n when using declarative configurations, users with custom plugins that included a \"plugins\" field would encounter startup\n exceptions. With this fix, the declarative configuration can now distinguish between plugins schema and custom plugins fields.\n [#7412](https://github.com/kong/kong/pull/7412)\n- The stream access log configuration options are now properly separated from the HTTP access log. Before when users\n used Kong with TCP, they couldn’t use a custom log format. With this fix, `proxy_stream_access_log` and `proxy_stream_error_log`\n have been added to differentiate stream access log from the HTTP subsystem. See\n [`proxy_stream_access_log`](https://docs.konghq.com/gateway-oss/2.5.x/configuration/#proxy_stream_access_log)\n and [`proxy_stream_error`](https://docs.konghq.com/gateway-oss/2.5.x/configuration/#proxy_stream_error) in the Configuration\n Property Reference for more information. [#7046](https://github.com/kong/kong/pull/7046)\n\n#### Migrations\n\n- Kong no longer assumes that `/?/init.lua` is in the Lua path when doing migrations. Before, when users created\n a custom plugin in a non-standard location and set `lua_package_path = /usr/local/custom/?.lua`, migrations failed.\n Migrations failed because the Kong core file is `init.lua` and it is required as part of `kong.plugins..migrations`.\n With this fix, migrations no longer expect `init.lua` to be a part of the path. [#6993](https://github.com/kong/kong/pull/6993)\n- Kong no longer emits errors when doing `ALTER COLUMN` operations in Apache Cassandra 4.0.\n [#7490](https://github.com/Kong/kong/pull/7490)\n\n#### PDK\n\n- With this update, `kong.response.get_XXX()` functions now work in the log phase on external plugins. Before\n `kong.response.get_XXX()` functions required data from the response object, which was not accessible in the\n post-log timer used to call log handlers in external plugins. Now these functions work by accessing the required\n data from the set saved at the start of the log phase. See [`kong.response`](https://docs.konghq.com/gateway-oss/{{page.kong_version}}/kong.response)\n in the Plugin Development Kit for more information. [#7048](https://github.com/kong/kong/pull/7048)\n- External plugins handle certain error conditions better while the Kong balancer is being refreshed. Before\n when an `instance_id` of an external plugin changed, and the plugin instance attempted to reset and retry,\n it was failing because of a typo in the comparison. [#7153](https://github.com/kong/kong/pull/7153).\n Thanks, [ealogar](https://github.com/ealogar)!\n- With this release, `kong.log`'s phase checker now accounts for the existence of the new `response` pseudo-phase.\n Before users may have erroneously received a safe runtime error for using a function out-of-place in the PDK.\n [#7109](https://github.com/kong/kong/pull/7109)\n- Kong no longer sandboxes the `string.rep` function. Before `string.rep` was sandboxed to disallow a single operation\n from allocating too much memory. However, a single operation allocating too much memory is no longer an issue\n because in LuaJIT there are no debug hooks and it is trivial to implement a loop to allocate memory on every single iteration.\n Additionally, since the `string` table is global and obtainable by any sandboxed string, its sandboxing provoked issues on global state.\n [#7167](https://github.com/kong/kong/pull/7167)\n- The `kong.pdk.node` function can now correctly iterates over all the shared dict metrics. Before this fix,\n users using the `kong.pdk.node` function could not see all shared dict metrics under the Stream subsystem.\n [#7078](https://github.com/kong/kong/pull/7078)\n\n#### Plugins\n\n- All custom plugins that are using the deprecated `BasePlugin` class have to remove this inheritance.\n- **LDAP-auth**: The LDAP Authentication schema now includes a default value for the `config.ldap_port` parameter\n that matches the documentation. Before the plugin documentation [Parameters](https://docs.konghq.com/hub/kong-inc/ldap-auth/#parameters)\n section included a reference to a default value for the LDAP port; however, the default value was not included in the plugin schema.\n [#7438](https://github.com/kong/kong/pull/7438)\n- **Prometheus**: The Prometheus plugin exporter now attaches subsystem labels to memory stats. Before, the HTTP\n and Stream subsystems were not distinguished, so their metrics were interpreted as duplicate entries by Prometheus.\n https://github.com/Kong/kong-plugin-prometheus/pull/118\n- **External Plugins**: the return code 127 (command not found) is detected and appropriate error is returned\n [#7523](https://github.com/Kong/kong/pull/7523)\n\n\n## [2.4.1]\n\n\n> Released 2021/05/11\n\nThis is a patch release in the 2.4 series. Being a patch release, it\nstrictly contains bugfixes. There are no new features or breaking changes.\n\n### Distribution\n\n- :warning: Starting with this release, Kong packages are no longer distributed\n through Bintray. Please download from [download.konghq.com](https://download.konghq.com).\n\n### Dependencies\n\n- Bump `luasec` from 1.0.0 to 1.0.1\n [#7126](https://github.com/Kong/kong/pull/7126)\n- Bump `prometheus` plugin from 1.2.0 to 1.2.1\n [#7061](https://github.com/Kong/kong/pull/7061)\n\n### Fixes\n\n##### Core\n\n- Ensure healthchecks and balancers are not created on control plane nodes.\n [#7085](https://github.com/Kong/kong/pull/7085)\n- Optimize URL normalization code.\n [#7100](https://github.com/Kong/kong/pull/7100)\n- Fix issue where control plane nodes would needlessly invalidate and send new\n configuration to data plane nodes.\n [#7112](https://github.com/Kong/kong/pull/7112)\n- Ensure HTTP code `405` is handled by Kong's error page.\n [#6933](https://github.com/Kong/kong/pull/6933)\n- Ensure errors in plugins `init_worker` do not break Kong's worker initialization.\n [#7099](https://github.com/Kong/kong/pull/7099)\n- Fix issue where two subsequent TLS keepalive requests would lead to incorrect\n plugin execution.\n [#7102](https://github.com/Kong/kong/pull/7102)\n- Ensure Targets upsert operation behaves similarly to other entities' upsert method.\n [#7052](https://github.com/Kong/kong/pull/7052)\n- Ensure failed balancer retry is saved and accounted for in log data.\n [#6972](https://github.com/Kong/kong/pull/6972)\n\n\n##### CLI\n\n- Ensure `kong start` and `kong stop` prioritize CLI flag `--prefix` over environment\n variable `KONG_PREFIX`.\n [#7080](https://github.com/Kong/kong/pull/7080)\n\n##### Configuration\n\n- Ensure Stream subsystem allows for configuration of access logs format.\n [#7046](https://github.com/Kong/kong/pull/7046)\n\n##### Admin API\n\n- Ensure targets with weight 0 are displayed in the Admin API.\n [#7094](https://github.com/Kong/kong/pull/7094)\n\n##### PDK\n\n- Ensure new `response` phase is accounted for in phase checkers.\n [#7109](https://github.com/Kong/kong/pull/7109)\n\n##### Plugins\n\n- Ensure plugins written in languages other than Lua can use `kong.response.get_*`\n methods - e.g., `kong.response.get_status`.\n [#7048](https://github.com/Kong/kong/pull/7048)\n- `hmac-auth`: enable JIT compilation of authorization header regex.\n [#7037](https://github.com/Kong/kong/pull/7037)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.4.0]\n\n> Released 2021/04/06\n\nThis is the final release of Kong 2.4.0, with no breaking changes with respect to the 2.x series.\nThis release includes JavaScript PDK, improved CP/DP updates and UTF-8 Tags, amongst other improvements\nand fixes.\n\n### Dependencies\n\n- :warning: For Kong 2.4, the required OpenResty version has been bumped to\n [1.19.3.1](http://openresty.org/en/changelog-1019003.html), and the set of\n patches included has changed, including the latest release of\n [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module).\n If you are installing Kong from one of our distribution\n packages, you are not affected by this change.\n\n**Note:** if you are not using one of our distribution packages and compiling\nOpenResty from source, you must still apply Kong's [OpenResty\npatches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/patches)\n(and, as highlighted above, compile OpenResty with the new\nlua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools)\nrepository will allow you to do both easily.\n\n- Bump luarocks from 3.4.0 to 3.5.0.\n [#6699](https://github.com/Kong/kong/pull/6699)\n- Bump luasec from 0.9 to 1.0.\n [#6814](https://github.com/Kong/kong/pull/6814)\n- Bump lua-resty-dns-client from 5.2.1 to 6.0.0.\n [#6999](https://github.com/Kong/kong/pull/6999)\n- Bump kong-lapis from 1.8.1.2 to 1.8.3.1.\n [#6925](https://github.com/Kong/kong/pull/6925)\n- Bump pgmoon from 1.11.0 to 1.12.0.\n [#6741](https://github.com/Kong/kong/pull/6741)\n- Bump lua-resty-openssl from 0.6.9 to 0.7.2.\n [#6967](https://github.com/Kong/kong/pull/6967)\n- Bump kong-plugin-zipkin from 1.2 to 1.3.\n [#6936](https://github.com/Kong/kong/pull/6936)\n- Bump kong-prometheus-plugin from 1.0 to 1.2.\n [#6958](https://github.com/Kong/kong/pull/6958)\n- Bump lua-cassandra from 1.5.0 to 1.5.1\n [#6857](https://github.com/Kong/kong/pull/6857)\n- Bump luasyslog from 1.0.0 to 2.0.1\n [#6957](https://github.com/Kong/kong/pull/6957)\n\n### Additions\n\n##### Core\n\n- Relaxed version check between Control Planes and Data Planes, allowing\n Data Planes that are missing minor updates to still connect to the\n Control Plane. Also, now Data Plane is allowed to have a superset of Control\n Plane plugins.\n [6932](https://github.com/Kong/kong/pull/6932)\n- Allowed UTF-8 in Tags\n [6784](https://github.com/Kong/kong/pull/6784)\n- Added support for Online Certificate Status Protocol responder found in cluster.\n [6887](https://github.com/Kong/kong/pull/6887)\n\n##### PDK\n\n- [JavaScript Plugin Development Kit (PDK)](https://github.com/Kong/kong-js-pdk)\n is released alongside with Kong 2.4. It allows users to write Kong plugins in\n JavaScript and TypeScript.\n- Beta release of Protobuf plugin communication protocol, which can be used in\n place of MessagePack to communicate with non-Lua plugins.\n [6941](https://github.com/Kong/kong/pull/6941)\n- Enabled `ssl_certificate` phase on plugins with stream module.\n [6873](https://github.com/Kong/kong/pull/6873)\n\n##### Plugins\n\n- Zipkin: support for Jaeger style uber-trace-id headers.\n [101](https://github.com/Kong/kong-plugin-zipkin/pull/101)\n Thanks [nvx](https://github.com/nvx) for the patch!\n- Zipkin: support for OT headers.\n [103](https://github.com/Kong/kong-plugin-zipkin/pull/103)\n Thanks [ishg](https://github.com/ishg) for the patch!\n- Zipkin: allow insertion of custom tags on the Zipkin request trace.\n [102](https://github.com/Kong/kong-plugin-zipkin/pull/102)\n- Zipkin: creation of baggage items on child spans is now possible.\n [98](https://github.com/Kong/kong-plugin-zipkin/pull/98)\n Thanks [Asafb26](https://github.com/Asafb26) for the patch!\n- JWT: Add ES384 support\n [6854](https://github.com/Kong/kong/pull/6854)\n Thanks [pariviere](https://github.com/pariviere) for the patch!\n- Several plugins: capability to set new log fields, or unset existing fields,\n by executing custom Lua code in the Log phase.\n [6944](https://github.com/Kong/kong/pull/6944)\n\n### Fixes\n\n##### Core\n\n- Changed default values and validation rules for plugins that were not\n well-adjusted for dbless or hybrid modes.\n [6885](https://github.com/Kong/kong/pull/6885)\n- Kong 2.4 ensures that all the Core entities are loaded before loading\n any plugins. This fixes an error in which Plugins to could not link to\n or modify Core entities because they would not be loaded yet\n [6880](https://github.com/Kong/kong/pull/6880)\n- If needed, `Host` header is now updated between balancer retries, using the\n value configured in the correct upstream entity.\n [6796](https://github.com/Kong/kong/pull/6796)\n- Schema validations now log more descriptive error messages when types are\n invalid.\n [6593](https://github.com/Kong/kong/pull/6593)\n Thanks [WALL-E](https://github.com/WALL-E) for the patch!\n- Kong now ignores tags in Cassandra when filtering by multiple entities, which\n is the expected behavior and the one already existent when using Postgres\n databases.\n [6931](https://github.com/Kong/kong/pull/6931)\n- `Upgrade` header is not cleared anymore when response `Connection` header\n contains `Upgrade`.\n [6929](https://github.com/Kong/kong/pull/6929)\n- Accept fully-qualified domain names ending in dots.\n [6864](https://github.com/Kong/kong/pull/6864)\n- Kong does not try to warmup upstream names when warming up DNS entries.\n [6891](https://github.com/Kong/kong/pull/6891)\n- Migrations order is now guaranteed to be always the same.\n [6901](https://github.com/Kong/kong/pull/6901)\n- Buffered responses are disabled on connection upgrades.\n [6902](https://github.com/Kong/kong/pull/6902)\n- Make entity relationship traverse-order-independent.\n [6743](https://github.com/Kong/kong/pull/6743)\n- The host header is updated between balancer retries.\n [6796](https://github.com/Kong/kong/pull/6796)\n- The router prioritizes the route with most matching headers when matching\n headers.\n [6638](https://github.com/Kong/kong/pull/6638)\n- Fixed an edge case on multipart/form-data boundary check.\n [6638](https://github.com/Kong/kong/pull/6638)\n- Paths are now properly normalized inside Route objects.\n [6976](https://github.com/Kong/kong/pull/6976)\n- Do not cache empty upstream name dictionary.\n [7002](https://github.com/Kong/kong/pull/7002)\n- Do not assume upstreams do not exist after init phase.\n [7010](https://github.com/Kong/kong/pull/7010)\n- Do not overwrite configuration files when running migrations.\n [7017](https://github.com/Kong/kong/pull/7017)\n\n##### PDK\n\n- Now Kong does not leave plugin servers alive after exiting and does not try to\n start them in the unsupported stream subsystem.\n [6849](https://github.com/Kong/kong/pull/6849)\n- Go does not cache `kong.log` methods\n [6701](https://github.com/Kong/kong/pull/6701)\n- The `response` phase is included on the list of public phases\n [6638](https://github.com/Kong/kong/pull/6638)\n- Config file style and options case are now consistent all around.\n [6981](https://github.com/Kong/kong/pull/6981)\n- Added right protobuf MacOS path to enable external plugins in Homebrew\n installations.\n [6980](https://github.com/Kong/kong/pull/6980)\n- Auto-escape upstream path to avoid proxying errors.\n [6978](https://github.com/Kong/kong/pull/6978)\n- Ports are now declared as `Int`.\n [6994](https://github.com/Kong/kong/pull/6994)\n\n##### Plugins\n\n- oauth2: better handling more cases of client invalid token generation.\n [6594](https://github.com/Kong/kong/pull/6594)\n Thanks [jeremyjpj0916](https://github.com/jeremyjpj0916) for the patch!\n- Zipkin: the w3c parsing function was returning a non-used extra value, and it\n now early-exits.\n [100](https://github.com/Kong/kong-plugin-zipkin/pull/100)\n Thanks [nvx](https://github.com/nvx) for the patch!\n- Zipkin: fixed a bug in which span timestamping could sometimes raise an error.\n [105](https://github.com/Kong/kong-plugin-zipkin/pull/105)\n Thanks [Asafb26](https://github.com/Asafb26) for the patch!\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.3.3]\n\n> Released 2021/03/05\n\nThis is a patch release in the 2.3 series. Being a patch release, it\nstrictly contains bugfixes. The are no new features or breaking changes.\n\n### Dependencies\n\n- Bump OpenSSL from `1.1.1i` to `1.1.1j`.\n [6859](https://github.com/Kong/kong/pull/6859)\n\n### Fixes\n\n##### Core\n\n- Ensure control plane nodes do not execute healthchecks.\n [6805](https://github.com/Kong/kong/pull/6805)\n- Ensure only one worker executes active healthchecks.\n [6844](https://github.com/Kong/kong/pull/6844)\n- Declarative config can be now loaded as an inline yaml file by `kong config`\n (previously it was possible only as a yaml string inside json). JSON declarative\n config is now parsed with the `cjson` library, instead of with `libyaml`.\n [6852](https://github.com/Kong/kong/pull/6852)\n- When using eventual worker consistency now every Nginx worker deals with its\n upstreams changes, avoiding unnecessary synchronization among workers.\n [6833](https://github.com/Kong/kong/pull/6833)\n\n##### Admin API\n\n- Remove `prng_seed` from the Admin API and add PIDs instead.\n [6842](https://github.com/Kong/kong/pull/6842)\n\n##### PDK\n\n- Ensure `kong.log.serialize` properly calculates reported latencies.\n [6869](https://github.com/Kong/kong/pull/6869)\n\n##### Plugins\n\n- HMAC-Auth: fix issue where the plugin would check if both a username and\n signature were specified, rather than either.\n [6826](https://github.com/Kong/kong/pull/6826)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.3.2]\n\n> Released 2021/02/09\n\nThis is a patch release in the 2.3 series. Being a patch release, it\nstrictly contains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n##### Core\n\n- Fix an issue where certain incoming URI may make it possible to\n bypass security rules applied on Route objects. This fix make such\n attacks more difficult by always normalizing the incoming request's\n URI before matching against the Router.\n [#6821](https://github.com/Kong/kong/pull/6821)\n- Properly validate Lua input in sandbox module.\n [#6765](https://github.com/Kong/kong/pull/6765)\n- Mark boolean fields with default values as required.\n [#6785](https://github.com/Kong/kong/pull/6785)\n\n\n##### CLI\n\n- `kong migrations` now accepts a `-p`/`--prefix` flag.\n [#6819](https://github.com/Kong/kong/pull/6819)\n\n##### Plugins\n\n- JWT: disallow plugin on consumers.\n [#6777](https://github.com/Kong/kong/pull/6777)\n- rate-limiting: improve counters accuracy.\n [#6802](https://github.com/Kong/kong/pull/6802)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.3.1]\n\n> Released 2021/01/26\n\nThis is a patch release in the 2.3 series. Being a patch release, it\nstrictly contains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n##### Core\n\n- lua-resty-dns-client was bumped to 5.2.1, which fixes an issue that could\n lead to a busy loop when renewing addresses.\n [#6760](https://github.com/Kong/kong/pull/6760)\n- Fixed an issue that made Kong return HTTP 500 Internal Server Error instead\n of HTTP 502 Bad Gateway on upstream connection errors when using buffered\n proxying. [#6735](https://github.com/Kong/kong/pull/6735)\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.3.0]\n\n> Released 2021/01/08\n\nThis is a new release of Kong, with no breaking changes with respect to the 2.x series,\nwith **Control Plane/Data Plane version checks**, **UTF-8 names for Routes and Services**,\nand **a Plugin Servers**.\n\n\n### Distributions\n\n- :warning: Support for Centos 6 has been removed, as said distro entered\n EOL on Nov 30.\n [#6641](https://github.com/Kong/kong/pull/6641)\n\n### Dependencies\n\n- Bump kong-plugin-serverless-functions from 1.0 to 2.1.\n [#6715](https://github.com/Kong/kong/pull/6715)\n- Bump lua-resty-dns-client from 5.1.0 to 5.2.0.\n [#6711](https://github.com/Kong/kong/pull/6711)\n- Bump lua-resty-healthcheck from 1.3.0 to 1.4.0.\n [#6711](https://github.com/Kong/kong/pull/6711)\n- Bump OpenSSL from 1.1.1h to 1.1.1i.\n [#6639](https://github.com/Kong/kong/pull/6639)\n- Bump `kong-plugin-zipkin` from 1.1 to 1.2.\n [#6576](https://github.com/Kong/kong/pull/6576)\n- Bump `kong-plugin-request-transformer` from 1.2 to 1.3.\n [#6542](https://github.com/Kong/kong/pull/6542)\n\n### Additions\n\n##### Core\n\n- Introduce version checks between Control Plane and Data Plane nodes\n in Hybrid Mode. Sync will be stopped if the major/minor version differ\n or if installed plugin versions differ between Control Plane and Data\n Plane nodes.\n [#6612](https://github.com/Kong/kong/pull/6612)\n- Kong entities with a `name` field now support utf-8 characters.\n [#6557](https://github.com/Kong/kong/pull/6557)\n- The certificates entity now has `cert_alt` and `key_alt` fields, used\n to specify an alternative certificate and key pair.\n [#6536](https://github.com/Kong/kong/pull/6536)\n- The go-pluginserver `stderr` and `stdout` are now written into Kong's\n logs.\n [#6503](https://github.com/Kong/kong/pull/6503)\n- Introduce support for multiple pluginservers. This feature is\n backwards-compatible with the existing single Go pluginserver.\n [#6600](https://github.com/Kong/kong/pull/6600)\n\n##### PDK\n\n- Introduce a `kong.node.get_hostname` method that returns current's\n node host name.\n [#6613](https://github.com/Kong/kong/pull/6613)\n- Introduce a `kong.cluster.get_id` method that returns a unique ID\n for the current Kong cluster. If Kong is running in DB-less mode\n without a cluster ID explicitly defined, then this method returns nil.\n For Hybrid mode, all Control Planes and Data Planes belonging to the\n same cluster returns the same cluster ID. For traditional database\n based deployments, all Kong nodes pointing to the same database will\n also return the same cluster ID.\n [#6576](https://github.com/Kong/kong/pull/6576)\n- Introduce a `kong.log.set_serialize_value`, which allows for customizing\n the output of `kong.log.serialize`.\n [#6646](https://github.com/Kong/kong/pull/6646)\n\n##### Plugins\n\n- `http-log`: the plugin now has a `headers` configuration, so that\n custom headers can be specified for the log request.\n [#6449](https://github.com/Kong/kong/pull/6449)\n- `key-auth`: the plugin now has two additional boolean configurations:\n * `key_in_header`: if `false`, the plugin will ignore keys passed as\n headers.\n * `key_in_query`: if `false`, the plugin will ignore keys passed as\n query arguments.\n Both default to `true`.\n [#6590](https://github.com/Kong/kong/pull/6590)\n- `request-size-limiting`: add new configuration `require_content_length`,\n which causes the plugin to ensure a valid `Content-Length` header exists\n before reading the request body.\n [#6660](https://github.com/Kong/kong/pull/6660)\n- `serverless-functions`: introduce a sandboxing capability, and it has been\n *enabled* by default, where only Kong PDK, OpenResty `ngx` APIs, and Lua standard libraries are allowed.\n [#32](https://github.com/Kong/kong-plugin-serverless-functions/pull/32/)\n\n##### Configuration\n\n- `client_max_body_size` and `client_body_buffer_size`, that previously\n hardcoded to 10m, are now configurable through `nginx_admin_client_max_body_size` and `nginx_admin_client_body_buffer_size`.\n [#6597](https://github.com/Kong/kong/pull/6597)\n- Kong-generated SSL privates keys now have `600` file system permission.\n [#6509](https://github.com/Kong/kong/pull/6509)\n- Properties `ssl_cert`, `ssl_cert_key`, `admin_ssl_cert`,\n `admin_ssl_cert_key`, `status_ssl_cert`, and `status_ssl_cert_key`\n is now an array: previously, only an RSA certificate was generated\n by default; with this change, an ECDSA is also generated. On\n intermediate and modern cipher suites, the ECDSA certificate is set\n as the default fallback certificate; on old cipher suite, the RSA\n certificate remains as the default. On custom certificates, the first\n certificate specified in the array is used.\n [#6509](https://github.com/Kong/kong/pull/6509)\n- Kong now runs as a `kong` user if it exists; it said user does not exist\n in the system, the `nobody` user is used, as before.\n [#6421](https://github.com/Kong/kong/pull/6421)\n\n### Fixes\n\n##### Core\n\n- Fix issue where a Go plugin would fail to read kong.ctx.shared values set by Lua plugins.\n [#6490](https://github.com/Kong/kong/pull/6490)\n- Properly trigger `dao:delete_by:post` hook.\n [#6567](https://github.com/Kong/kong/pull/6567)\n- Fix issue where a route that supports both http and https (and has a hosts and snis match criteria) would fail to proxy http requests, as it does not contain an SNI.\n [#6517](https://github.com/Kong/kong/pull/6517)\n- Fix issue where a `nil` request context would lead to errors `attempt to index local 'ctx'` being shown in the logs\n- Reduced the number of needed timers to active health check upstreams and to resolve hosts.\n- Schemas for full-schema validations are correctly cached now, avoiding memory\n leaks when reloading declarative configurations. [#6713](https://github.com/Kong/kong/pull/6713)\n- The schema for the upstream entities now limits the highest configurable\n number of successes and failures to 255, respecting the limits imposed by\n lua-resty-healthcheck. [#6705](https://github.com/Kong/kong/pull/6705)\n- Certificates for database connections now are loaded in the right order\n avoiding failures to connect to Postgres databases.\n [#6650](https://github.com/Kong/kong/pull/6650)\n\n##### CLI\n\n- Fix issue where `kong reload -c ` would fail.\n [#6664](https://github.com/Kong/kong/pull/6664)\n- Fix issue where the Kong configuration cache would get corrupted.\n [#6664](https://github.com/Kong/kong/pull/6664)\n\n##### PDK\n\n- Ensure the log serializer encodes the `tries` field as an array when\n empty, rather than an object.\n [#6632](https://github.com/Kong/kong/pull/6632)\n\n##### Plugins\n\n- request-transformer plugin does not allow `null` in config anymore as they can\n lead to runtime errors. [#6710](https://github.com/Kong/kong/pull/6710)\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.2.2]\n\n> Released 2021/03/01\n\nThis is a patch release in the 2.2 series. Being a patch release, it\nstrictly contains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n##### Plugins\n\n- `serverless-functions`: introduce a sandboxing capability, *enabled* by default,\n where only Kong PDK, OpenResty `ngx` APIs, and some Lua standard libraries are\n allowed. Read the documentation [here](https://docs.konghq.com/hub/kong-inc/serverless-functions/#sandboxing).\n [#32](https://github.com/Kong/kong-plugin-serverless-functions/pull/32/)\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.2.1]\n\n> Released 2020/12/01\n\nThis is a patch release in the 2.2 series. Being a patch release, it\nstrictly contains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n##### Distribution\n\n##### Core\n\n- Fix issue where Kong would fail to start a Go plugin instance with a\n `starting instance: nil` error.\n [#6507](https://github.com/Kong/kong/pull/6507)\n- Fix issue where a route that supports both `http` and `https` (and has\n a `hosts` and `snis` match criteria) would fail to proxy `http`\n requests, as it does not contain an SNI.\n [#6517](https://github.com/Kong/kong/pull/6517)\n- Fix issue where a Go plugin would fail to read `kong.ctx.shared` values\n set by Lua plugins.\n [#6426](https://github.com/Kong/kong/issues/6426)\n- Fix issue where gRPC requests would fail to set the `:authority`\n pseudo-header in upstream requests.\n [#6603](https://github.com/Kong/kong/pull/6603)\n\n##### CLI\n\n- Fix issue where `kong config db_import` and `kong config db_export`\n commands would fail if Go plugins were enabled.\n [#6596](https://github.com/Kong/kong/pull/6596)\n Thanks [daniel-shuy](https://github.com/daniel-shuy) for the patch!\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.2.0]\n\n> Released 2020/10/23\n\nThis is a new major release of Kong, including new features such as **UDP support**,\n**Configurable Request and Response Buffering**, **Dynamically Loading of OS\nCertificates**, and much more.\n\n### Distributions\n\n- Added support for running Kong as the non-root user kong on distributed systems.\n\n\n### Dependencies\n\n- :warning: For Kong 2.2, the required OpenResty version has been bumped to\n [1.17.8.2](http://openresty.org/en/changelog-1017008.html), and the\n the set of patches included has changed, including the latest release of\n [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module).\n If you are installing Kong from one of our distribution\n packages, you are not affected by this change.\n- Bump OpenSSL version from `1.1.1g` to `1.1.1h`.\n [#6382](https://github.com/Kong/kong/pull/6382)\n\n**Note:** if you are not using one of our distribution packages and compiling\nOpenResty from source, you must still apply Kong's [OpenResty\npatches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/openresty-patches)\n(and, as highlighted above, compile OpenResty with the new\nlua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools)\nrepository will allow you to do both easily.\n\n- :warning: Cassandra 2.x support is now deprecated. If you are still\n using Cassandra 2.x with Kong, we recommend you to upgrade, since this\n series of Cassandra is about to be EOL with the upcoming release of\n Cassandra 4.0.\n\n### Additions\n\n##### Core\n\n- :fireworks: **UDP support**: Kong now features support for UDP proxying\n in its stream subsystem. The `\"udp\"` protocol is now accepted in the `protocols`\n attribute of Routes and the `protocol` attribute of Services.\n Load balancing and logging plugins support UDP as well.\n [#6215](https://github.com/Kong/kong/pull/6215)\n- **Configurable Request and Response Buffering**: The buffering of requests\n or responses can now be enabled or disabled on a per-route basis, through\n setting attributes `Route.request_buffering` or `Route.response_buffering`\n to `true` or `false`. Default behavior remains the same: buffering is enabled\n by default for requests and responses.\n [#6057](https://github.com/Kong/kong/pull/6057)\n- **Option to Automatically Load OS Certificates**: The configuration\n attribute `lua_ssl_trusted_certificate` was extended to accept a\n comma-separated list of certificate paths, as well as a special `system`\n value, which expands to the \"system default\" certificates file installed\n by the operating system. This follows a very simple heuristic to try to\n use the most common certificate file in most popular distros.\n [#6342](https://github.com/Kong/kong/pull/6342)\n- Consistent-Hashing load balancing algorithm does not require to use the entire\n target history to build the same proxying destinations table on all Kong nodes\n anymore. Now deleted targets are actually removed from the database and the\n targets entities can be manipulated by the Admin API as any other entity.\n [#6336](https://github.com/Kong/kong/pull/6336)\n- Add `X-Forwarded-Path` header: if a trusted source provides a\n `X-Forwarded-Path` header, it is proxied as-is. Otherwise, Kong will set\n the content of said header to the request's path.\n [#6251](https://github.com/Kong/kong/pull/6251)\n- Hybrid mode synchronization performance improvements: Kong now uses a\n new internal synchronization method to push changes from the Control Plane\n to the Data Plane, drastically reducing the amount of communication between\n nodes during bulk updates.\n [#6293](https://github.com/Kong/kong/pull/6293)\n- The `Upstream.client_certificate` attribute can now be used from proxying:\n This allows `client_certificate` setting used for mTLS handshaking with\n the `Upstream` server to be shared easily among different Services.\n However, `Service.client_certificate` will take precedence over\n `Upstream.client_certificate` if both are set simultaneously.\n In previous releases, `Upstream.client_certificate` was only used for\n mTLS in active health checks.\n [#6348](https://github.com/Kong/kong/pull/6348)\n- New `shorthand_fields` top-level attribute in schema definitions, which\n deprecates `shorthands` and includes type definitions in addition to the\n shorthand callback.\n [#6364](https://github.com/Kong/kong/pull/6364)\n- Hybrid Mode: the table of Data Plane nodes at the Control Plane is now\n cleaned up automatically, according to a delay value configurable via\n the `cluster_data_plane_purge_delay` attribute, set to 14 days by default.\n [#6376](https://github.com/Kong/kong/pull/6376)\n- Hybrid Mode: Data Plane nodes now apply only the last config when receiving\n several updates in sequence, improving the performance when large configs are\n in use. [#6299](https://github.com/Kong/kong/pull/6299)\n\n##### Admin API\n\n- Hybrid Mode: new endpoint `/clustering/data-planes` which returns complete\n information about all Data Plane nodes that are connected to the Control\n Plane cluster, regardless of the Control Plane node to which they connected.\n [#6308](https://github.com/Kong/kong/pull/6308)\n * :warning: The `/clustering/status` endpoint is now deprecated, since it\n returns only information about Data Plane nodes directly connected to the\n Control Plane node to which the Admin API request was made, and is\n superseded by `/clustering/data-planes`.\n- Admin API responses now honor the `headers` configuration setting for\n including or removing the `Server` header.\n [#6371](https://github.com/Kong/kong/pull/6371)\n\n##### PDK\n\n- New function `kong.request.get_forwarded_prefix`: returns the prefix path\n component of the request's URL that Kong stripped before proxying to upstream,\n respecting the value of `X-Forwarded-Prefix` when it comes from a trusted source.\n [#6251](https://github.com/Kong/kong/pull/6251)\n- `kong.response.exit` now honors the `headers` configuration setting for\n including or removing the `Server` header.\n [#6371](https://github.com/Kong/kong/pull/6371)\n- `kong.log.serialize` function now can be called using the stream subsystem,\n allowing various logging plugins to work under TCP and TLS proxy modes.\n [#6036](https://github.com/Kong/kong/pull/6036)\n- Requests with `multipart/form-data` MIME type now can use the same part name\n multiple times. [#6054](https://github.com/Kong/kong/pull/6054)\n\n##### Plugins\n\n- **New Response Phase**: both Go and Lua pluggins now support a new plugin\n phase called `response` in Lua plugins and `Response` in Go. Using it\n automatically enables response buffering, which allows you to manipulate\n both the response headers and the response body in the same phase.\n This enables support for response handling in Go, where header and body\n filter phases are not available, allowing you to use PDK functions such\n as `kong.Response.GetBody()`, and provides an equivalent simplified\n feature for handling buffered responses from Lua plugins as well.\n [#5991](https://github.com/Kong/kong/pull/5991)\n- aws-lambda: bump to version 3.5.0:\n [#6379](https://github.com/Kong/kong/pull/6379)\n * support for 'isBase64Encoded' flag in Lambda function responses\n- grpc-web: introduce configuration pass_stripped_path, which, if set to true,\n causes the plugin to pass the stripped request path (see the `strip_path` Route\n attribute) to the upstream gRPC service.\n- rate-limiting: Support for rate limiting by path, by setting the\n `limit_by = \"path\"` configuration attribute.\n Thanks [KongGuide](https://github.com/KongGuide) for the patch!\n [#6286](https://github.com/Kong/kong/pull/6286)\n- correlation-id: the plugin now generates a correlation-id value by default\n if the correlation id header arrives but is empty.\n [#6358](https://github.com/Kong/kong/pull/6358)\n\n\n## [2.1.4]\n\n> Released 2020/09/18\n\nThis is a patch release in the 2.0 series. Being a patch release, it strictly\ncontains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n##### Core\n\n- Improve graceful exit of Control Plane and Data Plane nodes in Hybrid Mode.\n [#6306](https://github.com/Kong/kong/pull/6306)\n\n##### Plugins\n\n- datadog, loggly, statsd: fixes for supporting logging TCP/UDP services.\n [#6344](https://github.com/Kong/kong/pull/6344)\n- Logging plugins: request and response sizes are now reported\n by the log serializer as number attributes instead of string.\n [#6356](https://github.com/Kong/kong/pull/6356)\n- prometheus: Remove unnecessary `WARN` log that was seen in the Kong 2.1\n series.\n [#6258](https://github.com/Kong/kong/pull/6258)\n- key-auth: no longer trigger HTTP 400 error when the body cannot be decoded.\n [#6357](https://github.com/Kong/kong/pull/6357)\n- aws-lambda: respect `skip_large_bodies` config setting even when not using\n AWS API Gateway compatibility.\n [#6379](https://github.com/Kong/kong/pull/6379)\n\n\n[Back to TOC](#table-of-contents)\n- Fix issue where `kong reload` would occasionally leave stale workers locked\n at 100% CPU.\n [#6300](https://github.com/Kong/kong/pull/6300)\n- Hybrid Mode: more informative error message when the Control Plane cannot\n be reached.\n [#6267](https://github.com/Kong/kong/pull/6267)\n\n##### CLI\n\n- `kong hybrid gen_cert` now reports \"permission denied\" errors correctly\n when it fails to write the certificate files.\n [#6368](https://github.com/Kong/kong/pull/6368)\n\n##### Plugins\n\n- acl: bumped to 3.0.1\n * Fix regression in a scenario where an ACL plugin with a `deny` clause\n was configured for a group that does not exist would cause a HTTP 401\n when an authenticated plugin would match the anonymous consumer. The\n behavior is now restored to that seen in Kong 1.x and 2.0.\n [#6354](https://github.com/Kong/kong/pull/6354)\n- request-transformer: bumped to 1.2.7\n * Fix the construction of the error message when a template throws a Lua error.\n [#26](https://github.com/Kong/kong-plugin-request-transformer/pull/26)\n\n\n## [2.1.3]\n\n> Released 2020/08/19\n\nThis is a patch release in the 2.0 series. Being a patch release, it strictly\ncontains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n##### Core\n\n- Fix behavior of `X-Forwarded-Prefix` header with stripped path prefixes:\n the stripped portion of path is now added in `X-Forwarded-Prefix`,\n except if it is `/` or if it is received from a trusted client.\n [#6222](https://github.com/Kong/kong/pull/6222)\n\n##### Migrations\n\n- Avoid creating unnecessary an index for Postgres.\n [#6250](https://github.com/Kong/kong/pull/6250)\n\n##### Admin API\n\n- DB-less: fix concurrency issues with `/config` endpoint. It now waits for\n the configuration to update across workers before returning, and returns\n HTTP 429 on attempts to perform concurrent updates and HTTP 504 in case\n of update timeouts.\n [#6121](https://github.com/Kong/kong/pull/6121)\n\n##### Plugins\n\n- request-transformer: bump from v1.2.5 to v1.2.6\n * Fix an issue where query parameters would get incorrectly URL-encoded.\n [#24](https://github.com/Kong/kong-plugin-request-transformer/pull/24)\n- acl: Fix migration of ACLs table for the Kong 2.1 series.\n [#6250](https://github.com/Kong/kong/pull/6250)\n\n\n## [2.1.2]\n\n> Released 2020/08/13\n\n:white_check_mark: **Update (2020/08/13)**: This release fixed a balancer\nbug that may cause incorrect request payloads to be sent to unrelated\nupstreams during balancer retries, potentially causing responses for\nother requests to be returned. Therefore it is **highly recommended**\nthat Kong users running versions `2.1.0` and `2.1.1` to upgrade to this\nversion as soon as possible, or apply mitigation from the\n[2.1.0](#210) section below.\n\n### Fixes\n\n##### Core\n\n- Fix a bug that balancer retries causes incorrect requests to be sent to\n subsequent upstream connections of unrelated requests.\n [#6224](https://github.com/Kong/kong/pull/6224)\n- Fix an issue where plugins iterator was being built before setting the\n default workspace id, therefore indexing the plugins under the wrong workspace.\n [#6206](https://github.com/Kong/kong/pull/6206)\n\n##### Migrations\n\n- Improve reentrancy of Cassandra migrations.\n [#6206](https://github.com/Kong/kong/pull/6206)\n\n##### PDK\n\n- Make sure the `kong.response.error` PDK function respects gRPC related\n content types.\n [#6214](https://github.com/Kong/kong/pull/6214)\n\n\n## [2.1.1]\n\n> Released 2020/08/05\n\n:red_circle: **Post-release note (as of 2020/08/13)**: A faulty behavior\nhas been observed with this change. When Kong proxies using the balancer\nand a request to one of the upstream `Target` fails, Kong might send the\nsame request to another healthy `Target` in a different request later,\ncausing response for the failed request to be returned.\n\nThis bug could be mitigated temporarily by disabling upstream keepalive pools.\nIt can be achieved by either:\n\n1. In `kong.conf`, set `upstream_keepalive_pool_size=0`, or\n2. Setting the environment `KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0` when starting\n Kong with the CLI.\n\nThen restart/reload the Kong instance.\n\nThanks Nham Le (@nhamlh) for reporting it in [#6212](https://github.com/Kong/kong/issues/6212).\n\n:white_check_mark: **Update (2020/08/13)**: A fix to this regression has been\nreleased as part of [2.1.2](#212). See the section of the Changelog related to this\nrelease for more details.\n\n### Dependencies\n\n- Bump [lua-multipart](https://github.com/Kong/lua-multipart) to `0.5.9`.\n [#6148](https://github.com/Kong/kong/pull/6148)\n\n### Fixes\n\n##### Core\n\n- No longer reject valid characters (as specified in the RFC 3986) in the `path` attribute of the\n Service entity.\n [#6183](https://github.com/Kong/kong/pull/6183)\n\n##### Migrations\n\n- Fix issue in Cassandra migrations where empty values in some entities would be incorrectly migrated.\n [#6171](https://github.com/Kong/kong/pull/6171)\n\n##### Admin API\n\n- Fix issue where consumed worker memory as reported by the `kong.node.get_memory_stats()` PDK method would be incorrectly reported in kilobytes, rather than bytes, leading to inaccurate values in the `/status` Admin API endpoint (and other users of said PDK method).\n [#6170](https://github.com/Kong/kong/pull/6170)\n\n##### Plugins\n\n- rate-limiting: fix issue where rate-limiting by Service would result in a global limit, rather than per Service.\n [#6157](https://github.com/Kong/kong/pull/6157)\n- rate-limiting: fix issue where a TTL would not be set to some Redis keys.\n [#6150](https://github.com/Kong/kong/pull/6150)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.1.0]\n\n> Released 2020/07/16\n\n:red_circle: **Post-release note (as of 2020/08/13)**: A faulty behavior\nhas been observed with this change. When Kong proxies using the balancer\nand a request to one of the upstream `Target` fails, Kong might send the\nsame request to another healthy `Target` in a different request later,\ncausing response for the failed request to be returned.\n\nThis bug could be mitigated temporarily by disabling upstream keepalive pools.\nIt can be achieved by either:\n\n1. In `kong.conf`, set `upstream_keepalive_pool_size=0`, or\n2. Setting the environment `KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0` when starting\n Kong with the CLI.\n\nThen restart/reload the Kong instance.\n\nThanks Nham Le (@nhamlh) for reporting it in [#6212](https://github.com/Kong/kong/issues/6212).\n\n:white_check_mark: **Update (2020/08/13)**: A fix to this regression has been\nreleased as part of [2.1.2](#212). See the section of the Changelog related to this\nrelease for more details.\n\n### Distributions\n\n- :gift: Introduce package for Ubuntu 20.04.\n [#6006](https://github.com/Kong/kong/pull/6006)\n- Add `ca-certificates` to the Alpine Docker image.\n [#373](https://github.com/Kong/docker-kong/pull/373)\n- :warning: The [go-pluginserver](https://github.com/Kong/go-pluginserver) no\n longer ships with Kong packages; users are encouraged to build it along with\n their Go plugins. For more info, check out the [Go Guide](https://docs.konghq.com/latest/go/).\n\n### Dependencies\n\n- :warning: In order to use all Kong features, including the new\n dynamic upstream keepalive behavior, the required OpenResty version is\n [1.15.8.3](http://openresty.org/en/changelog-1015008.html).\n If you are installing Kong from one of our distribution\n packages, this version and all required patches and modules are included.\n If you are building from source, you must apply\n Kong's [OpenResty patches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/openresty-patches)\n as well as include [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module).\n Our [kong-build-tools](https://github.com/Kong/kong-build-tools)\n repository allows you to do both easily.\n- Bump OpenSSL version from `1.1.1f` to `1.1.1g`.\n [#5820](https://github.com/Kong/kong/pull/5810)\n- Bump [lua-resty-dns-client](https://github.com/Kong/lua-resty-dns-client) from `4.1.3`\n to `5.0.1`.\n [#5499](https://github.com/Kong/kong/pull/5499)\n- Bump [lyaml](https://github.com/gvvaughan/lyaml) from `0.2.4` to `0.2.5`.\n [#5984](https://github.com/Kong/kong/pull/5984)\n- Bump [lua-resty-openssl](https://github.com/fffonion/lua-resty-openssl)\n from `0.6.0` to `0.6.2`.\n [#5941](https://github.com/Kong/kong/pull/5941)\n\n### Changes\n\n##### Core\n\n- Increase maximum allowed payload size in hybrid mode.\n [#5654](https://github.com/Kong/kong/pull/5654)\n- Targets now support a weight range of 0-65535.\n [#5871](https://github.com/Kong/kong/pull/5871)\n\n##### Configuration\n\n- :warning: The configuration properties `router_consistency` and\n `router_update_frequency` have been renamed to `worker_consistency` and\n `worker_state_update_frequency`, respectively. The new properties allow for\n configuring the consistency settings of additional internal structures, see\n below for details.\n [#5325](https://github.com/Kong/kong/pull/5325)\n- :warning: The `nginx_upstream_keepalive_*` configuration properties have been\n renamed to `upstream_keepalive_*`. This is due to the introduction of dynamic\n upstream keepalive pools, see below for details.\n [#5771](https://github.com/Kong/kong/pull/5771)\n- :warning: The default value of `worker_state_update_frequency` (previously\n `router_update_frequency`) was changed from `1` to `5`.\n [#5325](https://github.com/Kong/kong/pull/5325)\n\n##### Plugins\n\n- :warning: Change authentication plugins to standardize on `allow` and\n `deny` as terms for access control. Previous nomenclature is deprecated and\n support will be removed in Kong 3.0.\n * ACL: use `allow` and `deny` instead of `whitelist` and `blacklist`\n * bot-detection: use `allow` and `deny` instead of `whitelist` and `blacklist`\n * ip-restriction: use `allow` and `deny` instead of `whitelist` and `blacklist`\n [#6014](https://github.com/Kong/kong/pull/6014)\n\n### Additions\n\n##### Core\n\n- :fireworks: **Asynchronous upstream updates**: Kong's load balancer is now able to\n update its internal structures asynchronously instead of onto the request/stream\n path.\n\n This change required the introduction of new configuration properties and the\n deprecation of older ones:\n - New properties:\n * `worker_consistency`\n * `worker_state_update_frequency`\n - Deprecated properties:\n * `router_consistency`\n * `router_update_frequency`\n\n The new `worker_consistency` property is similar to `router_consistency` and accepts\n either of `strict` (default, synchronous) or `eventual` (asynchronous). Unlike its\n deprecated counterpart, this new property aims at configuring the consistency of *all*\n internal structures of Kong, and not only the router.\n [#5325](https://github.com/Kong/kong/pull/5325)\n- :fireworks: **Read-Only Postgres**: Kong users are now able to configure\n a read-only Postgres replica. When configured, Kong will attempt to fulfill\n read operations through the read-only replica instead of the main Postgres\n connection.\n [#5584](https://github.com/Kong/kong/pull/5584)\n- Introducing **dynamic upstream keepalive pools**. This change prevents virtual\n host confusion when Kong proxies traffic to virtual services (hosted on the\n same IP/port) over TLS.\n Keepalive pools are now created by the `upstream IP/upstream port/SNI/client\n certificate` tuple instead of `IP/port` only. Users running Kong in front of\n virtual services should consider adjusting their keepalive settings\n appropriately.\n\n This change required the introduction of new configuration properties and\n the deprecation of older ones:\n - New properties:\n * `upstream_keepalive_pool_size`\n * `upstream_keepalive_max_requests`\n * `upstream_keepalive_idle_timeout`\n - Deprecated properties:\n * `nginx_upstream_keepalive`\n * `nginx_upstream_keepalive_requests`\n * `nginx_upstream_keepalive_timeout`\n\n Additionally, this change allows for specifying an indefinite amount of max\n requests and idle timeout threshold for upstream keepalive connections, a\n capability that was previously removed by Nginx 1.15.3.\n [#5771](https://github.com/Kong/kong/pull/5771)\n- The default certificate for the proxy can now be configured via Admin API\n using the `/certificates` endpoint. A special `*` SNI has been introduced\n which stands for the default certificate.\n [#5404](https://github.com/Kong/kong/pull/5404)\n- Add support for PKI in Hybrid Mode mTLS.\n [#5396](https://github.com/Kong/kong/pull/5396)\n- Add `X-Forwarded-Prefix` to set of headers forwarded to upstream requests.\n [#5620](https://github.com/Kong/kong/pull/5620)\n- Introduce a `_transform` option to declarative configuration, which allows\n importing basicauth credentials with and without hashed passwords. This change\n is only supported in declarative configuration format version `2.1`.\n [#5835](https://github.com/Kong/kong/pull/5835)\n- Add capability to define different consistency levels for read and write\n operations in Cassandra. New configuration properties `cassandra_write_consistency`\n and `cassandra_read_consistency` were introduced and the existing\n `cassandra_consistency` property was deprecated.\n Thanks [Abhishekvrshny](https://github.com/Abhishekvrshny) for the patch!\n [#5812](https://github.com/Kong/kong/pull/5812)\n- Introduce certificate expiry and CA constraint checks to Hybrid Mode\n certificates (`cluster_cert` and `cluster_ca_cert`).\n [#6000](https://github.com/Kong/kong/pull/6000)\n- Introduce new attributes to the Services entity, allowing for customizations\n in TLS verification parameters:\n [#5976](https://github.com/Kong/kong/pull/5976)\n * `tls_verify`: whether TLS verification is enabled while handshaking\n with the upstream Service\n * `tls_verify_depth`: the maximum depth of verification when validating\n upstream Service's TLS certificate\n * `ca_certificates`: the CA trust store to use when validating upstream\n Service's TLS certificate\n- Introduce new attribute `client_certificate` in Upstreams entry, used\n for supporting mTLS in active health checks.\n [#5838](https://github.com/Kong/kong/pull/5838)\n\n##### CLI\n\n- Migrations: add a new `--force` flag to `kong migrations bootstrap`.\n [#5635](https://github.com/Kong/kong/pull/5635)\n\n##### Configuration\n\n- Introduce configuration property `db_cache_neg_ttl`, allowing the configuration\n of negative TTL for DB entities.\n Thanks [ealogar](https://github.com/ealogar) for the patch!\n [#5397](https://github.com/Kong/kong/pull/5397)\n\n##### PDK\n\n- Support `kong.response.exit` in Stream (L4) proxy mode.\n [#5524](https://github.com/Kong/kong/pull/5524)\n- Introduce `kong.request.get_forwarded_path` method, which returns\n the path component of the request's URL, but also considers\n `X-Forwarded-Prefix` if it comes from a trusted source.\n [#5620](https://github.com/Kong/kong/pull/5620)\n- Introduce `kong.response.error` method, that allows PDK users to exit with\n an error while honoring the Accept header or manually forcing a content-type.\n [#5562](https://github.com/Kong/kong/pull/5562)\n- Introduce `kong.client.tls` module, which provides the following methods for\n interacting with downstream mTLS:\n * `kong.client.tls.request_client_certificate()`: request client to present its\n client-side certificate to initiate mutual TLS authentication between server\n and client.\n * `kong.client.tls.disable_session_reuse()`: prevent the TLS session for the current\n connection from being reused by disabling session ticket and session ID for\n the current TLS connection.\n * `kong.client.tls.get_full_client_certificate_chain()`: return the PEM encoded\n downstream client certificate chain with the client certificate at the top\n and intermediate certificates (if any) at the bottom.\n [#5890](https://github.com/Kong/kong/pull/5890)\n- Introduce `kong.log.serialize` method.\n [#5995](https://github.com/Kong/kong/pull/5995)\n- Introduce new methods to the `kong.service` PDK module:\n * `kong.service.set_tls_verify()`: set whether TLS verification is enabled while\n handshaking with the upstream Service\n * `kong.service.set_tls_verify_depth()`: set the maximum depth of verification\n when validating upstream Service's TLS certificate\n * `kong.service.set_tls_verify_store()`: set the CA trust store to use when\n validating upstream Service's TLS certificate\n\n##### Plugins\n\n- :fireworks: **New Plugin**: introduce the [grpc-web plugin](https://github.com/Kong/kong-plugin-grpc-web), allowing clients\n to consume gRPC services via the gRPC-Web protocol.\n [#5607](https://github.com/Kong/kong/pull/5607)\n- :fireworks: **New Plugin**: introduce the [grpc-gateway plugin](https://github.com/Kong/kong-plugin-grpc-gateway), allowing\n access to upstream gRPC services through a plain HTTP request.\n [#5939](https://github.com/Kong/kong/pull/5939)\n- Go: add getter and setter methods for `kong.ctx.shared`.\n [#5496](https://github.com/Kong/kong/pull/5496/)\n- Add `X-Credential-Identifier` header to the following authentication plugins:\n * basic-auth\n * key-auth\n * ldap-auth\n * oauth2\n [#5516](https://github.com/Kong/kong/pull/5516)\n- Rate-Limiting: auto-cleanup expired rate-limiting metrics in Postgres.\n [#5498](https://github.com/Kong/kong/pull/5498)\n- OAuth2: add ability to persist refresh tokens throughout their life cycle.\n Thanks [amberheilman](https://github.com/amberheilman) for the patch!\n [#5264](https://github.com/Kong/kong/pull/5264)\n- IP-Restriction: add support for IPv6.\n [#5640](https://github.com/Kong/kong/pull/5640)\n- OAuth2: add support for PKCE.\n Thanks [amberheilman](https://github.com/amberheilman) for the patch!\n [#5268](https://github.com/Kong/kong/pull/5268)\n- OAuth2: allow optional hashing of client secrets.\n [#5610](https://github.com/Kong/kong/pull/5610)\n- aws-lambda: bump from v3.1.0 to v3.4.0\n * Add `host` configuration to allow for custom Lambda endpoints.\n [#35](https://github.com/Kong/kong-plugin-aws-lambda/pull/35)\n- zipkin: bump from 0.2 to 1.1.0\n * Add support for B3 single header\n [#66](https://github.com/Kong/kong-plugin-zipkin/pull/66)\n * Add `traceid_byte_count` config option\n [#74](https://github.com/Kong/kong-plugin-zipkin/pull/74)\n * Add support for W3C header\n [#75](https://github.com/Kong/kong-plugin-zipkin/pull/75)\n * Add new option `header_type`\n [#75](https://github.com/Kong/kong-plugin-zipkin/pull/75)\n- serverless-functions: bump from 0.3.1 to 1.0.0\n * Add ability to run functions in each request processing phase.\n [#21](https://github.com/Kong/kong-plugin-serverless-functions/pull/21)\n- prometheus: bump from 0.7.1 to 0.9.0\n * Performance: significant improvements in throughput and CPU usage.\n [#79](https://github.com/Kong/kong-plugin-prometheus/pull/79)\n * Expose healthiness of upstreams targets.\n Thanks [carnei-ro](https://github.com/carnei-ro) for the patch!\n [#88](https://github.com/Kong/kong-plugin-prometheus/pull/88)\n- rate-limiting: allow rate-limiting by custom header.\n Thanks [carnei-ro](https://github.com/carnei-ro) for the patch!\n [#5969](https://github.com/Kong/kong/pull/5969)\n- session: bumped from 2.3.0 to 2.4.0.\n [#5868](https://github.com/Kong/kong/pull/5868)\n\n### Fixes\n\n##### Core\n\n- Fix memory leak when loading a declarative configuration that fails\n schema validation.\n [#5759](https://github.com/Kong/kong/pull/5759)\n- Fix migration issue where the index for the `ca_certificates` table would\n fail to be created.\n [#5764](https://github.com/Kong/kong/pull/5764)\n- Fix issue where DNS resolution would fail in DB-less mode.\n [#5831](https://github.com/Kong/kong/pull/5831)\n\n##### Admin API\n\n- Disallow `PATCH` on `/upstreams/:upstreams/targets/:targets`\n\n##### Plugins\n\n- Go: fix issue where instances of the same Go plugin applied to different\n Routes would get mixed up.\n [#5597](https://github.com/Kong/kong/pull/5597)\n- Strip `Authorization` value from logged headers. Values are now shown as\n `REDACTED`.\n [#5628](https://github.com/Kong/kong/pull/5628).\n- ACL: respond with HTTP 401 rather than 403 if credentials are not provided.\n [#5452](https://github.com/Kong/kong/pull/5452)\n- ldap-auth: set credential ID upon authentication, allowing subsequent\n plugins (e.g., rate-limiting) to act on said value.\n [#5497](https://github.com/Kong/kong/pull/5497)\n- ldap-auth: hash the cache key generated by the plugin.\n [#5497](https://github.com/Kong/kong/pull/5497)\n- zipkin: bump from 0.2 to 1.1.0\n * Stopped tagging non-erroneous spans with `error=false`.\n [#63](https://github.com/Kong/kong-plugin-zipkin/pull/63)\n * Changed the structure of `localEndpoint` and `remoteEndpoint`.\n [#63](https://github.com/Kong/kong-plugin-zipkin/pull/63)\n * Store annotation times in microseconds.\n [#71](https://github.com/Kong/kong-plugin-zipkin/pull/71)\n * Prevent an error triggered when timing-related kong variables\n were not present.\n [#71](https://github.com/Kong/kong-plugin-zipkin/pull/71)\n- aws-lambda: AWS regions are no longer validated against a hardcoded list; if an\n invalid region name is provided, a proxy Internal Server Error is raised,\n and a DNS resolution error message is logged.\n [#33](https://github.com/Kong/kong-plugin-aws-lambda/pull/33)\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.0.5]\n\n> Released 2020/06/30\n\n### Dependencies\n\n- Bump OpenSSL version from `1.1.1f` to `1.1.1g`.\n [#5820](https://github.com/Kong/kong/pull/5810)\n- Bump [go-pluginserver](https://github.com/Kong/go-pluginserver) from version\n from `0.2.0` to `0.3.2`, leveraging [go-pdk](https://github.com/Kong/go-pdk) `0.3.1`.\n See the [go-pdk changelog](https://github.com/Kong/go-pdk/blob/master/CHANGELOG.md#v031).\n\n### Fixes\n\n##### Core\n\n- Fix a race condition leading to random config fetching failure in DB-less mode.\n [#5833](https://github.com/Kong/kong/pull/5833)\n- Fix issue where a respawned worker would not use the existing configuration\n in DB-less mode.\n [#5850](https://github.com/Kong/kong/pull/5850)\n- Fix issue where declarative configuration would fail with the error:\n `Cannot serialise table: excessively sparse array`.\n [#5768](https://github.com/Kong/kong/pull/5865)\n- Targets now support a weight range of 0-65535.\n [#5871](https://github.com/Kong/kong/pull/5871)\n- Make kong.ctx.plugin light-thread safe\n Thanks [tdelaune](https://github.com/tdelaune) for the assistance!\n [#5873](https://github.com/Kong/kong/pull/5873)\n- Go: fix issue with Go plugins where the plugin instance would be\n intermittently killed.\n Thanks [primableatom](https://github.com/primableatom) for the patch!\n [#5903](https://github.com/Kong/kong/pull/5903)\n- Auto-convert `config.anonymous` from empty string to the `ngx.null` value.\n [#5906](https://github.com/Kong/kong/pull/5906)\n- Fix issue where DB-less wouldn't correctly validate input with missing IDs,\n names, or cache key.\n [#5929](https://github.com/Kong/kong/pull/5929)\n- Fix issue where a request to the upstream health endpoint would fail with\n HTTP 500 Internal Server Error.\n [#5943](https://github.com/Kong/kong/pull/5943)\n- Fix issue where providing a declarative configuration file containing\n fields with explicit null values would result in an error.\n [#5999](https://github.com/Kong/kong/pull/5999)\n- Fix issue where the balancer wouldn't be built for all workers.\n [#5931](https://github.com/Kong/kong/pull/5931)\n- Fix issue where a declarative configuration file with primary keys specified\n as numbers would result in an error.\n [#6005](https://github.com/Kong/kong/pull/6005)\n\n##### CLI\n\n##### Configuration\n\n- Fix issue where the Postgres password from the Kong configuration file\n would be truncated if it contained a `#` character.\n [#5822](https://github.com/Kong/kong/pull/5822)\n\n##### Admin API\n\n- Fix issue where a `PUT` request on `/upstreams/:upstreams/targets/:targets`\n would result in HTTP 500 Internal Server Error.\n [#6012](https://github.com/Kong/kong/pull/6012)\n\n##### PDK\n\n- Stop request processing flow if body encoding fails.\n [#5829](https://github.com/Kong/kong/pull/5829)\n- Ensure `kong.service.set_target()` includes the port number if a non-default\n port is used.\n [#5996](https://github.com/Kong/kong/pull/5996)\n\n##### Plugins\n\n- Go: fix issue where the go-pluginserver would not reload Go plugins'\n configurations.\n Thanks [wopol](https://github.com/wopol) for the patch!\n [#5866](https://github.com/Kong/kong/pull/5866)\n- basic-auth: avoid fetching credentials when password is not given.\n Thanks [Abhishekvrshny](https://github.com/Abhishekvrshny) for the patch!\n [#5880](https://github.com/Kong/kong/pull/5880)\n- cors: avoid overwriting upstream response `Vary` header; new values are now\n added as additional `Vary` headers.\n Thanks [aldor007](https://github.com/aldor007) for the patch!\n [#5794](https://github.com/Kong/kong/pull/5794)\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.0.4]\n\n> Released 2020/04/22\n\n### Fixes\n\n##### Core\n\n - Disable JIT mlcache:get_bulk() on ARM64\n [#5797](https://github.com/Kong/kong/pull/5797)\n - Don't incrementing log counters on unexpected errors\n [#5783](https://github.com/Kong/kong/pull/5783)\n - Invalidate target history at cleanup so balancers stay synced\n [#5775](https://github.com/Kong/kong/pull/5775)\n - Set a log prefix with the upstream name\n [#5773](https://github.com/Kong/kong/pull/5773)\n - Fix memory leaks when loading a declarative config that fails schema validation\n [#5766](https://github.com/Kong/kong/pull/5766)\n - Fix some balancer and cluster_events issues\n [#5804](https://github.com/Kong/kong/pull/5804)\n\n##### Configuration\n\n - Send declarative config updates to stream subsystem via Unix domain\n [#5786](https://github.com/Kong/kong/pull/5786)\n - Now when using declarative configurations the cache is purged on reload, cleaning any references to removed entries\n [#5769](https://github.com/Kong/kong/pull/5769)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.0.3]\n\n> Released 2020/04/06\n\nThis is a patch release in the 2.0 series. Being a patch release, it strictly\ncontains performance improvements and bugfixes. The are no new features or\nbreaking changes.\n\n### Fixes\n\n##### Core\n\n - Setting the target weight to 0 does not automatically remove the upstream.\n [#5710](https://github.com/Kong/kong/pull/5710).\n - The plugins iterator is now always fully built, even if the initialization\n of any of them fails.\n [#5692](https://github.com/Kong/kong/pull/5692).\n - Fixed the load of `dns_not_found_ttl` and `dns_error_ttl` configuration\n options.\n [#5684](https://github.com/Kong/kong/pull/5684).\n - Consumers and tags are properly warmed-up from the plugins' perspective,\n i.e. they are loaded to the cache space that plugins access.\n [#5669](https://github.com/Kong/kong/pull/5669).\n - Customized error messages don't affect subsequent default error responses\n now.\n [#5673](https://github.com/Kong/kong/pull/5673).\n\n##### CLI\n\n - Fixed the `lua_package_path` option precedence over `LUA_PATH` environment\n variable.\n [#5729](https://github.com/Kong/kong/pull/5729).\n - Support to Nginx binary upgrade by correctly handling the `USR2` signal.\n [#5657](https://github.com/Kong/kong/pull/5657).\n\n##### Configuration\n\n - Fixed the logrotate configuration file with the right line terminators.\n [#243](https://github.com/Kong/kong-build-tools/pull/243).\n Thanks, [WALL-E](https://github.com/WALL-E)\n\n##### Admin API\n\n - Fixed the `sni is duplicated` error when sending multiple `SNIs` as body\n arguments and an `SNI` on URL that matched one from the body.\n [#5660](https://github.com/Kong/kong/pull/5660).\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.0.2]\n\n> Released 2020/02/27\n\nThis is a patch release in the 2.0 series. Being a patch release, it strictly\ncontains performance improvements and bugfixes. The are no new features or\nbreaking changes.\n\n### Fixes\n\n##### Core\n\n - Fix issue related to race condition in Cassandra select each method\n [#5564](https://github.com/Kong/kong/pull/5564).\n Thanks, [vasuharish](https://github.com/vasuharish)!\n - Fix issue related to running control plane under multiple Nginx workers\n [#5612](https://github.com/Kong/kong/pull/5612).\n - Don't change route paths when marshaling\n [#5587](https://github.com/Kong/kong/pull/5587).\n - Fix propagation of posted health across workers\n [#5539](https://github.com/Kong/kong/pull/5539).\n - Use proper units for timeouts with cassandra\n [#5571](https://github.com/Kong/kong/pull/5571).\n - Fix broken SNI based routing in L4 proxy mode\n [#5533](https://github.com/Kong/kong/pull/5533).\n\n##### Plugins\n\n - Enable the ACME plugin by default\n [#5555](https://github.com/Kong/kong/pull/5555).\n - Accept consumer username in anonymous field\n [#5552](https://github.com/Kong/kong/pull/5552).\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.0.1]\n\n> Released 2020/02/04\n\nThis is a patch release in the 2.0 series. Being a patch release, it strictly\ncontains performance improvements and bugfixes. The are no new features or\nbreaking changes.\n\n\n### Fixes\n\n##### Core\n\n - Migrations include the configured Lua path now\n [#5509](https://github.com/Kong/kong/pull/5509).\n - Hop-by-hop headers to not clear upgrade header on upgrade\n [#5495](https://github.com/Kong/kong/pull/5495).\n - Balancers now properly check if a response is produced by an upstream\n [#5493](https://github.com/Kong/kong/pull/5493).\n Thanks, [onematchfox](https://github.com/onematchfox)!\n - Kong correctly logs an error message when the Lua VM cannot allocate memory\n [#5479](https://github.com/Kong/kong/pull/5479)\n Thanks, [pamiel](https://github.com/pamiel)!\n - Schema validations work again in DB-less mode\n [#5464](https://github.com/Kong/kong/pull/5464).\n\n##### Plugins\n\n - oauth2: handle `Authorization` headers with missing `access_token` correctly.\n [#5514](https://github.com/Kong/kong/pull/5514).\n Thanks, [jeremyjpj0916](https://github.com/jeremyjpj0916)!\n - oauth2: hash oauth2_tokens cache key via the DAO\n [#5507](https://github.com/Kong/kong/pull/5507)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [2.0.0]\n\n> Released 2020/01/20\n\nThis is a new major release of Kong, including new features such as **Hybrid\nmode**, **Go language support for plugins** and **buffered proxying**, and\nmuch more.\n\nKong 2.0.0 removes the deprecated service mesh functionality, which was\nbeen retired in favor of [Kuma](https://kuma.io), as Kong continues to\nfocus on its core gateway capabilities.\n\nPlease note that Kong 2.0.0 also removes support for migrating from versions\nbelow 1.0.0. If you are running Kong 0.x versions below 0.14.1, you need to\nmigrate to 0.14.1 first, and once you are running 0.14.1, you can migrate to\nKong 1.5.0, which includes special provisions for migrating from Kong 0.x,\nsuch as the `kong migrations migrate-apis` command, and then finally to Kong\n2.0.0.\n\n### Dependencies\n\n- :warning: The required OpenResty version is\n [1.15.8.2](http://openresty.org/en/changelog-1015008.html), and the\n the set of patches included has changed, including the latest release of\n [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module).\n If you are installing Kong from one of our distribution\n packages, you are not affected by this change.\n\n**Note:** if you are not using one of our distribution packages and compiling\nOpenResty from source, you must still apply Kong's [OpenResty\npatches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/openresty-patches)\n(and, as highlighted above, compile OpenResty with the new\nlua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools)\nrepository will allow you to do both easily.\n\n### Packaging\n\n- RPM packages are now signed with our own GPG keys. You can download our public\n key at https://bintray.com/user/downloadSubjectPublicKey?username=kong\n- Kong now ships with a systemd unit file\n\n### Additions\n\n##### Core\n\n - :fireworks: **Hybrid mode** for management of control-plane and\n data-plane nodes. This allows running control-plane nodes using a\n database and have them deliver configuration updates to DB-less\n data-plane nodes.\n [#5294](https://github.com/Kong/kong/pull/5294)\n - :fireworks: **Buffered proxying** - plugins can now request buffered\n reading of the service response (as opposed to the streaming default),\n allowing them to modify headers based on the contents of the body\n [#5234](https://github.com/Kong/kong/pull/5234)\n - The `transformations` in DAO schemas now also support `on_read`,\n allowing for two-way (read/write) data transformations between\n Admin API input/output and database storage.\n [#5100](https://github.com/Kong/kong/pull/5100)\n - Added `threshold` attribute for health checks\n [#5206](https://github.com/Kong/kong/pull/5206)\n - Caches for core entities and plugin-controlled entities (such as\n credentials, etc.) are now separated, protecting the core entities\n from cache eviction caused by plugin behavior.\n [#5114](https://github.com/Kong/kong/pull/5114)\n - Cipher suite was updated to the Mozilla v5 release.\n [#5342](https://github.com/Kong/kong/pull/5342)\n - Better support for using already existing Cassandra keyspaces\n when migrating\n [#5361](https://github.com/Kong/kong/pull/5361)\n - Better log messages when plugin modules fail to load\n [#5357](https://github.com/Kong/kong/pull/5357)\n - `stream_listen` now supports the `backlog` option.\n [#5346](https://github.com/Kong/kong/pull/5346)\n - The internal cache was split into two independent segments,\n `kong.core_cache` and `kong.cache`. The `core_cache` region is\n used by the Kong core to store configuration data that doesn't\n change often. The other region is used to store plugin\n runtime data that is dependent on traffic pattern and user\n behavior. This change should decrease the cache contention\n between Kong core and plugins and result in better performance\n overall.\n - :warning: Note that both structures rely on the already existent\n `mem_cache_size` configuration option to set their size,\n so when upgrading from a previous Kong version, the cache\n memory consumption might double if this value is not adjusted\n [#5114](https://github.com/Kong/kong/pull/5114)\n\n##### CLI\n\n - `kong config init` now accepts a filename argument\n [#4451](https://github.com/Kong/kong/pull/4451)\n\n##### Configuration\n\n - :fireworks: **Extended support for Nginx directive injections**\n via Kong configurations, reducing the needs for custom Nginx\n templates. New injection contexts were added: `nginx_main_`,\n `nginx_events` and `nginx_supstream_` (`upstream` in `stream`\n mode).\n [#5390](https://github.com/Kong/kong/pull/5390)\n - Enable `reuseport` option in the listen directive by default\n and allow specifying both `reuseport` and `backlog=N` in the\n listener flags.\n [#5332](https://github.com/Kong/kong/pull/5332)\n - Check existence of `lua_ssl_trusted_certificate` at startup\n [#5345](https://github.com/Kong/kong/pull/5345)\n\n##### Admin API\n\n - Added `/upstreams//health?balancer_health=1` attribute for\n detailed information about balancer health based on health\n threshold configuration\n [#5206](https://github.com/Kong/kong/pull/5206)\n\n##### PDK\n\n - New functions `kong.service.request.enable_buffering`,\n `kong.service.response.get_raw_body` and\n `kong.service.response.get_body` for use with buffered proxying\n [#5315](https://github.com/Kong/kong/pull/5315)\n\n##### Plugins\n\n - :fireworks: **Go plugin support** - plugins can now be written in\n Go as well as Lua, through the use of an out-of-process Go plugin server.\n [#5326](https://github.com/Kong/kong/pull/5326)\n - The lifecycle of the Plugin Server daemon for Go language support is\n managed by Kong itself.\n [#5366](https://github.com/Kong/kong/pull/5366)\n - :fireworks: **New plugin: ACME** - Let's Encrypt and ACMEv2 integration with Kong\n [#5333](https://github.com/Kong/kong/pull/5333)\n - :fireworks: aws-lambda: bumped version to 3.0.1, with a number of new features!\n [#5083](https://github.com/Kong/kong/pull/5083)\n - :fireworks: prometheus: bumped to version 0.7.0 including major performance improvements\n [#5295](https://github.com/Kong/kong/pull/5295)\n - zipkin: bumped to version 0.2.1\n [#5239](https://github.com/Kong/kong/pull/5239)\n - session: bumped to version 2.2.0, adding `authenticated_groups` support\n [#5108](https://github.com/Kong/kong/pull/5108)\n - rate-limiting: added experimental support for standardized headers based on the\n ongoing [RFC draft](https://tools.ietf.org/html/draft-polli-ratelimit-headers-01)\n [#5335](https://github.com/Kong/kong/pull/5335)\n - rate-limiting: added Retry-After header on HTTP 429 responses\n [#5329](https://github.com/Kong/kong/pull/5329)\n - datadog: report metrics with tags --\n Thanks [mvanholsteijn](https://github.com/mvanholsteijn) for the patch!\n [#5154](https://github.com/Kong/kong/pull/5154)\n - request-size-limiting: added `size_unit` configuration option.\n [#5214](https://github.com/Kong/kong/pull/5214)\n - request-termination: add extra check for `conf.message` before sending\n response back with body object included.\n [#5202](https://github.com/Kong/kong/pull/5202)\n - jwt: add `X-Credential-Identifier` header in response --\n Thanks [davinwang](https://github.com/davinwang) for the patch!\n [#4993](https://github.com/Kong/kong/pull/4993)\n\n### Fixes\n\n##### Core\n\n - Correct detection of update upon deleting Targets --\n Thanks [pyrl247](https://github.com/pyrl247) for the patch!\n - Fix declarative config loading of entities with abstract records\n [#5343](https://github.com/Kong/kong/pull/5343)\n - Fix sort priority when matching routes by longest prefix\n [#5430](https://github.com/Kong/kong/pull/5430)\n - Detect changes in Routes that happen halfway through a router update\n [#5431](https://github.com/Kong/kong/pull/5431)\n\n##### Admin API\n\n - Corrected the behavior when overwriting a Service configuration using\n the `url` shorthand\n [#5315](https://github.com/Kong/kong/pull/5315)\n\n##### Core\n\n - :warning: **Removed Service Mesh support** - That has been deprecated in\n Kong 1.4 and made off-by-default already, and the code is now gone in 2.0.\n For Service Mesh, we now have [Kuma](https://kuma.io), which is something\n designed for Mesh patterns from day one, so we feel at peace with removing\n Kong's native Service Mesh functionality and focus on its core capabilities\n as a gateway.\n\n##### Configuration\n\n - Routes using `tls` are now supported in stream mode by adding an\n entry in `stream_listen` with the `ssl` keyword enabled.\n [#5346](https://github.com/Kong/kong/pull/5346)\n - As part of service mesh removal, serviceless proxying was removed.\n You can still set `service = null` when creating a route for use with\n serverless plugins such as `aws-lambda`, or `request-termination`.\n [#5353](https://github.com/Kong/kong/pull/5353)\n - Removed the `origins` property which was used for service mesh.\n [#5351](https://github.com/Kong/kong/pull/5351)\n - Removed the `transparent` property which was used for service mesh.\n [#5350](https://github.com/Kong/kong/pull/5350)\n - Removed the `nginx_optimizations` property; the equivalent settings\n can be performed via Nginx directive injections.\n [#5390](https://github.com/Kong/kong/pull/5390)\n - The Nginx directive injection prefixes `nginx_http_upstream_`\n and `nginx_http_status_` were renamed to `nginx_upstream_` and\n `nginx_status_` respectively.\n [#5390](https://github.com/Kong/kong/pull/5390)\n\n##### Plugins\n\n - Removed the Sidecar Injector plugin which was used for service mesh.\n [#5199](https://github.com/Kong/kong/pull/5199)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [1.5.1]\n\n> Released 2020/02/19\n\nThis is a patch release over 1.5.0, fixing a minor issue in the `kong migrations migrate-apis`\ncommand, which assumed execution in a certain order in the migration process. This now\nallows the command to be executed prior to running the migrations from 0.x to 1.5.1.\n\n### Fixes\n\n##### CLI\n\n - Do not assume new fields are already available when running `kong migrations migrate-apis`\n [#5572](https://github.com/Kong/kong/pull/5572)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [1.5.0]\n\n> Released 2020/01/20\n\nKong 1.5.0 is the last release in the Kong 1.x series, and it was designed to\nhelp Kong 0.x users upgrade out of that series and into more current releases.\nKong 1.5.0 includes two features designed to ease the transition process: the\nnew `kong migrations migrate-apis` commands, to help users migrate away from\nold `apis` entities which were deprecated in Kong 0.13.0 and removed in Kong\n1.0.0, and a compatibility flag to provide better router compatibility across\nKong versions.\n\n### Additions\n\n##### Core\n\n - New `path_handling` attribute in Routes entities, which selects the behavior\n the router will have when combining the Service Path, the Route Path, and\n the Request path into a single path sent to the upstream. This attribute\n accepts two values, `v0` or `v1`, making the router behave as in Kong 0.x or\n Kong 1.x, respectively. [#5360](https://github.com/Kong/kong/pull/5360)\n\n##### CLI\n\n - New command `kong migrations migrate-apis`, which converts any existing\n `apis` from an old Kong 0.x installation and generates Route, Service and\n Plugin entities with equivalent configurations. The converted routes are\n set to use `path_handling = v0`, to ensure compatibility.\n [#5176](https://github.com/Kong/kong/pull/5176)\n\n### Fixes\n\n##### Core\n\n - Fixed the routing prioritization that could lead to a match in a lower\n priority path. [#5443](https://github.com/Kong/kong/pull/5443)\n - Changes in router or plugins entities while the rebuild is in progress now\n are treated in the next rebuild, avoiding to build invalid iterators.\n [#5431](https://github.com/Kong/kong/pull/5431)\n - Fixed invalid incorrect calculation of certificate validity period.\n [#5449](https://github.com/Kong/kong/pull/5449) -- Thanks\n [Bevisy](https://github.com/Bevisy) for the patch!\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [1.4.3]\n\n> Released 2020/01/09\n\n:warning: This release includes a security fix to address potentially\nsensitive information being written to the error log file. This affects\ncertain uses of the Admin API for DB-less mode, described below.\n\nThis is a patch release in the 1.4 series, and as such, strictly contains\nbugfixes. There are no new features nor breaking changes.\n\n### Fixes\n\n##### Core\n\n - Fix the detection of the need for balancer updates\n when deleting targets\n [#5352](https://github.com/kong/kong/issues/5352) --\n Thanks [zeeshen](https://github.com/zeeshen) for the patch!\n - Fix behavior of longest-path criteria when matching routes\n [#5383](https://github.com/kong/kong/issues/5383)\n - Fix incorrect use of cache when using header-based routing\n [#5267](https://github.com/kong/kong/issues/5267) --\n Thanks [marlonfan](https://github.com/marlonfan) for the patch!\n\n##### Admin API\n\n - Do not make a debugging dump of the declarative config input into\n `error.log` when posting it with `/config` and using `_format_version`\n as a top-level parameter (instead of embedded in the `config` parameter).\n [#5411](https://github.com/kong/kong/issues/5411)\n - Fix incorrect behavior of PUT for /certificates\n [#5321](https://github.com/kong/kong/issues/5321)\n\n##### Plugins\n\n - acl: fixed an issue where getting ACLs by group failed when multiple\n consumers share the same group\n [#5322](https://github.com/kong/kong/issues/5322)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [1.4.2]\n\n> Released 2019/12/10\n\nThis is another patch release in the 1.4 series, and as such, strictly\ncontains bugfixes. There are no new features nor breaking changes.\n\n### Fixes\n\n##### Core\n\n - Fixes some corner cases in the balancer behavior\n [#5318](https://github.com/Kong/kong/pull/5318)\n\n##### Plugins\n\n - http-log: disable queueing when using the default\n settings, to avoid memory consumption issues\n [#5323](https://github.com/Kong/kong/pull/5323)\n - prometheus: restore compatibility with version 0.6.0\n [#5303](https://github.com/Kong/kong/pull/5303)\n\n\n[Back to TOC](#table-of-contents)\n\n\n## [1.4.1]\n\n> Released 2019/12/03\n\nThis is a patch release in the 1.4 series, and as such, strictly contains\nbugfixes. There are no new features nor breaking changes.\n\n### Fixes\n\n##### Core\n\n - Fixed a memory leak in the balancer\n [#5229](https://github.com/Kong/kong/pull/5229) --\n Thanks [zeeshen](https://github.com/zeeshen) for the patch!\n - Removed arbitrary limit on worker connections.\n [#5148](https://github.com/Kong/kong/pull/5148)\n - Fixed `preserve_host` behavior for gRPC routes\n [#5225](https://github.com/Kong/kong/pull/5225)\n - Fix migrations for ttl for OAuth2 tokens\n [#5253](https://github.com/Kong/kong/pull/5253)\n - Improve handling of errors when creating balancers\n [#5284](https://github.com/Kong/kong/pull/5284)\n\n##### CLI\n\n - Fixed an issue with `kong config db_export` when reading\n entities that are ttl-enabled and whose ttl value is `null`.\n [#5185](https://github.com/Kong/kong/pull/5185)\n\n##### Admin API\n\n - Various fixes for Admin API behavior\n [#5174](https://github.com/Kong/kong/pull/5174),\n [#5178](https://github.com/Kong/kong/pull/5178),\n [#5191](https://github.com/Kong/kong/pull/5191),\n [#5186](https://github.com/Kong/kong/pull/5186)\n\n##### Plugins\n\n - http-log: do not impose a retry delay on successful sends\n [#5282](https://github.com/Kong/kong/pull/5282)\n\n\n[Back to TOC](#table-of-contents)\n\n## [1.4.0]\n\n> Released on 2019/10/22\n\n### Installation\n\n - :warning: All Bintray assets have been renamed from `.all.` / `.noarch.` to be\n architecture specific namely `.arm64.` and `.amd64.`\n\n### Additions\n\n##### Core\n\n - :fireworks: New configuration option `cassandra_refresh_frequency` to set\n the frequency that Kong will check for Cassandra cluster topology changes,\n avoiding restarts when Cassandra nodes are added or removed.\n [#5071](https://github.com/Kong/kong/pull/5071)\n - New `transformations` property in DAO schemas, which allows adding functions\n that run when database rows are inserted or updated.\n [#5047](https://github.com/Kong/kong/pull/5047)\n - The new attribute `hostname` has been added to `upstreams` entities. This\n attribute is used as the `Host` header when proxying requests through Kong\n to servers that are listening on server names that are different from the\n names to which they resolve.\n [#4959](https://github.com/Kong/kong/pull/4959)\n - New status interface has been introduced. It exposes insensitive health,\n metrics and error read-only information from Kong, which can be consumed by\n other services in the infrastructure to monitor Kong's health.\n This removes the requirement of the long-used workaround to monitor Kong's\n health by injecting a custom server block.\n [#4977](https://github.com/Kong/kong/pull/4977)\n - New Admin API response header `X-Kong-Admin-Latency`, reporting the time\n taken by Kong to process an Admin API request.\n [#4966](https://github.com/Kong/kong/pull/4996/files)\n\n##### Configuration\n\n - :warning: New configuration option `service_mesh` which enables or disables\n the Service Mesh functionality. The Service Mesh is being deprecated and\n will not be available in the next releases of Kong.\n [#5124](https://github.com/Kong/kong/pull/5124)\n - New configuration option `router_update_frequency` that allows setting the\n frequency that router and plugins will be checked for changes. This new\n option avoids performance degradation when Kong routes or plugins are\n frequently changed. [#4897](https://github.com/Kong/kong/pull/4897)\n\n##### Plugins\n\n - rate-limiting: in addition to consumer, credential, and IP levels, now\n rate-limiting plugin has service-level support. Thanks\n [wuguangkuo](https://github.com/wuguangkuo) for the patch!\n [#5031](https://github.com/Kong/kong/pull/5031)\n - Now rate-limiting `local` policy counters expire using the shared\n dictionary's TTL, avoiding to keep unnecessary counters in memory. Thanks\n [cb372](https://github.com/cb372) for the patch!\n [#5029](https://github.com/Kong/kong/pull/5029)\n - Authentication plugins have support for tags now.\n [#4945](https://github.com/Kong/kong/pull/4945)\n - response-transformer plugin now supports renaming response headers. Thanks\n [aalmazanarbs](https://github.com/aalmazanarbs) for the patch!\n [#5040](https://github.com/Kong/kong/pull/5040)\n\n### Fixes\n\n##### Core\n\n - :warning: Service Mesh is known to cause HTTPS requests to upstream to\n ignore `proxy_ssl*` directives, so it is being discontinued in the next\n major release of Kong. In this release it is disabled by default, avoiding\n this issue, and it can be enabled as aforementioned in the configuration\n section. [#5124](https://github.com/Kong/kong/pull/5124)\n - Fixed an issue on reporting the proper request method and URL arguments on\n NGINX-produced errors in logging plugins.\n [#5073](https://github.com/Kong/kong/pull/5073)\n - Fixed an issue where targets were not properly updated in all Kong workers\n when they were removed. [#5041](https://github.com/Kong/kong/pull/5041)\n - Deadlocks cases in database access functions when using Postgres and\n cleaning up `cluster_events` in high-changing scenarios were fixed.\n [#5118](https://github.com/Kong/kong/pull/5118)\n - Fixed issues with tag-filtered GETs on Cassandra-backed nodes.\n [#5105](https://github.com/Kong/kong/pull/5105)\n\n##### Configuration\n\n - Fixed Lua parsing and error handling in declarative configurations.\n [#5019](https://github.com/Kong/kong/pull/5019)\n - Automatically escape any unescaped `#` characters in parsed `KONG_*`\n environment variables. [#5062](https://github.com/Kong/kong/pull/5062)\n\n##### Plugins\n\n - file-log: creates log file with proper permissions when Kong uses\n declarative config. [#5028](https://github.com/Kong/kong/pull/5028)\n - basic-auth: fixed credentials parsing when using DB-less\n configurations. [#5080](https://github.com/Kong/kong/pull/5080)\n - jwt: plugin handles empty claims and return the correct error message.\n [#5123](https://github.com/Kong/kong/pull/5123)\n Thanks to [@jeremyjpj0916](https://github.com/jeremyjpj0916) for the patch!\n - serverless-functions: Lua code in declarative configurations is validated\n and loaded correctly.\n [#24](https://github.com/Kong/kong-plugin-serverless-functions/pull/24)\n - request-transformer: fixed bug on removing and then adding request headers\n with the same name.\n [#9](https://github.com/Kong/kong-plugin-request-transformer/pull/9)\n\n\n[Back to TOC](#table-of-contents)\n\n## [1.3.0]\n\n> Released on 2019/08/21\n\nKong 1.3 is the first version to officially support **gRPC proxying**!\n\nFollowing our vision for Kong to proxy modern Web services protocols, we are\nexcited for this newest addition to the family of protocols already supported\nby Kong (HTTP(s), WebSockets, and TCP). As we have recently stated in our\nlatest [Community Call](https://konghq.com/community-call/), more protocols are\nto be expected in the future.\n\nAdditionally, this release includes several highly-requested features such as\nsupport for upstream **mutual TLS**, **header-based routing** (not only\n`Host`), **database export**, and **configurable upstream keepalive\ntimeouts**.\n\n### Changes\n\n##### Dependencies\n\n- :warning: The required OpenResty version has been bumped to\n [1.15.8.1](http://openresty.org/en/changelog-1015008.html). If you are\n installing Kong from one of our distribution packages, you are not affected\n by this change. See [#4382](https://github.com/Kong/kong/pull/4382).\n With this new version comes a number of improvements:\n 1. The new [ngx\\_http\\_grpc\\_module](https://nginx.org/en/docs/http/ngx_http_grpc_module.html).\n 2. Configurable of upstream keepalive connections by timeout or number of\n requests.\n 3. Support for ARM64 architectures.\n 4. LuaJIT GC64 mode for x86_64 architectures, raising the LuaJIT GC-managed\n memory limit from 2GB to 128TB and producing more predictable GC\n performance.\n- :warning: From this version on, the new\n [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module) Nginx\n module is **required** to be built into OpenResty for Kong to function\n properly. This new module allows Kong to support new features such as mutual\n TLS authentication. If you are installing Kong from one of our distribution\n packages, you are not affected by this change.\n [openresty-build-tools#26](https://github.com/Kong/openresty-build-tools/pull/26)\n\n**Note:** if you are not using one of our distribution packages and compiling\nOpenResty from source, you must still apply Kong's [OpenResty\npatches](https://github.com/kong/openresty-patches) (and, as highlighted above,\ncompile OpenResty with the new lua-kong-nginx-module). Our new\n[openresty-build-tools](https://github.com/Kong/openresty-build-tools)\nrepository will allow you to do both easily.\n\n##### Core\n\n- :warning: Bugfixes in the router *may, in some edge-cases*, result in\n different Routes being matched. It was reported to us that the router behaved\n incorrectly in some cases when configuring wildcard Hosts and regex paths\n (e.g. [#3094](https://github.com/Kong/kong/issues/3094)). It may be so that\n you are subject to these bugs without realizing it. Please ensure that\n wildcard Hosts and regex paths Routes you have configured are matching as\n expected before upgrading.\n See [9ca4dc0](https://github.com/Kong/kong/commit/9ca4dc09fdb12b340531be8e0f9d1560c48664d5),\n [2683b86](https://github.com/Kong/kong/commit/2683b86c2f7680238e3fe85da224d6f077e3425d), and\n [6a03e1b](https://github.com/Kong/kong/commit/6a03e1bd95594716167ccac840ff3e892ed66215)\n for details.\n- Upstream connections are now only kept-alive for 100 requests or 60 seconds\n (idle) by default. Previously, upstream connections were not actively closed\n by Kong. This is a (non-breaking) change in behavior, inherited from Nginx\n 1.15, and configurable via new configuration properties (see below).\n\n##### Configuration\n\n- :warning: The `upstream_keepalive` configuration property is deprecated, and\n replaced by the new `nginx_http_upstream_keepalive` property. Its behavior is\n almost identical, but the notable difference is that the latter leverages the\n [injected Nginx\n directives](https://konghq.com/blog/kong-ce-nginx-injected-directives/)\n feature added in Kong 0.14.0.\n In future releases, we will gradually increase support for injected Nginx\n directives. We have high hopes that this will remove the occasional need for\n custom Nginx configuration templates.\n [#4382](https://github.com/Kong/kong/pull/4382)\n\n### Additions\n\n##### Core\n\n- :fireworks: **Native gRPC proxying.** Two new protocol types; `grpc` and\n `grpcs` correspond to gRPC over h2c and gRPC over h2. They can be specified\n on a Route or a Service's `protocol` attribute (e.g. `protocol = grpcs`).\n When an incoming HTTP/2 request matches a Route with a `grpc(s)` protocol,\n the request will be handled by the\n [ngx\\_http\\_grpc\\_module](https://nginx.org/en/docs/http/ngx_http_grpc_module.html),\n and proxied to the upstream Service according to the gRPC protocol\n specifications. :warning: Note that not all Kong plugins are compatible with\n gRPC requests yet. [#4801](https://github.com/Kong/kong/pull/4801)\n- :fireworks: **Mutual TLS** handshake with upstream services. The Service\n entity now has a new `client_certificate` attribute, which is a foreign key\n to a Certificate entity. If specified, Kong will use the Certificate as a\n client TLS cert during the upstream TLS handshake.\n [#4800](https://github.com/Kong/kong/pull/4800)\n- :fireworks: **Route by any request header**. The router now has the ability\n to match Routes by any request header (not only `Host`). The Route entity now\n has a new `headers` attribute, which is a map of headers names and values.\n E.g. `{ \"X-Forwarded-Host\": [\"example.org\"], \"Version\": [\"2\", \"3\"] }`.\n [#4758](https://github.com/Kong/kong/pull/4758)\n- :fireworks: **Least-connection load-balancing**. A new `algorithm` attribute\n has been added to the Upstream entity. It can be set to `\"round-robin\"`\n (default), `\"consistent-hashing\"`, or `\"least-connections\"`.\n [#4528](https://github.com/Kong/kong/pull/4528)\n- A new core entity, \"CA Certificates\" has been introduced and can be accessed\n via the new `/ca_certificates` Admin API endpoint. CA Certificates entities\n will be used as CA trust store by Kong. Certificates stored by this entity\n need not include their private key.\n [#4798](https://github.com/Kong/kong/pull/4798)\n- Healthchecks now use the combination of IP + Port + Hostname when storing\n upstream health information. Previously, only IP + Port were used. This means\n that different virtual hosts served behind the same IP/port will be treated\n differently with regards to their health status. New endpoints were added to\n the Admin API to manually set a Target's health status.\n [#4792](https://github.com/Kong/kong/pull/4792)\n\n##### Configuration\n\n- :fireworks: A new section in the `kong.conf` file describes [injected Nginx\n directives](https://konghq.com/blog/kong-ce-nginx-injected-directives/)\n (added to Kong 0.14.0) and specifies a few default ones.\n In future releases, we will gradually increase support for injected Nginx\n directives. We have high hopes that this will remove the occasional need for\n custom Nginx configuration templates.\n [#4382](https://github.com/Kong/kong/pull/4382)\n- :fireworks: New configuration properties allow for controlling the behavior of\n upstream keepalive connections. `nginx_http_upstream_keepalive_requests` and\n `nginx_http_upstream_keepalive_timeout` respectively control the maximum\n number of proxied requests and idle timeout of an upstream connection.\n [#4382](https://github.com/Kong/kong/pull/4382)\n- New flags have been added to the `*_listen` properties: `deferred`, `bind`,\n and `reuseport`.\n [#4692](https://github.com/Kong/kong/pull/4692)\n\n##### CLI\n\n- :fireworks: **Database export** via the new `kong config db_export` CLI\n command. This command will export the configuration present in the database\n Kong is connected to (Postgres or Cassandra) as a YAML file following Kong's\n declarative configuration syntax. This file can thus be imported later on\n in a DB-less Kong node or in another database via `kong config db_import`.\n [#4809](https://github.com/Kong/kong/pull/4809)\n\n##### Admin API\n\n- Many endpoints now support more levels of nesting for ease of access.\n For example: `/services/:services/routes/:routes` is now a valid API\n endpoint.\n [#4713](https://github.com/Kong/kong/pull/4713)\n- The API now accepts `form-urlencoded` payloads with deeply nested data\n structures. Previously, it was only possible to send such data structures\n via JSON payloads.\n [#4768](https://github.com/Kong/kong/pull/4768)\n\n##### Plugins\n\n- :fireworks: **New bundled plugin**: the [session\n plugin](https://github.com/Kong/kong-plugin-session) is now bundled in Kong.\n It can be used to manage browser sessions for APIs proxied and authenticated\n by Kong.\n [#4685](https://github.com/Kong/kong/pull/4685)\n- ldap-auth: A new `config.ldaps` property allows configuring the plugin to\n connect to the LDAP server via TLS. It provides LDAPS support instead of only\n relying on STARTTLS.\n [#4743](https://github.com/Kong/kong/pull/4743)\n- jwt-auth: The new `header_names` property accepts an array of header names\n the JWT plugin should inspect when authenticating a request. It defaults to\n `[\"Authorization\"]`.\n [#4757](https://github.com/Kong/kong/pull/4757)\n- [azure-functions](https://github.com/Kong/kong-plugin-azure-functions):\n Bumped to 0.4 for minor fixes and performance improvements.\n- [kubernetes-sidecar-injector](https://github.com/Kong/kubernetes-sidecar-injector):\n The plugin is now more resilient to Kubernetes schema changes.\n- [serverless-functions](https://github.com/Kong/kong-plugin-serverless-functions):\n - Bumped to 0.3 for minor performance improvements.\n - Functions can now have upvalues.\n- [prometheus](https://github.com/Kong/kong-plugin-prometheus): Bumped to\n 0.4.1 for minor performance improvements.\n- cors: add OPTIONS, TRACE and CONNECT to default allowed methods\n [#4899](https://github.com/Kong/kong/pull/4899)\n Thanks to [@eshepelyuk](https://github.com/eshepelyuk) for the patch!\n\n##### PDK\n\n- New function `kong.service.set_tls_cert_key()`. This functions sets the\n client TLS certificate used while handshaking with the upstream service.\n [#4797](https://github.com/Kong/kong/pull/4797)\n\n### Fixes\n\n##### Core\n\n- Fix WebSocket protocol upgrades in some cases due to case-sensitive\n comparisons of the `Upgrade` header.\n [#4780](https://github.com/Kong/kong/pull/4780)\n- Router: Fixed a bug causing invalid matches when configuring two or more\n Routes with a plain `hosts` attribute shadowing another Route's wildcard\n `hosts` attribute. Details of the issue can be seen in\n [01b1cb8](https://github.com/Kong/kong/pull/4775/commits/01b1cb871b1d84e5e93c5605665b68c2f38f5a31).\n [#4775](https://github.com/Kong/kong/pull/4775)\n- Router: Ensure regex paths always have priority over plain paths. Details of\n the issue can be seen in\n [2683b86](https://github.com/Kong/kong/commit/2683b86c2f7680238e3fe85da224d6f077e3425d).\n [#4775](https://github.com/Kong/kong/pull/4775)\n- Cleanup of expired rows in PostgreSQL is now much more efficient thanks to a\n new query plan.\n [#4716](https://github.com/Kong/kong/pull/4716)\n- Improved various query plans against Cassandra instances by increasing the\n default page size.\n [#4770](https://github.com/Kong/kong/pull/4770)\n\n##### Plugins\n\n- cors: ensure non-preflight OPTIONS requests can be proxied.\n [#4899](https://github.com/Kong/kong/pull/4899)\n Thanks to [@eshepelyuk](https://github.com/eshepelyuk) for the patch!\n- Consumer references in various plugin entities are now\n properly marked as required, avoiding credentials that map to no Consumer.\n [#4879](https://github.com/Kong/kong/pull/4879)\n- hmac-auth: Correct the encoding of HTTP/1.0 requests.\n [#4839](https://github.com/Kong/kong/pull/4839)\n- oauth2: empty client_id wasn't checked, causing a server error.\n [#4884](https://github.com/Kong/kong/pull/4884)\n- response-transformer: preserve empty arrays correctly.\n [#4901](https://github.com/Kong/kong/pull/4901)\n\n##### CLI\n\n- Fixed an issue when running `kong restart` and Kong was not running,\n causing stdout/stderr logging to turn off.\n [#4772](https://github.com/Kong/kong/pull/4772)\n\n##### Admin API\n\n- Ensure PUT works correctly when applied to plugin configurations.\n [#4882](https://github.com/Kong/kong/pull/4882)\n\n##### PDK\n\n- Prevent PDK calls from failing in custom content blocks.\n This fixes a misbehavior affecting the Prometheus plugin.\n [#4904](https://github.com/Kong/kong/pull/4904)\n- Ensure `kong.response.add_header` works in the `rewrite` phase.\n [#4888](https://github.com/Kong/kong/pull/4888)\n\n[Back to TOC](#table-of-contents)\n\n## [1.2.2]\n\n> Released on 2019/08/14\n\n:warning: This release includes patches to the NGINX core (1.13.6) fixing\nvulnerabilities in the HTTP/2 module (CVE-2019-9511 CVE-2019-9513\nCVE-2019-9516).\n\nThis is a patch release in the 1.2 series, and as such, strictly contains\nbugfixes. There are no new features nor breaking changes.\n\n### Fixes\n\n##### Core\n\n- Case sensitivity fix when clearing the Upgrade header.\n [#4779](https://github.com/kong/kong/issues/4779)\n\n### Performance\n\n##### Core\n\n- Speed up cascade deletes in Cassandra.\n [#4770](https://github.com/kong/kong/pull/4770)\n\n## [1.2.1]\n\n> Released on 2019/06/26\n\nThis is a patch release in the 1.2 series, and as such, strictly contains\nbugfixes. There are no new features nor breaking changes.\n\n### Fixes\n\n##### Core\n\n- Fix an issue preventing WebSocket connections from being established by\n clients. This issue was introduced in Kong 1.1.2, and would incorrectly clear\n the `Upgrade` response header.\n [#4719](https://github.com/Kong/kong/pull/4719)\n- Fix a memory usage growth issue in the `/config` endpoint when configuring\n Upstream entities. This issue was mostly observed by users of the [Kong\n Ingress Controller](https://github.com/Kong/kubernetes-ingress-controller).\n [#4733](https://github.com/Kong/kong/pull/4733)\n- Cassandra: ensure serial consistency is `LOCAL_SERIAL` when a\n datacenter-aware load balancing policy is in use. This fixes unavailability\n exceptions sometimes experienced when connecting to a multi-datacenter\n cluster with cross-datacenter connectivity issues.\n [#4734](https://github.com/Kong/kong/pull/4734)\n- Schemas: fix an issue in the schema validator that would not allow specifying\n `false` in some schema rules, such a `{ type = \"boolean\", eq = false }`.\n [#4708](https://github.com/Kong/kong/pull/4708)\n [#4727](https://github.com/Kong/kong/pull/4727)\n- Fix an underlying issue with regards to database entities cache keys\n generation.\n [#4717](https://github.com/Kong/kong/pull/4717)\n\n##### Configuration\n\n- Ensure the `cassandra_local_datacenter` configuration property is specified\n when a datacenter-aware Cassandra load balancing policy is in use.\n [#4734](https://github.com/Kong/kong/pull/4734)\n\n##### Plugins\n\n- request-transformer: fix an issue that would prevent adding a body to\n requests without one.\n [Kong/kong-plugin-request-transformer#4](https://github.com/Kong/kong-plugin-request-transformer/pull/4)\n- kubernetes-sidecar-injector: fix an issue causing mutating webhook calls to\n fail.\n [Kong/kubernetes-sidecar-injector#9](https://github.com/Kong/kubernetes-sidecar-injector/pull/9)\n\n[Back to TOC](#table-of-contents)\n\n## [1.2.0]\n\n> Released on: 2019/06/07\n\nThis release brings **improvements to reduce long latency tails**,\n**consolidates declarative configuration support**, and comes with **newly open\nsourced plugins** previously only available to Enterprise customers. It also\nships with new features improving observability and usability.\n\nThis release includes database migrations. Please take a few minutes to read\nthe [1.2 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md)\nfor more details regarding changes and migrations before planning to upgrade\nyour Kong cluster.\n\n### Installation\n\n- :warning: All Bintray repositories have been renamed from\n `kong-community-edition-*` to `kong-*`.\n- :warning: All Kong packages have been renamed from `kong-community-edition`\n to `kong`.\n\nFor more details about the updated installation, please visit the official docs:\n[https://konghq.com/install](https://konghq.com/install/).\n\n### Additions\n\n##### Core\n\n- :fireworks: Support for **wildcard SNI matching**: the\n `ssl_certificate_by_lua` phase and the stream `preread` phase) is now able to\n match a client hello SNI against any registered wildcard SNI. This is\n particularly helpful for deployments serving a certificate for multiple\n subdomains.\n [#4457](https://github.com/Kong/kong/pull/4457)\n- :fireworks: **HTTPS Routes can now be matched by SNI**: the `snis` Route\n attribute (previously only available for `tls` Routes) can now be set for\n `https` Routes and is evaluated by the HTTP router.\n [#4633](https://github.com/Kong/kong/pull/4633)\n- :fireworks: **Native support for HTTPS redirects**: Routes have a new\n `https_redirect_status_code` attribute specifying the status code to send\n back to the client if a plain text request was sent to an `https` Route.\n [#4424](https://github.com/Kong/kong/pull/4424)\n- The loading of declarative configuration is now done atomically, and with a\n safety check to verify that the new configuration fits in memory.\n [#4579](https://github.com/Kong/kong/pull/4579)\n- Schema fields can now be marked as immutable.\n [#4381](https://github.com/Kong/kong/pull/4381)\n- Support for loading custom DAO strategies from plugins.\n [#4518](https://github.com/Kong/kong/pull/4518)\n- Support for IPv6 to `tcp` and `tls` Routes.\n [#4333](https://github.com/Kong/kong/pull/4333)\n\n##### Configuration\n\n- :fireworks: **Asynchronous router updates**: a new configuration property\n `router_consistency` accepts two possible values: `strict` and `eventual`.\n The former is the default setting and makes router rebuilds highly\n consistent between Nginx workers. It can result in long tail latency if\n frequent Routes and Services updates are expected. The latter helps\n preventing long tail latency issues by instructing Kong to rebuild the router\n asynchronously (with eventual consistency between Nginx workers).\n [#4639](https://github.com/Kong/kong/pull/4639)\n- :fireworks: **Database cache warmup**: Kong can now preload entities during\n its initialization. A new configuration property (`db_cache_warmup_entities`)\n was introduced, allowing users to specify which entities should be preloaded.\n DB cache warmup allows for ahead-of-time DNS resolution for Services with a\n hostname. This feature reduces first requests latency, improving the overall\n P99 latency tail.\n [#4565](https://github.com/Kong/kong/pull/4565)\n- Improved PostgreSQL connection management: two new configuration properties\n have been added: `pg_max_concurrent_queries` sets the maximum number of\n concurrent queries to the database, and `pg_semaphore_timeout` allows for\n tuning the timeout when acquiring access to a database connection. The\n default behavior remains the same, with no concurrency limitation.\n [#4551](https://github.com/Kong/kong/pull/4551)\n\n##### Admin API\n\n- :fireworks: Add declarative configuration **hash checking** avoiding\n reloading if the configuration has not changed. The `/config` endpoint now\n accepts a `check_hash` query argument. Hash checking only happens if this\n argument's value is set to `1`.\n [#4609](https://github.com/Kong/kong/pull/4609)\n- :fireworks: Add a **schema validation endpoint for entities**: a new\n endpoint `/schemas/:entity_name/validate` can be used to validate an instance\n of any entity type in Kong without creating the entity itself.\n [#4413](https://github.com/Kong/kong/pull/4413)\n- :fireworks: Add **memory statistics** to the `/status` endpoint. The response\n now includes a `memory` field, which contains the `lua_shared_dicts` and\n `workers_lua_vms` fields with statistics on shared dictionaries and workers\n Lua VM memory usage.\n [#4592](https://github.com/Kong/kong/pull/4592)\n\n##### PDK\n\n- New function `kong.node.get_memory_stats()`. This function returns statistics\n on shared dictionaries and workers Lua VM memory usage, and powers the memory\n statistics newly exposed by the `/status` endpoint.\n [#4632](https://github.com/Kong/kong/pull/4632)\n\n##### Plugins\n\n- :fireworks: **Newly open-sourced plugin**: the HTTP [proxy-cache\n plugin](https://github.com/kong/kong-plugin-proxy-cache) (previously only\n available in Enterprise) is now bundled in Kong.\n [#4650](https://github.com/Kong/kong/pull/4650)\n- :fireworks: **Newly open-sourced plugin capabilities**: The\n [request-transformer\n plugin](https://github.com/Kong/kong-plugin-request-transformer) now includes\n capabilities previously only available in Enterprise, among which templating\n and variables interpolation.\n [#4658](https://github.com/Kong/kong/pull/4658)\n- Logging plugins: log request TLS version, cipher, and verification status.\n [#4581](https://github.com/Kong/kong/pull/4581)\n [#4626](https://github.com/Kong/kong/pull/4626)\n- Plugin development: inheriting from `BasePlugin` is now optional. Avoiding\n the inheritance paradigm improves plugins' performance.\n [#4590](https://github.com/Kong/kong/pull/4590)\n\n### Fixes\n\n##### Core\n\n- Active healthchecks: `http` checks are not performed for `tcp` and `tls`\n Services anymore; only `tcp` healthchecks are performed against such\n Services.\n [#4616](https://github.com/Kong/kong/pull/4616)\n- Fix an issue where updates in migrations would not correctly populate default\n values.\n [#4635](https://github.com/Kong/kong/pull/4635)\n- Improvements in the reentrancy of Cassandra migrations.\n [#4611](https://github.com/Kong/kong/pull/4611)\n- Fix an issue causing the PostgreSQL strategy to not bootstrap the schema when\n using a PostgreSQL account with limited permissions.\n [#4506](https://github.com/Kong/kong/pull/4506)\n\n##### CLI\n\n- Fix `kong db_import` to support inserting entities without specifying a UUID\n for their primary key. Entities with a unique identifier (e.g. `name` for\n Services) can have their primary key omitted.\n [#4657](https://github.com/Kong/kong/pull/4657)\n- The `kong migrations [up|finish] -f` commands does not run anymore if there\n are no previously executed migrations.\n [#4617](https://github.com/Kong/kong/pull/4617)\n\n##### Plugins\n\n- ldap-auth: ensure TLS connections are reused.\n [#4620](https://github.com/Kong/kong/pull/4620)\n- oauth2: ensured access tokens preserve their `token_expiration` value when\n migrating from previous Kong versions.\n [#4572](https://github.com/Kong/kong/pull/4572)\n\n[Back to TOC](#table-of-contents)\n\n## [1.1.2]\n\n> Released on: 2019/04/24\n\nThis is a patch release in the 1.0 series. Being a patch release, it strictly\ncontains bugfixes. The are no new features or breaking changes.\n\n### Fixes\n\n- core: address issue where field type \"record\" nested values reset on update\n [#4495](https://github.com/Kong/kong/pull/4495)\n- core: correctly manage primary keys of type \"foreign\"\n [#4429](https://github.com/Kong/kong/pull/4429)\n- core: declarative config is not parsed on db-mode anymore\n [#4487](https://github.com/Kong/kong/pull/4487)\n [#4509](https://github.com/Kong/kong/pull/4509)\n- db-less: Fixed a problem in Kong balancer timing out.\n [#4534](https://github.com/Kong/kong/pull/4534)\n- db-less: Accept declarative config directly in JSON requests.\n [#4527](https://github.com/Kong/kong/pull/4527)\n- db-less: do not mis-detect mesh mode\n [#4498](https://github.com/Kong/kong/pull/4498)\n- db-less: fix crash when field has same name as entity\n [#4478](https://github.com/Kong/kong/pull/4478)\n- basic-auth: ignore password if nil on basic auth credential patch\n [#4470](https://github.com/Kong/kong/pull/4470)\n- http-log: Simplify queueing mechanism. Fixed a bug where traces were lost\n in some cases.\n [#4510](https://github.com/Kong/kong/pull/4510)\n- request-transformer: validate header values in plugin configuration.\n Thanks, [@rune-chan](https://github.com/rune-chan)!\n [#4512](https://github.com/Kong/kong/pull/4512).\n- rate-limiting: added index on rate-limiting metrics.\n Thanks, [@mvanholsteijn](https://github.com/mvanholsteijn)!\n [#4486](https://github.com/Kong/kong/pull/4486)\n\n[Back to TOC](#table-of-contents)\n\n## [1.1.1]\n\n> Released on: 2019/03/28\n\nThis release contains a fix for 0.14 Kong clusters using Cassandra to safely\nmigrate to Kong 1.1.\n\n### Fixes\n\n- Ensure the 0.14 -> 1.1 migration path for Cassandra does not corrupt the\n database schema.\n [#4450](https://github.com/Kong/kong/pull/4450)\n- Allow the `kong config init` command to run without a pointing to a prefix\n directory.\n [#4451](https://github.com/Kong/kong/pull/4451)\n\n[Back to TOC](#table-of-contents)\n\n## [1.1.0]\n\n> Released on: 2019/03/27\n\nThis release introduces new features such as **Declarative\nConfiguration**, **DB-less Mode**, **Bulk Database Import**, **Tags**, as well\nas **Transparent Proxying**. It contains a large number of other features and\nfixes, listed below. Also, the Plugin Development kit also saw a minor\nupdated, bumped to version 1.1.\n\nThis release includes database migrations. Please take a few minutes to read\nthe [1.1 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md)\nfor more details regarding changes and migrations before planning to upgrade\nyour Kong cluster.\n\n:large_orange_diamond: **Post-release note (as of 2019/03/28):** an issue has\nbeen found when migrating from a 0.14 Kong cluster to 1.1.0 when running on top\nof Cassandra. Kong 1.1.1 has been released to address this issue. Kong clusters\nrunning on top of PostgreSQL are not affected by this issue, and can migrate to\n1.1.0 or 1.1.1 safely.\n\n### Additions\n\n##### Core\n\n- :fireworks: Kong can now run **without a database**, using in-memory\n storage only. When running Kong in DB-less mode, entities are loaded via a\n **declarative configuration** file, specified either through Kong's\n configuration file, or uploaded via the Admin API.\n [#4315](https://github.com/Kong/kong/pull/4315)\n- :fireworks: **Transparent proxying** - the `service` attribute on\n Routes is now optional; a Route without an assigned Service will\n proxy transparently\n [#4286](https://github.com/Kong/kong/pull/4286)\n- Support for **tags** in entities\n [#4275](https://github.com/Kong/kong/pull/4275)\n - Every core entity now adds a `tags` field\n- New `protocols` field in the Plugin entity, allowing plugin instances\n to be set for specific protocols only (`http`, `https`, `tcp` or `tls`).\n [#4248](https://github.com/Kong/kong/pull/4248)\n - It filters out plugins during execution according to their `protocols` field\n - It throws an error when trying to associate a Plugin to a Route\n which is not compatible, protocols-wise, or to a Service with no\n compatible routes.\n\n##### Configuration\n\n- New option in `kong.conf`: `database=off` to start Kong without\n a database\n- New option in `kong.conf`: `declarative_config=kong.yml` to\n load a YAML file using Kong's new [declarative config\n format](https://discuss.konghq.com/t/rfc-kong-native-declarative-config-format/2719)\n- New option in `kong.conf`: `pg_schema` to specify Postgres schema\n to be used\n- The Stream subsystem now supports Nginx directive injections\n [#4148](https://github.com/Kong/kong/pull/4148)\n - `nginx_stream_*` (or `KONG_NGINX_STREAM_*` environment variables)\n for injecting entries to the `stream` block\n - `nginx_sproxy_*` (or `KONG_NGINX_SPROXY_*` environment variables)\n for injecting entries to the `server` block inside `stream`\n\n##### CLI\n\n- :fireworks: **Bulk database import** using the same declarative\n configuration format as the in-memory mode, using the new command:\n `kong config db_import kong.yml`. This command upserts all\n entities specified in the given `kong.yml` file in bulk\n [#4284](https://github.com/Kong/kong/pull/4284)\n- New command: `kong config init` to generate a template `kong.yml`\n file to get you started\n- New command: `kong config parse kong.yml` to verify the syntax of\n the `kong.yml` file before using it\n- New option `--wait` in `kong quit` to ease graceful termination when using orchestration tools\n [#4201](https://github.com/Kong/kong/pull/4201)\n\n##### Admin API\n\n- New Admin API endpoint: `/config` to replace the configuration of\n Kong entities entirely, replacing it with the contents of a new\n declarative config file\n - When using the new `database=off` configuration option,\n the Admin API endpoints for entities (such as `/routes` and\n `/services`) are read-only, since the configuration can only\n be updated via `/config`\n [#4308](https://github.com/Kong/kong/pull/4308)\n- Admin API endpoints now support searching by tag\n (for example, `/consumers?tags=example_tag`)\n - You can search by multiple tags:\n - `/services?tags=serv1,mobile` to search for services matching tags `serv1` and `mobile`\n - `/services?tags=serv1/serv2` to search for services matching tags `serv1` or `serv2`\n- New Admin API endpoint `/tags/` for listing entities by tag: `/tags/example_tag`\n\n##### PDK\n\n- New PDK function: `kong.client.get_protocol` for obtaining the protocol\n in use during the current request\n [#4307](https://github.com/Kong/kong/pull/4307)\n- New PDK function: `kong.nginx.get_subsystem`, so plugins can detect whether\n they are running on the HTTP or Stream subsystem\n [#4358](https://github.com/Kong/kong/pull/4358)\n\n##### Plugins\n\n- :fireworks: Support for ACL **authenticated groups**, so that authentication plugins\n that use a 3rd party (other than Kong) to store credentials can benefit\n from using a central ACL plugin to do authorization for them\n [#4013](https://github.com/Kong/kong/pull/4013)\n- The Kubernetes Sidecar Injection plugin is now bundled into Kong for a smoother K8s experience\n [#4304](https://github.com/Kong/kong/pull/4304)\n- aws-lambda: includes AWS China region.\n Thanks [@wubins](https://github.com/wubins) for the patch!\n [#4176](https://github.com/Kong/kong/pull/4176)\n\n### Changes\n\n##### Dependencies\n\n- The required OpenResty version is still 1.13.6.2, but for a full feature set\n including stream routing and Service Mesh abilities with mutual TLS, Kong's\n [openresty-patches](https://github.com/kong/openresty-patches) must be\n applied (those patches are already bundled with our official distribution\n packages). The openresty-patches bundle was updated in Kong 1.1.0 to include\n the `stream_realip_module` as well.\n Kong in HTTP(S) Gateway scenarios does not require these patches.\n [#4163](https://github.com/Kong/kong/pull/4163)\n- Service Mesh abilities require at least OpenSSL version 1.1.1. In our\n official distribution packages, OpenSSL has been bumped to 1.1.1b.\n [#4345](https://github.com/Kong/kong/pull/4345),\n [#4440](https://github.com/Kong/kong/pull/4440)\n\n### Fixes\n\n##### Core\n\n- Resolve hostnames properly during initialization of Cassandra contact points\n [#4296](https://github.com/Kong/kong/pull/4296),\n [#4378](https://github.com/Kong/kong/pull/4378)\n- Fix health checks for Targets that need two-level DNS resolution\n (e.g. SRV → A → IP) [#4386](https://github.com/Kong/kong/pull/4386)\n- Fix serialization of map types in the Cassandra backend\n [#4383](https://github.com/Kong/kong/pull/4383)\n- Fix target cleanup and cascade-delete for Targets\n [#4319](https://github.com/Kong/kong/pull/4319)\n- Avoid crash when failing to obtain list of Upstreams\n [#4301](https://github.com/Kong/kong/pull/4301)\n- Disallow invalid timeout value of 0ms for attributes in Services\n [#4430](https://github.com/Kong/kong/pull/4430)\n- DAO fix for foreign fields used as primary keys\n [#4387](https://github.com/Kong/kong/pull/4387)\n\n##### Admin API\n\n- Proper support for `PUT /{entities}/{entity}/plugins/{plugin}`\n [#4288](https://github.com/Kong/kong/pull/4288)\n- Fix Admin API inferencing of map types using form-encoded\n [#4368](https://github.com/Kong/kong/pull/4368)\n- Accept UUID-like values in `/consumers?custom_id=`\n [#4435](https://github.com/Kong/kong/pull/4435)\n\n##### Plugins\n\n- basic-auth, ldap-auth, key-auth, jwt, hmac-auth: fixed\n status code for unauthorized requests: they now return HTTP 401\n instead of 403\n [#4238](https://github.com/Kong/kong/pull/4238)\n- tcp-log: remove spurious trailing carriage return\n Thanks [@cvuillemez](https://github.com/cvuillemez) for the patch!\n [#4158](https://github.com/Kong/kong/pull/4158)\n- jwt: fix `typ` handling for supporting JOSE (JSON Object\n Signature and Validation)\n Thanks [@cdimascio](https://github.com/cdimascio) for the patch!\n [#4256](https://github.com/Kong/kong/pull/4256)\n- Fixes to the best-effort auto-converter for legacy plugin schemas\n [#4396](https://github.com/Kong/kong/pull/4396)\n\n[Back to TOC](#table-of-contents)\n\n## [1.0.3]\n\n> Released on: 2019/01/31\n\nThis is a patch release addressing several regressions introduced some plugins,\nand improving the robustness of our migrations and core components.\n\n### Core\n\n- Improve Cassandra schema consensus logic when running migrations.\n [#4233](https://github.com/Kong/kong/pull/4233)\n- Ensure Routes that don't have a `regex_priority` (e.g. if it was removed as\n part of a `PATCH`) don't prevent the router from being built.\n [#4255](https://github.com/Kong/kong/pull/4255)\n- Reduce rebuild time of the load balancer by retrieving larger sized pages of\n Target entities.\n [#4206](https://github.com/Kong/kong/pull/4206)\n- Ensure schema definitions of Arrays and Sets with `default = {}` are\n JSON-encoded as `[]`.\n [#4257](https://github.com/Kong/kong/pull/4257)\n\n##### Plugins\n\n- request-transformer: fix a regression causing the upstream Host header to be\n unconditionally set to that of the client request (effectively, as if the\n Route had `preserve_host` enabled).\n [#4253](https://github.com/Kong/kong/pull/4253)\n- cors: fix a regression that prevented regex origins from being matched.\n Regexes such as `(.*[.])?example\\.org` can now be used to match all\n sub-domains, while regexes containing `:` will be evaluated against the\n scheme and port of an origin (i.e.\n `^https?://(.*[.])?example\\.org(:8000)?$`).\n [#4261](https://github.com/Kong/kong/pull/4261)\n- oauth2: fix a runtime error when using a global token against a plugin\n not configured as global (i.e. with `global_credentials = false`).\n [#4262](https://github.com/Kong/kong/pull/4262)\n\n##### Admin API\n\n- Improve performance of the `PUT` method in auth plugins endpoints (e.g.\n `/consumers/:consumers/basic-auth/:basicauth_credentials`) by preventing\n a unnecessary read-before-write.\n [#4206](https://github.com/Kong/kong/pull/4206)\n\n[Back to TOC](#table-of-contents)\n\n## [1.0.2]\n\n> Released on: 2019/01/18\n\nThis is a hotfix release mainly addressing an issue when connecting to the\ndatastore over TLS (Cassandra and PostgreSQL).\n\n### Fixes\n\n##### Core\n\n- Fix an issue that would prevent Kong from starting when connecting to\n its datastore over TLS. [#4214](https://github.com/Kong/kong/pull/4214)\n [#4218](https://github.com/Kong/kong/pull/4218)\n- Ensure plugins added via `PUT` get enabled without requiring a restart.\n [#4220](https://github.com/Kong/kong/pull/4220)\n\n##### Plugins\n\n- zipkin\n - Fix a logging failure when DNS is not resolved.\n [kong-plugin-zipkin@a563f51](https://github.com/Kong/kong-plugin-zipkin/commit/a563f513f943ba0a30f3c69373d9092680a8f670)\n - Avoid sending redundant tags.\n [kong-plugin-zipkin/pull/28](https://github.com/Kong/kong-plugin-zipkin/pull/28)\n - Move `run_on` field to top level plugin schema instead of its config.\n [kong-plugin-zipkin/pull/38](https://github.com/Kong/kong-plugin-zipkin/pull/38)\n\n[Back to TOC](#table-of-contents)\n\n## [1.0.1]\n\n> Released on: 2019/01/16\n\nThis is a patch release in the 1.0 series. Being a patch release, it strictly\ncontains performance improvements and bugfixes. The are no new features or\nbreaking changes.\n\n:red_circle: **Post-release note (as of 2019/01/17)**: A regression has been\nobserved with this version, preventing Kong from starting when connecting to\nits datastore over TLS. Installing this version is discouraged; consider\nupgrading to [1.0.2](#102).\n\n### Changes\n\n##### Core\n\n- :rocket: Assorted changes for warmup time improvements over Kong 1.0.0\n [#4138](https://github.com/kong/kong/issues/4138),\n [#4164](https://github.com/kong/kong/issues/4164),\n [#4178](https://github.com/kong/kong/pull/4178),\n [#4179](https://github.com/kong/kong/pull/4179),\n [#4182](https://github.com/kong/kong/pull/4182)\n\n### Fixes\n\n##### Configuration\n\n- Ensure `lua_ssl_verify_depth` works even when `lua_ssl_trusted_certificate`\n is not set\n [#4165](https://github.com/kong/kong/pull/4165).\n Thanks [@rainest](https://github.com/rainest) for the patch.\n- Ensure Kong starts when only a `stream` listener is enabled\n [#4195](https://github.com/kong/kong/pull/4195)\n- Ensure Postgres works with non-`public` schemas\n [#4198](https://github.com/kong/kong/pull/4198)\n\n##### Core\n\n- Fix an artifact in upstream migrations where `created_at`\n timestamps would occasionally display fractional values\n [#4183](https://github.com/kong/kong/issues/4183),\n [#4204](https://github.com/kong/kong/pull/4204)\n- Fixed issue with HTTP/2 support advertisement\n [#4203](https://github.com/kong/kong/pull/4203)\n\n##### Admin API\n\n- Fixed handling of invalid targets in `/upstreams` endpoints\n for health checks\n [#4132](https://github.com/kong/kong/issues/4132),\n [#4205](https://github.com/kong/kong/pull/4205)\n- Fixed the `/plugins/schema/:name` endpoint, as it was failing in\n some cases (e.g. the `datadog` plugin) and producing incorrect\n results in others (e.g. `request-transformer`).\n [#4136](https://github.com/kong/kong/issues/4136),\n [#4137](https://github.com/kong/kong/issues/4137)\n [#4151](https://github.com/kong/kong/pull/4151),\n [#4162](https://github.com/kong/kong/pull/4151)\n\n##### Plugins\n\n- Fix PDK memory leaks in `kong.service.response` and `kong.ctx`\n [#4143](https://github.com/kong/kong/pull/4143),\n [#4172](https://github.com/kong/kong/pull/4172)\n\n[Back to TOC](#table-of-contents)\n\n## [1.0.0]\n\n> Released on: 2018/12/18\n\nThis is a major release, introducing new features such as **Service Mesh** and\n**Stream Routing** support, as well as a **New Migrations** framework. It also\nincludes version 1.0.0 of the **Plugin Development Kit**. It contains a large\nnumber of other features and fixes, listed below. Also, all plugins included\nwith Kong 1.0 are updated to use version 1.0 of the PDK.\n\nAs usual, major version upgrades require database migrations and changes to the\nNginx configuration file (if you customized the default template). Please take\na few minutes to read the [1.0 Upgrade\nPath](https://github.com/Kong/kong/blob/master/UPGRADE.md) for more details\nregarding breaking changes and migrations before planning to upgrade your Kong\ncluster.\n\nBeing a major version, all entities and concepts that were marked as deprecated\nin Kong 0.x are now removed in Kong 1.0. The deprecated features are retained\nin [Kong 0.15](#0150), the final entry in the Kong 0.x series, which is being\nreleased simultaneously to Kong 1.0.\n\n### Changes\n\nKong 1.0 includes all breaking changes from 0.15, as well as the removal\nof deprecated concepts.\n\n##### Dependencies\n\n- The required OpenResty version is still 1.13.6.2, but for a full feature set\n including stream routing and Service Mesh abilities with mutual TLS, Kong's\n [openresty-patches](https://github.com/kong/openresty-patches) must be\n applied (those patches are already bundled with our official distribution\n packages). Kong in HTTP(S) Gateway scenarios does not require these patches.\n- Service Mesh abilities require at least OpenSSL version 1.1.1. In our\n official distribution packages, OpenSSL has been bumped to 1.1.1.\n [#4005](https://github.com/Kong/kong/pull/4005)\n\n##### Configuration\n\n- :warning: The `custom_plugins` directive is removed (deprecated since 0.14.0,\n July 2018). Use `plugins` instead.\n- Modifications must be applied to the Nginx configuration. You are not\n affected by this change if you do not use a custom Nginx template. See the\n [1.0 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md) for\n a diff of changes to apply.\n- The default value for `cassandra_lb_policy` changed from `RoundRobin` to\n `RequestRoundRobin`. This helps reducing the amount of new connections being\n opened during a request when using the Cassandra strategy.\n [#4004](https://github.com/Kong/kong/pull/4004)\n\n##### Core\n\n- :warning: The **API** entity and related concepts such as the `/apis`\n endpoint, are removed (deprecated since 0.13.0, March 2018). Use **Routes**\n and **Services** instead.\n- :warning: The **old DAO** implementation is removed, along with the\n **old schema** validation library (`apis` was the last entity using it).\n Use the new schema format instead in custom plugins.\n To ease the transition of plugins, the plugin loader in 1.0 includes\n a _best-effort_ schema auto-translator, which should be sufficient for many\n plugins.\n- Timestamps now bear millisecond precision in their decimal part.\n [#3660](https://github.com/Kong/kong/pull/3660)\n- The PDK function `kong.request.get_body` will now return `nil, err, mime`\n when the body is valid JSON but neither an object nor an array.\n [#4063](https://github.com/Kong/kong/pull/4063)\n\n##### CLI\n\n- :warning: The new migrations framework (detailed below) has a different usage\n (and subcommands) compared to its predecessor.\n [#3802](https://github.com/Kong/kong/pull/3802)\n\n##### Admin API\n\n- :warning: In the 0.14.x release, Upstreams, Targets, and Plugins were still\n implemented using the old DAO and Admin API. In 0.15.0 and 1.0.0, all core\n entities use the new `kong.db` DAO, and their endpoints have been upgraded to\n the new Admin API (see below for details).\n [#3689](https://github.com/Kong/kong/pull/3689)\n [#3739](https://github.com/Kong/kong/pull/3739)\n [#3778](https://github.com/Kong/kong/pull/3778)\n\nA summary of the changes introduced in the new Admin API:\n\n- Pagination has been included in all \"multi-record\" endpoints, and pagination\n control fields are different than in 0.14.x.\n- Filtering now happens via URL path changes (`/consumers/x/plugins`) instead\n of querystring fields (`/plugins?consumer_id=x`).\n- Array values can't be coerced from comma-separated strings anymore. They must\n now be \"proper\" JSON values on JSON requests, or use a new syntax on\n form-url-encoded or multipart requests.\n- Error messages have been been reworked from the ground up to be more\n consistent, precise and informative.\n- The `PUT` method has been reimplemented with idempotent behavior and has\n been added to some entities that didn't have it.\n\nFor more details about the new Admin API, please visit the official docs:\nhttps://docs.konghq.com/\n\n##### Plugins\n\n- :warning: The `galileo` plugin has been removed (deprecated since 0.13.0).\n [#3960](https://github.com/Kong/kong/pull/3960)\n- :warning: Some internal modules that were occasionally used by plugin authors\n before the introduction of the Plugin Development Kit (PDK) in 0.14.0 are now\n removed:\n - The `kong.tools.ip` module was removed. Use `kong.ip` from the PDK instead.\n - The `kong.tools.public` module was removed. Use the various equivalent\n features from the PDK instead.\n - The `kong.tools.responses` module was removed. Please use\n `kong.response.exit` from the PDK instead. You might want to use\n `kong.log.err` to log internal server errors as well.\n - The `kong.api.crud_helpers` module was removed (deprecated since the\n introduction of the new DAO in 0.13.0). Use `kong.api.endpoints` instead\n if you need to customize the auto-generated endpoints.\n- All bundled plugins' schemas and custom entities have been updated to the new\n `kong.db` module, and their APIs have been updated to the new Admin API,\n which is described in the above section.\n [#3766](https://github.com/Kong/kong/pull/3766)\n [#3774](https://github.com/Kong/kong/pull/3774)\n [#3778](https://github.com/Kong/kong/pull/3778)\n [#3839](https://github.com/Kong/kong/pull/3839)\n- :warning: All plugins migrations have been converted to the new migration\n framework. Custom plugins must use the new migration framework from 0.15\n onwards.\n\n### Additions\n\n##### :fireworks: Service Mesh and Stream Routes\n\nKong's Service Mesh support resulted in a number of additions to Kong's\nconfiguration, Admin API, and plugins that deserve their own section in\nthis changelog.\n\n- **Support for TCP & TLS Stream Routes** via the new `stream_listen` config\n option. [#4009](https://github.com/Kong/kong/pull/4009)\n- A new `origins` config property allows overriding hosts from Kong.\n [#3679](https://github.com/Kong/kong/pull/3679)\n- A `transparent` suffix added to stream listeners allows for setting up a\n dynamic Service Mesh with `iptables`.\n [#3884](https://github.com/Kong/kong/pull/3884)\n- Kong instances can now create a shared internal Certificate Authority, which\n is used for Service Mesh TLS traffic.\n [#3906](https://github.com/Kong/kong/pull/3906)\n [#3861](https://github.com/Kong/kong/pull/3861)\n- Plugins get a new `run_on` field to control how they behave in a Service Mesh\n environment.\n [#3930](https://github.com/Kong/kong/pull/3930)\n [#4066](https://github.com/Kong/kong/pull/4066)\n- There is a new phase called `preread`. This is where stream traffic routing\n is done.\n\n##### Configuration\n\n- A new `dns_valid_ttl` property can be set to forcefully override the TTL\n value of all resolved DNS records.\n [#3730](https://github.com/Kong/kong/pull/3730)\n- A new `pg_timeout` property can be set to configure the timeout of PostgreSQL\n connections. [#3808](https://github.com/Kong/kong/pull/3808)\n- `upstream_keepalive` can now be disabled when set to 0.\n Thanks [@pryorda](https://github.com/pryorda) for the patch.\n [#3716](https://github.com/Kong/kong/pull/3716)\n- The new `transparent` suffix also applies to the `proxy_listen` directive.\n\n##### CLI\n\n- :fireworks: **New migrations framework**. This new implementation supports\n no-downtime, Blue/Green migrations paths that will help sustain Kong 1.0's\n stability. It brings a considerable number of other improvements, such as new\n commands, better support for automation, improved CLI logging, and many\n more. Additionally, this new framework alleviates the old limitation around\n multiple nodes running concurrent migrations. See the related PR for a\n complete list of improvements.\n [#3802](https://github.com/Kong/kong/pull/3802)\n\n##### Core\n\n- :fireworks: **Support for TLS 1.3**. The support for OpenSSL 1.1.1 (bumped in our\n official distribution packages) not only enabled Service Mesh features, but\n also unlocks support for the latest version of the TLS protocol.\n- :fireworks: **Support for HTTPS in active healthchecks**.\n [#3815](https://github.com/Kong/kong/pull/3815)\n- :fireworks: Improved router rebuilds resiliency by reducing database accesses\n in high concurrency scenarios.\n [#3782](https://github.com/Kong/kong/pull/3782)\n- :fireworks: Significant performance improvements in the core's plugins\n runloop. [#3794](https://github.com/Kong/kong/pull/3794)\n- PDK improvements:\n - New `kong.node` module. [#3826](https://github.com/Kong/kong/pull/3826)\n - New functions `kong.response.get_path_with_query()` and\n `kong.request.get_start_time()`.\n [#3842](https://github.com/Kong/kong/pull/3842)\n - Getters and setters for Service, Route, Consumer, and Credential.\n [#3916](https://github.com/Kong/kong/pull/3916)\n - `kong.response.get_source()` returns `error` on nginx-produced errors.\n [#4006](https://github.com/Kong/kong/pull/4006)\n - `kong.response.exit()` can be used in the `header_filter` phase, but only\n without a body. [#4039](https://github.com/Kong/kong/pull/4039)\n- Schema improvements:\n - New field validators: `distinct`, `ne`, `is_regex`, `contains`, `gt`.\n - Adding a new field which has a default value to a schema no longer requires\n a migration.\n [#3756](https://github.com/Kong/kong/pull/3756)\n\n##### Admin API\n\n- :fireworks: **Routes now have a `name` field (like Services)**.\n [#3764](https://github.com/Kong/kong/pull/3764)\n- Multipart parsing support. [#3776](https://github.com/Kong/kong/pull/3776)\n- Admin API errors expose the name of the current strategy.\n [#3612](https://github.com/Kong/kong/pull/3612)\n\n##### Plugins\n\n- :fireworks: aws-lambda: **Support for Lambda Proxy Integration** with the new\n `is_proxy_integration` property.\n Thanks [@aloisbarreras](https://github.com/aloisbarreras) for the patch!\n [#3427](https://github.com/Kong/kong/pull/3427/).\n- http-log: Support for buffering logging messages in a configurable logging\n queue. [#3604](https://github.com/Kong/kong/pull/3604)\n- Most plugins' logic has been rewritten with the PDK instead of using internal\n Kong functions or ngx_lua APIs.\n\n### Fixes\n\n##### Core\n\n- Fix an issue which would insert an extra `/` in the upstream URL when the\n request path was longer than the configured Route's `path` attribute.\n [#3780](https://github.com/kong/kong/pull/3780)\n- Ensure better backwards-compatibility between the new DAO and existing core\n runloop code regarding null values.\n [#3772](https://github.com/Kong/kong/pull/3772)\n [#3710](https://github.com/Kong/kong/pull/3710)\n- Ensure support for Datastax Enterprise 6.x. Thanks\n [@gchristidis](https://github.com/gchristidis) for the patch!\n [#3873](https://github.com/Kong/kong/pull/3873)\n- Various issues with the PostgreSQL DAO strategy were addressed.\n- Various issues related to the new schema library bundled with the new DAO\n were addressed.\n- PDK improvements:\n - `kong.request.get_path()` and other functions now properly handle cases\n when `$request_uri` is nil.\n [#3842](https://github.com/Kong/kong/pull/3842)\n\n##### Admin API\n\n- Ensure the `/certificates` endpoints properly returns all SNIs configured on\n a given certificate. [#3722](https://github.com/Kong/kong/pull/3722)\n- Ensure the `upstreams/:upstream/targets/...` endpoints returns an empty JSON\n array (`[]`) instead of an empty object (`{}`) when no targets exist.\n [#4058](https://github.com/Kong/kong/pull/4058)\n- Improved inferring of arguments with `application/x-www-form-urlencoded`.\n [#3770](https://github.com/Kong/kong/pull/3770)\n- Fix the handling of defaults values in some cases when using `PATCH`.\n [#3910](https://github.com/Kong/kong/pull/3910)\n\n##### Plugins\n\n- cors:\n - Ensure `Vary: Origin` is set when `config.credentials` is enabled.\n Thanks [@marckhouzam](https://github.com/marckhouzam) for the patch!\n [#3765](https://github.com/Kong/kong/pull/3765)\n - Return HTTP 200 instead of 204 for preflight requests. Thanks\n [@aslafy-z](https://github.com/aslafy-z) for the patch!\n [#4029](https://github.com/Kong/kong/pull/4029)\n - Ensure request origins specified as flat strings are safely validated.\n [#3872](https://github.com/Kong/kong/pull/3872)\n- acl: Minor performance improvements by ensuring proper caching of computed\n values.\n [#4040](https://github.com/Kong/kong/pull/4040)\n- correlation-id: Prevent an error to be thrown when the access phase was\n skipped, such as on nginx-produced errors.\n [#4006](https://github.com/Kong/kong/issues/4006)\n- aws-lambda: When the client uses HTTP/2, strip response headers that are\n disallowed by the protocols.\n [#4032](https://github.com/Kong/kong/pull/4032)\n- rate-limiting & response-ratelimiting: Improve efficiency by avoiding\n unnecessary Redis `SELECT` operations.\n [#3973](https://github.com/Kong/kong/pull/3973)\n\n[Back to TOC](#table-of-contents)\n\n## [0.15.0]\n\n> Released on: 2018/12/18\n\nThis is the last release in the 0.x series, giving users one last chance to\nupgrade while still using some of the options and concepts that were marked as\ndeprecated in Kong 0.x and were removed in Kong 1.0.\n\nFor a list of additions and fixes in Kong 0.15, see the [1.0.0](#100)\nchangelog. This release includes all new features included in 1.0 (Service\nMesh, Stream Routes and New Migrations), but unlike Kong 1.0, it retains a lot\nof the deprecated functionality, like the **API** entity, around. Still, Kong\n0.15 does have a number of breaking changes related to functionality that has\nchanged since version 0.14 (see below).\n\nIf you are starting with Kong, we recommend you to use 1.0.0 instead of this\nrelease.\n\nIf you are already using Kong 0.14, our recommendation is to plan to move to\n1.0 -- see the [1.0 Upgrade\nPath](https://github.com/kong/kong/blob/master/UPGRADE.md) document for\ndetails. Upgrading to 0.15.0 is only recommended if you can't do away with the\ndeprecated features but you need some fixes or new features right now.\n\n### Changes\n\n##### Dependencies\n\n- The required OpenResty version is still 1.13.6.2, but for a full feature set\n including stream routing and Service Mesh abilities with mutual TLS, Kong's\n [openresty-patches](https://github.com/kong/openresty-patches) must be\n applied (those patches are already bundled with our official distribution\n packages). Kong in HTTP(S) Gateway scenarios does not require these patches.\n- Service Mesh abilities require at least OpenSSL version 1.1.1. In our\n official distribution packages, OpenSSL has been bumped to 1.1.1.\n [#4005](https://github.com/Kong/kong/pull/4005)\n\n##### Configuration\n\n- The default value for `cassandra_lb_policy` changed from `RoundRobin` to\n `RequestRoundRobin`. This helps reducing the amount of new connections being\n opened during a request when using the Cassandra strategy.\n [#4004](https://github.com/Kong/kong/pull/4004)\n\n##### Core\n\n- Timestamps now bear millisecond precision in their decimal part.\n [#3660](https://github.com/Kong/kong/pull/3660)\n- The PDK function `kong.request.get_body` will now return `nil, err, mime`\n when the body is valid JSON but neither an object nor an array.\n [#4063](https://github.com/Kong/kong/pull/4063)\n\n##### CLI\n\n- :warning: The new migrations framework (detailed in the [1.0.0\n changelog](#100)) has a different usage (and subcommands) compared to its\n predecessor.\n [#3802](https://github.com/Kong/kong/pull/3802)\n\n##### Admin API\n\n- :warning: In the 0.14.x release, Upstreams, Targets, and Plugins were still\n implemented using the old DAO and Admin API. In 0.15.0 and 1.0.0, all core\n entities use the new `kong.db` DAO, and their endpoints have been upgraded to\n the new Admin API (see below for details).\n [#3689](https://github.com/Kong/kong/pull/3689)\n [#3739](https://github.com/Kong/kong/pull/3739)\n [#3778](https://github.com/Kong/kong/pull/3778)\n\nA summary of the changes introduced in the new Admin API:\n\n- Pagination has been included in all \"multi-record\" endpoints, and pagination\n control fields are different than in 0.14.x.\n- Filtering now happens via URL path changes (`/consumers/x/plugins`) instead\n of querystring fields (`/plugins?consumer_id=x`).\n- Array values can't be coherced from comma-separated strings. They must be\n \"proper\" JSON values on JSON requests, or use a new syntax on\n form-url-encoded or multipart requests.\n- Error messages have been been reworked from the ground up to be more\n consistent, precise and informative.\n- The `PUT` method has been reimplemented with idempotent behavior and has\n been added to some entities that didn't have it.\n\nFor more details about the new Admin API, please visit the official docs:\nhttps://docs.konghq.com/\n\n##### Plugins\n\n- All bundled plugins' schemas and custom entities have been updated to the new\n `kong.db` module, and their APIs have been updated to the new Admin API,\n which is described in the above section.\n [#3766](https://github.com/Kong/kong/pull/3766)\n [#3774](https://github.com/Kong/kong/pull/3774)\n [#3778](https://github.com/Kong/kong/pull/3778)\n [#3839](https://github.com/Kong/kong/pull/3839)\n- :warning: All plugins migrations have been converted to the new migration\n framework. Custom plugins must use the new migration framework from 0.15\n onwards.\n\n### Additions\n\nKong 0.15.0 contains the same additions as 1.0.0. See the [1.0.0\nchangelog](#100) for a complete list.\n\n### Fixes\n\nKong 0.15.0 contains the same fixes as 1.0.0. See the [1.0.0 changelog](#100)\nfor a complete list.\n\n[Back to TOC](#table-of-contents)\n\n## [0.14.1]\n\n> Released on: 2018/08/21\n\n### Additions\n\n##### Plugins\n\n- jwt: Support for tokens signed with HS384 and HS512.\n Thanks [@kepkin](https://github.com/kepkin) for the patch.\n [#3589](https://github.com/Kong/kong/pull/3589)\n- acl: Add a new `hide_groups_header` configuration option. If enabled, this\n option prevents the plugin from injecting the `X-Consumer-Groups` header\n into the upstream request.\n Thanks [@jeremyjpj0916](https://github.com/jeremyjpj0916) for the patch!\n [#3703](https://github.com/Kong/kong/pull/3703)\n\n### Fixes\n\n##### Core\n\n- Prevent some plugins from breaking in subtle ways when manipulating some\n entities and their attributes. An example of such breaking behavior could be\n observed when Kong was wrongly injecting `X-Consumer-Username: userdata:\n NULL` in upstream requests headers, instead of not injecting this header at\n all.\n [#3714](https://github.com/Kong/kong/pull/3714)\n- Fix an issue which, in some cases, prevented the use of Kong with Cassandra\n in environments where DNS load-balancing is in effect for contact points\n provided as hostnames (e.g. Kubernetes with `cassandra_contact_points =\n cassandra`).\n [#3693](https://github.com/Kong/kong/pull/3693)\n- Fix an issue which prevented the use of UNIX domain sockets in some logging\n plugins, and custom plugins making use of such sockets.\n Thanks [@rucciva](https://github.com/rucciva) for the patch.\n [#3633](https://github.com/Kong/kong/pull/3633)\n- Avoid logging false-negative error messages related to worker events.\n [#3692](https://github.com/Kong/kong/pull/3692)\n\n##### CLI\n\n- Database connectivity errors are properly prefixed with the database name\n again (e.g. `[postgres]`).\n [#3648](https://github.com/Kong/kong/pull/3648)\n\n##### Plugins\n\n- zipkin\n - Allow usage of the plugin with the deprecated \"API\" entity, and introduce\n a new `kong.api` tag.\n [kong-plugin-zipkin/commit/4a645e9](https://github.com/Kong/kong-plugin-zipkin/commit/4a645e940e560f2e50567e0360b5df3b38f74853)\n - Properly report the `kong.credential` tag.\n [kong-plugin-zipkin/commit/c627c36](https://github.com/Kong/kong-plugin-zipkin/commit/c627c36402c9a14cc48011baa773f4ee08efafcf)\n - Ensure the plugin does not throw errors when no Route was matched.\n [kong-plugin-zipkin#19](https://github.com/Kong/kong-plugin-zipkin/issues/19)\n- basic-auth: Passwords with whitespaces are not trimmed anymore.\n Thanks [@aloisbarreras](https://github.com/aloisbarreras) for the patch.\n [#3650](https://github.com/Kong/kong/pull/3650)\n- hmac-auth: Ensure backward compatibility for clients generating signatures\n without the request's querystring, as is the case for Kong versions prior to\n 0.14.0, which broke this behavior. Users of this plugin on previous versions\n of Kong can now safely upgrade to the 0.14 family.\n Thanks [@mlehner616](https://github.com/mlehner616) for the patch!\n [#3699](https://github.com/Kong/kong/pull/3699)\n- ldap-auth\n - Set the WWW-Authenticate header authentication scheme accordingly with\n the `conf.header_type` property, which allows browsers to show the\n authentication popup automatically. Thanks\n [@francois-maillard](https://github.com/francois-maillard) for the patch.\n [#3656](https://github.com/Kong/kong/pull/3656)\n - Invalid authentication attempts do not block subsequent valid attempts\n anymore.\n [#3677](https://github.com/Kong/kong/pull/3677)\n\n[Back to TOC](#table-of-contents)\n\n## [0.14.0] - 2018/07/05\n\nThis release introduces the first version of the **Plugin Development Kit**: a\nLua SDK, comprised of a set of functions to ease the development of\ncustom plugins.\n\nAdditionally, it contains several major improvements consolidating Kong's\nfeature set and flexibility, such as the support for `PUT` endpoints on the\nAdmin API for idempotent workflows, the execution of plugins during\nNginx-produced errors, and the injection of **Nginx directives** without having\nto rely on the custom Nginx configuration pattern!\n\nFinally, new bundled plugins allow Kong to better integrate with **Cloud\nNative** environments, such as Zipkin and Prometheus.\n\nAs usual, major version upgrades require database migrations and changes to the\nNginx configuration file (if you customized the default template). Please take\na few minutes to read the [0.14 Upgrade\nPath](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-014x) for\nmore details regarding breaking changes and migrations before planning to\nupgrade your Kong cluster.\n\n### Breaking Changes\n\n##### Dependencies\n\n- :warning: The required OpenResty version has been bumped to 1.13.6.2. If you\n are installing Kong from one of our distribution packages, you are not\n affected by this change.\n [#3498](https://github.com/Kong/kong/pull/3498)\n- :warning: Support for PostgreSQL 9.4 (deprecated in 0.12.0) is now dropped.\n [#3490](https://github.com/Kong/kong/pull/3490)\n- :warning: Support for Cassandra 2.1 (deprecated in 0.12.0) is now dropped.\n [#3490](https://github.com/Kong/kong/pull/3490)\n\n##### Configuration\n\n- :warning: The `server_tokens` and `latency_tokens` configuration properties\n have been removed. Instead, a new `headers` configuration properties replaces\n them and allows for more granular settings of injected headers (e.g.\n `Server`, `Via`, `X-Kong-*-Latency`, etc...).\n [#3300](https://github.com/Kong/kong/pull/3300)\n- :warning: New required `lua_shared_dict` entries must be added to the Nginx\n configuration. You are not affected by this change if you do not use a custom\n Nginx template.\n [#3557](https://github.com/Kong/kong/pull/3557)\n- :warning: Other important modifications must be applied to the Nginx\n configuration. You are not affected by this change if you do not use a custom\n Nginx template.\n [#3533](https://github.com/Kong/kong/pull/3533)\n\n##### Plugins\n\n- :warning: The Runscope plugin has been dropped, based on the EoL announcement\n made by Runscope about their Traffic Inspector product.\n [#3495](https://github.com/Kong/kong/pull/3495)\n\n##### Admin API\n\n- :warning: The SSL Certificates and SNI entities have moved to the new DAO\n implementation. As such, the `/certificates` and `/snis` endpoints have\n received notable usability improvements, but suffer from a few breaking\n changes.\n [#3386](https://github.com/Kong/kong/pull/3386)\n- :warning: The Consumers entity has moved to the new DAO implementation. As\n such, the `/consumers` endpoint has received notable usability improvements,\n but suffers from a few breaking changes.\n [#3437](https://github.com/Kong/kong/pull/3437)\n\n### Changes\n\n##### Configuration\n\n- The default value of `db_cache_ttl` is now `0` (disabled). Now that our level\n of confidence around the new caching mechanism introduced in 0.11.0 is high\n enough, we consider `0` (no TTL) to be an appropriate default for production\n environments, as it offers a smoother cache consumption behavior and reduces\n database pressure.\n [#3492](https://github.com/Kong/kong/pull/3492)\n\n##### Core\n\n- :fireworks: Serve stale data from the database cache when the datastore\n cannot be reached. Such stale items are \"resurrected\" for `db_resurrect_ttl`\n seconds (see configuration section).\n [#3579](https://github.com/Kong/kong/pull/3579)\n- Reduce LRU churning in the database cache against some workloads.\n [#3550](https://github.com/Kong/kong/pull/3550)\n\n### Additions\n\n##### Configuration\n\n- :fireworks: **Support for injecting Nginx directives via configuration\n properties** (in the `kong.conf` file or via environment variables)! This new\n way of customizing the Nginx configuration should render obsolete the old way\n of maintaining a custom Nginx template in most cases!\n [#3530](https://github.com/Kong/kong/pull/3530)\n- :fireworks: **Support for selectively disabling bundled plugins**. A new\n `plugins` configuration property is introduced, and is used to specify which\n plugins should be loaded by the node. Custom plugins should now be specified\n in this new property, and the `custom_plugins` property is **deprecated**.\n If desired, Kong administrators can specify a minimal set of plugins to load\n (instead of the default, bundled plugins), and **improve P99 latency**\n thanks to the resulting decrease in database traffic.\n [#3387](https://github.com/Kong/kong/pull/3387)\n- The new `headers` configuration property allows for specifying the injection\n of a new header: `X-Kong-Upstream-Status`. When enabled, Kong will inject\n this header containing the HTTP status code of the upstream response in the\n client response. This is particularly useful for clients to distinguish\n upstream statuses upon rewriting of the response by Kong.\n [#3263](https://github.com/Kong/kong/pull/3263)\n- A new `db_resurrect_ttl` configuration property can be set to customize\n the amount of time stale data can be resurrected for when it cannot be\n refreshed. Defaults to 30 seconds.\n [#3579](https://github.com/Kong/kong/pull/3579)\n- Two new Cassandra load balancing policies are available: `RequestRoundRobin`\n and `RequestDCAwareRoundRobin`. Both policies guarantee that the same peer\n will be reused across several queries during the lifetime of a request, thus\n guaranteeing no new connection will be opened against a peer during this\n request.\n [#3545](https://github.com/Kong/kong/pull/3545)\n\n##### Core\n\n- :fireworks: **Execute plugins on Nginx-produced errors.** Now, when Nginx\n produces a 4xx error (upon invalid requests) or 5xx (upon failure from the\n load balancer to connect to a Service), Kong will execute the response phases\n of its plugins (`header_filter`, `body_filter`, `log`). As such, Kong logging\n plugins are not blind to such Nginx-produced errors anymore, and will start\n properly reporting them. Plugins should be built defensively against cases\n where their `rewrite` or `access` phases were not executed.\n [#3533](https://github.com/Kong/kong/pull/3533)\n- :fireworks: **Support for cookie-based load balancing!**\n [#3472](https://github.com/Kong/kong/pull/3472)\n\n##### Plugins\n\n- :fireworks: **Introduction of the Plugin Development Kit!** A set of Lua\n functions and variables that will greatly ease and speed up the task of\n developing custom plugins.\n The Plugin Development Kit (PDK) allows the retrieval and manipulation of the\n request and response objects, as well as interacting with various core\n components (e.g. logging, load balancing, DAO, etc...) without having to rely\n on OpenResty functions, and with the guarantee of their forward-compatibility\n with future versions of Kong.\n [#3556](https://github.com/Kong/kong/pull/3556)\n- :fireworks: **New bundled plugin: Zipkin**! This plugin allows Kong to sample\n traces and report them to a running Zipkin instance.\n (See: https://github.com/Kong/kong-plugin-zipkin)\n [#3434](https://github.com/Kong/kong/pull/3434)\n- :fireworks: **New bundled plugin: Prometheus**! This plugin allows Kong to\n expose metrics in the Prometheus Exposition format. Available metrics include\n HTTP status codes, latencies histogram, bandwidth, and more...\n (See: https://github.com/Kong/kong-plugin-prometheus)\n [#3547](https://github.com/Kong/kong/pull/3547)\n- :fireworks: **New bundled plugin: Azure Functions**! This plugin can be used\n to invoke [Microsoft Azure\n Functions](https://azure.microsoft.com/en-us/services/functions/), similarly\n to the already existing AWS Lambda and OpenWhisk plugins.\n (See: https://github.com/Kong/kong-plugin-azure-functions)\n [#3428](https://github.com/Kong/kong/pull/3428)\n- :fireworks: **New bundled plugin: Serverless Functions**! Dynamically run Lua\n without having to write a full-fledged plugin. Lua code snippets can be\n uploaded via the Admin API and be executed during Kong's `access` phase.\n (See: https://github.com/Kong/kong-plugin-serverless-functions)\n [#3551](https://github.com/Kong/kong/pull/3551)\n- jwt: Support for limiting the allowed expiration period of JWT tokens. A new\n `config.maximum_expiration` property can be set to indicate the maximum\n number of seconds the `exp` claim may be ahead in the future.\n Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch!\n [#3331](https://github.com/Kong/kong/pull/3331)\n- aws-lambda: Add `us-gov-west-1` to the list of allowed regions.\n [#3529](https://github.com/Kong/kong/pull/3529)\n\n##### Admin API\n\n- :fireworks: Support for `PUT` in new endpoints (e.g. `/services/{id or\n name}`, `/routes/{id}`, `/consumers/{id or username}`), allowing the\n development of idempotent configuration workflows when scripting the Admin\n API.\n [#3416](https://github.com/Kong/kong/pull/3416)\n- Support for `PATCH` and `DELETE` on the `/services/{name}`,\n `/consumers/{username}`, and `/snis/{name}` endpoints.\n [#3416](https://github.com/Kong/kong/pull/3416)\n\n### Fixes\n\n##### Configuration\n\n- Properly support IPv6 addresses in `proxy_listen` and `admin_listen`\n configuration properties.\n [#3508](https://github.com/Kong/kong/pull/3508)\n\n##### Core\n\n- IPv6 nameservers with a scope are now ignored by the DNS resolver.\n [#3478](https://github.com/Kong/kong/pull/3478)\n- SRV records without a port number now returns the default port instead of\n `0`.\n [#3478](https://github.com/Kong/kong/pull/3478)\n- Ensure DNS-based round robin load balancing starts at a randomized position\n to prevent all Nginx workers from starting with the same peer.\n [#3478](https://github.com/Kong/kong/pull/3478)\n- Properly report timeouts in passive health checks. Previously, connection\n timeouts were counted as `tcp_failures`, and upstream timeouts were ignored.\n Health check users should ensure that their `timeout` settings reflect their\n intended behavior.\n [#3539](https://github.com/Kong/kong/pull/3539)\n- Ensure active health check probe requests send the `Host` header.\n [#3496](https://github.com/Kong/kong/pull/3496)\n- Overall, more reliable health checks healthiness counters behavior.\n [#3496](https://github.com/Kong/kong/pull/3496)\n- Do not set `Content-Type` headers on HTTP 204 No Content responses.\n [#3351](https://github.com/Kong/kong/pull/3351)\n- Ensure the PostgreSQL connector of the new DAO (used by Services, Routes,\n Consumers, and SSL certs/SNIs) is now fully re-entrant and properly behaves\n in busy workloads (e.g. scripting requests to the Admin API).\n [#3423](https://github.com/Kong/kong/pull/3423)\n- Properly route HTTP/1.0 requests without a Host header when using the old\n deprecated \"API\" entity.\n [#3438](https://github.com/Kong/kong/pull/3438)\n- Ensure that all Kong-produced errors respect the `headers` configuration\n setting (previously `server_tokens`) and do not include the `Server` header\n if not configured.\n [#3511](https://github.com/Kong/kong/pull/3511)\n- Harden an existing Cassandra migration.\n [#3532](https://github.com/Kong/kong/pull/3532)\n- Prevent the load balancer from needlessly rebuilding its state when creating\n Targets.\n [#3477](https://github.com/Kong/kong/pull/3477)\n- Prevent some harmless error logs to be printed during startup when\n initialization takes more than a few seconds.\n [#3443](https://github.com/Kong/kong/pull/3443)\n\n##### Plugins\n\n- hmac: Ensure that empty request bodies do not pass validation if there is no\n digest header.\n Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch!\n [#3347](https://github.com/Kong/kong/pull/3347)\n- response-transformer: Prevent the plugin from throwing an error when its\n `access` handler did not get a chance to run (e.g. on short-circuited,\n unauthorized requests).\n [#3524](https://github.com/Kong/kong/pull/3524)\n- aws-lambda: Ensure logging plugins subsequently run when this plugin\n terminates.\n [#3512](https://github.com/Kong/kong/pull/3512)\n- request-termination: Ensure logging plugins subsequently run when this plugin\n terminates.\n [#3513](https://github.com/Kong/kong/pull/3513)\n\n##### Admin API\n\n- Requests to `/healthy` and `/unhealthy` endpoints for upstream health checks\n now properly propagate the new state to other nodes of a Kong cluster.\n [#3464](https://github.com/Kong/kong/pull/3464)\n- Do not produce an HTTP 500 error when POST-ing to `/services` with an empty\n `url` argument.\n [#3452](https://github.com/Kong/kong/pull/3452)\n- Ensure foreign keys are required when creating child entities (e.g.\n `service.id` when creating a Route). Previously some rows could have an empty\n `service_id` field.\n [#3548](https://github.com/Kong/kong/pull/3548)\n- Better type inference in new endpoints (e.g. `/services`, `/routes`,\n `/consumers`) when using `application/x-www-form-urlencoded` MIME type.\n [#3416](https://github.com/Kong/kong/pull/3416)\n\n[Back to TOC](#table-of-contents)\n\n## [0.13.1] - 2018/04/23\n\nThis release contains numerous bug fixes and a few convenience features.\nNotably, a best-effort/backwards-compatible approach is followed to resolve\n`no memory` errors caused by the fragmentation of shared memory between the\ncore and plugins.\n\n### Added\n\n##### Core\n\n- Cache misses are now stored in a separate shared memory zone from hits if\n such a zone is defined. This reduces cache turnover and can increase the\n cache hit ratio quite considerably.\n Users with a custom Nginx template are advised to define such a zone to\n benefit from this behavior:\n `lua_shared_dict kong_db_cache_miss 12m;`.\n- We now ensure that the Cassandra or PostgreSQL instance Kong is connecting\n to falls within the supported version range. Deprecated versions result in\n warning logs. As a reminder, Kong 0.13.x supports Cassandra 2.2+,\n and PostgreSQL 9.5+. Cassandra 2.1 and PostgreSQL 9.4 are supported, but\n deprecated.\n [#3310](https://github.com/Kong/kong/pull/3310)\n- HTTP 494 errors thrown by Nginx are now caught by Kong and produce a native,\n Kong-friendly response.\n Thanks [@ti-mo](https://github.com/ti-mo) for the contribution!\n [#3112](https://github.com/Kong/kong/pull/3112)\n\n##### CLI\n\n- Report errors when compiling custom Nginx templates.\n [#3294](https://github.com/Kong/kong/pull/3294)\n\n##### Admin API\n\n- Friendlier behavior of Routes schema validation: PATCH requests can be made\n without specifying all three of `methods`, `hosts`, or `paths` if at least\n one of the three is specified in the body.\n [#3364](https://github.com/Kong/kong/pull/3364)\n\n##### Plugins\n\n- jwt: Support for identity providers using JWKS by ensuring the\n `config.key_claim_name` values is looked for in the token header.\n Thanks [@brycehemme](https://github.com/brycehemme) for the contribution!\n [#3313](https://github.com/Kong/kong/pull/3313)\n- basic-auth: Allow specifying empty passwords.\n Thanks [@zhouzhuojie](https://github.com/zhouzhuojie) and\n [@perryao](https://github.com/perryao) for the contributions!\n [#3243](https://github.com/Kong/kong/pull/3243)\n\n### Fixed\n\n##### Core\n\n- Numerous users have reported `no memory` errors which were caused by\n circumstantial memory fragmentation. Such errors, while still possible if\n plugin authors are not careful, should now mostly be addressed.\n [#3311](https://github.com/Kong/kong/pull/3311)\n\n **If you are using a custom Nginx template, be sure to define the following\n shared memory zones to benefit from these fixes**:\n\n ```\n lua_shared_dict kong_db_cache_miss 12m;\n lua_shared_dict kong_rate_limiting_counters 12m;\n ```\n\n##### CLI\n\n- Redirect Nginx's stdout and stderr output to `kong start` when\n `nginx_daemon` is enabled (such as when using the Kong Docker image). This\n also prevents growing log files when Nginx redirects logs to `/dev/stdout`\n and `/dev/stderr` but `nginx_daemon` is disabled.\n [#3297](https://github.com/Kong/kong/pull/3297)\n\n##### Admin API\n\n- Set a Service's `port` to `443` when the `url` convenience parameter uses\n the `https://` scheme.\n [#3358](https://github.com/Kong/kong/pull/3358)\n- Ensure PATCH requests do not return an error when un-setting foreign key\n fields with JSON `null`.\n [#3355](https://github.com/Kong/kong/pull/3355)\n- Ensure the `/plugin/schema/:name` endpoint does not corrupt plugins' schemas.\n [#3348](https://github.com/Kong/kong/pull/3348)\n- Properly URL-decode path segments of plugins endpoints accepting spaces\n (e.g. `/consumers//basic-auth/John%20Doe/`).\n [#3250](https://github.com/Kong/kong/pull/3250)\n- Properly serialize boolean filtering values when using Cassandra.\n [#3362](https://github.com/Kong/kong/pull/3362)\n\n##### Plugins\n\n- rate-limiting/response-rate-limiting:\n - If defined in the Nginx configuration, will use a dedicated\n `lua_shared_dict` instead of using the `kong_cache` shared memory zone.\n This prevents memory fragmentation issues resulting in `no memory` errors\n observed by numerous users. Users with a custom Nginx template are advised\n to define such a zone to benefit from this fix:\n `lua_shared_dict kong_rate_limiting_counters 12m;`.\n [#3311](https://github.com/Kong/kong/pull/3311)\n - When using the Redis strategy, ensure the correct Redis database is\n selected. This issue could occur when several request and response\n rate-limiting were configured using different Redis databases.\n Thanks [@mengskysama](https://github.com/mengskysama) for the patch!\n [#3293](https://github.com/Kong/kong/pull/3293)\n- key-auth: Respect request MIME type when re-encoding the request body\n if both `config.key_in_body` and `config.hide_credentials` are enabled.\n Thanks [@p0pr0ck5](https://github.com/p0pr0ck5) for the patch!\n [#3213](https://github.com/Kong/kong/pull/3213)\n- oauth2: Return HTTP 400 on invalid `scope` type.\n Thanks [@Gman98ish](https://github.com/Gman98ish) for the patch!\n [#3206](https://github.com/Kong/kong/pull/3206)\n- ldap-auth: Ensure the plugin does not throw errors when configured as a\n global plugin.\n [#3354](https://github.com/Kong/kong/pull/3354)\n- hmac-auth: Verify signature against non-normalized (`$request_uri`) request\n line (instead of `$uri`).\n [#3339](https://github.com/Kong/kong/pull/3339)\n- aws-lambda: Fix a typo in upstream headers sent to the function. We now\n properly send the `X-Amz-Log-Type` header.\n [#3398](https://github.com/Kong/kong/pull/3398)\n\n[Back to TOC](#table-of-contents)\n\n## [0.13.0] - 2018/03/22\n\nThis release introduces two new core entities that will improve the way you\nconfigure Kong: **Routes** & **Services**. Those entities replace the \"API\"\nentity and simplify the setup of non-naive use-cases by providing better\nseparation of concerns and allowing for plugins to be applied to specific\n**endpoints**.\n\nAs usual, major version upgrades require database migrations and changes to\nthe Nginx configuration file (if you customized the default template).\nPlease take a few minutes to read the [0.13 Upgrade\nPath](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-013x) for\nmore details regarding breaking changes and migrations before planning to\nupgrade your Kong cluster.\n\n### Breaking Changes\n\n##### Configuration\n\n- :warning: The `proxy_listen` and `admin_listen` configuration values have a\n new syntax. This syntax is more aligned with that of NGINX and is more\n powerful while also simpler. As a result, the following configuration values\n have been removed because superfluous: `ssl`, `admin_ssl`, `http2`,\n `admin_http2`, `proxy_listen_ssl`, and `admin_listen_ssl`.\n [#3147](https://github.com/Kong/kong/pull/3147)\n\n##### Plugins\n\n- :warning: galileo: As part of the Galileo deprecation path, the galileo\n plugin is not enabled by default anymore, although still bundled with 0.13.\n Users are advised to stop using the plugin, but for the time being can keep\n enabling it by adding it to the `custom_plugin` configuration value.\n [#3233](https://github.com/Kong/kong/pull/3233)\n- :warning: rate-limiting (Cassandra): The default migration for including\n Routes and Services in plugins will remove and re-create the Cassandra\n rate-limiting counters table. This means that users that were rate-limited\n because of excessive API consumption will be able to consume the API until\n they reach their limit again. There is no such data deletion in PostgreSQL.\n [def201f](https://github.com/Kong/kong/commit/def201f566ccf2dd9b670e2f38e401a0450b1cb5)\n\n### Changes\n\n##### Dependencies\n\n- **Note to Docker users**: The `latest` tag on Docker Hub now points to the\n **alpine** image instead of CentOS. This also applies to the `0.13.0` tag.\n- The OpenResty version shipped with our default packages has been bumped to\n `1.13.6.1`. The 0.13.0 release should still be compatible with the OpenResty\n `1.11.2.x` series for the time being.\n- Bumped [lua-resty-dns-client](https://github.com/Kong/lua-resty-dns-client)\n to `2.0.0`.\n [#3220](https://github.com/Kong/kong/pull/3220)\n- Bumped [lua-resty-http](https://github.com/pintsized/lua-resty-http) to\n `0.12`.\n [#3196](https://github.com/Kong/kong/pull/3196)\n- Bumped [lua-multipart](https://github.com/Kong/lua-multipart) to `0.5.5`.\n [#3318](https://github.com/Kong/kong/pull/3318)\n- Bumped [lua-resty-healthcheck](https://github.com/Kong/lua-resty-healthcheck)\n to `0.4.0`.\n [#3321](https://github.com/Kong/kong/pull/3321)\n\n### Additions\n\n##### Configuration\n\n- :fireworks: Support for **control-plane** and **data-plane** modes. The new\n syntax of `proxy_listen` and `admin_listen` supports `off`, which\n disables either one of those interfaces. It is now simpler than ever to\n make a Kong node \"Proxy only\" (data-plane) or \"Admin only\" (control-plane).\n [#3147](https://github.com/Kong/kong/pull/3147)\n\n##### Core\n\n- :fireworks: This release introduces two new entities: **Routes** and\n **Services**. Those entities will provide a better separation of concerns\n than the \"API\" entity offers. Routes will define rules for matching a\n client's request (e.g., method, host, path...), and Services will represent\n upstream services (or backends) that Kong should proxy those requests to.\n Plugins can also be added to both Routes and Services, enabling use-cases to\n apply plugins more granularly (e.g., per endpoint).\n Following this addition, the API entity and related Admin API endpoints are\n now deprecated. This release is backwards-compatible with the previous model\n and all of your currently defined APIs and matching rules are still\n supported, although we advise users to migrate to Routes and Services as soon\n as possible.\n [#3224](https://github.com/Kong/kong/pull/3224)\n\n##### Admin API\n\n- :fireworks: New endpoints: `/routes` and `/services` to interact with the new\n core entities. More specific endpoints are also available such as\n `/services/{service id or name}/routes`,\n `/services/{service id or name}/plugins`, and `/routes/{route id}/plugins`.\n [#3224](https://github.com/Kong/kong/pull/3224)\n- :fireworks: Our new endpoints (listed above) provide much better responses\n with regards to producing responses for incomplete entities, errors, etc...\n In the future, existing endpoints will gradually be moved to using this new\n Admin API content producer.\n [#3224](https://github.com/Kong/kong/pull/3224)\n- :fireworks: Improved argument parsing in form-urlencoded requests to the new\n endpoints as well.\n Kong now expects the following syntaxes for representing\n arrays: `hosts[]=a.com&hosts[]=b.com`, `hosts[1]=a.com&hosts[2]=b.com`, which\n avoid comma-separated arrays and related issues that can arise.\n In the future, existing endpoints will gradually be moved to using this new\n Admin API content parser.\n [#3224](https://github.com/Kong/kong/pull/3224)\n\n##### Plugins\n\n- jwt: `ngx.ctx.authenticated_jwt_token` is available for other plugins to use.\n [#2988](https://github.com/Kong/kong/pull/2988)\n- statsd: The fields `host`, `port` and `metrics` are no longer marked as\n \"required\", since they have a default value.\n [#3209](https://github.com/Kong/kong/pull/3209)\n\n### Fixes\n\n##### Core\n\n- Fix an issue causing nodes in a cluster to use the default health checks\n configuration when the user configured them from another node (event\n propagated via the cluster).\n [#3319](https://github.com/Kong/kong/pull/3319)\n- Increase the default load balancer wheel size from 100 to 10.000. This allows\n for a better distribution of the load between Targets in general.\n [#3296](https://github.com/Kong/kong/pull/3296)\n\n##### Admin API\n\n- Fix several issues with application/multipart MIME type parsing of payloads.\n [#3318](https://github.com/Kong/kong/pull/3318)\n- Fix several issues with the parsing of health checks configuration values.\n [#3306](https://github.com/Kong/kong/pull/3306)\n [#3321](https://github.com/Kong/kong/pull/3321)\n\n[Back to TOC](#table-of-contents)\n\n## [0.12.3] - 2018/03/12\n\n### Fixed\n\n- Suppress a memory leak in the core introduced in 0.12.2.\n Thanks [@mengskysama](https://github.com/mengskysama) for the report.\n [#3278](https://github.com/Kong/kong/pull/3278)\n\n[Back to TOC](#table-of-contents)\n\n## [0.12.2] - 2018/02/28\n\n### Added\n\n##### Core\n\n- Load balancers now log DNS errors to facilitate debugging.\n [#3177](https://github.com/Kong/kong/pull/3177)\n- Reports now can include custom immutable values.\n [#3180](https://github.com/Kong/kong/pull/3180)\n\n##### CLI\n\n- The `kong migrations reset` command has a new `--yes` flag. This flag makes\n the command run non-interactively, and ensures no confirmation prompt will\n occur.\n [#3189](https://github.com/Kong/kong/pull/3189)\n\n##### Admin API\n\n- A new endpoint `/upstreams/:upstream_id/health` will return the health of the\n specified upstream.\n [#3232](https://github.com/Kong/kong/pull/3232)\n- The `/` endpoint in the Admin API now exposes the `node_id` field.\n [#3234](https://github.com/Kong/kong/pull/3234)\n\n### Fixed\n\n##### Core\n\n- HTTP/1.0 requests without a Host header are routed instead of being rejected.\n HTTP/1.1 requests without a Host are considered invalid and will still be\n rejected.\n Thanks to [@rainiest](https://github.com/rainest) for the patch!\n [#3216](https://github.com/Kong/kong/pull/3216)\n- Fix the load balancer initialization when some Targets would contain\n hostnames.\n [#3187](https://github.com/Kong/kong/pull/3187)\n- Fix incomplete handling of errors when initializing DAO objects.\n [637532e](https://github.com/Kong/kong/commit/637532e05d8ed9a921b5de861cc7f463e96c6e04)\n- Remove bogus errors in the logs provoked by healthcheckers between the time\n they are unregistered and the time they are garbage-collected\n ([#3207](https://github.com/Kong/kong/pull/3207)) and when receiving an HTTP\n status not tracked by healthy or unhealthy lists\n ([c8eb5ae](https://github.com/Kong/kong/commit/c8eb5ae28147fc02473c05a7b1dbf502fbb64242)).\n- Fix soft errors not being handled correctly inside the Kong cache.\n [#3150](https://github.com/Kong/kong/pull/3150)\n\n##### Migrations\n\n- Better handling of already existing Cassandra keyspaces in migrations.\n [#3203](https://github.com/Kong/kong/pull/3203).\n Thanks to [@pamiel](https://github.com/pamiel) for the patch!\n\n##### Admin API\n\n- Ensure `GET /certificates/{uuid}` does not return HTTP 500 when the given\n identifier does not exist.\n Thanks to [@vdesjardins](https://github.com/vdesjardins) for the patch!\n [#3148](https://github.com/Kong/kong/pull/3148)\n\n[Back to TOC](#table-of-contents)\n\n## [0.12.1] - 2018/01/18\n\nThis release addresses a few issues encountered with 0.12.0, including one\nwhich would prevent upgrading from a previous version. The [0.12 Upgrade\nPath](https://github.com/Kong/kong/blob/master/UPGRADE.md)\nis still relevant for upgrading existing clusters to 0.12.1.\n\n### Fixed\n\n- Fix a migration between previous Kong versions and 0.12.0.\n [#3159](https://github.com/Kong/kong/pull/3159)\n- Ensure Lua errors are propagated when thrown in the `access` handler by\n plugins.\n [38580ff](https://github.com/Kong/kong/commit/38580ff547cbd4a557829e3ad135cd6a0f821f7c)\n\n[Back to TOC](#table-of-contents)\n\n## [0.12.0] - 2018/01/16\n\nThis major release focuses on two new features we are very excited about:\n**health checks** and **hash based load balancing**!\n\nWe also took this as an opportunity to fix a few prominent issues, sometimes\nat the expense of breaking changes but overall improving the flexibility and\nusability of Kong! Do keep in mind that this is a major release, and as such,\nthat we require of you to run the **migrations step**, via the\n`kong migrations up` command.\n\nPlease take a few minutes to thoroughly read the [0.12 Upgrade\nPath](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-012x)\nfor more details regarding breaking changes and migrations before planning to\nupgrade your Kong cluster.\n\n### Deprecation notices\n\nStarting with 0.12.0, we are announcing the deprecation of older versions\nof our supported databases:\n\n- Support for PostgreSQL 9.4 is deprecated. Users are advised to upgrade to\n 9.5+\n- Support for Cassandra 2.1 and below is deprecated. Users are advised to\n upgrade to 2.2+\n\nNote that the above deprecated versions are still supported in this release,\nbut will be dropped in subsequent ones.\n\n### Breaking changes\n\n##### Core\n\n- :warning: The required OpenResty version has been bumped to 1.11.2.5. If you\n are installing Kong from one of our distribution packages, you are not\n affected by this change.\n [#3097](https://github.com/Kong/kong/pull/3097)\n- :warning: As Kong now executes subsequent plugins when a request is being\n short-circuited (e.g. HTTP 401 responses from auth plugins), plugins that\n run in the header or body filter phases will be run upon such responses\n from the access phase. We consider this change a big improvement in the\n Kong run-loop as it allows for more flexibility for plugins. However, it is\n unlikely, but possible that some of these plugins (e.g. your custom plugins)\n now run in scenarios where they were not previously expected to run.\n [#3079](https://github.com/Kong/kong/pull/3079)\n\n##### Admin API\n\n- :warning: By default, the Admin API now only listens on the local interface.\n We consider this change to be an improvement in the default security policy\n of Kong. If you are already using Kong, and your Admin API still binds to all\n interfaces, consider updating it as well. You can do so by updating the\n `admin_listen` configuration value, like so: `admin_listen = 127.0.0.1:8001`.\n Thanks [@pduldig-at-tw](https://github.com/pduldig-at-tw) for the suggestion\n and the patch.\n [#3016](https://github.com/Kong/kong/pull/3016)\n\n :red_circle: **Note to Docker users**: Beware of this change as you may have\n to ensure that your Admin API is reachable via the host's interface.\n You can use the `-e KONG_ADMIN_LISTEN` argument when provisioning your\n container(s) to update this value; for example,\n `-e KONG_ADMIN_LISTEN=0.0.0.0:8001`.\n\n- :warning: To reduce confusion, the `/upstreams/:upstream_name_or_id/targets/`\n has been updated to not show the full list of Targets anymore, but only\n the ones that are currently active in the load balancer. To retrieve the full\n history of Targets, you can now query\n `/upstreams/:upstream_name_or_id/targets/all`. The\n `/upstreams/:upstream_name_or_id/targets/active` endpoint has been removed.\n Thanks [@hbagdi](https://github.com/hbagdi) for tackling this backlog item!\n [#3049](https://github.com/Kong/kong/pull/3049)\n- :warning: The `orderlist` property of Upstreams has been removed, along with\n any confusion it may have brought. The balancer is now able to fully function\n without it, yet with the same level of entropy in its load distribution.\n [#2748](https://github.com/Kong/kong/pull/2748)\n\n##### CLI\n\n- :warning: The `$ kong compile` command which was deprecated in 0.11.0 has\n been removed.\n [#3069](https://github.com/Kong/kong/pull/3069)\n\n##### Plugins\n\n- :warning: In logging plugins, the `request.request_uri` field has been\n renamed to `request.url`.\n [#2445](https://github.com/Kong/kong/pull/2445)\n [#3098](https://github.com/Kong/kong/pull/3098)\n\n### Added\n\n##### Core\n\n- :fireworks: Support for **health checks**! Kong can now short-circuit some\n of your upstream Targets (replicas) from its load balancer when it encounters\n too many TCP or HTTP errors. You can configure the number of failures, or the\n HTTP status codes that should be considered invalid, and Kong will monitor\n the failures and successes of proxied requests to each upstream Target. We\n call this feature **passive health checks**.\n Additionally, you can configure **active health checks**, which will make\n Kong perform periodic HTTP test requests to actively monitor the health of\n your upstream services, and pre-emptively short-circuit them.\n Upstream Targets can be manually taken up or down via two new Admin API\n endpoints: `/healthy` and `/unhealthy`.\n [#3096](https://github.com/Kong/kong/pull/3096)\n- :fireworks: Support for **hash based load balancing**! Kong now offers\n consistent hashing/sticky sessions load balancing capabilities via the new\n `hash_*` attributes of the Upstream entity. Hashes can be based off client\n IPs, request headers, or Consumers!\n [#2875](https://github.com/Kong/kong/pull/2875)\n- :fireworks: Logging plugins now log requests that were short-circuited by\n Kong! (e.g. HTTP 401 responses from auth plugins or HTTP 429 responses from\n rate limiting plugins, etc.) Kong now executes any subsequent plugins once a\n request has been short-circuited. Your plugin must be using the\n `kong.tools.responses` module for this behavior to be respected.\n [#3079](https://github.com/Kong/kong/pull/3079)\n- Kong is now compatible with OpenResty up to version 1.13.6.1. Be aware that\n the recommended (and default) version shipped with this release is still\n 1.11.2.5.\n [#3070](https://github.com/Kong/kong/pull/3070)\n\n##### CLI\n\n- `$ kong start` now considers the commonly used `/opt/openresty` prefix when\n searching for the `nginx` executable.\n [#3074](https://github.com/Kong/kong/pull/3074)\n\n##### Admin API\n\n- Two new endpoints, `/healthy` and `/unhealthy` can be used to manually bring\n upstream Targets up or down, as part of the new health checks feature of the\n load balancer.\n [#3096](https://github.com/Kong/kong/pull/3096)\n\n##### Plugins\n\n- logging plugins: A new field `upstream_uri` now logs the value of the\n upstream request's path. This is useful to help debugging plugins or setups\n that aim at rewriting a request's URL during proxying.\n Thanks [@shiprabehera](https://github.com/shiprabehera) for the patch!\n [#2445](https://github.com/Kong/kong/pull/2445)\n- tcp-log: Support for TLS handshake with the logs recipients for secure\n transmissions of logging data.\n [#3091](https://github.com/Kong/kong/pull/3091)\n- jwt: Support for JWTs passed in cookies. Use the new `config.cookie_names`\n property to configure the behavior to your liking.\n Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch!\n [#2974](https://github.com/Kong/kong/pull/2974)\n- oauth2\n - New `config.auth_header_name` property to customize the authorization\n header's name.\n Thanks [@supraja93](https://github.com/supraja93)\n [#2928](https://github.com/Kong/kong/pull/2928)\n - New `config.refresh_ttl` property to customize the TTL of refresh tokens,\n previously hard-coded to 14 days.\n Thanks [@bob983](https://github.com/bob983) for the patch!\n [#2942](https://github.com/Kong/kong/pull/2942)\n - Avoid an error in the logs when trying to retrieve an access token from\n a request without a body.\n Thanks [@WALL-E](https://github.com/WALL-E) for the patch.\n [#3063](https://github.com/Kong/kong/pull/3063)\n- ldap: New `config.header_type` property to customize the authorization method\n in the `Authorization` header.\n Thanks [@francois-maillard](https://github.com/francois-maillard) for the\n patch!\n [#2963](https://github.com/Kong/kong/pull/2963)\n\n### Fixed\n\n##### CLI\n\n- Fix a potential vulnerability in which an attacker could read the Kong\n configuration file with insufficient permissions for a short window of time\n while Kong is being started.\n [#3057](https://github.com/Kong/kong/pull/3057)\n- Proper log message upon timeout in `$ kong quit`.\n [#3061](https://github.com/Kong/kong/pull/3061)\n\n##### Admin API\n\n- The `/certificates` endpoint now properly supports the `snis` parameter\n in PUT and PATCH requests.\n Thanks [@hbagdi](https://github.com/hbagdi) for the contribution!\n [#3040](https://github.com/Kong/kong/pull/3040)\n- Avoid sending the `HTTP/1.1 415 Unsupported Content Type` response when\n receiving a request with a valid `Content-Type`, but with an empty payload.\n [#3077](https://github.com/Kong/kong/pull/3077)\n\n##### Plugins\n\n- basic-auth:\n - Accept passwords containing `:`.\n Thanks [@nico-acidtango](https://github.com/nico-acidtango) for the patch!\n [#3014](https://github.com/Kong/kong/pull/3014)\n - Performance improvements, courtesy of\n [@nico-acidtango](https://github.com/nico-acidtango)\n [#3014](https://github.com/Kong/kong/pull/3014)\n\n[Back to TOC](#table-of-contents)\n\n## [0.11.2] - 2017/11/29\n\n### Added\n\n##### Plugins\n\n- key-auth: New endpoints to manipulate API keys.\n Thanks [@hbagdi](https://github.com/hbagdi) for the contribution.\n [#2955](https://github.com/Kong/kong/pull/2955)\n - `/key-auths/` to paginate through all keys.\n - `/key-auths/:credential_key_or_id/consumer` to retrieve the Consumer\n associated with a key.\n- basic-auth: New endpoints to manipulate basic-auth credentials.\n Thanks [@hbagdi](https://github.com/hbagdi) for the contribution.\n [#2998](https://github.com/Kong/kong/pull/2998)\n - `/basic-auths/` to paginate through all basic-auth credentials.\n - `/basic-auths/:credential_username_or_id/consumer` to retrieve the\n Consumer associated with a credential.\n- jwt: New endpoints to manipulate JWTs.\n Thanks [@hbagdi](https://github.com/hbagdi) for the contribution.\n [#3003](https://github.com/Kong/kong/pull/3003)\n - `/jwts/` to paginate through all JWTs.\n - `/jwts/:jwt_key_or_id/consumer` to retrieve the Consumer\n associated with a JWT.\n- hmac-auth: New endpoints to manipulate hmac-auth credentials.\n Thanks [@hbagdi](https://github.com/hbagdi) for the contribution.\n [#3009](https://github.com/Kong/kong/pull/3009)\n - `/hmac-auths/` to paginate through all hmac-auth credentials.\n - `/hmac-auths/:hmac_username_or_id/consumer` to retrieve the Consumer\n associated with a credential.\n- acl: New endpoints to manipulate ACLs.\n Thanks [@hbagdi](https://github.com/hbagdi) for the contribution.\n [#3039](https://github.com/Kong/kong/pull/3039)\n - `/acls/` to paginate through all ACLs.\n - `/acls/:acl_id/consumer` to retrieve the Consumer\n associated with an ACL.\n\n### Fixed\n\n##### Core\n\n- Avoid logging some unharmful error messages related to clustering.\n [#3002](https://github.com/Kong/kong/pull/3002)\n- Improve performance and memory footprint when parsing multipart request\n bodies.\n [Kong/lua-multipart#13](https://github.com/Kong/lua-multipart/pull/13)\n\n##### Configuration\n\n- Add a format check for the `admin_listen_ssl` property, ensuring it contains\n a valid port.\n [#3031](https://github.com/Kong/kong/pull/3031)\n\n##### Admin API\n\n- PUT requests with payloads containing non-existing primary keys for entities\n now return HTTP 404 Not Found, instead of HTTP 200 OK without a response\n body.\n [#3007](https://github.com/Kong/kong/pull/3007)\n- On the `/` endpoint, ensure `enabled_in_cluster` shows up as an empty JSON\n Array (`[]`), instead of an empty JSON Object (`{}`).\n Thanks [@hbagdi](https://github.com/hbagdi) for the patch!\n [#2982](https://github.com/Kong/kong/issues/2982)\n\n##### Plugins\n\n- hmac-auth: Better parsing of the `Authorization` header to avoid internal\n errors resulting in HTTP 500.\n Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch!\n [#2996](https://github.com/Kong/kong/pull/2996)\n- Improve the performance of the rate-limiting and response-rate-limiting\n plugins when using the Redis policy.\n [#2956](https://github.com/Kong/kong/pull/2956)\n- Improve the performance of the response-transformer plugin.\n [#2977](https://github.com/Kong/kong/pull/2977)\n\n## [0.11.1] - 2017/10/24\n\n### Changed\n\n##### Configuration\n\n- Drop the `lua_code_cache` configuration property. This setting has been\n considered harmful since 0.11.0 as it interferes with Kong's internals.\n [#2854](https://github.com/Kong/kong/pull/2854)\n\n### Fixed\n\n##### Core\n\n- DNS: SRV records pointing to an A record are now properly handled by the\n load balancer when `preserve_host` is disabled. Such records used to throw\n Lua errors on the proxy code path.\n [Kong/lua-resty-dns-client#19](https://github.com/Kong/lua-resty-dns-client/pull/19)\n- Fixed an edge-case where `preserve_host` would sometimes craft an upstream\n request with a Host header from a previous client request instead of the\n current one.\n [#2832](https://github.com/Kong/kong/pull/2832)\n- Ensure APIs with regex URIs are evaluated in the order that they are created.\n [#2924](https://github.com/Kong/kong/pull/2924)\n- Fixed a typo that caused the load balancing components to ignore the Upstream\n slots property.\n [#2747](https://github.com/Kong/kong/pull/2747)\n\n##### CLI\n\n- Fixed the verification of self-signed SSL certificates for PostgreSQL and\n Cassandra in the `kong migrations` command. Self-signed SSL certificates are\n now properly verified during migrations according to the\n `lua_ssl_trusted_certificate` configuration property.\n [#2908](https://github.com/Kong/kong/pull/2908)\n\n##### Admin API\n\n- The `/upstream/{upstream}/targets/active` endpoint used to return HTTP\n `405 Method Not Allowed` when called with a trailing slash. Both notations\n (with and without the trailing slash) are now supported.\n [#2884](https://github.com/Kong/kong/pull/2884)\n\n##### Plugins\n\n- bot-detection: Fixed an issue which would prevent the plugin from running and\n result in an HTTP `500` error if configured globally.\n [#2906](https://github.com/Kong/kong/pull/2906)\n- ip-restriction: Fixed support for the `0.0.0.0/0` CIDR block. This block is\n now supported and won't trigger an error when used in this plugin's properties.\n [#2918](https://github.com/Kong/kong/pull/2918)\n\n### Added\n\n##### Plugins\n\n- aws-lambda: Added support to forward the client request's HTTP method,\n headers, URI, and body to the Lambda function.\n [#2823](https://github.com/Kong/kong/pull/2823)\n- key-auth: New `run_on_preflight` configuration option to control\n authentication on preflight requests.\n [#2857](https://github.com/Kong/kong/pull/2857)\n- jwt: New `run_on_preflight` configuration option to control authentication\n on preflight requests.\n [#2857](https://github.com/Kong/kong/pull/2857)\n\n##### Plugin development\n\n- Ensure migrations have valid, unique names to avoid conflicts between custom\n plugins.\n Thanks [@ikogan](https://github.com/ikogan) for the patch!\n [#2821](https://github.com/Kong/kong/pull/2821)\n\n### Improved\n\n##### Migrations & Deployments\n\n- Improve migrations reliability for future major releases.\n [#2869](https://github.com/Kong/kong/pull/2869)\n\n##### Plugins\n\n- Improve the performance of the acl and oauth2 plugins.\n [#2736](https://github.com/Kong/kong/pull/2736)\n [#2806](https://github.com/Kong/kong/pull/2806)\n\n[Back to TOC](#table-of-contents)\n\n## [0.10.4] - 2017/10/24\n\n### Fixed\n\n##### Core\n\n- DNS: SRV records pointing to an A record are now properly handled by the\n load balancer when `preserve_host` is disabled. Such records used to throw\n Lua errors on the proxy code path.\n [Kong/lua-resty-dns-client#19](https://github.com/Kong/lua-resty-dns-client/pull/19)\n- HTTP `400` errors thrown by Nginx are now correctly caught by Kong and return\n a native, Kong-friendly response.\n [#2476](https://github.com/Mashape/kong/pull/2476)\n- Fix an edge-case where an API with multiple `uris` and `strip_uri = true`\n would not always strip the client URI.\n [#2562](https://github.com/Mashape/kong/issues/2562)\n- Fix an issue where Kong would match an API with a shorter URI (from its\n `uris` value) as a prefix instead of a longer, matching prefix from\n another API.\n [#2662](https://github.com/Mashape/kong/issues/2662)\n- Fixed a typo that caused the load balancing components to ignore the\n Upstream `slots` property.\n [#2747](https://github.com/Mashape/kong/pull/2747)\n\n##### Configuration\n\n- Octothorpes (`#`) can now be escaped (`\\#`) and included in the Kong\n configuration values such as your datastore passwords or usernames.\n [#2411](https://github.com/Mashape/kong/pull/2411)\n\n##### Admin API\n\n- The `data` response field of the `/upstreams/{upstream}/targets/active`\n Admin API endpoint now returns a list (`[]`) instead of an object (`{}`)\n when no active targets are present.\n [#2619](https://github.com/Mashape/kong/pull/2619)\n\n##### Plugins\n\n- datadog: Avoid a runtime error if the plugin is configured as a global plugin\n but the downstream request did not match any configured API.\n Thanks [@kjsteuer](https://github.com/kjsteuer) for the fix!\n [#2702](https://github.com/Mashape/kong/pull/2702)\n- ip-restriction: Fixed support for the `0.0.0.0/0` CIDR block. This block is\n now supported and won't trigger an error when used in this plugin's properties.\n [#2918](https://github.com/Mashape/kong/pull/2918)\n\n[Back to TOC](#table-of-contents)\n\n## [0.11.0] - 2017/08/16\n\nThe latest and greatest version of Kong features improvements all over the\nboard for a better and easier integration with your infrastructure!\n\nThe highlights of this release are:\n\n- Support for **regex URIs** in routing, one of the oldest requested\n features from the community.\n- Support for HTTP/2 traffic from your clients.\n- Kong does not depend on Serf anymore, which makes deployment and networking\n requirements **considerably simpler**.\n- A better integration with orchestration tools thanks to the support for **non\n FQDNs** in Kong's DNS resolver.\n\nAs per usual, our major releases include datastore migrations which are\nconsidered **breaking changes**. Additionally, this release contains numerous\nbreaking changes to the deployment process and proxying behavior that you\nshould be familiar with.\n\nWe strongly advise that you read this changeset thoroughly, as well as the\n[0.11 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-011x)\nif you are planning to upgrade a Kong cluster.\n\n### Breaking changes\n\n##### Configuration\n\n- :warning: Numerous updates were made to the Nginx configuration template.\n If you are using a custom template, you **must** apply those\n modifications. See the [0.11 Upgrade\n Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-011x)\n for a complete list of changes to apply.\n\n##### Migrations & Deployment\n\n- :warning: Migrations are **not** executed automatically by `kong start`\n anymore. Migrations are now a **manual** process, which must be executed via\n the `kong migrations` command. In practice, this means that you have to run\n `kong migrations up [-c kong.conf]` in one of your nodes **before** starting\n your Kong nodes. This command should be run from a **single** node/container\n to avoid several nodes running migrations concurrently and potentially\n corrupting your database. Once the migrations are up-to-date, it is\n considered safe to start multiple Kong nodes concurrently.\n [#2421](https://github.com/Kong/kong/pull/2421)\n- :warning: :fireworks: Serf is **not** a dependency anymore. Kong nodes now\n handle cache invalidation events via a built-in database polling mechanism.\n See the new \"Datastore Cache\" section of the configuration file which\n contains 3 new documented properties: `db_update_frequency`,\n `db_update_propagation`, and `db_cache_ttl`. If you are using Cassandra, you\n **should** pay a particular attention to the `db_update_propagation` setting,\n as you **should not** use the default value of `0`.\n [#2561](https://github.com/Kong/kong/pull/2561)\n\n##### Core\n\n- :warning: Kong now requires OpenResty `1.11.2.4`. OpenResty's LuaJIT can\n now be built with Lua 5.2 compatibility.\n [#2489](https://github.com/Kong/kong/pull/2489)\n [#2790](https://github.com/Kong/kong/pull/2790)\n- :warning: Previously, the `X-Forwarded-*` and `X-Real-IP` headers were\n trusted from any client by default, and forwarded upstream. With the\n introduction of the new `trusted_ips` property (see the below \"Added\"\n section) and to enforce best security practices, Kong *does not* trust\n any client IP address by default anymore. This will make Kong *not*\n forward incoming `X-Forwarded-*` headers if not coming from configured,\n trusted IP addresses blocks. This setting also affects the API\n `check_https` field, which itself relies on *trusted* `X-Forwarded-Proto`\n headers **only**.\n [#2236](https://github.com/Kong/kong/pull/2236)\n- :warning: The API Object property `http_if_terminated` is now set to `false`\n by default. For Kong to evaluate the client `X-Forwarded-Proto` header, you\n must now configure Kong to trust the client IP (see above change), **and**\n you must explicitly set this value to `true`. This affects you if you are\n doing SSL termination somewhere before your requests hit Kong, and if you\n have configured `https_only` on the API, or if you use a plugin that requires\n HTTPS traffic (e.g. OAuth2).\n [#2588](https://github.com/Kong/kong/pull/2588)\n- :warning: The internal DNS resolver now honours the `search` and `ndots`\n configuration options of your `resolv.conf` file. Make sure that DNS\n resolution is still consistent in your environment, and consider\n eventually not using FQDNs anymore.\n [#2425](https://github.com/Kong/kong/pull/2425)\n\n##### Admin API\n\n- :warning: As a result of the Serf removal, Kong is now entirely stateless,\n and as such, the `/cluster` endpoint has disappeared.\n [#2561](https://github.com/Kong/kong/pull/2561)\n- :warning: The Admin API `/status` endpoint does not return a count of the\n database entities anymore. Instead, it now returns a `database.reachable`\n boolean value, which reflects the state of the connection between Kong\n and the underlying database. Please note that this flag **does not**\n reflect the health of the database itself.\n [#2567](https://github.com/Kong/kong/pull/2567)\n\n##### Plugin development\n\n- :warning: The upstream URI is now determined via the Nginx\n `$upstream_uri` variable. Custom plugins using the `ngx.req.set_uri()`\n API will not be taken into consideration anymore. One must now set the\n `ngx.var.upstream_uri` variable from the Lua land.\n [#2519](https://github.com/Kong/kong/pull/2519)\n- :warning: The `hooks.lua` module for custom plugins is dropped, along\n with the `database_cache.lua` module. Database entities caching and\n eviction has been greatly improved to simplify and automate most caching\n use-cases. See the [Plugins Development\n Guide](https://getkong.org/docs/0.11.x/plugin-development/entities-cache/)\n and the [0.11 Upgrade\n Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-011x)\n for more details.\n [#2561](https://github.com/Kong/kong/pull/2561)\n- :warning: To ensure that the order of execution of plugins is still the same\n for vanilla Kong installations, we had to update the `PRIORITY` field of some\n of our bundled plugins. If your custom plugin must run after or before a\n specific bundled plugin, you might have to update your plugin's `PRIORITY`\n field as well. The complete list of plugins and their priorities is available\n on the [Plugins Development\n Guide](https://getkong.org/docs/0.11.x/plugin-development/custom-logic/).\n [#2489](https://github.com/Kong/kong/pull/2489)\n [#2813](https://github.com/Kong/kong/pull/2813)\n\n### Deprecated\n\n##### CLI\n\n- The `kong compile` command has been deprecated. Instead, prefer using\n the new `kong prepare` command.\n [#2706](https://github.com/Kong/kong/pull/2706)\n\n### Changed\n\n##### Core\n\n- Performance around DNS resolution has been greatly improved in some\n cases.\n [#2625](https://github.com/Kong/kong/pull/2425)\n- Secret values are now generated with a kernel-level, Cryptographically\n Secure PRNG.\n [#2536](https://github.com/Kong/kong/pull/2536)\n- The `.kong_env` file created by Kong in its running prefix is now written\n without world-read permissions.\n [#2611](https://github.com/Kong/kong/pull/2611)\n\n##### Plugin development\n\n- The `marshall_event` function on schemas is now ignored by Kong, and can be\n safely removed as the new cache invalidation mechanism natively handles\n safer events broadcasting.\n [#2561](https://github.com/Kong/kong/pull/2561)\n\n### Added\n\n##### Core\n\n- :fireworks: Support for regex URIs! You can now define regexes in your\n APIs `uris` property. Those regexes can have capturing groups which can\n be extracted by Kong during a request, and accessed later in the plugins\n (useful for URI rewriting). See the [Proxy\n Guide](https://getkong.org/docs/0.11.x/proxy/#using-regexes-in-uris) for\n documentation on how to use regex URIs.\n [#2681](https://github.com/Kong/kong/pull/2681)\n- :fireworks: Support for HTTP/2. A new `http2` directive now enables\n HTTP/2 traffic on the `proxy_listen_ssl` address.\n [#2541](https://github.com/Kong/kong/pull/2541)\n- :fireworks: Support for the `search` and `ndots` configuration options of\n your `resolv.conf` file.\n [#2425](https://github.com/Kong/kong/pull/2425)\n- Kong now forwards new headers to your upstream services:\n `X-Forwarded-Host`, `X-Forwarded-Port`, and `X-Forwarded-Proto`.\n [#2236](https://github.com/Kong/kong/pull/2236)\n- Support for the PROXY protocol. If the new `real_ip_header` configuration\n property is set to `real_ip_header = proxy_protocol`, then Kong will\n append the `proxy_protocol` parameter to the Nginx `listen` directive of\n the Kong proxy port.\n [#2236](https://github.com/Kong/kong/pull/2236)\n- Support for BDR compatibility in the PostgreSQL migrations.\n Thanks [@AlexBloor](https://github.com/AlexBloor) for the patch!\n [#2672](https://github.com/Kong/kong/pull/2672)\n\n##### Configuration\n\n- Support for DNS nameservers specified in IPv6 format.\n [#2634](https://github.com/Kong/kong/pull/2634)\n- A few new DNS configuration properties allow you to tweak the Kong DNS\n resolver, and in particular, how it handles the resolution of different\n record types or the eviction of stale records.\n [#2625](https://github.com/Kong/kong/pull/2625)\n- A new `trusted_ips` configuration property allows you to define a list of\n trusted IP address blocks that are known to send trusted `X-Forwarded-*`\n headers. Requests from trusted IPs will make Kong forward those headers\n upstream. Requests from non-trusted IP addresses will make Kong override\n the `X-Forwarded-*` headers with its own values. In addition, this\n property also sets the ngx_http_realip_module `set_real_ip_from`\n directive(s), which makes Kong trust the incoming `X-Real-IP` header as\n well, which is used for operations such as rate-limiting by IP address,\n and that Kong forwards upstream as well.\n [#2236](https://github.com/Kong/kong/pull/2236)\n- You can now configure the ngx_http_realip_module from the Kong\n configuration. In addition to `trusted_ips` which sets the\n `set_real_ip_from` directives(s), two new properties, `real_ip_header`\n and `real_ip_recursive` allow you to configure the ngx_http_realip_module\n directives bearing the same name.\n [#2236](https://github.com/Kong/kong/pull/2236)\n- Ability to hide Kong-specific response headers. Two new configuration\n fields: `server_tokens` and `latency_tokens` will respectively toggle\n whether the `Server` and `X-Kong-*-Latency` headers should be sent to\n downstream clients.\n [#2259](https://github.com/Kong/kong/pull/2259)\n- New configuration property to tune handling request body data via the\n `client_max_body_size` and `client_body_buffer_size` directives\n (mirroring their Nginx counterparts). Note these settings are only\n defined for proxy requests; request body handling in the Admin API\n remains unchanged.\n [#2602](https://github.com/Kong/kong/pull/2602)\n- New `error_default_type` configuration property. This setting is to\n specify a MIME type that will be used as the error response body format\n when Nginx encounters an error, but no `Accept` header was present in the\n request. The default value is `text/plain` for backwards compatibility.\n Thanks [@therealgambo](https://github.com/therealgambo) for the\n contribution!\n [#2500](https://github.com/Kong/kong/pull/2500)\n- New `nginx_user` configuration property, which interfaces with the Nginx\n `user` directive.\n Thanks [@depay](https://github.com/depay) for the contribution!\n [#2180](https://github.com/Kong/kong/pull/2180)\n\n##### CLI\n\n- New `kong prepare` command to prepare the Kong running prefix (creating\n log files, SSL certificates, etc...) and allow for Kong to be started via\n the `nginx` binary. This is useful for environments like containers,\n where the foreground process should be the Nginx master process. The\n `kong compile` command has been deprecated as a result of this addition.\n [#2706](https://github.com/Kong/kong/pull/2706)\n\n##### Admin API\n\n- Ability to retrieve plugins added to a Consumer via two new endpoints:\n `/consumers/:username_or_id/plugins/` and\n `/consumers/:username_or_id/plugins/:plugin_id`.\n [#2714](https://github.com/Kong/kong/pull/2714)\n- Support for JSON `null` in `PATCH` requests to unset a value on any\n entity.\n [#2700](https://github.com/Kong/kong/pull/2700)\n\n##### Plugins\n\n- jwt: Support for RS512 signed tokens.\n Thanks [@sarraz1](https://github.com/sarraz1) for the patch!\n [#2666](https://github.com/Kong/kong/pull/2666)\n- rate-limiting/response-ratelimiting: Optionally hide informative response\n headers.\n [#2087](https://github.com/Kong/kong/pull/2087)\n- aws-lambda: Define a custom response status when the upstream\n `X-Amz-Function-Error` header is \"Unhandled\".\n Thanks [@erran](https://github.com/erran) for the contribution!\n [#2587](https://github.com/Kong/kong/pull/2587)\n- aws-lambda: Add new AWS regions that were previously unsupported.\n [#2769](https://github.com/Kong/kong/pull/2769)\n- hmac: New option to validate the client-provided SHA-256 of the request\n body.\n Thanks [@vaibhavatul47](https://github.com/vaibhavatul47) for the\n contribution!\n [#2419](https://github.com/Kong/kong/pull/2419)\n- hmac: Added support for `enforce_headers` option and added HMAC-SHA256,\n HMAC-SHA384, and HMAC-SHA512 support.\n [#2644](https://github.com/Kong/kong/pull/2644)\n- statsd: New metrics and more flexible configuration. Support for\n prefixes, configurable stat type, and added metrics.\n [#2400](https://github.com/Kong/kong/pull/2400)\n- datadog: New metrics and more flexible configuration. Support for\n prefixes, configurable stat type, and added metrics.\n [#2394](https://github.com/Kong/kong/pull/2394)\n\n### Fixed\n\n##### Core\n\n- Kong now ensures that your clients URIs are transparently proxied\n upstream. No percent-encoding/decoding or querystring stripping will\n occur anymore.\n [#2519](https://github.com/Kong/kong/pull/2519)\n- Fix an issue where Kong would match an API with a shorter URI (from its\n `uris` value) as a prefix instead of a longer, matching prefix from\n another API.\n [#2662](https://github.com/Kong/kong/issues/2662)\n- Fix an edge-case where an API with multiple `uris` and `strip_uri = true`\n would not always strip the client URI.\n [#2562](https://github.com/Kong/kong/issues/2562)\n- HTTP `400` errors thrown by Nginx are now correctly caught by Kong and return\n a native, Kong-friendly response.\n [#2476](https://github.com/Kong/kong/pull/2476)\n\n##### Configuration\n\n- Octothorpes (`#`) can now be escaped (`\\#`) and included in the Kong\n configuration values such as your datastore passwords or usernames.\n [#2411](https://github.com/Kong/kong/pull/2411)\n\n##### Admin API\n\n- The `data` response field of the `/upstreams/{upstream}/targets/active`\n Admin API endpoint now returns a list (`[]`) instead of an object (`{}`)\n when no active targets are present.\n [#2619](https://github.com/Kong/kong/pull/2619)\n\n##### Plugins\n\n- The `unique` constraint on OAuth2 `client_secrets` has been removed.\n [#2447](https://github.com/Kong/kong/pull/2447)\n- The `unique` constraint on JWT Credentials `secrets` has been removed.\n [#2548](https://github.com/Kong/kong/pull/2548)\n- oauth2: When requesting a token from `/oauth2/token`, one can now pass the\n `client_id` as a request body parameter, while `client_id:client_secret` is\n passed via the Authorization header. This allows for better integration\n with some OAuth2 flows proposed out there, such as from Cloudflare Apps.\n Thanks [@cedum](https://github.com/cedum) for the patch!\n [#2577](https://github.com/Kong/kong/pull/2577)\n- datadog: Avoid a runtime error if the plugin is configured as a global plugin\n but the downstream request did not match any configured API.\n Thanks [@kjsteuer](https://github.com/kjsteuer) for the fix!\n [#2702](https://github.com/Kong/kong/pull/2702)\n- Logging plugins: the produced logs `latencies.kong` field used to omit the\n time Kong spent in its Load Balancing logic, which includes DNS resolution\n time. This latency is now included in `latencies.kong`.\n [#2494](https://github.com/Kong/kong/pull/2494)\n\n[Back to TOC](#table-of-contents)\n\n## [0.10.3] - 2017/05/24\n\n### Changed\n\n- We noticed that some distribution packages were not\n building OpenResty against a JITable PCRE library. This\n happened on Ubuntu and RHEL environments where OpenResty was\n built against the system's PCRE installation.\n We now compile OpenResty against a JITable PCRE source for\n those platforms, which should result in significant performance\n improvements in regex matching.\n [Mashape/kong-distributions #9](https://github.com/Kong/kong-distributions/pull/9)\n- TLS connections are now handled with a modern list of\n accepted ciphers, as per the Mozilla recommended TLS\n ciphers list.\n See https://wiki.mozilla.org/Security/Server_Side_TLS.\n This behavior is configurable via the newly\n introduced configuration properties described in the\n below \"Added\" section.\n- Plugins:\n - rate-limiting: Performance improvements when using the\n `cluster` policy. The number of round trips to the\n database has been limited to the number of configured\n limits.\n [#2488](https://github.com/Kong/kong/pull/2488)\n\n### Added\n\n- New `ssl_cipher_suite` and `ssl_ciphers` configuration\n properties to configure the desired set of accepted ciphers,\n based on the Mozilla recommended TLS ciphers list.\n [#2555](https://github.com/Kong/kong/pull/2555)\n- New `proxy_ssl_certificate` and `proxy_ssl_certificate_key`\n configuration properties. These properties configure the\n Nginx directives bearing the same name, to set client\n certificates to Kong when connecting to your upstream services.\n [#2556](https://github.com/Kong/kong/pull/2556)\n- Proxy and Admin API access and error log paths are now\n configurable. Access logs can be entirely disabled if\n desired.\n [#2552](https://github.com/Kong/kong/pull/2552)\n- Plugins:\n - Logging plugins: The produced logs include a new `tries`\n field which contains, which includes the upstream\n connection successes and failures of the load-balancer.\n [#2429](https://github.com/Kong/kong/pull/2429)\n - key-auth: Credentials can now be sent in the request body.\n [#2493](https://github.com/Kong/kong/pull/2493)\n - cors: Origins can now be defined as regular expressions.\n [#2482](https://github.com/Kong/kong/pull/2482)\n\n### Fixed\n\n- APIs matching: prioritize APIs with longer `uris` when said\n APIs also define `hosts` and/or `methods` as well. Thanks\n [@leonzz](https://github.com/leonzz) for the patch.\n [#2523](https://github.com/Kong/kong/pull/2523)\n- SSL connections to Cassandra can now properly verify the\n certificate in use (when `cassandra_ssl_verify` is enabled).\n [#2531](https://github.com/Kong/kong/pull/2531)\n- The DNS resolver no longer sends a A or AAAA DNS queries for SRV\n records. This should improve performance by avoiding unnecessary\n lookups.\n [#2563](https://github.com/Kong/kong/pull/2563) &\n [Mashape/lua-resty-dns-client #12](https://github.com/Kong/lua-resty-dns-client/pull/12)\n- Plugins\n - All authentication plugins don't throw an error anymore when\n invalid credentials are given and the `anonymous` user isn't\n configured.\n [#2508](https://github.com/Kong/kong/pull/2508)\n - rate-limiting: Effectively use the desired Redis database when\n the `redis` policy is in use and the `config.redis_database`\n property is set.\n [#2481](https://github.com/Kong/kong/pull/2481)\n - cors: The regression introduced in 0.10.1 regarding not\n sending the `*` wildcard when `conf.origin` was not specified\n has been fixed.\n [#2518](https://github.com/Kong/kong/pull/2518)\n - oauth2: properly check the client application ownership of a\n token before refreshing it.\n [#2461](https://github.com/Kong/kong/pull/2461)\n\n[Back to TOC](#table-of-contents)\n\n## [0.10.2] - 2017/05/01\n\n### Changed\n\n- The Kong DNS resolver now honors the `MAXNS` setting (3) when parsing the\n nameservers specified in `resolv.conf`.\n [#2290](https://github.com/Kong/kong/issues/2290)\n- Kong now matches incoming requests via the `$request_uri` property, instead\n of `$uri`, in order to better handle percent-encoded URIS. A more detailed\n explanation will be included in the below \"Fixed\" section.\n [#2377](https://github.com/Kong/kong/pull/2377)\n- Upstream calls do not unconditionally include a trailing `/` anymore. See the\n below \"Added\" section for more details.\n [#2315](https://github.com/Kong/kong/pull/2315)\n- Admin API:\n - The \"active targets\" endpoint now only return the most recent nonzero\n weight Targets, instead of all nonzero weight targets. This is to provide\n a better picture of the Targets currently in use by the Kong load balancer.\n [#2310](https://github.com/Kong/kong/pull/2310)\n\n### Added\n\n- :fireworks: Plugins can implement a new `rewrite` handler to execute code in\n the Nginx rewrite phase. This phase is executed prior to matching a\n registered Kong API, and prior to any authentication plugin. As such, only\n global plugins (neither tied to an API or Consumer) will execute this phase.\n [#2354](https://github.com/Kong/kong/pull/2354)\n- Ability for the client to chose whether the upstream request (Kong <->\n upstream) should contain a trailing slash in its URI. Prior to this change,\n Kong 0.10 would unconditionally append a trailing slash to all upstream\n requests. The added functionality is described in\n [#2211](https://github.com/Kong/kong/issues/2211), and was implemented in\n [#2315](https://github.com/Kong/kong/pull/2315).\n- Ability to hide Kong-specific response headers. Two new configuration fields:\n `server_tokens` and `latency_tokens` will respectively toggle whether the\n `Server` and `X-Kong-*-Latency` headers should be sent to downstream clients.\n [#2259](https://github.com/Kong/kong/pull/2259)\n- New `cassandra_schema_consensus_timeout` configuration property, to allow for\n Kong to wait for the schema consensus of your Cassandra cluster during\n migrations.\n [#2326](https://github.com/Kong/kong/pull/2326)\n- Serf commands executed by a running Kong node are now logged in the Nginx\n error logs with a `DEBUG` level.\n [#2410](https://github.com/Kong/kong/pull/2410)\n- Ensure the required shared dictionaries are defined in the Nginx\n configuration. This will prevent custom Nginx templates from potentially\n resulting in a breaking upgrade for users.\n [#2466](https://github.com/Kong/kong/pull/2466)\n- Admin API:\n - Target Objects can now be deleted with their ID as well as their name. The\n endpoint becomes: `/upstreams/:name_or_id/targets/:target_or_id`.\n [#2304](https://github.com/Kong/kong/pull/2304)\n- Plugins:\n - :fireworks: **New Request termination plugin**. This plugin allows to\n temporarily disable an API and return a pre-configured response status and\n body to your client. Useful for use-cases such as maintenance mode for your\n upstream services. Thanks to [@pauldaustin](https://github.com/pauldaustin)\n for the contribution.\n [#2051](https://github.com/Kong/kong/pull/2051)\n - Logging plugins: The produced logs include two new fields: a `consumer`\n field, which contains the properties of the authenticated Consumer\n (`id`, `custom_id`, and `username`), if any, and a `tries` field, which\n includes the upstream connection successes and failures of the load-\n balancer.\n [#2367](https://github.com/Kong/kong/pull/2367)\n [#2429](https://github.com/Kong/kong/pull/2429)\n - http-log: Now set an upstream HTTP basic access authentication header if\n the configured `conf.http_endpoint` parameter includes an authentication\n section. Thanks [@amir](https://github.com/amir) for the contribution.\n [#2432](https://github.com/Kong/kong/pull/2432)\n - file-log: New `config.reopen` property to close and reopen the log file on\n every request, in order to effectively rotate the logs.\n [#2348](https://github.com/Kong/kong/pull/2348)\n - jwt: Returns `401 Unauthorized` on invalid claims instead of the previous\n `403 Forbidden` status.\n [#2433](https://github.com/Kong/kong/pull/2433)\n - key-auth: Allow setting API key header names with an underscore.\n [#2370](https://github.com/Kong/kong/pull/2370)\n - cors: When `config.credentials = true`, we do not send an ACAO header with\n value `*`. The ACAO header value will be that of the request's `Origin: `\n header.\n [#2451](https://github.com/Kong/kong/pull/2451)\n\n### Fixed\n\n- Upstream connections over TLS now set their Client Hello SNI field. The SNI\n value is taken from the upstream `Host` header value, and thus also depends\n on the `preserve_host` setting of your API. Thanks\n [@konrade](https://github.com/konrade) for the original patch.\n [#2225](https://github.com/Kong/kong/pull/2225)\n- Correctly match APIs with percent-encoded URIs in their `uris` property.\n Generally, this change also avoids normalizing (and thus, potentially\n altering) the request URI when trying to match an API's `uris` value. Instead\n of relying on the Nginx `$uri` variable, we now use `$request_uri`.\n [#2377](https://github.com/Kong/kong/pull/2377)\n- Handle a routing edge-case under some conditions with the `uris` matching\n rule of APIs that would falsely lead Kong into believing no API was matched\n for what would actually be a valid request.\n [#2343](https://github.com/Kong/kong/pull/2343)\n- If no API was configured with a `hosts` matching rule, then the\n `preserve_host` flag would never be honored.\n [#2344](https://github.com/Kong/kong/pull/2344)\n- The `X-Forwarded-For` header sent to your upstream services by Kong is not\n set from the Nginx `$proxy_add_x_forwarded_for` variable anymore. Instead,\n Kong uses the `$realip_remote_addr` variable to append the real IP address\n of a client, instead of `$remote_addr`, which can come from a previous proxy\n hop.\n [#2236](https://github.com/Kong/kong/pull/2236)\n- CNAME records are now properly being cached by the DNS resolver. This results\n in a performance improvement over previous 0.10 versions.\n [#2303](https://github.com/Kong/kong/pull/2303)\n- When using Cassandra, some migrations would not be performed on the same\n coordinator as the one originally chosen. The same migrations would also\n require a response from other replicas in a cluster, but were not waiting\n  for a schema consensus beforehand, causing indeterministic failures in the\n migrations, especially if the cluster's inter-nodes communication is slow.\n [#2326](https://github.com/Kong/kong/pull/2326)\n- The `cassandra_timeout` configuration property is now correctly taken into\n consideration by Kong.\n [#2326](https://github.com/Kong/kong/pull/2326)\n- Correctly trigger plugins configured on the anonymous Consumer for anonymous\n requests (from auth plugins with the new `config.anonymous` parameter).\n [#2424](https://github.com/Kong/kong/pull/2424)\n- When multiple auth plugins were configured with the recent `config.anonymous`\n parameter for \"OR\" authentication, such plugins would override each other's\n results and response headers, causing false negatives.\n [#2222](https://github.com/Kong/kong/pull/2222)\n- Ensure the `cassandra_contact_points` property does not contain any port\n information. Those should be specified in `cassandra_port`. Thanks\n [@Vermeille](https://github.com/Vermeille) for the contribution.\n [#2263](https://github.com/Kong/kong/pull/2263)\n- Prevent an upstream or legitimate internal error in the load balancing code\n from throwing a Lua-land error as well.\n [#2327](https://github.com/Kong/kong/pull/2327)\n- Allow backwards compatibility with custom Nginx configurations that still\n define the `resolver ${{DNS_RESOLVER}}` directive. Vales from the Kong\n `dns_resolver` property will be flattened to a string and appended to the\n directive.\n [#2386](https://github.com/Kong/kong/pull/2386)\n- Plugins:\n - hmac: Better handling of invalid base64-encoded signatures. Previously Kong\n would return an HTTP 500 error. We now properly return HTTP 403 Forbidden.\n [#2283](https://github.com/Kong/kong/pull/2283)\n- Admin API:\n - Detect conflicts between SNI Objects in the `/snis` and `/certificates`\n endpoint.\n [#2285](https://github.com/Kong/kong/pull/2285)\n - The `/certificates` route used to not return the `total` and `data` JSON\n fields. We now send those fields back instead of a root list of certificate\n objects.\n [#2463](https://github.com/Kong/kong/pull/2463)\n - Endpoints with path parameters like `/xxx_or_id` will now also yield the\n proper result if the `xxx` field is formatted as a UUID. Most notably, this\n fixes a problem for Consumers whose `username` is a UUID, that could not be\n found when requesting `/consumers/{username_as_uuid}`.\n [#2420](https://github.com/Kong/kong/pull/2420)\n - The \"active targets\" endpoint does not require a trailing slash anymore.\n [#2307](https://github.com/Kong/kong/pull/2307)\n - Upstream Objects can now be deleted properly when using Cassandra.\n [#2404](https://github.com/Kong/kong/pull/2404)\n\n[Back to TOC](#table-of-contents)\n\n## [0.10.1] - 2017/03/27\n\n### Changed\n\n- :warning: Serf has been downgraded to version 0.7 in our distributions,\n although versions up to 0.8.1 are still supported. This fixes a problem when\n automatically detecting the first non-loopback private IP address, which was\n defaulted to `127.0.0.1` in Kong 0.10.0. Greater versions of Serf can still\n be used, but the IP address needs to be manually specified in the\n `cluster_advertise` configuration property.\n- :warning: The [CORS Plugin](https://getkong.org/plugins/cors/) parameter\n `config.origin` is now `config.origins`.\n [#2203](https://github.com/Kong/kong/pull/2203)\n\n :red_circle: **Post-release note (as of 2017/05/12)**: A faulty behavior\n has been observed with this change. Previously, the plugin would send the\n `*` wildcard when `config.origin` was not specified. With this change, the\n plugin **does not** send the `*` wildcard by default anymore. You will need\n to specify it manually when configuring the plugin, with `config.origins=*`.\n This behavior is to be fixed in a future release.\n\n :white_check_mark: **Update (2017/05/24)**: A fix to this regression has been\n released as part of 0.10.3. See the section of the Changelog related to this\n release for more details.\n- Admin API:\n - Disable support for TLS/1.0.\n [#2212](https://github.com/Kong/kong/pull/2212)\n\n### Added\n\n- Admin API:\n - Active targets can be pulled with `GET /upstreams/{name}/targets/active`.\n [#2230](https://github.com/Kong/kong/pull/2230)\n - Provide a convenience endpoint to disable targets at:\n `DELETE /upstreams/{name}/targets/{target}`.\n Under the hood, this creates a new target with `weight = 0` (the\n correct way of disabling targets, which used to cause confusion).\n [#2256](https://github.com/Kong/kong/pull/2256)\n- Plugins:\n - cors: Support for configuring multiple Origin domains.\n [#2203](https://github.com/Kong/kong/pull/2203)\n\n### Fixed\n\n- Use an LRU cache for Lua-land entities caching to avoid exhausting the Lua\n VM memory in long-running instances.\n [#2246](https://github.com/Kong/kong/pull/2246)\n- Avoid potential deadlocks upon callback errors in the caching module for\n database entities.\n [#2197](https://github.com/Kong/kong/pull/2197)\n- Relax multipart MIME type parsing. A space is allowed in between values\n of the Content-Type header.\n [#2215](https://github.com/Kong/kong/pull/2215)\n- Admin API:\n - Better handling of non-supported HTTP methods on endpoints of the Admin\n API. In some cases this used to throw an internal error. Calling any\n endpoint with a non-supported HTTP method now always returns `405 Method\n Not Allowed` as expected.\n [#2213](https://github.com/Kong/kong/pull/2213)\n- CLI:\n - Better error handling when missing Serf executable.\n [#2218](https://github.com/Kong/kong/pull/2218)\n - Fix a bug in the `kong migrations` command that would prevent it to run\n correctly.\n [#2238](https://github.com/Kong/kong/pull/2238)\n - Trim list values specified in the configuration file.\n [#2206](https://github.com/Kong/kong/pull/2206)\n - Align the default configuration file's values to the actual, hard-coded\n default values to avoid confusion.\n [#2254](https://github.com/Kong/kong/issues/2254)\n- Plugins:\n - hmac: Generate an HMAC secret value if none is provided.\n [#2158](https://github.com/Kong/kong/pull/2158)\n - oauth2: Don't try to remove credential values from request bodies if the\n MIME type is multipart, since such attempts would result in an error.\n [#2176](https://github.com/Kong/kong/pull/2176)\n - ldap: This plugin should not be applied to a single Consumer, however, this\n was not properly enforced. It is now impossible to apply this plugin to a\n single Consumer (as per all authentication plugin).\n [#2237](https://github.com/Kong/kong/pull/2237)\n - aws-lambda: Support for `us-west-2` region in schema.\n [#2257](https://github.com/Kong/kong/pull/2257)\n\n[Back to TOC](#table-of-contents)\n\n## [0.10.0] - 2017/03/07\n\nKong 0.10 is one of most significant releases to this day. It ships with\nexciting new features that have been heavily requested for the last few months,\nsuch as load balancing, Cassandra 3.0 compatibility, Websockets support,\ninternal DNS resolution (A and SRV records without Dnsmasq), and more flexible\nmatching capabilities for APIs routing.\n\nOn top of those new features, this release received a particular attention to\nperformance, and brings many improvements and refactors that should make it\nperform significantly better than any previous version.\n\n### Changed\n\n- :warning: API Objects (as configured via the Admin API) do **not** support\n the `request_host` and `request_uri` fields anymore. The 0.10 migrations\n should upgrade your current API Objects, but make sure to read the new [0.10\n Proxy Guide](https://getkong.org/docs/0.10.x/proxy) to learn the new routing\n capabilities of Kong. On the good side, this means that Kong can now route\n incoming requests according to a combination of Host headers, URIs, and HTTP\n methods.\n- :warning: Final slashes in `upstream_url` are no longer allowed.\n [#2115](https://github.com/Kong/kong/pull/2115)\n- :warning: The SSL plugin has been removed and dynamic SSL capabilities have\n been added to Kong core, and are configurable via new properties on the API\n entity. See the related PR for a detailed explanation of this change.\n [#1970](https://github.com/Kong/kong/pull/1970)\n- :warning: Drop the Dnsmasq dependency. We now internally resolve both A and\n SRV DNS records.\n [#1587](https://github.com/Kong/kong/pull/1587)\n- :warning: Dropping support for insecure `TLS/1.0` and defaulting `Upgrade`\n responses to `TLS/1.2`.\n [#2119](https://github.com/Kong/kong/pull/2119)\n- Bump the compatible OpenResty version to `1.11.2.1` and `1.11.2.2`. Support\n for OpenResty `1.11.2.2` requires the `--without-luajit-lua52` compilation\n flag.\n- Separate Admin API and Proxy error logs. Admin API logs are now written to\n `logs/admin_access.log`.\n [#1782](https://github.com/Kong/kong/pull/1782)\n- Auto-generates stronger SHA-256 with RSA encryption SSL certificates.\n [#2117](https://github.com/Kong/kong/pull/2117)\n\n### Added\n\n- :fireworks: Support for Cassandra 3.x.\n [#1709](https://github.com/Kong/kong/pull/1709)\n- :fireworks: SRV records resolution.\n [#1587](https://github.com/Kong/kong/pull/1587)\n- :fireworks: Load balancing. When an A or SRV record resolves to multiple\n entries, Kong now rotates those upstream targets with a Round-Robin\n algorithm. This is a first step towards implementing more load balancing\n algorithms.\n Another way to specify multiple upstream targets is to use the newly\n introduced `/upstreams` and `/targets` entities of the Admin API.\n [#1587](https://github.com/Kong/kong/pull/1587)\n [#1735](https://github.com/Kong/kong/pull/1735)\n- :fireworks: Multiple hosts and paths per API. Kong can now route incoming\n requests to your services based on a combination of Host headers, URIs and\n HTTP methods. See the related PR for a detailed explanation of the new\n properties and capabilities of the new router.\n [#1970](https://github.com/Kong/kong/pull/1970)\n- :fireworks: Maintain upstream connection pools which should greatly improve\n performance, especially for HTTPS upstream connections. We now use HTTP/1.1\n for upstream connections as well as an nginx `upstream` block with a\n configurable`keepalive` directive, thanks to the new `nginx_keepalive`\n configuration property.\n [#1587](https://github.com/Kong/kong/pull/1587)\n [#1827](https://github.com/Kong/kong/pull/1827)\n- :fireworks: Websockets support. Kong can now upgrade client connections to\n use the `ws` protocol when `Upgrade: websocket` is present.\n [#1827](https://github.com/Kong/kong/pull/1827)\n- Use an in-memory caching strategy for database entities in order to reduce\n CPU load during requests proxying.\n [#1688](https://github.com/Kong/kong/pull/1688)\n- Provide negative-caching for missed database entities. This should improve\n performance in some cases.\n [#1914](https://github.com/Kong/kong/pull/1914)\n- Support for serving the Admin API over SSL. This introduces new properties in\n the configuration file: `admin_listen_ssl`, `admin_ssl`, `admin_ssl_cert` and\n `admin_ssl_cert_key`.\n [#1706](https://github.com/Kong/kong/pull/1706)\n- Support for upstream connection timeouts. APIs now have 3 new fields:\n `upstream_connect_timeout`, `upstream_send_timeout`, `upstream_read_timeout`\n to specify, in milliseconds, a timeout value for requests between Kong and\n your APIs.\n [#2036](https://github.com/Kong/kong/pull/2036)\n- Support for clustering key rotation in the underlying Serf process:\n - new `cluster_keyring_file` property in the configuration file.\n - new `kong cluster keys ..` CLI commands that expose the underlying\n `serf keys ..` commands.\n [#2069](https://github.com/Kong/kong/pull/2069)\n- Support for `lua_socket_pool_size` property in configuration file.\n [#2109](https://github.com/Kong/kong/pull/2109)\n- Plugins:\n - :fireworks: **New AWS Lambda plugin**. Thanks Tim Erickson for his\n collaboration on this new addition.\n [#1777](https://github.com/Kong/kong/pull/1777)\n [#1190](https://github.com/Kong/kong/pull/1190)\n - Anonymous authentication for auth plugins. When such plugins receive the\n `config.anonymous=` property, even non-authenticated requests\n will be proxied by Kong, with the traditional Consumer headers set to the\n designated anonymous consumer, but also with a `X-Anonymous-Consumer`\n header. Multiple auth plugins will work in a logical `OR` fashion.\n [#1666](https://github.com/Kong/kong/pull/1666) and\n [#2035](https://github.com/Kong/kong/pull/2035)\n - request-transformer: Ability to change the HTTP method of the upstream\n request. [#1635](https://github.com/Kong/kong/pull/1635)\n - jwt: Support for ES256 signatures.\n [#1920](https://github.com/Kong/kong/pull/1920)\n - rate-limiting: Ability to select the Redis database to use via the new\n `config.redis_database` plugin property.\n [#1941](https://github.com/Kong/kong/pull/1941)\n\n### Fixed\n\n- Looking for Serf in known installation paths.\n [#1997](https://github.com/Kong/kong/pull/1997)\n- Including port in upstream `Host` header.\n [#2045](https://github.com/Kong/kong/pull/2045)\n- Clarify the purpose of the `cluster_listen_rpc` property in\n the configuration file. Thanks Jeremy Monin for the patch.\n [#1860](https://github.com/Kong/kong/pull/1860)\n- Admin API:\n - Properly Return JSON responses (instead of HTML) on HTTP 409 Conflict\n when adding Plugins.\n [#2014](https://github.com/Kong/kong/issues/2014)\n- CLI:\n - Avoid double-prefixing migration error messages with the database name\n (PostgreSQL/Cassandra).\n- Plugins:\n - Fix fault tolerance logic and error reporting in rate-limiting plugins.\n - CORS: Properly return `Access-Control-Allow-Credentials: false` if\n `Access-Control-Allow-Origin: *`.\n [#2104](https://github.com/Kong/kong/pull/2104)\n - key-auth: enforce `key_names` to be proper header names according to Nginx.\n [#2142](https://github.com/Kong/kong/pull/2142)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.9] - 2017/02/02\n\n### Fixed\n\n- Correctly put Cassandra sockets into the Nginx connection pool for later\n reuse. This greatly improves the performance for rate-limiting and\n response-ratelimiting plugins.\n [f8f5306](https://github.com/Kong/kong/commit/f8f53061207de625a29bbe5d80f1807da468a1bc)\n- Correct length of a year in seconds for rate-limiting and\n response-ratelimiting plugins. A year was wrongly assumed to only be 360\n days long.\n [e4fdb2a](https://github.com/Kong/kong/commit/e4fdb2a3af4a5f2bf298c7b6488d88e67288c98b)\n- Prevent misinterpretation of the `%` character in proxied URLs encoding.\n Thanks Thomas Jouannic for the patch.\n [#1998](https://github.com/Kong/kong/pull/1998)\n [#2040](https://github.com/Kong/kong/pull/2040)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.8] - 2017/01/19\n\n### Fixed\n\n- Properly set the admin IP in the Serf script.\n\n### Changed\n\n- Provide negative-caching for missed database entities. This should improve\n performance in some cases.\n [#1914](https://github.com/Kong/kong/pull/1914)\n\n### Fixed\n\n- Plugins:\n - Fix fault tolerance logic and error reporting in rate-limiting plugins.\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.7] - 2016/12/21\n\n### Fixed\n\n- Fixed a performance issue in Cassandra by removing an old workaround that was\n forcing Cassandra to use LuaSocket instead of cosockets.\n [#1916](https://github.com/Kong/kong/pull/1916)\n- Fixed an issue that was causing a recursive attempt to stop Kong's services\n when an error was occurring.\n [#1877](https://github.com/Kong/kong/pull/1877)\n- Custom plugins are now properly loaded again.\n [#1910](https://github.com/Kong/kong/pull/1910)\n- Plugins:\n - Galileo: properly encode empty arrays.\n [#1909](https://github.com/Kong/kong/pull/1909)\n - OAuth 2: implements a missing Postgres migration for `redirect_uri` in\n every OAuth 2 credential. [#1911](https://github.com/Kong/kong/pull/1911)\n - OAuth 2: safely parse the request body even when no data has been sent.\n [#1915](https://github.com/Kong/kong/pull/1915)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.6] - 2016/11/29\n\n### Fixed\n\n- Resolve support for PostgreSQL SSL connections.\n [#1720](https://github.com/Kong/kong/issues/1720)\n- Ensure `kong start` honors the `--conf` flag is a config file already exists\n at one of the default locations (`/etc/kong.conf`, `/etc/kong/kong.conf`).\n [#1681](https://github.com/Kong/kong/pull/1681)\n- Obfuscate sensitive properties from the `/` Admin API route which returns\n the current node's configuration.\n [#1650](https://github.com/Kong/kong/pull/1650)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.5] - 2016/11/07\n\n### Changed\n\n- Dropping support for OpenResty 1.9.15.1 in favor of 1.11.2.1\n [#1797](https://github.com/Kong/kong/pull/1797)\n\n### Fixed\n\n- Fixed an error (introduced in 0.9.4) in the auto-clustering event\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.4] - 2016/11/02\n\n### Fixed\n\n- Fixed the random string generator that was causing some problems, especially\n in Serf for clustering. [#1754](https://github.com/Kong/kong/pull/1754)\n- Seed random number generator in CLI.\n [#1641](https://github.com/Kong/kong/pull/1641)\n- Reducing log noise in the Admin API.\n [#1781](https://github.com/Kong/kong/pull/1781)\n- Fixed the reports lock implementation that was generating a periodic error\n message. [#1783](https://github.com/Kong/kong/pull/1783)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.3] - 2016/10/07\n\n### Added\n\n- Added support for Serf 0.8. [#1693](https://github.com/Kong/kong/pull/1693)\n\n### Fixed\n\n- Properly invalidate global plugins.\n [#1723](https://github.com/Kong/kong/pull/1723)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.2] - 2016/09/20\n\n### Fixed\n\n- Correctly report migrations errors. This was caused by an error being thrown\n from the error handler, and superseding the actual error. [#1605]\n (https://github.com/Kong/kong/pull/1605)\n- Prevent Kong from silently failing to start. This would be caused by an\n erroneous error handler. [28f5d10]\n (https://github.com/Kong/kong/commit/28f5d10)\n- Only report a random number generator seeding error when it is not already\n seeded. [#1613](https://github.com/Kong/kong/pull/1613)\n- Reduce intra-cluster noise by not propagating keepalive requests events.\n [#1660](https://github.com/Kong/kong/pull/1660)\n- Admin API:\n - Obfuscates sensitive configuration settings from the `/` route.\n [#1650](https://github.com/Kong/kong/pull/1650)\n- CLI:\n - Prevent a failed `kong start` to stop an already running Kong node.\n [#1645](https://github.com/Kong/kong/pull/1645)\n - Remove unset configuration placeholders from the nginx configuration\n template. This would occur when no Internet connection would be\n available and would cause Kong to compile an erroneous nginx config.\n [#1606](https://github.com/Kong/kong/pull/1606)\n - Properly count the number of executed migrations.\n [#1649](https://github.com/Kong/kong/pull/1649)\n- Plugins:\n - OAuth2: remove the \"Kong\" mentions in missing `provision_key` error\n messages. [#1633](https://github.com/Kong/kong/pull/1633)\n - OAuth2: allow to correctly delete applications when using Cassandra.\n [#1659](https://github.com/Kong/kong/pull/1659)\n - galileo: provide a default `bodySize` value when `log_bodies=true` but the\n current request/response has no body.\n [#1657](https://github.com/Kong/kong/pull/1657)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.1] - 2016/09/02\n\n### Added\n\n- Plugins:\n - ACL: allow to retrieve/update/delete an ACL by group name.\n [#1544](https://github.com/Kong/kong/pull/1544)\n - Basic Authentication: allow to retrieve/update/delete a credential by `username`.\n [#1570](https://github.com/Kong/kong/pull/1570)\n - HMAC Authentication: allow to retrieve/update/delete a credential by `username`.\n [#1570](https://github.com/Kong/kong/pull/1570)\n - JWT Authentication: allow to retrieve/update/delete a credential by `key`.\n [#1570](https://github.com/Kong/kong/pull/1570)\n - Key Authentication: allow to retrieve/update/delete a credential by `key`.\n [#1570](https://github.com/Kong/kong/pull/1570)\n - OAuth2 Authentication: allow to retrieve/update/delete a credential by `client_id` and tokens by `access_token`.\n [#1570](https://github.com/Kong/kong/pull/1570)\n\n### Fixed\n\n- Correctly parse configuration file settings containing comments.\n [#1569](https://github.com/Kong/kong/pull/1569)\n- Prevent third-party Lua modules (and plugins) to override the seed for random\n number generation. This prevents the creation of conflicting UUIDs.\n [#1558](https://github.com/Kong/kong/pull/1558)\n- Use [pgmoon-mashape](https://github.com/Kong/pgmoon) `2.0.0` which\n properly namespaces our fork, avoiding conflicts with other versions of\n pgmoon, such as the one installed by Lapis.\n [#1582](https://github.com/Kong/kong/pull/1582)\n- Avoid exposing OpenResty's information on HTTP `4xx` errors.\n [#1567](https://github.com/Kong/kong/pull/1567)\n- ulimit with `unlimited` value is now properly handled.\n [#1545](https://github.com/Kong/kong/pull/1545)\n- CLI:\n - Stop third-party services (Dnsmasq/Serf) when Kong could not start.\n [#1588](https://github.com/Kong/kong/pull/1588)\n - Prefix database migration errors (such as Postgres' `connection refused`)\n with the database name (`postgres`/`cassandra`) to avoid confusions.\n [#1583](https://github.com/Kong/kong/pull/1583)\n- Plugins:\n - galileo: Use `Content-Length` header to get request/response body size when\n `log_bodies` is disabled.\n [#1584](https://github.com/Kong/kong/pull/1584)\n- Admin API:\n - Revert the `/plugins/enabled` endpoint's response to be a JSON array, and\n not an Object. [#1529](https://github.com/Kong/kong/pull/1529)\n\n[Back to TOC](#table-of-contents)\n\n## [0.9.0] - 2016/08/18\n\nThe main focus of this release is Kong's new CLI. With a simpler configuration file, new settings, environment variables support, new commands as well as a new interpreter, the new CLI gives more power and flexibility to Kong users and allow for an easier integration in your deployment workflow, as well as better testing for developers and plugins authors. Additionally, some new plugins and performance improvements are included as well as the regular bug fixes.\n\n### Changed\n\n- :warning: PostgreSQL is the new default datastore for Kong. If you were using Cassandra and you are upgrading, you need to explicitly set `cassandra` as your `database`.\n- :warning: New CLI, with new commands and refined arguments. This new CLI uses the `resty-cli` interpreter (see [lua-resty-cli](https://github.com/openresty/resty-cli)) instead of LuaJIT. As a result, the `resty` executable must be available in your `$PATH` (resty-cli is shipped in the OpenResty bundle) as well as the `bin/kong` executable. Kong does not rely on Luarocks installing the `bin/kong` executable anymore. This change of behavior is taken care of if you are using one of the official Kong packages.\n- :warning: Kong uses a new configuration file, with an easier syntax than the previous YAML file.\n- New arguments for the CLI, such as verbose, debug and tracing flags. We also avoid requiring the configuration file as an argument to each command as per the previous CLI.\n- Customization of the Nginx configuration can now be taken care of using two different approaches: with a custom Nginx configuration template and using `kong start --template `, or by using `kong compile` to generate the Kong Nginx sub-configuration, and `include` it in a custom Nginx instance.\n- Plugins:\n - Rate Limiting: the `continue_on_error` property is now called `fault_tolerant`.\n - Response Rate Limiting: the `continue_on_error` property is now called `fault_tolerant`.\n\n### Added\n\n- :fireworks: Support for overriding configuration settings with environment variables.\n- :fireworks: Support for SSL connections between Kong and PostgreSQL. [#1425](https://github.com/Kong/kong/pull/1425)\n- :fireworks: Ability to apply plugins with more granularity: per-consumer, and global plugins are now possible. [#1403](https://github.com/Kong/kong/pull/1403)\n- New `kong check` command: validates a Kong configuration file.\n- Better version check for third-party dependencies (OpenResty, Serf, Dnsmasq). [#1307](https://github.com/Kong/kong/pull/1307)\n- Ability to configure the validation depth of database SSL certificates from the configuration file. [#1420](https://github.com/Kong/kong/pull/1420)\n- `request_host`: internationalized url support; utf-8 domain names through punycode support and paths through %-encoding. [#1300](https://github.com/Kong/kong/issues/1300)\n- Implements caching locks when fetching database configuration (APIs, Plugins...) to avoid dog pile effect on cold nodes. [#1402](https://github.com/Kong/kong/pull/1402)\n- Plugins:\n - :fireworks: **New bot-detection plugin**: protect your APIs by detecting and rejecting common bots and crawlers. [#1413](https://github.com/Kong/kong/pull/1413)\n - correlation-id: new \"tracker\" generator, identifying requests per worker and connection. [#1288](https://github.com/Kong/kong/pull/1288)\n - request/response-transformer: ability to add strings including colon characters. [#1353](https://github.com/Kong/kong/pull/1353)\n - rate-limiting: support for new rate-limiting policies (`cluster`, `local` and `redis`), and for a new `limit_by` property to force rate-limiting by `consumer`, `credential` or `ip`.\n - response-rate-limiting: support for new rate-limiting policies (`cluster`, `local` and `redis`), and for a new `limit_by` property to force rate-limiting by `consumer`, `credential` or `ip`.\n - galileo: performance improvements of ALF serialization. ALFs are not discarded when exceeding 20MBs anymore. [#1463](https://github.com/Kong/kong/issues/1463)\n - statsd: new `upstream_stream` latency metric. [#1466](https://github.com/Kong/kong/pull/1466)\n - datadog: new `upstream_stream` latency metric and tagging support for each metric. [#1473](https://github.com/Kong/kong/pull/1473)\n\n### Removed\n\n- We now use [lua-resty-jit-uuid](https://github.com/thibaultCha/lua-resty-jit-uuid) for UUID generation, which is a pure Lua implementation of [RFC 4122](https://www.ietf.org/rfc/rfc4122.txt). As a result, libuuid is not a dependency of Kong anymore.\n\n### Fixed\n\n- Sensitive configuration settings are not printed to stdout anymore. [#1256](https://github.com/Kong/kong/issues/1256)\n- Fixed bug that caused nodes to remove themselves from the database when they attempted to join the cluster. [#1437](https://github.com/Kong/kong/pull/1437)\n- Plugins:\n - request-size-limiting: use proper constant for MB units while setting the size limit. [#1416](https://github.com/Kong/kong/pull/1416)\n - OAuth2: security and config validation fixes. [#1409](https://github.com/Kong/kong/pull/1409) [#1112](https://github.com/Kong/kong/pull/1112)\n - request/response-transformer: better validation of fields provided without a value. [#1399](https://github.com/Kong/kong/pull/1399)\n - JWT: handle some edge-cases that could result in HTTP 500 errors. [#1362](https://github.com/Kong/kong/pull/1362)\n\n> **internal**\n> - new test suite using resty-cli and removing the need to monkey-patch the `ngx` global.\n> - custom assertions and new helper methods (`wait_until()`) to gracefully fail in case of timeout.\n> - increase atomicity of the testing environment.\n> - lighter testing instance, only running 1 worker and not using Dnsmasq by default.\n\n[Back to TOC](#table-of-contents)\n\n## [0.8.3] - 2016/06/01\n\nThis release includes some bugfixes:\n\n### Changed\n\n- Switched the log level of the \"No nodes found in cluster\" warning to `INFO`, that was printed when starting up the first Kong node in a new cluster.\n- Kong now requires OpenResty `1.9.7.5`.\n\n### Fixed\n\n- New nodes are now properly registered into the `nodes` table when running on the same machine. [#1281](https://github.com/Kong/kong/pull/1281)\n- Fixed a failed error parsing on Postgres. [#1269](https://github.com/Kong/kong/pull/1269)\n- Plugins:\n - Response Transformer: Slashes are now encoded properly, and fixed a bug that hang the execution of the plugin. [#1257](https://github.com/Kong/kong/pull/1257) and [#1263](https://github.com/Kong/kong/pull/1263)\n - JWT: If a value for `algorithm` is missing, it's now `HS256` by default. This problem occurred when migrating from older versions of Kong.\n - OAuth 2.0: Fixed a Postgres problem that was preventing an application from being created, and fixed a check on the `redirect_uri` field. [#1264](https://github.com/Kong/kong/pull/1264) and [#1267](https://github.com/Kong/kong/issues/1267)\n\n[Back to TOC](#table-of-contents)\n\n## [0.8.2] - 2016/05/25\n\nThis release includes bugfixes and minor updates:\n\n### Added\n\n- Support for a simple slash in `request_path`. [#1227](https://github.com/Kong/kong/pull/1227)\n- Plugins:\n - Response Rate Limiting: it now appends usage headers to the upstream requests in the form of `X-Ratelimit-Remaining-{limit_name}` and introduces a new `config.block_on_first_violation` property. [#1235](https://github.com/Kong/kong/pull/1235)\n\n#### Changed\n\n- Plugins:\n - **Mashape Analytics: The plugin is now called \"Galileo\", and added support for Galileo v3. [#1159](https://github.com/Kong/kong/pull/1159)**\n\n#### Fixed\n\n- Postgres now relies on the `search_path` configured on the database and its default value `$user, public`. [#1196](https://github.com/Kong/kong/issues/1196)\n- Kong now properly encodes an empty querystring parameter like `?param=` when proxying the request. [#1210](https://github.com/Kong/kong/pull/1210)\n- The configuration now checks that `cluster.ttl_on_failure` is at least 60 seconds. [#1199](https://github.com/Kong/kong/pull/1199)\n- Plugins:\n - Loggly: Fixed an issue that was triggering 400 and 500 errors. [#1184](https://github.com/Kong/kong/pull/1184)\n - JWT: The `TYP` value in the header is not optional and case-insensitive. [#1192](https://github.com/Kong/kong/pull/1192)\n - Request Transformer: Fixed a bug when transforming request headers. [#1202](https://github.com/Kong/kong/pull/1202)\n - OAuth 2.0: Multiple redirect URIs are now supported. [#1112](https://github.com/Kong/kong/pull/1112)\n - IP Restriction: Fixed that prevented the plugin for working properly when added on an API. [#1245](https://github.com/Kong/kong/pull/1245)\n - CORS: Fixed an issue when `config.preflight_continue` was enabled. [#1240](https://github.com/Kong/kong/pull/1240)\n\n[Back to TOC](#table-of-contents)\n\n## [0.8.1] - 2016/04/27\n\nThis release includes some fixes and minor updates:\n\n### Added\n\n- Adds `X-Forwarded-Host` and `X-Forwarded-Prefix` to the upstream request headers. [#1180](https://github.com/Kong/kong/pull/1180)\n- Plugins:\n - Datadog: Added two new metrics, `unique_users` and `request_per_user`, that log the consumer information. [#1179](https://github.com/Kong/kong/pull/1179)\n\n### Fixed\n\n- Fixed a DAO bug that affected full entity updates. [#1163](https://github.com/Kong/kong/pull/1163)\n- Fixed a bug when setting the authentication provider in Cassandra.\n- Updated the Cassandra driver to v0.5.2.\n- Properly enforcing required fields in PUT requests. [#1177](https://github.com/Kong/kong/pull/1177)\n- Fixed a bug that prevented to retrieve the hostname of the local machine on certain systems. [#1178](https://github.com/Kong/kong/pull/1178)\n\n[Back to TOC](#table-of-contents)\n\n## [0.8.0] - 2016/04/18\n\nThis release includes support for PostgreSQL as Kong's primary datastore!\n\n### Breaking changes\n\n- Remove support for the long deprecated `/consumers/:consumer/keyauth/` and `/consumers/:consumer/basicauth/` routes (deprecated in `0.5.0`). The new routes (available since `0.5.0` too) use the real name of the plugin: `/consumers/:consumer/key-auth` and `/consumers/:consumer/basic-auth`.\n\n### Added\n\n- Support for PostgreSQL 9.4+ as Kong's primary datastore. [#331](https://github.com/Kong/kong/issues/331) [#1054](https://github.com/Kong/kong/issues/1054)\n- Configurable Cassandra reading/writing consistency. [#1026](https://github.com/Kong/kong/pull/1026)\n- Admin API: including pending and running timers count in the response to `/`. [#992](https://github.com/Kong/kong/pull/992)\n- Plugins\n - **New correlation-id plugin**: assign unique identifiers to the requests processed by Kong. Courtesy of [@opyate](https://github.com/opyate). [#1094](https://github.com/Kong/kong/pull/1094)\n - LDAP: add support for LDAP authentication. [#1133](https://github.com/Kong/kong/pull/1133)\n - StatsD: add support for StatsD logging. [#1142](https://github.com/Kong/kong/pull/1142)\n - JWT: add support for RS256 signed tokens thanks to [@kdstew](https://github.com/kdstew)! [#1053](https://github.com/Kong/kong/pull/1053)\n - ACL: appends `X-Consumer-Groups` to the request, so the upstream service can check what groups the consumer belongs to. [#1154](https://github.com/Kong/kong/pull/1154)\n - Galileo (mashape-analytics): increase batch sending timeout to 30s. [#1091](https://github.com/Kong/kong/pull/1091)\n- Added `ttl_on_failure` option in the cluster configuration, to configure the TTL of failed nodes. [#1125](https://github.com/Kong/kong/pull/1125)\n\n### Fixed\n\n- Introduce a new `port` option when connecting to your Cassandra cluster instead of using the CQL default (9042). [#1139](https://github.com/Kong/kong/issues/1139)\n- Plugins\n - Request/Response Transformer: add missing migrations for upgrades from ` <= 0.5.x`. [#1064](https://github.com/Kong/kong/issues/1064)\n - OAuth2\n - Error responses comply to RFC 6749. [#1017](https://github.com/Kong/kong/issues/1017)\n - Handle multipart requests. [#1067](https://github.com/Kong/kong/issues/1067)\n - Make access_tokens correctly expire. [#1089](https://github.com/Kong/kong/issues/1089)\n\n> **internal**\n> - replace globals with singleton pattern thanks to [@mars](https://github.com/mars).\n> - fixed resolution mismatches when using deep paths in the path resolver.\n\n[Back to TOC](#table-of-contents)\n\n## [0.7.0] - 2016/02/24\n\n### Breaking changes\n\nDue to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to `1.9.7.3` which is not backwards compatible, and thus requires changes to be made to the `nginx` property of Kong's configuration file. See the [0.7 upgrade path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-07x) for instructions.\n\nHowever by upgrading the underlying OpenResty version, source installations do not have to patch the NGINX core and use the old `ssl-cert-by-lua` branch of ngx_lua anymore. This will make source installations much easier.\n\n### Added\n\n- Support for OpenResty `1.9.7.*`. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). [#906](https://github.com/Kong/kong/pull/906)\n- Plugins\n - **New Runscope plugin**: Monitor your APIs from Kong with Runscope. Courtesy of [@mansilladev](https://github.com/mansilladev). [#924](https://github.com/Kong/kong/pull/924)\n - Datadog: New `response.size` metric. [#923](https://github.com/Kong/kong/pull/923)\n - Rate-Limiting and Response Rate-Limiting\n - New `config.async` option to asynchronously increment counters to reduce latency at the cost of slightly reducing the accuracy. [#912](https://github.com/Kong/kong/pull/912)\n - New `config.continue_on_error` option to keep proxying requests in case the datastore is unreachable. rate-limiting operations will be disabled until the datastore is responsive again. [#953](https://github.com/Kong/kong/pull/953)\n- CLI\n - Perform a simple permission check on the NGINX working directory when starting, to prevent errors during execution. [#939](https://github.com/Kong/kong/pull/939)\n- Send 50x errors with the appropriate format. [#927](https://github.com/Kong/kong/pull/927) [#970](https://github.com/Kong/kong/pull/970)\n\n### Fixed\n\n- Plugins\n - OAuth2\n - Better handling of `redirect_uri` (prevent the use of fragments and correctly handle querystrings). Courtesy of [@PGBI](https://github.com/PGBI). [#930](https://github.com/Kong/kong/pull/930)\n - Add `PUT` support to the `/auth2_tokens` route. [#897](https://github.com/Kong/kong/pull/897)\n - Better error message when the `access_token` is missing. [#1003](https://github.com/Kong/kong/pull/1003)\n - IP restriction: Fix an issue that could arise when restarting Kong. Now Kong does not need to be restarted for the ip-restriction configuration to take effect. [#782](https://github.com/Kong/kong/pull/782) [#960](https://github.com/Kong/kong/pull/960)\n - ACL: Properly invalidating entities when assigning a new ACL group. [#996](https://github.com/Kong/kong/pull/996)\n - SSL: Replace shelled out openssl calls with native `ngx.ssl` conversion utilities, which preserve the certificate chain. [#968](https://github.com/Kong/kong/pull/968)\n- Avoid user warning on start when the user is not root. [#964](https://github.com/Kong/kong/pull/964)\n- Store Serf logs in NGINX working directory to prevent eventual permission issues. [#975](https://github.com/Kong/kong/pull/975)\n- Allow plugins configured on a Consumer *without* being configured on an API to run. [#978](https://github.com/Kong/kong/issues/978) [#980](https://github.com/Kong/kong/pull/980)\n- Fixed an edge-case where Kong nodes would not be registered in the `nodes` table. [#1008](https://github.com/Kong/kong/pull/1008)\n\n[Back to TOC](#table-of-contents)\n\n## [0.6.1] - 2016/02/03\n\nThis release contains tiny bug fixes that were especially annoying for complex Cassandra setups and power users of the Admin API!\n\n### Added\n\n- A `timeout` property for the Cassandra configuration. In ms, this timeout is effective as a connection and a reading timeout. [#937](https://github.com/Kong/kong/pull/937)\n\n### Fixed\n\n- Correctly set the Cassandra SSL certificate in the Nginx configuration while starting Kong. [#921](https://github.com/Kong/kong/pull/921)\n- Rename the `user` Cassandra property to `username` (Kong looks for `username`, hence `user` would fail). [#922](https://github.com/Kong/kong/pull/922)\n- Allow Cassandra authentication with arbitrary plain text auth providers (such as Instaclustr uses), fixing authentication with them. [#937](https://github.com/Kong/kong/pull/937)\n- Admin API\n - Fix the `/plugins/:id` route for `PATCH` method. [#941](https://github.com/Kong/kong/pull/941)\n- Plugins\n - HTTP logging: remove the additional `\\r\\n` at the end of the logging request body. [#926](https://github.com/Kong/kong/pull/926)\n - Galileo: catch occasional internal errors happening when a request was cancelled by the client and fix missing shm for the retry policy. [#931](https://github.com/Kong/kong/pull/931)\n\n[Back to TOC](#table-of-contents)\n\n## [0.6.0] - 2016/01/22\n\n### Breaking changes\n\n We would recommended to consult the suggested [0.6 upgrade path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-06x) for this release.\n\n- [Serf](https://www.serf.io/) is now a Kong dependency. It allows Kong nodes to communicate between each other opening the way to many features and improvements.\n- The configuration file changed. Some properties were renamed, others were moved, and some are new. We would recommend checking out the new default configuration file.\n- Drop the Lua 5.1 dependency which was only used by the CLI. The CLI now runs with LuaJIT, which is consistent with other Kong components (Luarocks and OpenResty) already relying on LuaJIT. Make sure the LuaJIT interpreter is included in your `$PATH`. [#799](https://github.com/Kong/kong/pull/799)\n\n### Added\n\nOne of the biggest new features of this release is the cluster-awareness added to Kong in [#729](https://github.com/Kong/kong/pull/729), which deserves its own section:\n\n- Each Kong node is now aware of belonging to a cluster through Serf. Nodes automatically join the specified cluster according to the configuration file's settings.\n- The datastore cache is not invalidated by expiration time anymore, but following an invalidation strategy between the nodes of a same cluster, leading to improved performance.\n- Admin API\n - Expose a `/cache` endpoint for retrieving elements stored in the in-memory cache of a node.\n - Expose a `/cluster` endpoint used to add/remove/list members of the cluster, and also used internally for data propagation.\n- CLI\n - New `kong cluster` command for cluster management.\n - New `kong status` command for cluster healthcheck.\n\nOther additions include:\n\n- New Cassandra driver which makes Kong aware of the Cassandra cluster. Kong is now unaffected if one of your Cassandra nodes goes down as long as a replica is available on another node. Load balancing policies also improve the performance along with many other smaller improvements. [#803](https://github.com/Kong/kong/pull/803)\n- Admin API\n - A new `total` field in API responses, that counts the total number of entities in the datastore. [#635](https://github.com/Kong/kong/pull/635)\n- Configuration\n - Possibility to configure the keyspace replication strategy for Cassandra. It will be taken into account by the migrations when the configured keyspace does not already exist. [#350](https://github.com/Kong/kong/issues/350)\n - Dnsmasq is now optional. You can specify a custom DNS resolver address that Kong will use when resolving hostnames. This can be configured in `kong.yml`. [#625](https://github.com/Kong/kong/pull/625)\n- Plugins\n - **New \"syslog\" plugin**: send logs to local system log. [#698](https://github.com/Kong/kong/pull/698)\n - **New \"loggly\" plugin**: send logs to Loggly over UDP. [#698](https://github.com/Kong/kong/pull/698)\n - **New \"datadog\" plugin**: send logs to Datadog server. [#758](https://github.com/Kong/kong/pull/758)\n - OAuth2\n - Add support for `X-Forwarded-Proto` header. [#650](https://github.com/Kong/kong/pull/650)\n - Expose a new `/oauth2_tokens` endpoint with the possibility to retrieve, update or delete OAuth 2.0 access tokens. [#729](https://github.com/Kong/kong/pull/729)\n - JWT\n - Support for base64 encoded secrets. [#838](https://github.com/Kong/kong/pull/838) [#577](https://github.com/Kong/kong/issues/577)\n - Support to configure the claim in which the key is given into the token (not `iss` only anymore). [#838](https://github.com/Kong/kong/pull/838)\n - Request transformer\n - Support for more transformation options: `remove`, `replace`, `add`, `append` motivated by [#393](https://github.com/Kong/kong/pull/393). See [#824](https://github.com/Kong/kong/pull/824)\n - Support JSON body transformation. [#569](https://github.com/Kong/kong/issues/569)\n - Response transformer\n - Support for more transformation options: `remove`, `replace`, `add`, `append` motivated by [#393](https://github.com/Kong/kong/pull/393). See [#822](https://github.com/Kong/kong/pull/822)\n\n### Changed\n\n- As mentioned in the breaking changes section, a new configuration file format and validation. All properties are now documented and commented out with their default values. This allows for a lighter configuration file and more clarity as to what properties relate to. It also catches configuration mistakes. [#633](https://github.com/Kong/kong/pull/633)\n- Replace the UUID generator library with a new implementation wrapping lib-uuid, fixing eventual conflicts happening in cases such as described in [#659](https://github.com/Kong/kong/pull/659). See [#695](https://github.com/Kong/kong/pull/695)\n- Admin API\n - Increase the maximum body size to 10MB in order to handle configuration requests with heavy payloads. [#700](https://github.com/Kong/kong/pull/700)\n - Disable access logs for the `/status` endpoint.\n - The `/status` endpoint now includes `database` statistics, while the previous stats have been moved to a `server` response field. [#635](https://github.com/Kong/kong/pull/635)\n\n### Fixed\n\n- Behaviors described in [#603](https://github.com/Kong/kong/issues/603) related to the failure of Cassandra nodes thanks to the new driver. [#803](https://github.com/Kong/kong/issues/803)\n- Latency headers are now properly included in responses sent to the client. [#708](https://github.com/Kong/kong/pull/708)\n- `strip_request_path` does not add a trailing slash to the API's `upstream_url` anymore before proxying. [#675](https://github.com/Kong/kong/issues/675)\n- Do not URL decode querystring before proxying the request to the upstream service. [#749](https://github.com/Kong/kong/issues/749)\n- Handle cases when the request would be terminated prior to the Kong execution (that is, before ngx_lua reaches the `access_by_lua` context) in cases such as the use of a custom nginx module. [#594](https://github.com/Kong/kong/issues/594)\n- Admin API\n - The PUT method now correctly updates boolean fields (such as `strip_request_path`). [#765](https://github.com/Kong/kong/pull/765)\n - The PUT method now correctly resets a plugin configuration. [#720](https://github.com/Kong/kong/pull/720)\n - PATCH correctly set previously unset fields. [#861](https://github.com/Kong/kong/pull/861)\n - In the responses, the `next` link is not being displayed anymore if there are no more entities to be returned. [#635](https://github.com/Kong/kong/pull/635)\n - Prevent the update of `created_at` fields. [#820](https://github.com/Kong/kong/pull/820)\n - Better `request_path` validation for APIs. \"/\" is not considered a valid path anymore. [#881](https://github.com/Kong/kong/pull/881)\n- Plugins\n - Galileo: ensure the `mimeType` value is always a string in ALFs. [#584](https://github.com/Kong/kong/issues/584)\n - JWT: allow to update JWT credentials using the PATCH method. It previously used to reply with `405 Method not allowed` because the PATCH method was not implemented. [#667](https://github.com/Kong/kong/pull/667)\n - Rate limiting: fix a warning when many periods are configured. [#681](https://github.com/Kong/kong/issues/681)\n - Basic Authentication: do not re-hash the password field when updating a credential. [#726](https://github.com/Kong/kong/issues/726)\n - File log: better permissions for on file creation for file-log plugin. [#877](https://github.com/Kong/kong/pull/877)\n - OAuth2\n - Implement correct responses when the OAuth2 challenges are refused. [#737](https://github.com/Kong/kong/issues/737)\n - Handle querystring on `/authorize` and `/token` URLs. [#687](https://github.com/Kong/kong/pull/667)\n - Handle punctuation in scopes on `/authorize` and `/token` endpoints. [#658](https://github.com/Kong/kong/issues/658)\n\n> ***internal***\n> - Event bus for local and cluster-wide events propagation. Plans for this event bus is to be widely used among Kong in the future.\n> - The Kong Public Lua API (Lua helpers integrated in Kong such as DAO and Admin API helpers) is now documented with [ldoc](http://stevedonovan.github.io/ldoc/).\n> - Work has been done to restore the reliability of the CI platforms.\n> - Migrations can now execute DML queries (instead of DDL queries only). Handy for migrations implying plugin configuration changes, plugins renamings etc... [#770](https://github.com/Kong/kong/pull/770)\n\n[Back to TOC](#table-of-contents)\n\n## [0.5.4] - 2015/12/03\n\n### Fixed\n\n- Mashape Analytics plugin (renamed Galileo):\n - Improve stability under heavy load. [#757](https://github.com/Kong/kong/issues/757)\n - base64 encode ALF request/response bodies, enabling proper support for Galileo bodies inspection capabilities. [#747](https://github.com/Kong/kong/pull/747)\n - Do not include JSON bodies in ALF `postData.params` field. [#766](https://github.com/Kong/kong/pull/766)\n\n[Back to TOC](#table-of-contents)\n\n## [0.5.3] - 2015/11/16\n\n### Fixed\n\n- Avoids additional URL encoding when proxying to an upstream service. [#691](https://github.com/Kong/kong/pull/691)\n- Potential timing comparison bug in HMAC plugin. [#704](https://github.com/Kong/kong/pull/704)\n\n### Added\n\n- The Galileo plugin now supports arbitrary host, port and path values. [#721](https://github.com/Kong/kong/pull/721)\n\n[Back to TOC](#table-of-contents)\n\n## [0.5.2] - 2015/10/21\n\nA few fixes requested by the community!\n\n### Fixed\n\n- Kong properly search the `nginx` in your $PATH variable.\n- Plugins:\n - OAuth2: can detect that the originating protocol for a request was HTTPS through the `X-Forwarded-Proto` header and work behind another reverse proxy (load balancer). [#650](https://github.com/Kong/kong/pull/650)\n - HMAC signature: support for `X-Date` header to sign the request for usage in browsers (since the `Date` header is protected). [#641](https://github.com/Kong/kong/issues/641)\n\n[Back to TOC](#table-of-contents)\n\n## [0.5.1] - 2015/10/13\n\nFixing a few glitches we let out with 0.5.0!\n\n### Added\n\n- Basic Authentication and HMAC Authentication plugins now also send the `X-Credential-Username` to the upstream server.\n- Admin API now accept JSON when receiving a CORS request. [#580](https://github.com/Kong/kong/pull/580)\n- Add a `WWW-Authenticate` header for HTTP 401 responses for basic-auth and key-auth. [#588](https://github.com/Kong/kong/pull/588)\n\n### Changed\n\n- Protect Kong from POODLE SSL attacks by omitting SSLv3 (CVE-2014-3566). [#563](https://github.com/Kong/kong/pull/563)\n- Remove support for key-auth key in body. [#566](https://github.com/Kong/kong/pull/566)\n\n### Fixed\n\n- Plugins\n - HMAC\n - The migration for this plugin is now correctly being run. [#611](https://github.com/Kong/kong/pull/611)\n - Wrong username doesn't return HTTP 500 anymore, but 403. [#602](https://github.com/Kong/kong/pull/602)\n - JWT: `iss` not being found doesn't return HTTP 500 anymore, but 403. [#578](https://github.com/Kong/kong/pull/578)\n - OAuth2: client credentials flow does not include a refresh token anymore. [#562](https://github.com/Kong/kong/issues/562)\n- Fix an occasional error when updating a plugin without a config. [#571](https://github.com/Kong/kong/pull/571)\n\n[Back to TOC](#table-of-contents)\n\n## [0.5.0] - 2015/09/25\n\nWith new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention.\n\n### Breaking changes\n\nSeveral breaking changes are introduced. You will have to slightly change your configuration file and a migration script will take care of updating your database cluster. **Please follow the instructions in [UPGRADE.md](/UPGRADE.md#update-to-kong-050) for an update without downtime.**\n- Many plugins were renamed due to new naming conventions for consistency. [#480](https://github.com/Kong/kong/issues/480)\n- In the configuration file, the Cassandra `hosts` property was renamed to `contact_points`. [#513](https://github.com/Kong/kong/issues/513)\n- Properties belonging to APIs entities have been renamed for clarity. [#513](https://github.com/Kong/kong/issues/513)\n - `public_dns` -> `request_host`\n - `path` -> `request_path`\n - `strip_path` -> `strip_request_path`\n - `target_url` -> `upstream_url`\n- `plugins_configurations` have been renamed to `plugins`, and their `value` property has been renamed to `config` to avoid confusions. [#513](https://github.com/Kong/kong/issues/513)\n- The database schema has been updated to handle the separation of plugins outside of the core repository.\n- The Key authentication and Basic authentication plugins routes have changed:\n\n```\nOld route New route\n/consumers/:consumer/keyauth -> /consumers/:consumer/key-auth\n/consumers/:consumer/keyauth/:id -> /consumers/:consumer/key-auth/:id\n/consumers/:consumer/basicauth -> /consumers/:consumer/basic-auth\n/consumers/:consumer/basicauth/:id -> /consumers/:consumer/basic-auth/:id\n```\n\nThe old routes are still maintained but will be removed in upcoming versions. Consider them **deprecated**.\n\n- Admin API\n - The route to retrieve enabled plugins is now under `/plugins/enabled`.\n - The route to retrieve a plugin's configuration schema is now under `/plugins/schema/{plugin name}`.\n\n#### Added\n\n- Plugins\n - **New Response Rate Limiting plugin**: Give a usage quota to your users based on a parameter in your response. [#247](https://github.com/Kong/kong/pull/247)\n - **New ACL (Access Control) plugin**: Configure authorizations for your Consumers. [#225](https://github.com/Kong/kong/issues/225)\n - **New JWT (JSON Web Token) plugin**: Verify and authenticate JWTs. [#519](https://github.com/Kong/kong/issues/519)\n - **New HMAC signature plugin**: Verify and authenticate HMAC signed HTTP requests. [#549](https://github.com/Kong/kong/pull/549)\n - Plugins migrations. Each plugin can now have its own migration scripts if it needs to store data in your cluster. This is a step forward to improve Kong's pluggable architecture. [#443](https://github.com/Kong/kong/pull/443)\n - Basic Authentication: the password field is now sha1 encrypted. [#33](https://github.com/Kong/kong/issues/33)\n - Basic Authentication: now supports credentials in the `Proxy-Authorization` header. [#460](https://github.com/Kong/kong/issues/460)\n\n#### Changed\n\n- Basic Authentication and Key Authentication now require authentication parameters even when the `Expect: 100-continue` header is being sent. [#408](https://github.com/Kong/kong/issues/408)\n- Key Auth plugin does not support passing the key in the request payload anymore. [#566](https://github.com/Kong/kong/pull/566)\n- APIs' names cannot contain characters from the RFC 3986 reserved list. [#589](https://github.com/Kong/kong/pull/589)\n\n#### Fixed\n\n- Resolver\n - Making a request with a querystring will now correctly match an API's path. [#496](https://github.com/Kong/kong/pull/496)\n- Admin API\n - Data associated to a given API/Consumer will correctly be deleted if related Consumer/API is deleted. [#107](https://github.com/Kong/kong/issues/107) [#438](https://github.com/Kong/kong/issues/438) [#504](https://github.com/Kong/kong/issues/504)\n - The `/api/{api_name_or_id}/plugins/{plugin_name_or_id}` changed to `/api/{api_name_or_id}/plugins/{plugin_id}` to avoid requesting the wrong plugin if two are configured for one API. [#482](https://github.com/Kong/kong/pull/482)\n - APIs created without a `name` but with a `request_path` will now have a name which defaults to the set `request_path`. [#547](https://github.com/Kong/kong/issues/547)\n- Plugins\n - Mashape Analytics: More robust buffer and better error logging. [#471](https://github.com/Kong/kong/pull/471)\n - Mashape Analytics: Several ALF (API Log Format) serialization fixes. [#515](https://github.com/Kong/kong/pull/515)\n - Oauth2: A response is now returned on `http://kong:8001/consumers/{consumer}/oauth2/{oauth2_id}`. [#469](https://github.com/Kong/kong/issues/469)\n - Oauth2: Saving `authenticated_userid` on Password Grant. [#476](https://github.com/Kong/kong/pull/476)\n - Oauth2: Proper handling of the `/oauth2/authorize` and `/oauth2/token` endpoints in the OAuth 2.0 Plugin when an API with a `path` is being consumed using the `public_dns` instead. [#503](https://github.com/Kong/kong/issues/503)\n - OAuth2: Properly returning `X-Authenticated-UserId` in the `client_credentials` and `password` flows. [#535](https://github.com/Kong/kong/issues/535)\n - Response-Transformer: Properly handling JSON responses that have a charset specified in their `Content-Type` header.\n\n[Back to TOC](#table-of-contents)\n\n## [0.4.2] - 2015/08/10\n\n#### Added\n\n- Cassandra authentication and SSL encryption. [#405](https://github.com/Kong/kong/pull/405)\n- `preserve_host` flag on APIs to preserve the Host header when a request is proxied. [#444](https://github.com/Kong/kong/issues/444)\n- Added the Resource Owner Password Credentials Grant to the OAuth 2.0 Plugin. [#448](https://github.com/Kong/kong/issues/448)\n- Auto-generation of default SSL certificate. [#453](https://github.com/Kong/kong/issues/453)\n\n#### Changed\n\n- Remove `cassandra.port` property in configuration. Ports are specified by having `cassandra.hosts` addresses using the `host:port` notation (RFC 3986). [#457](https://github.com/Kong/kong/pull/457)\n- Default SSL certificate is now auto-generated and stored in the `nginx_working_dir`.\n- OAuth 2.0 plugin now properly forces HTTPS.\n\n#### Fixed\n\n- Better handling of multi-nodes Cassandra clusters. [#450](https://github.com/Kong/kong/pull/405)\n- mashape-analytics plugin: handling of numerical values in querystrings. [#449](https://github.com/Kong/kong/pull/405)\n- Path resolver `strip_path` option wrongfully matching the `path` property multiple times in the request URI. [#442](https://github.com/Kong/kong/issues/442)\n- File Log Plugin bug that prevented the file creation in some environments. [#461](https://github.com/Kong/kong/issues/461)\n- Clean output of the Kong CLI. [#235](https://github.com/Kong/kong/issues/235)\n\n[Back to TOC](#table-of-contents)\n\n## [0.4.1] - 2015/07/23\n\n#### Fixed\n\n- Issues with the Mashape Analytics plugin. [#425](https://github.com/Kong/kong/pull/425)\n- Handle hyphens when executing path routing with `strip_path` option enabled. [#431](https://github.com/Kong/kong/pull/431)\n- Adding the Client Credentials OAuth 2.0 flow. [#430](https://github.com/Kong/kong/issues/430)\n- A bug that prevented \"dnsmasq\" from being started on some systems, including Debian. [f7da790](https://github.com/Kong/kong/commit/f7da79057ce29c7d1f6d90f4bc160cc3d9c8611f)\n- File Log plugin: optimizations by avoiding the buffered I/O layer. [20bb478](https://github.com/Kong/kong/commit/20bb478952846faefec6091905bd852db24a0289)\n\n[Back to TOC](#table-of-contents)\n\n## [0.4.0] - 2015/07/15\n\n#### Added\n\n- Implement wildcard subdomains for APIs' `public_dns`. [#381](https://github.com/Kong/kong/pull/381) [#297](https://github.com/Kong/kong/pull/297)\n- Plugins\n - **New OAuth 2.0 plugin.** [#341](https://github.com/Kong/kong/pull/341) [#169](https://github.com/Kong/kong/pull/169)\n - **New Mashape Analytics plugin.** [#360](https://github.com/Kong/kong/pull/360) [#272](https://github.com/Kong/kong/pull/272)\n - **New IP restriction plugin.** [#379](https://github.com/Kong/kong/pull/379)\n - Ratelimiting: support for multiple limits. [#382](https://github.com/Kong/kong/pull/382) [#205](https://github.com/Kong/kong/pull/205)\n - HTTP logging: support for HTTPS endpoint. [#342](https://github.com/Kong/kong/issues/342)\n - Logging plugins: new properties for logs timing. [#351](https://github.com/Kong/kong/issues/351)\n - Key authentication: now auto-generates a key if none is specified. [#48](https://github.com/Kong/kong/pull/48)\n- Resolver\n - `path` property now accepts arbitrary depth. [#310](https://github.com/Kong/kong/issues/310)\n- Admin API\n - Enable CORS by default. [#371](https://github.com/Kong/kong/pull/371)\n - Expose a new endpoint to get a plugin configuration's schema. [#376](https://github.com/Kong/kong/pull/376) [#309](https://github.com/Kong/kong/pull/309)\n - Expose a new endpoint to retrieve a node's status. [417c137](https://github.com/Kong/kong/commit/417c1376c08d3562bebe0c0816c6b54df045f515)\n- CLI\n - `$ kong migrations reset` now asks for confirmation. [#365](https://github.com/Kong/kong/pull/365)\n\n#### Fixed\n\n- Plugins\n - Basic authentication not being executed if added to an API with default configuration. [6d732cd](https://github.com/Kong/kong/commit/6d732cd8b0ec92ef328faa843215d8264f50fb75)\n - SSL plugin configuration parsing. [#353](https://github.com/Kong/kong/pull/353)\n - SSL plugin doesn't accept a `consumer_id` anymore, as this wouldn't make sense. [#372](https://github.com/Kong/kong/pull/372) [#322](https://github.com/Kong/kong/pull/322)\n - Authentication plugins now return `401` when missing credentials. [#375](https://github.com/Kong/kong/pull/375) [#354](https://github.com/Kong/kong/pull/354)\n- Admin API\n - Non supported HTTP methods now return `405` instead of `500`. [38f1b7f](https://github.com/Kong/kong/commit/38f1b7fa9f45f60c4130ef5ff9fe2c850a2ba586)\n - Prevent PATCH requests from overriding a plugin's configuration if partially updated. [9a7388d](https://github.com/Kong/kong/commit/9a7388d695c9de105917cde23a684a7d6722a3ca)\n- Handle occasionally missing `schema_migrations` table. [#365](https://github.com/Kong/kong/pull/365) [#250](https://github.com/Kong/kong/pull/250)\n\n> **internal**\n> - DAO:\n> - Complete refactor. No more need for hard-coded queries. [#346](https://github.com/Kong/kong/pull/346)\n> - Schemas:\n> - New `self_check` test for schema definitions. [5bfa7ca](https://github.com/Kong/kong/commit/5bfa7ca13561173161781f872244d1340e4152c1)\n\n[Back to TOC](#table-of-contents)\n\n## [0.3.2] - 2015/06/08\n\n#### Fixed\n\n- Uppercase Cassandra keyspace bug that prevented Kong to work with [kongdb.org](http://kongdb.org/)\n- Multipart requests not properly parsed in the admin API. [#344](https://github.com/Kong/kong/issues/344)\n\n[Back to TOC](#table-of-contents)\n\n## [0.3.1] - 2015/06/07\n\n#### Fixed\n\n- Schema migrations are now automatic, which was missing from previous releases. [#303](https://github.com/Kong/kong/issues/303)\n\n[Back to TOC](#table-of-contents)\n\n## [0.3.0] - 2015/06/04\n\n#### Added\n\n- Support for SSL.\n- Plugins\n - New HTTP logging plugin. [#226](https://github.com/Kong/kong/issues/226) [#251](https://github.com/Kong/kong/pull/251)\n - New SSL plugin.\n - New request size limiting plugin. [#292](https://github.com/Kong/kong/pull/292)\n - Default logging format improvements. [#226](https://github.com/Kong/kong/issues/226) [#262](https://github.com/Kong/kong/issues/262)\n - File logging now logs to a custom file. [#202](https://github.com/Kong/kong/issues/202)\n - Keyauth plugin now defaults `key_names` to \"apikey\".\n- Admin API\n - RESTful routing. Much nicer Admin API routing. Ex: `/apis/{name_or_id}/plugins`. [#98](https://github.com/Kong/kong/issues/98) [#257](https://github.com/Kong/kong/pull/257)\n - Support `PUT` method for endpoints such as `/apis/`, `/apis/plugins/`, `/consumers/`\n - Support for `application/json` and `x-www-form-urlencoded` Content Types for all `PUT`, `POST` and `PATCH` endpoints by passing a `Content-Type` header. [#236](https://github.com/Kong/kong/pull/236)\n- Resolver\n - Support resolving APIs by Path as well as by Header. [#192](https://github.com/Kong/kong/pull/192) [#282](https://github.com/Kong/kong/pull/282)\n - Support for `X-Host-Override` as an alternative to `Host` for browsers. [#203](https://github.com/Kong/kong/issues/203) [#246](https://github.com/Kong/kong/pull/246)\n- Auth plugins now send user informations to your upstream services. [#228](https://github.com/Kong/kong/issues/228)\n- Invalid `target_url` value are now being caught when creating an API. [#149](https://github.com/Kong/kong/issues/149)\n\n#### Fixed\n\n- Uppercase Cassandra keyspace causing migration failure. [#249](https://github.com/Kong/kong/issues/249)\n- Guarantee that ratelimiting won't allow requests in case the atomicity of the counter update is not guaranteed. [#289](https://github.com/Kong/kong/issues/289)\n\n> **internal**\n> - Schemas:\n> - New property type: `array`. [#277](https://github.com/Kong/kong/pull/277)\n> - Entities schemas now live in their own files and are starting to be unit tested.\n> - Subfields are handled better: (notify required subfields and auto-vivify is subfield has default values).\n> - Way faster unit tests. Not resetting the DB anymore between tests.\n> - Improved coverage computation (exclude `vendor/`).\n> - Travis now lints `kong/`.\n> - Way faster Travis setup.\n> - Added a new HTTP client for in-nginx usage, using the cosocket API.\n> - Various refactorings.\n> - Fix [#196](https://github.com/Kong/kong/issues/196).\n> - Disabled ipv6 in resolver.\n\n[Back to TOC](#table-of-contents)\n\n## [0.2.1] - 2015/05/12\n\nThis is a maintenance release including several bug fixes and usability improvements.\n\n#### Added\n- Support for local DNS resolution. [#194](https://github.com/Kong/kong/pull/194)\n- Support for Debian 8 and Ubuntu 15.04.\n- DAO\n - Cassandra version bumped to 2.1.5\n - Support for Cassandra downtime. If Cassandra goes down and is brought back up, Kong will not need to restart anymore, statements will be re-prepared on-the-fly. This is part of an ongoing effort from [jbochi/lua-resty-cassandra#47](https://github.com/jbochi/lua-resty-cassandra/pull/47), [#146](https://github.com/Kong/kong/pull/146) and [#187](https://github.com/Kong/kong/pull/187).\nQueries effectuated during the downtime will still be lost. [#11](https://github.com/Kong/kong/pull/11)\n - Leverage reused sockets. If the DAO reuses a socket, it will not re-set their keyspace. This should give a small but appreciable performance improvement. [#170](https://github.com/Kong/kong/pull/170)\n - Cascade delete plugins configurations when deleting a Consumer or an API associated with it. [#107](https://github.com/Kong/kong/pull/107)\n - Allow Cassandra hosts listening on different ports than the default. [#185](https://github.com/Kong/kong/pull/185)\n- CLI\n - Added a notice log when Kong tries to connect to Cassandra to avoid user confusion. [#168](https://github.com/Kong/kong/pull/168)\n - The CLI now tests if the ports are already being used before starting and warns.\n- Admin API\n - `name` is now an optional property for APIs. If none is being specified, the name will be the API `public_dns`. [#181](https://github.com/Kong/kong/pull/181)\n- Configuration\n - The memory cache size is now configurable. [#208](https://github.com/Kong/kong/pull/208)\n\n#### Fixed\n- Resolver\n - More explicit \"API not found\" message from the resolver if the Host was not found in the system. \"API not found with Host: %s\".\n - If multiple hosts headers are being sent, Kong will test them all to see if one of the API is in the system. [#186](https://github.com/Kong/kong/pull/186)\n- Admin API: responses now have a new line after the body. [#164](https://github.com/Kong/kong/issues/164)\n- DAO: keepalive property is now properly passed when Kong calls `set_keepalive` on Cassandra sockets.\n- Multipart dependency throwing error at startup. [#213](https://github.com/Kong/kong/pull/213)\n\n> **internal**\n> - Separate Migrations from the DAO factory.\n> - Update dev config + Makefile rules (`run` becomes `start`).\n> - Introducing an `ngx` stub for unit tests and CLI.\n> - Switch many PCRE regexes to using patterns.\n\n[Back to TOC](#table-of-contents)\n\n## [0.2.0-2] - 2015/04/27\n\nFirst public release of Kong. This version brings a lot of internal improvements as well as more usability and a few additional plugins.\n\n#### Added\n- Plugins\n - CORS plugin.\n - Request transformation plugin.\n - NGINX plus monitoring plugin.\n- Configuration\n - New properties: `proxy_port` and `api_admin_port`. [#142](https://github.com/Kong/kong/issues/142)\n- CLI\n - Better info, help and error messages. [#118](https://github.com/Kong/kong/issues/118) [#124](https://github.com/Kong/kong/issues/124)\n - New commands: `kong reload`, `kong quit`. [#114](https://github.com/Kong/kong/issues/114) Alias of `version`: `kong --version` [#119](https://github.com/Kong/kong/issues/119)\n - `kong restart` simply starts Kong if not previously running + better pid file handling. [#131](https://github.com/Kong/kong/issues/131)\n- Package distributions: .rpm, .deb and .pkg for easy installs on most common platforms.\n\n#### Fixed\n- Admin API: trailing slash is not necessary anymore for core resources such as `/apis` or `/consumers`.\n- Leaner default configuration. [#156](https://github.com/Kong/kong/issues/156)\n\n> **internal**\n> - All scripts moved to the CLI as \"hidden\" commands (`kong db`, `kong config`).\n> - More tests as always, and they are structured better. The coverage went down mainly because of plugins which will later move to their own repos. We are all eagerly waiting for that!\n> - `src/` was renamed to `kong/` for ease of development\n> - All system dependencies versions for package building and travis-ci are now listed in `versions.sh`\n> - DAO doesn't need to `:prepare()` prior to run queries. Queries can be prepared at runtime. [#146](https://github.com/Kong/kong/issues/146)\n\n[Back to TOC](#table-of-contents)\n\n## [0.1.1beta-2] - 2015/03/30\n\n#### Fixed\n\n- Wrong behavior of auto-migration in `kong start`.\n\n[Back to TOC](#table-of-contents)\n\n## [0.1.0beta-3] - 2015/03/25\n\nFirst public beta. Includes caching and better usability.\n\n#### Added\n- Required Openresty is now `1.7.10.1`.\n- Freshly built CLI, rewritten in Lua\n- `kong start` using a new DB keyspace will automatically migrate the schema. [#68](https://github.com/Kong/kong/issues/68)\n- Anonymous error reporting on Proxy and API. [#64](https://github.com/Kong/kong/issues/64)\n- Configuration\n - Simplified configuration file (unified in `kong.yml`).\n - In configuration, `plugins_installed` was renamed to `plugins_available`. [#59](https://github.com/Kong/kong/issues/59)\n - Order of `plugins_available` doesn't matter anymore. [#17](https://github.com/Kong/kong/issues/17)\n - Better handling of plugins: Kong now detects which plugins are configured and if they are installed on the current machine.\n - `bin/kong` now defaults on `/etc/kong.yml` for config and `/var/logs/kong` for output. [#71](https://github.com/Kong/kong/issues/71)\n- Proxy: APIs/Consumers caching with expiration for faster authentication.\n- Admin API: Plugins now use plain form parameters for configuration. [#70](https://github.com/Kong/kong/issues/70)\n- Keep track of already executed migrations. `rollback` now behaves as expected. [#8](https://github.com/Kong/kong/issues/8)\n\n#### Fixed\n- `Server` header now sends Kong. [#57](https://github.com/Kong/kong/issues/57)\n- migrations not being executed in order on Linux. This issue wasn't noticed until unit testing the migrations because for now we only have 1 migration file.\n- Admin API: Errors responses are now sent as JSON. [#58](https://github.com/Kong/kong/issues/58)\n\n> **internal**\n> - We now have code linting and coverage.\n> - Faker and Migrations instances don't live in the DAO Factory anymore, they are only used in scripts and tests.\n> - `scripts/config.lua` allows environment based configurations. `make dev` generates a `kong.DEVELOPMENT.yml` and `kong_TEST.yml`. Different keyspaces and ports.\n> - `spec_helpers.lua` allows tests to not rely on the `Makefile` anymore. Integration tests can run 100% from `busted`.\n> - Switch integration testing from [httpbin.org] to [mockbin.com].\n> - `core` plugin was renamed to `resolver`.\n\n[Back to TOC](#table-of-contents)\n\n## [0.0.1alpha-1] - 2015/02/25\n\nFirst version running with Cassandra.\n\n#### Added\n- Basic proxying.\n- Built-in authentication plugin (api key, HTTP basic).\n- Built-in ratelimiting plugin.\n- Built-in TCP logging plugin.\n- Configuration API (for consumers, apis, plugins).\n- CLI `bin/kong` script.\n- Database migrations (using `db.lua`).\n\n[2.8.1]: https://github.com/Kong/kong/compare/2.8.0...2.8.1\n[2.8.0]: https://github.com/Kong/kong/compare/2.7.0...2.8.0\n[2.7.1]: https://github.com/Kong/kong/compare/2.7.0...2.7.1\n[2.7.0]: https://github.com/Kong/kong/compare/2.6.0...2.7.0\n[2.6.0]: https://github.com/Kong/kong/compare/2.5.1...2.6.0\n[2.5.1]: https://github.com/Kong/kong/compare/2.5.0...2.5.1\n[2.5.0]: https://github.com/Kong/kong/compare/2.4.1...2.5.0\n[2.4.1]: https://github.com/Kong/kong/compare/2.4.0...2.4.1\n[2.4.0]: https://github.com/Kong/kong/compare/2.3.3...2.4.0\n[2.3.3]: https://github.com/Kong/kong/compare/2.3.2...2.3.3\n[2.3.2]: https://github.com/Kong/kong/compare/2.3.1...2.3.2\n[2.3.1]: https://github.com/Kong/kong/compare/2.3.0...2.3.1\n[2.3.0]: https://github.com/Kong/kong/compare/2.2.0...2.3.0\n[2.2.2]: https://github.com/Kong/kong/compare/2.2.1...2.2.2\n[2.2.1]: https://github.com/Kong/kong/compare/2.2.0...2.2.1\n[2.2.0]: https://github.com/Kong/kong/compare/2.1.3...2.2.0\n[2.1.4]: https://github.com/Kong/kong/compare/2.1.3...2.1.4\n[2.1.3]: https://github.com/Kong/kong/compare/2.1.2...2.1.3\n[2.1.2]: https://github.com/Kong/kong/compare/2.1.1...2.1.2\n[2.1.1]: https://github.com/Kong/kong/compare/2.1.0...2.1.1\n[2.1.0]: https://github.com/Kong/kong/compare/2.0.5...2.1.0\n[2.0.5]: https://github.com/Kong/kong/compare/2.0.4...2.0.5\n[2.0.4]: https://github.com/Kong/kong/compare/2.0.3...2.0.4\n[2.0.3]: https://github.com/Kong/kong/compare/2.0.2...2.0.3\n[2.0.2]: https://github.com/Kong/kong/compare/2.0.1...2.0.2\n[2.0.1]: https://github.com/Kong/kong/compare/2.0.0...2.0.1\n[2.0.0]: https://github.com/Kong/kong/compare/1.5.0...2.0.0\n[1.5.1]: https://github.com/Kong/kong/compare/1.5.0...1.5.1\n[1.5.0]: https://github.com/Kong/kong/compare/1.4.3...1.5.0\n[1.4.3]: https://github.com/Kong/kong/compare/1.4.2...1.4.3\n[1.4.2]: https://github.com/Kong/kong/compare/1.4.1...1.4.2\n[1.4.1]: https://github.com/Kong/kong/compare/1.4.0...1.4.1\n[1.4.0]: https://github.com/Kong/kong/compare/1.3.0...1.4.0\n[1.3.0]: https://github.com/Kong/kong/compare/1.2.2...1.3.0\n[1.2.2]: https://github.com/Kong/kong/compare/1.2.1...1.2.2\n[1.2.1]: https://github.com/Kong/kong/compare/1.2.0...1.2.1\n[1.2.0]: https://github.com/Kong/kong/compare/1.1.2...1.2.0\n[1.1.2]: https://github.com/Kong/kong/compare/1.1.1...1.1.2\n[1.1.1]: https://github.com/Kong/kong/compare/1.1.0...1.1.1\n[1.1.0]: https://github.com/Kong/kong/compare/1.0.3...1.1.0\n[1.0.3]: https://github.com/Kong/kong/compare/1.0.2...1.0.3\n[1.0.2]: https://github.com/Kong/kong/compare/1.0.1...1.0.2\n[1.0.1]: https://github.com/Kong/kong/compare/1.0.0...1.0.1\n[1.0.0]: https://github.com/Kong/kong/compare/0.15.0...1.0.0\n[0.15.0]: https://github.com/Kong/kong/compare/0.14.1...0.15.0\n[0.14.1]: https://github.com/Kong/kong/compare/0.14.0...0.14.1\n[0.14.0]: https://github.com/Kong/kong/compare/0.13.1...0.14.0\n[0.13.1]: https://github.com/Kong/kong/compare/0.13.0...0.13.1\n[0.13.0]: https://github.com/Kong/kong/compare/0.12.3...0.13.0\n[0.12.3]: https://github.com/Kong/kong/compare/0.12.2...0.12.3\n[0.12.2]: https://github.com/Kong/kong/compare/0.12.1...0.12.2\n[0.12.1]: https://github.com/Kong/kong/compare/0.12.0...0.12.1\n[0.12.0]: https://github.com/Kong/kong/compare/0.11.2...0.12.0\n[0.11.2]: https://github.com/Kong/kong/compare/0.11.1...0.11.2\n[0.11.1]: https://github.com/Kong/kong/compare/0.11.0...0.11.1\n[0.10.4]: https://github.com/Kong/kong/compare/0.10.3...0.10.4\n[0.11.0]: https://github.com/Kong/kong/compare/0.10.3...0.11.0\n[0.10.3]: https://github.com/Kong/kong/compare/0.10.2...0.10.3\n[0.10.2]: https://github.com/Kong/kong/compare/0.10.1...0.10.2\n[0.10.1]: https://github.com/Kong/kong/compare/0.10.0...0.10.1\n[0.10.0]: https://github.com/Kong/kong/compare/0.9.9...0.10.0\n[0.9.9]: https://github.com/Kong/kong/compare/0.9.8...0.9.9\n[0.9.8]: https://github.com/Kong/kong/compare/0.9.7...0.9.8\n[0.9.7]: https://github.com/Kong/kong/compare/0.9.6...0.9.7\n[0.9.6]: https://github.com/Kong/kong/compare/0.9.5...0.9.6\n[0.9.5]: https://github.com/Kong/kong/compare/0.9.4...0.9.5\n[0.9.4]: https://github.com/Kong/kong/compare/0.9.3...0.9.4\n[0.9.3]: https://github.com/Kong/kong/compare/0.9.2...0.9.3\n[0.9.2]: https://github.com/Kong/kong/compare/0.9.1...0.9.2\n[0.9.1]: https://github.com/Kong/kong/compare/0.9.0...0.9.1\n[0.9.0]: https://github.com/Kong/kong/compare/0.8.3...0.9.0\n[0.8.3]: https://github.com/Kong/kong/compare/0.8.2...0.8.3\n[0.8.2]: https://github.com/Kong/kong/compare/0.8.1...0.8.2\n[0.8.1]: https://github.com/Kong/kong/compare/0.8.0...0.8.1\n[0.8.0]: https://github.com/Kong/kong/compare/0.7.0...0.8.0\n[0.7.0]: https://github.com/Kong/kong/compare/0.6.1...0.7.0\n[0.6.1]: https://github.com/Kong/kong/compare/0.6.0...0.6.1\n[0.6.0]: https://github.com/Kong/kong/compare/0.5.4...0.6.0\n[0.5.4]: https://github.com/Kong/kong/compare/0.5.3...0.5.4\n[0.5.3]: https://github.com/Kong/kong/compare/0.5.2...0.5.3\n[0.5.2]: https://github.com/Kong/kong/compare/0.5.1...0.5.2\n[0.5.1]: https://github.com/Kong/kong/compare/0.5.0...0.5.1\n[0.5.0]: https://github.com/Kong/kong/compare/0.4.2...0.5.0\n[0.4.2]: https://github.com/Kong/kong/compare/0.4.1...0.4.2\n[0.4.1]: https://github.com/Kong/kong/compare/0.4.0...0.4.1\n[0.4.0]: https://github.com/Kong/kong/compare/0.3.2...0.4.0\n[0.3.2]: https://github.com/Kong/kong/compare/0.3.1...0.3.2\n[0.3.1]: https://github.com/Kong/kong/compare/0.3.0...0.3.1\n[0.3.0]: https://github.com/Kong/kong/compare/0.2.1...0.3.0\n[0.2.1]: https://github.com/Kong/kong/compare/0.2.0-2...0.2.1\n[0.2.0-2]: https://github.com/Kong/kong/compare/0.1.1beta-2...0.2.0-2\n[0.1.1beta-2]: https://github.com/Kong/kong/compare/0.1.0beta-3...0.1.1beta-2\n[0.1.0beta-3]: https://github.com/Kong/kong/compare/2236374d5624ad98ea21340ca685f7584ec35744...0.1.0beta-3\n[0.0.1alpha-1]: https://github.com/Kong/kong/compare/ffd70b3101ba38d9acc776038d124f6e2fccac3c...2236374d5624ad98ea21340ca685f7584ec35744\n" }, { "path": "CHANGELOG.md", "content": "# Table of Contents\n\n- [3.9.1](#391)\n- [3.9.0](#390)\n- [3.8.1](#381)\n- [3.8.0](#380)\n- [3.7.1](#371)\n- [3.7.0](#370)\n- [3.6.1](#361)\n- [3.6.0](#360)\n- [3.5.0](#350)\n- [3.4.2](#342)\n- [3.4.1](#341)\n- [3.4.0](#340)\n- [3.3.0](#330)\n- [3.2.0](#320)\n- [3.1.0](#310)\n- [3.0.1](#301)\n- [3.0.0](#300)\n- [Previous releases](#previous-releases)\n\n## Unreleased\n\nIndividual unreleased changelog entries can be located at [changelog/unreleased](changelog/unreleased). They will be assembled into [CHANGELOG.md](CHANGELOG.md) once released.\n\n## 3.9.1\n\n### Kong\n\n\n#### Dependencies\n##### Core\n\n- Bumped libexpat from 2.6.2 to 2.6.4 to fix a crash in the XML_ResumeParser function caused by XML_StopParser stopping an uninitialized parser.\n [#14208](https://github.com/Kong/kong/issues/14208)\n\n- Bump lua-kong-nginx-module from 0.13.0 to 0.13.2\n [#14047](https://github.com/Kong/kong/issues/14047)\n\n\n#### Features\n##### Plugin\n\n- **ai**: Added support for boto3 SDKs for the Bedrock provider, and for Google GenAI SDKs for the Gemini provider.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n#### Fixes\n##### Core\n\n- Added support for the new Ollama streaming content type in AI driver.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n##### Plugin\n\n- **ai-proxy**: Fixed a bug in the Azure provider where `model.options.upstream_path` overrides would always return a 404 error.\n [#14185](https://github.com/Kong/kong/issues/14185)\n\n- **ai-proxy**: Fixed a bug where Azure streaming responses would be missing individual tokens.\n [#14172](https://github.com/Kong/kong/issues/14172)\n\n- **ai-proxy**: Fixed a bug where response streaming in Gemini and Bedrock providers was returning whole chat responses in one chunk.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **ai-proxy**: Fixed a bug where multimodal requests (in OpenAI format) would not transform properly, when using the Gemini provider.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **ai-proxy**: Fixed Gemini streaming responses getting truncated and/or missing tokens.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **ai-proxy**: Fixed an incorrect error thrown when trying to log streaming responses.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **ai-proxy**: Fixed a issue where tool calls weren't working in streaming mode for the Bedrock and Gemini providers.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **ai-proxy**: Fixed an issue where AI Proxy would use corrupted plugin config.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **ai-proxy**: Fixed preserve mode.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n- **AI Plugins**: Fixed AI upstream URL trailing being empty.\n [#14578](https://github.com/Kong/kong/issues/14578)\n\n\n- **AI Plugins**: Fixed an issue where the template wasn't being resolved correctly and supported nested fields.\n [#14579](https://github.com/Kong/kong/issues/14579)\n\n\n\n\n## 3.9.0\n\n### Kong\n\n#### Deprecations\n##### Core\n\n- `node_id` in configuration has been deprecated.\n [#13687](https://github.com/Kong/kong/issues/13687)\n\n#### Dependencies\n##### Core\n\n- Bumped lua-kong-nginx-module from 0.11.0 to 0.11.1 to fix an issue where the upstream cert chain wasn't properly set.\n [#12752](https://github.com/Kong/kong/issues/12752)\n\n- Bumped lua-resty-events to 0.3.1. Optimized the memory usage.\n [#13097](https://github.com/Kong/kong/issues/13097)\n\n- Bumped lua-resty-lmdb to 1.6.0. Allowing page_size to be 1.\n [#13908](https://github.com/Kong/kong/issues/13908)\n\n- Bumped lua-resty-lmdb to 1.5.0. Added page_size parameter to allow overriding page size from caller side.\n [#12786](https://github.com/Kong/kong/issues/12786)\n\n##### Default\n\n- Kong Gateway now supports Ubuntu 24.04 (Noble Numbat) with both open-source and Enterprise packages.\n [#13626](https://github.com/Kong/kong/issues/13626)\n\n- Bumped rpm dockerfile default base UBI 8 -> 9\n [#13574](https://github.com/Kong/kong/issues/13574)\n\n- Bumped lua-resty-aws to 1.5.4 to fix a bug inside region prefix generation.\n [#12846](https://github.com/Kong/kong/issues/12846)\n\n- Bumped lua-resty-ljsonschema to 1.2.0, adding support for `null` as a valid option in `enum` types and properly calculation of utf8 string length instead of byte count\n [#13783](https://github.com/Kong/kong/issues/13783)\n\n- Bumped `ngx_wasm_module` to `9136e463a6f1d80755ce66c88c3ddecd0eb5e25d`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n\n- Bumped `Wasmtime` version to `26.0.0`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n- Bumped OpenSSL to 3.2.3 to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs.\n [#13448](https://github.com/Kong/kong/issues/13448)\n\n - **Wasm**: Removed the experimental datakit Wasm filter\n [#14012](https://github.com/Kong/kong/issues/14012)\n\n#### Features\n##### CLI Command\n- Added the `kong drain` CLI command to make the `/status/ready` endpoint return a `503 Service Unavailable` response.\n [#13838](https://github.com/Kong/kong/issues/13838)\n##### Core\n\n- Added a new feature for Kong Manager that supports multiple domains, enabling dynamic cross-origin access for Admin API requests.\n [#13664](https://github.com/Kong/kong/issues/13664)\n\n- Added an ADA dependency: WHATWG-compliant and fast URL parser.\n [#13120](https://github.com/Kong/kong/issues/13120)\n\n- Addded a new LLM driver for interfacing with the Hugging Face inference API.\nThe driver supports both serverless and dedicated LLM instances hosted by\nHugging Face for conversational and text generation tasks.\n [#13484](https://github.com/Kong/kong/issues/13484)\n\n\n- Increased the priority order of the correlation id to 100001 from 1 so that the plugin can be used\nwith other plugins especially custom auth plugins.\n [#13581](https://github.com/Kong/kong/issues/13581)\n\n- Added a `tls.disable_http2_alpn()` function patch for disabling HTTP/2 ALPN when performing a TLS handshake.\n [#13709](https://github.com/Kong/kong/issues/13709)\n\n\n- Improved the output of the request debugger:\n - The resolution of field `total_time` is now in microseconds.\n - A new field, `total_time_without_upstream`, shows the latency only introduced by Kong.\n [#13460](https://github.com/Kong/kong/issues/13460)\n- **proxy-wasm**: Added support for Wasm filters to be configured via the `/plugins` Admin API.\n [#13843](https://github.com/Kong/kong/issues/13843)\n##### PDK\n\n- Added `kong.service.request.clear_query_arg(name)` to PDK.\n [#13619](https://github.com/Kong/kong/issues/13619)\n\n- Array and Map type span attributes are now supported by the tracing PDK\n [#13818](https://github.com/Kong/kong/issues/13818)\n##### Plugin\n- **Prometheus**: Increased the upper limit of `KONG_LATENCY_BUCKETS` to 6000 to enhance latency tracking precision.\n [#13588](https://github.com/Kong/kong/issues/13588)\n\n- **ai-proxy**: Disabled HTTP/2 ALPN handshake for connections on routes configured with AI-proxy.\n [#13735](https://github.com/Kong/kong/issues/13735)\n\n- **Redirect**: Added a new plugin to redirect requests to another location.\n [#13900](https://github.com/Kong/kong/issues/13900)\n\n\n- **Prometheus**: Added support for Proxy-Wasm metrics.\n [#13681](https://github.com/Kong/kong/issues/13681)\n\n##### Admin API\n- **Admin API**: Added support for official YAML media-type (`application/yaml`) to the `/config` endpoint.\n [#13713](https://github.com/Kong/kong/issues/13713)\n##### Clustering\n\n- Added a remote procedure call (RPC) framework for Hybrid mode deployments.\n [#12320](https://github.com/Kong/kong/issues/12320)\n\n#### Fixes\n##### Core\n\n- Fixed an issue where the `ngx.balancer.recreate_request` API did not refresh the body buffer when `ngx.req.set_body_data` is used in the balancer phase.\n [#13882](https://github.com/Kong/kong/issues/13882)\n\n- Fix to always pass `ngx.ctx` to `log_init_worker_errors` as otherwise it may runtime crash.\n [#13731](https://github.com/Kong/kong/issues/13731)\n\n- Fixed an issue where the workspace ID was not included in the plugin config in the plugins iterator.\n [#13377](https://github.com/Kong/kong/issues/13377)\n\n- Fixed an issue where the workspace id was not included in the plugin config in the plugins iterator.\n [#13872](https://github.com/Kong/kong/issues/13872)\n\n- Fixed a 500 error triggered by unhandled nil fields during schema validation.\n [#13861](https://github.com/Kong/kong/issues/13861)\n\n- **Vault**: Fixed an issue where array-like configuration fields cannot contain vault reference.\n [#13953](https://github.com/Kong/kong/issues/13953)\n\n- **Vault**: Fixed an issue where updating a vault entity in a non-default workspace wouldn't take effect.\n [#13610](https://github.com/Kong/kong/issues/13610)\n\n- **Vault**: Fixed an issue where vault reference in kong configuration cannot be dereferenced when both http and stream subsystems are enabled.\n [#13953](https://github.com/Kong/kong/issues/13953)\n\n- **proxy-wasm:** Added a check that prevents Kong from starting when the\ndatabase contains invalid Wasm filters.\n [#13764](https://github.com/Kong/kong/issues/13764)\n\n- Fixed an issue where the `kong.request.enable_buffering` couldn't be used when the downstream used HTTP/2.\n [#13614](https://github.com/Kong/kong/issues/13614)\n##### PDK\n\n- Lined up the `kong.log.inspect` function to log at `notice` level as documented\n [#13642](https://github.com/Kong/kong/issues/13642)\n\n- Fix error message for invalid retries variable\n [#13605](https://github.com/Kong/kong/issues/13605)\n\n##### Plugin\n\n- **ai-proxy**: Fixed a bug where tools (function) calls to Anthropic would return empty results.\n [#13760](https://github.com/Kong/kong/issues/13760)\n\n\n- **ai-proxy**: Fixed a bug where tools (function) calls to Bedrock would return empty results.\n [#13760](https://github.com/Kong/kong/issues/13760)\n\n\n- **ai-proxy**: Fixed a bug where Bedrock Guardrail config was ignored.\n [#13760](https://github.com/Kong/kong/issues/13760)\n\n\n- **ai-proxy**: Fixed a bug where tools (function) calls to Cohere would return empty results.\n [#13760](https://github.com/Kong/kong/issues/13760)\n\n\n- **ai-proxy**: Fixed a bug where Gemini provider would return an error if content safety failed in AI Proxy.\n [#13760](https://github.com/Kong/kong/issues/13760)\n\n\n- **ai-proxy**: Fixed a bug where tools (function) calls to Gemini (or via Vertex) would return empty results.\n [#13760](https://github.com/Kong/kong/issues/13760)\n\n\n- **ai-proxy**: Fixed an issue where AI Transformer plugins always returned a 404 error when using 'Google One' Gemini subscriptions.\n [#13703](https://github.com/Kong/kong/issues/13703)\n\n\n- **ai-transformers**: Fixed a bug where the correct LLM error message was not propagated to the caller.\n [#13703](https://github.com/Kong/kong/issues/13703)\n\n- **AI-Proxy**: Fixed an issue where multi-modal requests were blocked on the Azure AI provider.\n [#13702](https://github.com/Kong/kong/issues/13702)\n\n\n- Fixed an bug that AI semantic cache can't use request provided models\n [#13627](https://github.com/Kong/kong/issues/13627)\n\n- **AWS-Lambda**: Fixed an issue in proxy integration mode that caused an internal server error when the `multiValueHeaders` was null.\n [#13533](https://github.com/Kong/kong/issues/13533)\n\n- **jwt**: ensure `rsa_public_key` isn't base64-decoded.\n [#13717](https://github.com/Kong/kong/issues/13717)\n\n- **key-auth**: Fixed an issue with the order of query arguments, ensuring that arguments retain order when hiding the credentials.\n [#13619](https://github.com/Kong/kong/issues/13619)\n\n- **rate-limiting**: Fixed a bug where the returned values from `get_redis_connection()` were incorrect.\n [#13613](https://github.com/Kong/kong/issues/13613)\n\n- **rate-limiting**: Fixed an issue that caused an HTTP 500 error when `hide_client_headers` was set to `true` and the request exceeded the rate limit.\n [#13722](https://github.com/Kong/kong/issues/13722)\n##### Admin API\n\n- Fix for querying admin API entities with empty tags\n [#13723](https://github.com/Kong/kong/issues/13723)\n\n- Fixed an issue where nested parameters couldn't be parsed correctly when using `form-urlencoded` requests.\n [#13668](https://github.com/Kong/kong/issues/13668)\n##### Clustering\n\n- **Clustering**: Adjusted error log levels for control plane connections.\n [#13863](https://github.com/Kong/kong/issues/13863)\n##### Default\n\n- **Loggly**: Fixed an issue where `/bin/hostname` missing caused an error warning on startup.\n [#13788](https://github.com/Kong/kong/issues/13788)\n\n### Kong-Manager\n\n#### Fixes\n##### Default\n\n- Kong Manager will now hide the scope change field when creating/editing a scoped plugin from another entity.\n [#297](https://github.com/Kong/kong-manager/issues/297)\n\n\n- Improved the user experience in Kong Manager by fixing various UI-related issues.\n [#277](https://github.com/Kong/kong-manager/issues/277) [#283](https://github.com/Kong/kong-manager/issues/283) [#286](https://github.com/Kong/kong-manager/issues/286) [#287](https://github.com/Kong/kong-manager/issues/287) [#288](https://github.com/Kong/kong-manager/issues/288) [#291](https://github.com/Kong/kong-manager/issues/291) [#293](https://github.com/Kong/kong-manager/issues/293) [#295](https://github.com/Kong/kong-manager/issues/295) [#298](https://github.com/Kong/kong-manager/issues/298) [#302](https://github.com/Kong/kong-manager/issues/302) [#304](https://github.com/Kong/kong-manager/issues/304) [#306](https://github.com/Kong/kong-manager/issues/306) [#309](https://github.com/Kong/kong-manager/issues/309) [#317](https://github.com/Kong/kong-manager/issues/317) [#319](https://github.com/Kong/kong-manager/issues/319) [#322](https://github.com/Kong/kong-manager/issues/322) [#325](https://github.com/Kong/kong-manager/issues/325) [#329](https://github.com/Kong/kong-manager/issues/329) [#330](https://github.com/Kong/kong-manager/issues/330)\n\n\n- Unified the redirection logic in Kong Manager upon entity operations.\n [#289](https://github.com/Kong/kong-manager/issues/289)\n\n\n## 3.8.1\n\n## Kong\n\n#### Dependencies\n##### Core\n\n- Bumped lua-kong-nginx-module from 0.11.0 to 0.11.1 to fix an issue where the upstream cert chain wasn't properly set.\n [#12752](https://github.com/Kong/kong/issues/12752)\n##### Default\n\n- Bumped lua-resty-aws to 1.5.4, to fix a bug inside region prefix generating\n [#12846](https://github.com/Kong/kong/issues/12846)\n\n#### Features\n##### Plugin\n\n- **Prometheus**: Bumped KONG_LATENCY_BUCKETS bucket's maximal capacity to 6000\n [#13797](https://github.com/Kong/kong/issues/13797)\n\n#### Fixes\n##### Core\n\n- **Vault**: Fixed an issue where updating a vault entity in a non-default workspace will not take effect.\n [#13670](https://github.com/Kong/kong/issues/13670)\n##### Plugin\n\n- **ai-proxy**: Fixed an issue where AI Transformer plugins always returned a 404 error when using 'Google One' Gemini subscriptions.\n [#13753](https://github.com/Kong/kong/issues/13753)\n\n\n- **ai-transformers**: Fixed a bug where the correct LLM error message was not propagated to the caller.\n [#13753](https://github.com/Kong/kong/issues/13753)\n\n\n- Fixed an bug that AI semantic cache can't use request provided models\n [#13633](https://github.com/Kong/kong/issues/13633)\n\n\n- **Rate-Limiting**: Fixed an issue that caused a 500 error when using the rate-limiting plugin. When the `hide_client_headers` option is set to true and a 429 error is triggered,\nit should return a 429 error code instead of a 500 error code.\n [#13759](https://github.com/Kong/kong/issues/13759)\n##### Admin API\n\n- Fixed an issue where sending `tags= `(empty parameter) resulted in 500 error. Now, Kong returns a 400 error, as empty explicit tags are not allowed.\n [#13813](https://github.com/Kong/kong/issues/13813)\n\n## 3.8.0\n\n### Kong\n\n\n#### Performance\n##### Performance\n\n- Fixed an inefficiency issue in the Luajit hashing algorithm\n [#13240](https://github.com/Kong/kong/issues/13240)\n\n##### Core\n\n- Removed unnecessary DNS client initialization\n [#13479](https://github.com/Kong/kong/issues/13479)\n\n\n- Improved latency performance when gzipping/gunzipping large data (such as CP/DP config data).\n [#13338](https://github.com/Kong/kong/issues/13338)\n\n\n\n#### Deprecations\n##### Default\n\n- Debian 10, CentOS 7, and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of version 3.8.0.0 onward, Kong is not building installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.\n [#13468](https://github.com/Kong/kong/issues/13468)\n\n\n\n\n\n#### Dependencies\n##### Core\n\n- Bumped lua-resty-acme to 0.15.0 to support username/password auth with redis.\n [#12909](https://github.com/Kong/kong/issues/12909)\n\n\n- Bumped lua-resty-aws to 1.5.3 to fix a bug related to STS regional endpoint.\n [#12846](https://github.com/Kong/kong/issues/12846)\n\n\n- Bumped lua-resty-healthcheck from 3.0.1 to 3.1.0 to fix an issue that was causing high memory usage\n [#13038](https://github.com/Kong/kong/issues/13038)\n\n\n- Bumped lua-resty-lmdb to 1.4.3 to get fixes from the upstream (lmdb 0.9.33), which resolved numerous race conditions and fixed a cursor issue.\n [#12786](https://github.com/Kong/kong/issues/12786)\n\n\n- Bumped lua-resty-openssl to 1.5.1 to fix some issues including a potential use-after-free issue.\n [#12665](https://github.com/Kong/kong/issues/12665)\n\n\n- Bumped OpenResty to 1.25.3.2 to improve the performance of the LuaJIT hash computation.\n [#12327](https://github.com/Kong/kong/issues/12327)\n\n\n- Bumped PCRE2 to 10.44 to fix some bugs and tidy-up the release (nothing important)\n [#12366](https://github.com/Kong/kong/issues/12366)\n\n\n\n\n- Introduced a yieldable JSON library `lua-resty-simdjson`,\nwhich would improve the latency significantly.\n [#13421](https://github.com/Kong/kong/issues/13421)\n\n##### Default\n\n- Bumped lua-protobuf 0.5.2\n [#12834](https://github.com/Kong/kong/issues/12834)\n\n\n- Bumped LuaRocks from 3.11.0 to 3.11.1\n [#12662](https://github.com/Kong/kong/issues/12662)\n\n\n- Bumped `ngx_wasm_module` to `96b4e27e10c63b07ed40ea88a91c22f23981db35`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n\n- Bumped `Wasmtime` version to `23.0.2`\n [#13567](https://github.com/Kong/kong/pull/13567)\n\n\n\n- Made the RPM package relocatable with the default prefix set to `/`.\n [#13468](https://github.com/Kong/kong/issues/13468)\n\n\n#### Features\n##### Configuration\n\n- Configure Wasmtime module cache when Wasm is enabled\n [#12930](https://github.com/Kong/kong/issues/12930)\n\n##### Core\n\n- **prometheus**: Added `ai_requests_total`, `ai_cost_total` and `ai_tokens_total` metrics in the Prometheus plugin to start counting AI usage.\n [#13148](https://github.com/Kong/kong/issues/13148)\n\n\n- Added a new configuration `concurrency_limit`(integer, default to 1) for Queue to specify the number of delivery timers.\nNote that setting `concurrency_limit` to `-1` means no limit at all, and each HTTP log entry would create an individual timer for sending.\n [#13332](https://github.com/Kong/kong/issues/13332)\n\n\n- Append gateway info to upstream `Via` header like `1.1 kong/3.8.0`, and optionally to\nresponse `Via` header if it is present in the `headers` config of \"kong.conf\", like `2 kong/3.8.0`,\naccording to `RFC7230` and `RFC9110`.\n [#12733](https://github.com/Kong/kong/issues/12733)\n\n\n- Starting from this version, a new DNS client library has been implemented and added into Kong, which is disabled by default. The new DNS client library has the following changes - Introduced global caching for DNS records across workers, significantly reducing the query load on DNS servers. - Introduced observable statistics for the new DNS client, and a new Status API `/status/dns` to retrieve them. - Simplified the logic and make it more standardized\n [#12305](https://github.com/Kong/kong/issues/12305)\n\n##### PDK\n\n- Added `0` to support unlimited body size. When parameter `max_allowed_file_size` is `0`, `get_raw_body` will return the entire body, but the size of this body will still be limited by Nginx's `client_max_body_size`.\n [#13431](https://github.com/Kong/kong/issues/13431)\n\n\n- Extend kong.request.get_body and kong.request.get_raw_body to read from buffered file\n [#13158](https://github.com/Kong/kong/issues/13158)\n\n- Added a new PDK module `kong.telemetry` and function: `kong.telemetry.log`\nto generate log entries to be reported via the OpenTelemetry plugin.\n [#13329](https://github.com/Kong/kong/issues/13329)\n\n##### Plugin\n\n- **acl:** Added a new config `always_use_authenticated_groups` to support using authenticated groups even when an authenticated consumer already exists.\n [#13184](https://github.com/Kong/kong/issues/13184)\n\n\n- AI plugins: retrieved latency data and pushed it to logs and metrics.\n [#13428](https://github.com/Kong/kong/issues/13428)\n\n- Allow AI plugin to read request from buffered file\n [#13158](https://github.com/Kong/kong/pull/13158)\n\n\n- **AI-proxy-plugin**: Add `allow_override` option to allow overriding the upstream model auth parameter or header from the caller's request.\n [#13158](https://github.com/Kong/kong/issues/13158)\n\n\n- **AI-proxy-plugin**: Replace the lib and use cycle_aware_deep_copy for the `request_table` object.\n [#13582](https://github.com/Kong/kong/issues/13582)\n\n\n- Kong AI Gateway (AI Proxy and associated plugin family) now supports\nall AWS Bedrock \"Converse API\" models.\n [#12948](https://github.com/Kong/kong/issues/12948)\n\n\n- Kong AI Gateway (AI Proxy and associated plugin family) now supports\nthe Google Gemini \"chat\" (generateContent) interface.\n [#12948](https://github.com/Kong/kong/issues/12948)\n\n\n- **ai-proxy**: Allowed mistral provider to use mistral.ai managed service by omitting upstream_url\n [#13481](https://github.com/Kong/kong/issues/13481)\n\n- **ai-proxy**: Added a new response header X-Kong-LLM-Model that displays the name of the language model used in the AI-Proxy plugin.\n [#13472](https://github.com/Kong/kong/issues/13472)\n\n- **AI-Prompt-Guard**: add `match_all_roles` option to allow match all roles in addition to `user`.\n [#13183](https://github.com/Kong/kong/issues/13183)\n\n- \"**AWS-Lambda**: Added support for a configurable STS endpoint with the new configuration field `aws_sts_endpoint_url`.\n [#13388](https://github.com/Kong/kong/issues/13388)\n\n\n- **AWS-Lambda**: A new configuration field `empty_arrays_mode` is now added to control whether Kong should send `[]` empty arrays (returned by Lambda function) as `[]` empty arrays or `{}` empty objects in JSON responses.`\n [#13084](https://github.com/Kong/kong/issues/13084)\n\n\n\n\n- Added support for json_body rename in response-transformer plugin\n [#13131](https://github.com/Kong/kong/issues/13131)\n\n\n- **OpenTelemetry:** Added support for OpenTelemetry formatted logs.\n [#13291](https://github.com/Kong/kong/issues/13291)\n\n\n- **standard-webhooks**: Added standard webhooks plugin.\n [#12757](https://github.com/Kong/kong/issues/12757)\n\n- **Request-Transformer**: Fixed an issue where renamed query parameters, url-encoded body parameters, and json body parameters were not handled properly when target name is the same as the source name in the request.\n [#13358](https://github.com/Kong/kong/issues/13358)\n\n##### Admin API\n\n- Added support for brackets syntax for map fields configuration via the Admin API\n [#13313](https://github.com/Kong/kong/issues/13313)\n\n\n#### Fixes\n##### CLI Command\n\n- Fixed an issue where some debug level error logs were not being displayed by the CLI.\n [#13143](https://github.com/Kong/kong/issues/13143)\n\n##### Configuration\n\n- Re-enabled the Lua DNS resolver from proxy-wasm by default.\n [#13424](https://github.com/Kong/kong/issues/13424)\n\n##### Core\n\n- Fixed an issue where luarocks-admin was not available in /usr/local/bin.\n [#13372](https://github.com/Kong/kong/issues/13372)\n\n\n- Fixed an issue where 'read' was not always passed to Postgres read-only database operations.\n [#13530](https://github.com/Kong/kong/issues/13530)\n\n\n- Deprecated shorthand fields don't take precedence over replacement fields when both are specified.\n [#13486](https://github.com/Kong/kong/issues/13486)\n\n\n- Fixed an issue where `lua-nginx-module` context was cleared when `ngx.send_header()` triggered `filter_finalize` [openresty/lua-nginx-module#2323](https://github.com/openresty/lua-nginx-module/pull/2323).\n [#13316](https://github.com/Kong/kong/issues/13316)\n\n\n- Changed the way deprecated shorthand fields are used with new fields.\nIf the new field contains null it allows for deprecated field to overwrite it if both are present in the request.\n [#13592](https://github.com/Kong/kong/issues/13592)\n\n\n- Fixed an issue where unnecessary uninitialized variable error log is reported when 400 bad requests were received.\n [#13201](https://github.com/Kong/kong/issues/13201)\n\n\n- Fixed an issue where the URI captures are unavailable when the first capture group is absent.\n [#13024](https://github.com/Kong/kong/issues/13024)\n\n\n- Fixed an issue where the priority field can be set in a traditional mode route\nWhen 'router_flavor' is configured as 'expressions'.\n [#13142](https://github.com/Kong/kong/issues/13142)\n\n\n- Fixed an issue where setting `tls_verify` to `false` didn't override the global level `proxy_ssl_verify`.\n [#13470](https://github.com/Kong/kong/issues/13470)\n\n\n- Fixed an issue where the sni cache isn't invalidated when a sni is updated.\n [#13165](https://github.com/Kong/kong/issues/13165)\n\n\n- The kong.logrotate configuration file will no longer be overwritten during upgrade.\nWhen upgrading, set the environment variable `DEBIAN_FRONTEND=noninteractive` on Debian/Ubuntu to avoid any interactive prompts and enable fully automatic upgrades.\n [#13348](https://github.com/Kong/kong/issues/13348)\n\n\n- Fixed an issue where the Vault secret cache got refreshed during `resurrect_ttl` time and could not be fetched by other workers.\n [#13561](https://github.com/Kong/kong/issues/13561)\n\n\n- Error logs during Vault secret rotation are now logged at the `notice` level instead of `warn`.\n [#13540](https://github.com/Kong/kong/issues/13540)\n\n\n- Fix a bug that the `host_header` attribute of upstream entity can not be set correctly in requests to upstream as Host header when retries to upstream happen.\n [#13135](https://github.com/Kong/kong/issues/13135)\n\n\n- Moved internal Unix sockets to a subdirectory (`sockets`) of the Kong prefix.\n [#13409](https://github.com/Kong/kong/issues/13409)\n\n\n- Changed the behaviour of shorthand fields that are used to describe deprecated fields. If\nboth fields are sent in the request and their values mismatch - the request will be rejected.\n [#13594](https://github.com/Kong/kong/issues/13594)\n\n\n- Reverted DNS client to original behaviour of ignoring ADDITIONAL SECTION in DNS responses.\n [#13278](https://github.com/Kong/kong/issues/13278)\n\n\n- Shortened names of internal Unix sockets to avoid exceeding the socket name limit.\n [#13571](https://github.com/Kong/kong/issues/13571)\n\n##### PDK\n\n- **PDK**: Fixed a bug that log serializer will log `upstream_status` as nil in the requests that contains subrequest\n [#12953](https://github.com/Kong/kong/issues/12953)\n\n\n- **Vault**: Reference ending with slash when parsed should not return a key.\n [#13538](https://github.com/Kong/kong/issues/13538)\n\n\n- Fixed an issue that pdk.log.serialize() will throw an error when JSON entity set by serialize_value contains json.null\n [#13376](https://github.com/Kong/kong/issues/13376)\n\n##### Plugin\n\n- **AI-proxy-plugin**: Fixed a bug where certain Azure models would return partial tokens/words\nwhen in response-streaming mode.\n [#13000](https://github.com/Kong/kong/issues/13000)\n\n\n- **AI-Transformer-Plugins**: Fixed a bug where cloud identity authentication\nwas not used in `ai-request-transformer` and `ai-response-transformer` plugins.\n [#13487](https://github.com/Kong/kong/issues/13487)\n\n\n- **AI-proxy-plugin**: Fixed a bug where Cohere and Anthropic providers don't read the `model` parameter properly\nfrom the caller's request body.\n [#13000](https://github.com/Kong/kong/issues/13000)\n\n\n- **AI-proxy-plugin**: Fixed a bug where using \"OpenAI Function\" inference requests would log a\nrequest error, and then hang until timeout.\n [#13000](https://github.com/Kong/kong/issues/13000)\n\n\n- **AI-proxy-plugin**: Fixed a bug where AI Proxy would still allow callers to specify their own model,\nignoring the plugin-configured model name.\n [#13000](https://github.com/Kong/kong/issues/13000)\n\n\n- **AI-proxy-plugin**: Fixed a bug where AI Proxy would not take precedence of the\nplugin's configured model tuning options, over those in the user's LLM request.\n [#13000](https://github.com/Kong/kong/issues/13000)\n\n\n- **AI-proxy-plugin**: Fixed a bug where setting OpenAI SDK model parameter \"null\" caused analytics\nto not be written to the logging plugin(s).\n [#13000](https://github.com/Kong/kong/issues/13000)\n\n\n- **ACME**: Fixed an issue of DP reporting that deprecated config fields are used when configuration from CP is pushed\n [#13069](https://github.com/Kong/kong/issues/13069)\n\n\n- **ACME**: Fixed an issue where username and password were not accepted as valid authentication methods.\n [#13496](https://github.com/Kong/kong/issues/13496)\n\n\n- **AI-Proxy**: Fixed issue when response is gzipped even if client doesn't accept.\n [#13155](https://github.com/Kong/kong/issues/13155)\n\n- **Prometheus**: Fixed an issue where CP/DP compatibility check was missing for the new configuration field `ai_metrics`.\n [#13417](https://github.com/Kong/kong/issues/13417)\n\n\n- Fixed certain AI plugins cannot be applied per consumer or per service.\n [#13209](https://github.com/Kong/kong/issues/13209)\n\n- **AI-Prompt-Guard**: Fixed an issue when `allow_all_conversation_history` is set to false, the first user request is selected instead of the last one.\n [#13183](https://github.com/Kong/kong/issues/13183)\n\n- **AI-Proxy**: Resolved a bug where the object constructor would set data on the class instead of the instance\n [#13028](https://github.com/Kong/kong/issues/13028)\n\n- **AWS-Lambda**: Fixed an issue that the plugin does not work with multiValueHeaders defined in proxy integration and legacy empty_arrays_mode.\n [#12971](https://github.com/Kong/kong/issues/12971)\n\n- **AWS-Lambda**: Fixed an issue that the `version` field is not set in the request payload when `awsgateway_compatible` is enabled.\n [#13018](https://github.com/Kong/kong/issues/13018)\n\n\n- **correlation-id**: Fixed an issue where the plugin would not work if we explicitly set the `generator` to `null`.\n [#13439](https://github.com/Kong/kong/issues/13439)\n\n\n- **CORS**: Fixed an issue where the `Access-Control-Allow-Origin` header was not sent when `conf.origins` has multiple entries but includes `*`.\n [#13334](https://github.com/Kong/kong/issues/13334)\n\n\n- **grpc-gateway**: When there is a JSON decoding error, respond with status 400 and error information in the body instead of status 500.\n [#12971](https://github.com/Kong/kong/issues/12971)\n\n\n- **HTTP-Log**: Fix an issue where the plugin doesn't include port information in the HTTP host header when sending requests to the log server.\n [#13116](https://github.com/Kong/kong/issues/13116)\n\n- \"**AI Plugins**: Fixed an issue for multi-modal inputs are not properly validated and calculated.\n [#13445](https://github.com/Kong/kong/issues/13445)\n\n\n- **OpenTelemetry:** Fixed an issue where migration fails when upgrading from below version 3.3 to 3.7.\n [#13391](https://github.com/Kong/kong/issues/13391)\n\n\n- **OpenTelemetry / Zipkin**: remove redundant deprecation warnings\n [#13220](https://github.com/Kong/kong/issues/13220)\n\n\n- **Basic-Auth**: Fix an issue of realm field not recognized for older kong versions (before 3.6)\n [#13042](https://github.com/Kong/kong/issues/13042)\n\n\n- **Key-Auth**: Fix an issue of realm field not recognized for older kong versions (before 3.7)\n [#13042](https://github.com/Kong/kong/issues/13042)\n\n\n- **Request Size Limiting**: Fixed an issue where the body size doesn't get checked when the request body is buffered to a temporary file.\n [#13303](https://github.com/Kong/kong/issues/13303)\n\n\n- **Response-RateLimiting**: Fixed an issue of DP reporting that deprecated config fields are used when configuration from CP is pushed\n [#13069](https://github.com/Kong/kong/issues/13069)\n\n\n- **Rate-Limiting**: Fixed an issue of DP reporting that deprecated config fields are used when configuration from CP is pushed\n [#13069](https://github.com/Kong/kong/issues/13069)\n\n\n- **OpenTelemetry:** Improved accuracy of sampling decisions.\n [#13275](https://github.com/Kong/kong/issues/13275)\n\n\n- **hmac-auth**: Add WWW-Authenticate headers to 401 responses.\n [#11791](https://github.com/Kong/kong/issues/11791)\n\n\n- **Prometheus**: Improved error logging when having inconsistent labels count.\n [#13020](https://github.com/Kong/kong/issues/13020)\n\n\n- **jwt**: Add WWW-Authenticate headers to 401 responses.\n [#11792](https://github.com/Kong/kong/issues/11792)\n\n\n- **ldap-auth**: Add WWW-Authenticate headers to all 401 responses.\n [#11820](https://github.com/Kong/kong/issues/11820)\n\n\n- **OAuth2**: Add WWW-Authenticate headers to all 401 responses and realm option.\n [#11833](https://github.com/Kong/kong/issues/11833)\n\n\n- **proxy-cache**: Fixed an issue where the Age header was not being updated correctly when serving cached responses.\n [#13387](https://github.com/Kong/kong/issues/13387)\n\n\n- Fixed an bug that AI semantic cache can't use request provided models\n [#13633](https://github.com/Kong/kong/issues/13633)\n\n##### Admin API\n\n- Fixed an issue where validation of the certificate schema failed if the `snis` field was present in the request body.\n [#13357](https://github.com/Kong/kong/issues/13357)\n\n##### Clustering\n\n- Fixed an issue where hybrid mode not working if the forward proxy password contains special character(#). Note that the `proxy_server` configuration parameter still needs to be url-encoded.\n [#13457](https://github.com/Kong/kong/issues/13457)\n\n##### Default\n\n- **AI-proxy**: A configuration validation is added to prevent from enabling `log_statistics` upon\nproviders not supporting statistics. Accordingly, the default of `log_statistics` is changed from\n`true` to `false`, and a database migration is added as well for disabling `log_statistics` if it\nhas already been enabled upon unsupported providers.\n [#12860](https://github.com/Kong/kong/issues/12860)\n\n### Kong-Manager\n\n\n\n\n\n\n#### Features\n##### Default\n\n- Improved accessibility in Kong Manager.\n [#13522](https://github.com/Kong/kong-manager/issues/13522)\n\n\n- Enhanced entity lists so that you can resize or hide list columns.\n [#13522](https://github.com/Kong/kong-manager/issues/13522)\n\n\n- Added an SNIs field to the certificate form.\n [#264](https://github.com/Kong/kong-manager/issues/264)\n\n\n#### Fixes\n##### Default\n\n- Improved the user experience in Kong Manager by fixing various UI-related issues.\n [#232](https://github.com/Kong/kong-manager/issues/232) [#233](https://github.com/Kong/kong-manager/issues/233) [#234](https://github.com/Kong/kong-manager/issues/234) [#237](https://github.com/Kong/kong-manager/issues/237) [#238](https://github.com/Kong/kong-manager/issues/238) [#240](https://github.com/Kong/kong-manager/issues/240) [#244](https://github.com/Kong/kong-manager/issues/244) [#250](https://github.com/Kong/kong-manager/issues/250) [#252](https://github.com/Kong/kong-manager/issues/252) [#255](https://github.com/Kong/kong-manager/issues/255) [#257](https://github.com/Kong/kong-manager/issues/257) [#263](https://github.com/Kong/kong-manager/issues/263) [#264](https://github.com/Kong/kong-manager/issues/264) [#267](https://github.com/Kong/kong-manager/issues/267) [#272](https://github.com/Kong/kong-manager/issues/272)\n\n\n\n\n## 3.7.1\n### Kong\n\n#### Performance\n\n##### Performance\n\n - Fixed an inefficiency issue in the Luajit hashing algorithm\n [#13240](https://github.com/Kong/kong/issues/13240)\n\n## 3.7.0\n### Kong\n\n\n#### Performance\n##### Performance\n\n- Improved proxy performance by refactoring internal hooking mechanism.\n [#12784](https://github.com/Kong/kong/issues/12784)\n\n- Sped up the router matching when the `router_flavor` is `traditional_compatible` or `expressions`.\n [#12467](https://github.com/Kong/kong/issues/12467)\n##### Plugin\n\n- **Opentelemetry**: Increased queue max batch size to 200.\n [#12488](https://github.com/Kong/kong/issues/12488)\n\n#### Breaking Changes\n##### Plugin\n\n- **AI Proxy**: To support the new messages API of `Anthropic`, the upstream path of the `Anthropic` for `llm/v1/chat` route type has changed from `/v1/complete` to `/v1/messages`.\n [#12699](https://github.com/Kong/kong/issues/12699)\n\n\n#### Dependencies\n##### Core\n\n- Bumped atc-router from v1.6.0 to v1.6.2\n [#12231](https://github.com/Kong/kong/issues/12231)\n\n- Bumped libexpat to 2.6.2\n [#12910](https://github.com/Kong/kong/issues/12910)\n\n- Bumped lua-kong-nginx-module from 0.8.0 to 0.11.0\n [#12752](https://github.com/Kong/kong/issues/12752)\n\n- Bumped lua-protobuf to 0.5.1\n [#12834](https://github.com/Kong/kong/issues/12834)\n\n\n- Bumped lua-resty-acme to 0.13.0\n [#12909](https://github.com/Kong/kong/issues/12909)\n\n- Bumped lua-resty-aws from 1.3.6 to 1.4.1\n [#12846](https://github.com/Kong/kong/issues/12846)\n\n- Bumped lua-resty-lmdb from 1.4.1 to 1.4.2\n [#12786](https://github.com/Kong/kong/issues/12786)\n\n\n- Bumped lua-resty-openssl from 1.2.0 to 1.3.1\n [#12665](https://github.com/Kong/kong/issues/12665)\n\n\n- Bumped lua-resty-timer-ng to 0.2.7\n [#12756](https://github.com/Kong/kong/issues/12756)\n\n- Bumped PCRE from the legacy libpcre 8.45 to libpcre2 10.43\n [#12366](https://github.com/Kong/kong/issues/12366)\n\n- Bumped penlight to 1.14.0\n [#12862](https://github.com/Kong/kong/issues/12862)\n\n##### Default\n\n- Added package `tzdata` to DEB Docker image for convenient timezone setting.\n [#12609](https://github.com/Kong/kong/issues/12609)\n\n- Bumped lua-resty-http to 0.17.2.\n [#12908](https://github.com/Kong/kong/issues/12908)\n\n\n- Bumped LuaRocks from 3.9.2 to 3.11.0\n [#12662](https://github.com/Kong/kong/issues/12662)\n\n- Bumped `ngx_wasm_module` to `91d447ffd0e9bb08f11cc69d1aa9128ec36b4526`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n\n- Bumped `V8` version to `12.0.267.17`\n [#12704](https://github.com/Kong/kong/issues/12704)\n\n\n- Bumped `Wasmtime` version to `19.0.0`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n\n- Improved the robustness of lua-cjson when handling unexpected input.\n [#12904](https://github.com/Kong/kong/issues/12904)\n\n#### Features\n##### Configuration\n\n- TLSv1.1 and lower versions are disabled by default in OpenSSL 3.x.\n [#12420](https://github.com/Kong/kong/issues/12420)\n\n- Introduced `nginx_wasm_main_shm_kv` configuration parameter, which enables\nWasm filters to use the Proxy-Wasm operations `get_shared_data` and\n`set_shared_data` without namespaced keys.\n [#12663](https://github.com/Kong/kong/issues/12663)\n\n\n- **Schema**: Added a deprecation field attribute to identify deprecated fields\n [#12686](https://github.com/Kong/kong/issues/12686)\n\n- Added the `wasm_filters` configuration parameter for enabling individual filters\n [#12843](https://github.com/Kong/kong/issues/12843)\n##### Core\n\n- Added `events:ai:response_tokens`, `events:ai:prompt_tokens` and `events:ai:requests` to the anonymous report to start counting AI usage\n [#12924](https://github.com/Kong/kong/issues/12924)\n\n\n- Improved config handling when the CP runs with the router set to the `expressions` flavor:\n - If mixed config is detected and a lower DP is attached to the CP, no config will be sent at all\n - If the expression is invalid on the CP, no config will be sent at all\n - If the expression is invalid on a lower DP, it will be sent to the DP and DP validation will catch this and communicate back to the CP (this could result in partial config application)\n [#12967](https://github.com/Kong/kong/issues/12967)\n\n- The route entity now supports the following fields when the\n`router_flavor` is `expressions`: `methods`, `hosts`, `paths`, `headers`,\n`snis`, `sources`, `destinations`, and `regex_priority`.\nThe meaning of these fields are consistent with the traditional route entity.\n [#12667](https://github.com/Kong/kong/issues/12667)\n##### PDK\n\n- Added the `latencies.receive` property to the log serializer\n [#12730](https://github.com/Kong/kong/issues/12730)\n##### Plugin\n\n- AI Proxy now reads most prompt tuning parameters from the client,\nwhile the plugin config parameters under `model_options` are now just defaults.\nThis fixes support for using the respective provider's native SDK.\n [#12903](https://github.com/Kong/kong/issues/12903)\n\n- AI Proxy now has a `preserve` option for `route_type`, where the requests and responses\nare passed directly to the upstream LLM. This is to enable compatibility with any\nand all models and SDKs that may be used when calling the AI services.\n [#12903](https://github.com/Kong/kong/issues/12903)\n\n- **Prometheus**: Added workspace label to Prometheus plugin metrics.\n [#12836](https://github.com/Kong/kong/issues/12836)\n\n- **AI Proxy**: Added support for streaming event-by-event responses back to the client on supported providers.\n [#12792](https://github.com/Kong/kong/issues/12792)\n\n- **AI Prompt Guard**: Increased the maximum length of regex expressions to 500 for the allow and deny parameters.\n [#12731](https://github.com/Kong/kong/issues/12731)\n\n- Addded support for EdDSA algorithms in JWT plugin\n [#12726](https://github.com/Kong/kong/issues/12726)\n\n\n- Added support for ES512, PS256, PS384, PS512 algorithms in JWT plugin\n [#12638](https://github.com/Kong/kong/issues/12638)\n\n- **OpenTelemetry, Zipkin**: The propagation module has been reworked. The new\noptions allow better control over the configuration of tracing headers propagation.\n [#12670](https://github.com/Kong/kong/issues/12670)\n##### Default\n\n- Added support for debugging with EmmyLuaDebugger. This feature is a\ntech preview and not officially supported by Kong Inc. for now.\n [#12899](https://github.com/Kong/kong/issues/12899)\n\n#### Fixes\n##### CLI Command\n\n- Fixed an issue where the `pg_timeout` was overridden to `60s` even if `--db-timeout`\nwas not explicitly passed in CLI arguments.\n [#12981](https://github.com/Kong/kong/issues/12981)\n##### Configuration\n\n- Fixed the default value in kong.conf.default documentation from 1000 to 10000\nfor the `upstream_keepalive_max_requests` option.\n [#12643](https://github.com/Kong/kong/issues/12643)\n\n- Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to\napply a change to the plugin config via the Admin API.\n [#12718](https://github.com/Kong/kong/issues/12718)\n\n- Disabled usage of the Lua DNS resolver from proxy-wasm by default.\n [#12825](https://github.com/Kong/kong/issues/12825)\n\n- Set security level of gRPC's TLS to 0 when `ssl_cipher_suite` is set to `old`.\n [#12613](https://github.com/Kong/kong/issues/12613)\n##### Core\n\n- Fixed an issue where `POST /config?flatten_errors=1` could not return a proper response if the input included duplicate upstream targets.\n [#12797](https://github.com/Kong/kong/issues/12797)\n\n- **DNS Client**: Ignore a non-positive values on resolv.conf for options timeout, and use a default value of 2 seconds instead.\n [#12640](https://github.com/Kong/kong/issues/12640)\n\n- Updated the file permission of `kong.logrotate` to 644.\n [#12629](https://github.com/Kong/kong/issues/12629)\n\n- Fixed a problem on hybrid mode DPs, where a certificate entity configured with a vault reference may not get refreshed on time.\n [#12868](https://github.com/Kong/kong/issues/12868)\n\n- Fixed the missing router section for the output of the request-debugging.\n [#12234](https://github.com/Kong/kong/issues/12234)\n\n- Fixed an issue in the internal caching logic where mutexes could get never unlocked.\n [#12743](https://github.com/Kong/kong/issues/12743)\n\n\n- Fixed an issue where the router didn't work correctly\nwhen the route's configuration changed.\n [#12654](https://github.com/Kong/kong/issues/12654)\n\n- Fixed an issue where SNI-based routing didn't work\nusing `tls_passthrough` and the `traditional_compatible` router flavor.\n [#12681](https://github.com/Kong/kong/issues/12681)\n\n- Fixed a bug that `X-Kong-Upstream-Status` didn't appear in the response headers even if it was set in the `headers` parameter in the `kong.conf` file when the response was hit and returned by the Proxy Cache plugin.\n [#12744](https://github.com/Kong/kong/issues/12744)\n\n- Fixed vault initialization by postponing vault reference resolving on init_worker\n [#12554](https://github.com/Kong/kong/issues/12554)\n\n- Fixed a bug that allowed vault secrets to refresh even when they had no TTL set.\n [#12877](https://github.com/Kong/kong/issues/12877)\n\n- **Vault**: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix\n [#12572](https://github.com/Kong/kong/issues/12572)\n\n- **Core**: Fixed unexpected table nil panic in the balancer's stop_healthchecks function\n [#12865](https://github.com/Kong/kong/issues/12865)\n\n\n- Use `-1` as the worker ID of privileged agent to avoid access issues.\n [#12385](https://github.com/Kong/kong/issues/12385)\n\n- **Plugin Server**: Fixed an issue where Kong failed to properly restart MessagePack-based pluginservers (used in Python and Javascript plugins, for example).\n [#12582](https://github.com/Kong/kong/issues/12582)\n\n- Reverted the hard-coded limitation of the `ngx.read_body()` API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes.\n [#12658](https://github.com/Kong/kong/issues/12658)\n\n- Each Kong cache instance now utilizes its own cluster event channel. This approach isolates cache invalidation events and reducing the generation of unnecessary worker events.\n [#12321](https://github.com/Kong/kong/issues/12321)\n\n- Updated telemetry collection for AI Plugins to allow multiple plugins data to be set for the same request.\n [#12583](https://github.com/Kong/kong/issues/12583)\n##### PDK\n\n- **PDK:** Fixed `kong.request.get_forwarded_port` to always return a number,\nwhich was caused by an incorrectly stored string value in `ngx.ctx.host_port`.\n [#12806](https://github.com/Kong/kong/issues/12806)\n\n- The value of `latencies.kong` in the log serializer payload no longer includes\nthe response receive time, so it now has the same value as the\n`X-Kong-Proxy-Latency` response header. Response receive time is recorded in\nthe new `latencies.receive` metric, so if desired, the old value can be\ncalculated as `latencies.kong + latencies.receive`. **Note:** this also\naffects payloads from all logging plugins that use the log serializer:\n`file-log`, `tcp-log`, `udp-log`,`http-log`, `syslog`, and `loggly`, e.g.\n[descriptions of JSON objects for the HTTP Log Plugin's log format](https://docs.konghq.com/hub/kong-inc/http-log/log-format/#json-object-descriptions).\n [#12795](https://github.com/Kong/kong/issues/12795)\n\n- **Tracing**: enhanced robustness of trace ID parsing\n [#12848](https://github.com/Kong/kong/issues/12848)\n##### Plugin\n\n- **AI-proxy-plugin**: Fixed the bug that the `route_type` `/llm/v1/chat` didn't include the analytics in the responses.\n [#12781](https://github.com/Kong/kong/issues/12781)\n\n- **ACME**: Fixed an issue where the certificate was not successfully renewed during ACME renewal.\n [#12773](https://github.com/Kong/kong/issues/12773)\n\n- **AWS-Lambda**: Fixed an issue where the latency attributed to AWS Lambda API requests was counted as part of the latency in Kong.\n [#12835](https://github.com/Kong/kong/issues/12835)\n\n- **Jwt**: Fixed an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms.\n [#12724](https://github.com/Kong/kong/issues/12724)\n\n\n- Added WWW-Authenticate headers to all 401 responses in the Key Auth plugin.\n [#11794](https://github.com/Kong/kong/issues/11794)\n\n- **Opentelemetry**: Fixed an OTEL sampling mode Lua panic bug, which happened when the `http_response_header_for_traceid` option was enabled.\n [#12544](https://github.com/Kong/kong/issues/12544)\n\n- Improve error handling in AI plugins.\n [#12991](https://github.com/Kong/kong/issues/12991)\n\n- **ACME**: Fixed migration of redis configuration.\n [#12989](https://github.com/Kong/kong/issues/12989)\n\n- **Response-RateLimiting**: Fixed migration of redis configuration.\n [#12989](https://github.com/Kong/kong/issues/12989)\n\n- **Rate-Limiting**: Fixed migration of redis configuration.\n [#12989](https://github.com/Kong/kong/issues/12989)\n##### Admin API\n\n- **Admin API**: fixed an issue where calling the endpoint `POST /schemas/vaults/validate` was conflicting with the endpoint `/schemas/vaults/:name` which only has GET implemented, hence resulting in a 405.\n [#12607](https://github.com/Kong/kong/issues/12607)\n##### Default\n\n- Fixed a bug where, if the the ulimit setting (open files) was low, Kong would fail to start as the `lua-resty-timer-ng` exhausted the available `worker_connections`. Decreased the concurrency range of the `lua-resty-timer-ng` library from `[512, 2048]` to `[256, 1024]` to fix this bug.\n [#12606](https://github.com/Kong/kong/issues/12606)\n\n- Fix an issue where external plugins using the protobuf-based protocol would fail to call the `kong.Service.SetUpstream` method with an error `bad argument #2 to 'encode' (table expected, got boolean)`.\n [#12727](https://github.com/Kong/kong/issues/12727)\n\n### Kong-Manager\n\n\n\n\n\n\n#### Features\n##### Default\n\n- Kong Manager now supports creating and editing Expressions routes with an interactive in-browser editor with syntax highlighting and autocompletion features for Kong's Expressions language.\n [#217](https://github.com/Kong/kong-manager/issues/217)\n\n\n- Kong Manager now groups the parameters to provide a better user experience while configuring plugins. Meanwhile, several issues with the plugin form page were fixed.\n [#195](https://github.com/Kong/kong-manager/issues/195) [#199](https://github.com/Kong/kong-manager/issues/199) [#201](https://github.com/Kong/kong-manager/issues/201) [#202](https://github.com/Kong/kong-manager/issues/202) [#207](https://github.com/Kong/kong-manager/issues/207) [#208](https://github.com/Kong/kong-manager/issues/208) [#209](https://github.com/Kong/kong-manager/issues/209) [#213](https://github.com/Kong/kong-manager/issues/213) [#216](https://github.com/Kong/kong-manager/issues/216)\n\n\n#### Fixes\n##### Default\n\n- Improved the user experience in Kong Manager by fixing various UI-related issues.\n [#185](https://github.com/Kong/kong-manager/issues/185) [#188](https://github.com/Kong/kong-manager/issues/188) [#190](https://github.com/Kong/kong-manager/issues/190) [#195](https://github.com/Kong/kong-manager/issues/195) [#199](https://github.com/Kong/kong-manager/issues/199) [#201](https://github.com/Kong/kong-manager/issues/201) [#202](https://github.com/Kong/kong-manager/issues/202) [#207](https://github.com/Kong/kong-manager/issues/207) [#208](https://github.com/Kong/kong-manager/issues/208) [#209](https://github.com/Kong/kong-manager/issues/209) [#213](https://github.com/Kong/kong-manager/issues/213) [#216](https://github.com/Kong/kong-manager/issues/216)\n\n## 3.6.1\n\n### Kong\n\n\n#### Performance\n##### Plugin\n\n- **Opentelemetry**: increase queue max batch size to 200\n [#12542](https://github.com/Kong/kong/issues/12542)\n\n\n\n#### Dependencies\n##### Core\n\n- Bumped lua-resty-openssl to 1.2.1\n [#12669](https://github.com/Kong/kong/issues/12669)\n\n\n#### Features\n##### Configuration\n\n- now TLSv1.1 and lower is by default disabled in OpenSSL 3.x\n [#12556](https://github.com/Kong/kong/issues/12556)\n\n#### Fixes\n##### Configuration\n\n- Fixed default value in kong.conf.default documentation from 1000 to 10000\nfor upstream_keepalive_max_requests option.\n [#12648](https://github.com/Kong/kong/issues/12648)\n\n- Set security level of gRPC's TLS to 0 when ssl_cipher_suite is set to old\n [#12616](https://github.com/Kong/kong/issues/12616)\n\n##### Core\n\n- Fix the missing router section for the output of the request-debugging\n [#12649](https://github.com/Kong/kong/issues/12649)\n\n- revert the hard-coded limitation of the ngx.read_body() API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes.\n [#12666](https://github.com/Kong/kong/issues/12666)\n##### Default\n\n- Fix a bug where the ulimit setting (open files) is low Kong will fail to start as the lua-resty-timer-ng exhausts the available worker_connections. Decrease the concurrency range of the lua-resty-timer-ng library from [512, 2048] to [256, 1024] to fix this bug.\n [#12608](https://github.com/Kong/kong/issues/12608)\n### Kong-Manager\n\n## 3.6.0\n\n### Kong\n\n\n#### Performance\n##### Performance\n\n- Bumped the concurrency range of the lua-resty-timer-ng library from [32, 256] to [512, 2048].\n [#12275](https://github.com/Kong/kong/issues/12275)\n\n- Cooperatively yield when building statistics of routes to reduce the impact to proxy path latency.\n [#12013](https://github.com/Kong/kong/issues/12013)\n\n##### Configuration\n\n- Bump `dns_stale_ttl` default to 1 hour so stale DNS record can be used for longer time in case of resolver downtime.\n [#12087](https://github.com/Kong/kong/issues/12087)\n\n- Bumped default values of `nginx_http_keepalive_requests` and `upstream_keepalive_max_requests` to `10000`. These changes are optimized to work better in systems with high throughput. In a low-throughput setting, these new settings may have visible effects in loadbalancing - it can take more requests to start using all the upstreams than before.\n [#12223](https://github.com/Kong/kong/issues/12223)\n##### Core\n\n- Reuse match context between requests to avoid frequent memory allocation/deallocation\n [#12258](https://github.com/Kong/kong/issues/12258)\n##### PDK\n\n- Performance optimization to avoid unnecessary creations and garbage-collections of spans\n [#12080](https://github.com/Kong/kong/issues/12080)\n\n#### Breaking Changes\n##### Core\n\n- **BREAKING:** To avoid ambiguity with other Wasm-related nginx.conf directives, the prefix for Wasm `shm_kv` nginx.conf directives was changed from `nginx_wasm_shm_` to `nginx_wasm_shm_kv_`\n [#11919](https://github.com/Kong/kong/issues/11919)\n\n- In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2.\n Which means security level set to 112 bits of security. As a result\n RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than\n 224 bits are prohibited. In addition to the level 1 exclusions any cipher\n suite using RC4 is also prohibited. SSL version 3 is also not allowed.\n Compression is disabled.\n [#7714](https://github.com/Kong/kong/issues/7714)\n\n##### Plugin\n\n- **azure-functions**: azure-functions plugin now eliminates upstream/request URI and only use `routeprefix` configuration field to construct request path when requesting Azure API\n [#11850](https://github.com/Kong/kong/issues/11850)\n\n#### Deprecations\n##### Plugin\n\n- **ACME**: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins.\n [#12300](https://github.com/Kong/kong/issues/12300)\n\n- **Rate Limiting**: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins.\n [#12301](https://github.com/Kong/kong/issues/12301)\n\n- **Response-RateLimiting**: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins.\n [#12301](https://github.com/Kong/kong/issues/12301)\n\n#### Dependencies\n##### Core\n\n- Bumped atc-router from 1.2.0 to 1.6.0\n [#12231](https://github.com/Kong/kong/issues/12231)\n\n- Bumped kong-lapis from 1.14.0.3 to 1.16.0.1\n [#12064](https://github.com/Kong/kong/issues/12064)\n\n\n- Bumped LPEG from 1.0.2 to 1.1.0\n [#11955](https://github.com/Kong/kong/issues/11955)\n [UTF-8](https://konghq.atlassian.net/browse/UTF-8)\n\n- Bumped lua-messagepack from 0.5.2 to 0.5.3\n [#11956](https://github.com/Kong/kong/issues/11956)\n\n\n- Bumped lua-messagepack from 0.5.3 to 0.5.4\n [#12076](https://github.com/Kong/kong/issues/12076)\n\n\n- Bumped lua-resty-aws from 1.3.5 to 1.3.6\n [#12439](https://github.com/Kong/kong/issues/12439)\n\n\n- Bumped lua-resty-healthcheck from 3.0.0 to 3.0.1\n [#12237](https://github.com/Kong/kong/issues/12237)\n\n- Bumped lua-resty-lmdb from 1.3.0 to 1.4.1\n [#12026](https://github.com/Kong/kong/issues/12026)\n\n- Bumped lua-resty-timer-ng from 0.2.5 to 0.2.6\n [#12275](https://github.com/Kong/kong/issues/12275)\n\n- Bumped OpenResty from 1.21.4.2 to 1.25.3.1\n [#12327](https://github.com/Kong/kong/issues/12327)\n\n- Bumped OpenSSL from 3.1.4 to 3.2.1\n [#12264](https://github.com/Kong/kong/issues/12264)\n\n- Bump resty-openssl from 0.8.25 to 1.2.0\n [#12265](https://github.com/Kong/kong/issues/12265)\n\n\n- Bumped ngx_brotli to master branch, and disabled it on rhel7 rhel9-arm64 and amazonlinux-2023-arm64 due to toolchain issues\n [#12444](https://github.com/Kong/kong/issues/12444)\n\n- Bumped lua-resty-healthcheck from 1.6.3 to 3.0.0\n [#11834](https://github.com/Kong/kong/issues/11834)\n##### Default\n\n- Bump `ngx_wasm_module` to `a7087a37f0d423707366a694630f1e09f4c21728`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n\n- Bump `Wasmtime` version to `14.0.3`\n [#12011](https://github.com/Kong/kong/issues/12011)\n\n\n#### Features\n##### Configuration\n\n- display a warning message when Kong Manager is enabled but the Admin API is not enabled\n [#12071](https://github.com/Kong/kong/issues/12071)\n\n- add DHE-RSA-CHACHA20-POLY1305 cipher to the intermediate configuration\n [#12133](https://github.com/Kong/kong/issues/12133)\n\n- The default value of `dns_no_sync` option has been changed to `off`\n [#11869](https://github.com/Kong/kong/issues/11869)\n\n- Allow to inject Nginx directives into Kong's proxy location block\n [#11623](https://github.com/Kong/kong/issues/11623)\n\n\n- Validate LMDB cache by Kong's version (major + minor),\nwiping the content if tag mismatch to avoid compatibility issues\nduring minor version upgrade.\n [#12026](https://github.com/Kong/kong/issues/12026)\n##### Core\n\n- Adds telemetry collection for AI Proxy, AI Request Transformer, and AI Response Transformer, pertaining to model and provider usage.\n [#12495](https://github.com/Kong/kong/issues/12495)\n\n\n- add ngx_brotli module to kong prebuild nginx\n [#12367](https://github.com/Kong/kong/issues/12367)\n\n- Allow primary key passed as a full entity to DAO functions.\n [#11695](https://github.com/Kong/kong/issues/11695)\n\n\n- Build deb packages for Debian 12. The debian variant of kong docker image is built using Debian 12 now.\n [#12218](https://github.com/Kong/kong/issues/12218)\n\n- The expressions route now supports the `!` (not) operator, which allows creating routes like\n`!(http.path =^ \"/a\")` and `!(http.path == \"/a\" || http.path == \"/b\")`\n [#12419](https://github.com/Kong/kong/issues/12419)\n\n- Add `source` property to log serializer, indicating the response is generated by `kong` or `upstream`.\n [#12052](https://github.com/Kong/kong/issues/12052)\n\n- Ensure Kong-owned directories are cleaned up after an uninstall using the system's package manager.\n [#12162](https://github.com/Kong/kong/issues/12162)\n\n- Support `http.path.segments.len` and `http.path.segments.*` fields in the expressions router\nwhich allows matching incoming (normalized) request path by individual segment or ranges of segments,\nplus checking the total number of segments.\n [#12283](https://github.com/Kong/kong/issues/12283)\n\n- `net.src.*` and `net.dst.*` match fields are now accessible in HTTP routes defined using expressions.\n [#11950](https://github.com/Kong/kong/issues/11950)\n\n- Extend support for getting and setting Gateway values via proxy-wasm properties in the `kong.*` namespace.\n [#11856](https://github.com/Kong/kong/issues/11856)\n\n##### PDK\n\n- Increase the precision of JSON number encoding from 14 to 16 decimals\n [#12019](https://github.com/Kong/kong/issues/12019)\n##### Plugin\n\n- Introduced the new **AI Prompt Decorator** plugin that enables prepending and appending llm/v1/chat messages onto consumer LLM requests, for prompt tuning.\n [#12336](https://github.com/Kong/kong/issues/12336)\n\n\n- Introduced the new **AI Prompt Guard** which can allow and/or block LLM requests based on pattern matching.\n [#12427](https://github.com/Kong/kong/issues/12427)\n\n\n- Introduced the new **AI Prompt Template** which can offer consumers and array of LLM prompt templates, with variable substitutions.\n [#12340](https://github.com/Kong/kong/issues/12340)\n\n\n- Introduced the new **AI Proxy** plugin that enables simplified integration with various AI provider Large Language Models.\n [#12323](https://github.com/Kong/kong/issues/12323)\n\n\n- Introduced the new **AI Request Transformer** plugin that enables passing mid-flight consumer requests to an LLM for transformation or sanitization.\n [#12426](https://github.com/Kong/kong/issues/12426)\n\n\n- Introduced the new **AI Response Transformer** plugin that enables passing mid-flight upstream responses to an LLM for transformation or sanitization.\n [#12426](https://github.com/Kong/kong/issues/12426)\n\n\n- Tracing Sampling Rate can now be set via the `config.sampling_rate` property of the OpenTelemetry plugin instead of it just being a global setting for the gateway.\n [#12054](https://github.com/Kong/kong/issues/12054)\n##### Admin API\n\n- add gateway edition to the root endpoint of the admin api\n [#12097](https://github.com/Kong/kong/issues/12097)\n\n- Enable `status_listen` on `127.0.0.1:8007` by default\n [#12304](https://github.com/Kong/kong/issues/12304)\n##### Clustering\n\n- **Clustering**: Expose data plane certificate expiry date on the control plane API.\n [#11921](https://github.com/Kong/kong/issues/11921)\n\n#### Fixes\n##### Configuration\n\n- fix error data loss caused by weakly typed of function in declarative_config_flattened function\n [#12167](https://github.com/Kong/kong/issues/12167)\n\n- respect custom `proxy_access_log`\n [#12073](https://github.com/Kong/kong/issues/12073)\n##### Core\n\n- prevent ca to be deleted when it's still referenced by other entities and invalidate the related ca store caches when a ca cert is updated.\n [#11789](https://github.com/Kong/kong/issues/11789)\n\n- Now cookie names are validated against RFC 6265, which allows more characters than the previous validation.\n [#11881](https://github.com/Kong/kong/issues/11881)\n\n\n- Remove nulls only if the schema has transformations definitions.\nImprove performance as most schemas does not define transformations.\n [#12284](https://github.com/Kong/kong/issues/12284)\n\n- Fix a bug that the error_handler can not provide the meaningful response body when the internal error code 494 is triggered.\n [#12114](https://github.com/Kong/kong/issues/12114)\n\n- Header value matching (`http.headers.*`) in `expressions` router flavor are now case sensitive.\nThis change does not affect on `traditional_compatible` mode\nwhere header value match are always performed ignoring the case.\n [#11905](https://github.com/Kong/kong/issues/11905)\n\n- print error message correctly when plugin fails\n [#11800](https://github.com/Kong/kong/issues/11800)\n\n- fix ldoc intermittent failure caused by LuaJIT error.\n [#11983](https://github.com/Kong/kong/issues/11983)\n\n- use NGX_WASM_MODULE_BRANCH environment variable to set ngx_wasm_module repository branch when building Kong.\n [#12241](https://github.com/Kong/kong/issues/12241)\n\n- Eliminate asynchronous timer in syncQuery() to prevent hang risk\n [#11900](https://github.com/Kong/kong/issues/11900)\n\n- **tracing:** Fixed an issue where a DNS query failure would cause a tracing failure.\n [#11935](https://github.com/Kong/kong/issues/11935)\n\n- Expressions route in `http` and `stream` subsystem now have stricter validation.\nPreviously they share the same validation schema which means admin can configure expressions\nroute using fields like `http.path` even for stream routes. This is no longer allowed.\n [#11914](https://github.com/Kong/kong/issues/11914)\n\n- **Tracing**: dns spans are now correctly generated for upstream dns queries (in addition to cosocket ones)\n [#11996](https://github.com/Kong/kong/issues/11996)\n\n- Validate private and public key for `keys` entity to ensure they match each other.\n [#11923](https://github.com/Kong/kong/issues/11923)\n\n- **proxy-wasm**: Fixed \"previous plan already attached\" error thrown when a filter triggers re-entrancy of the access handler.\n [#12452](https://github.com/Kong/kong/issues/12452)\n##### PDK\n\n- response.set_header support header argument with table array of string\n [#12164](https://github.com/Kong/kong/issues/12164)\n\n- Fix an issue that when using kong.response.exit, the Transfer-Encoding header set by user is not removed\n [#11936](https://github.com/Kong/kong/issues/11936)\n\n- **Plugin Server**: fix an issue where every request causes a new plugin instance to be created\n [#12020](https://github.com/Kong/kong/issues/12020)\n##### Plugin\n\n- Add missing WWW-Authenticate headers to 401 response in basic auth plugin.\n [#11795](https://github.com/Kong/kong/issues/11795)\n\n- Enhance error responses for authentication failures in the Admin API\n [#12456](https://github.com/Kong/kong/issues/12456)\n\n- Expose metrics for serviceless routes\n [#11781](https://github.com/Kong/kong/issues/11781)\n\n- **Rate Limiting**: fix to provide better accuracy in counters when sync_rate is used with the redis policy.\n [#11859](https://github.com/Kong/kong/issues/11859)\n\n- **Rate Limiting**: fix an issuer where all counters are synced to the same DB at the same rate.\n [#12003](https://github.com/Kong/kong/issues/12003)\n\n- **Datadog**: Fix a bug that datadog plugin is not triggered for serviceless routes. In this fix, datadog plugin is always triggered, and the value of tag `name`(service_name) is set as an empty value.\n [#12068](https://github.com/Kong/kong/issues/12068)\n##### Clustering\n\n- Fix a bug causing data-plane status updates to fail when an empty PING frame is received from a data-plane\n [#11917](https://github.com/Kong/kong/issues/11917)\n### Kong-Manager\n\n\n\n\n\n\n#### Features\n##### Default\n\n- Added a JSON/YAML format preview for all entity forms.\n [#157](https://github.com/Kong/kong-manager/issues/157)\n\n\n- Adopted resigned basic components for better UI/UX.\n [#131](https://github.com/Kong/kong-manager/issues/131) [#166](https://github.com/Kong/kong-manager/issues/166)\n\n\n- Kong Manager and Konnect now share the same UI for plugin selection page and plugin form page.\n [#143](https://github.com/Kong/kong-manager/issues/143) [#147](https://github.com/Kong/kong-manager/issues/147)\n\n\n#### Fixes\n##### Default\n\n- Standardized notification text format.\n [#140](https://github.com/Kong/kong-manager/issues/140)\n\n## 3.5.0\n### Kong\n\n\n#### Performance\n##### Configuration\n\n- Bumped the default value of `upstream_keepalive_pool_size` to `512` and `upstream_keepalive_max_requests` to `1000`\n [#11515](https://github.com/Kong/kong/issues/11515)\n##### Core\n\n- refactor workspace id and name retrieval\n [#11442](https://github.com/Kong/kong/issues/11442)\n\n#### Breaking Changes\n##### Plugin\n\n- **Session**: a new configuration field `read_body_for_logout` was added with a default value of `false`, that changes behavior of `logout_post_arg` in a way that it is not anymore considered if the `read_body_for_logout` is not explicitly set to `true`. This is to avoid session plugin from reading request bodies by default on e.g. `POST` request for logout detection.\n [#10333](https://github.com/Kong/kong/issues/10333)\n\n\n#### Dependencies\n##### Core\n\n- Bumped resty.openssl from 0.8.23 to 0.8.25\n [#11518](https://github.com/Kong/kong/issues/11518)\n\n- Fix incorrect LuaJIT register allocation for IR_*LOAD on ARM64\n [#11638](https://github.com/Kong/kong/issues/11638)\n\n- Fix LDP/STP fusing for unaligned accesses on ARM64\n [#11639](https://github.com/Kong/kong/issues/11639)\n\n\n- Bump lua-kong-nginx-module from 0.6.0 to 0.8.0\n [#11663](https://github.com/Kong/kong/issues/11663)\n\n- Fix incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic\n [#11537](https://github.com/Kong/kong/issues/11537)\n\n##### Default\n\n- Bumped lua-resty-healthcheck from 1.6.2 to 1.6.3\n [#11360](https://github.com/Kong/kong/issues/11360)\n\n- Bumped OpenResty from 1.21.4.1 to 1.21.4.2\n [#11360](https://github.com/Kong/kong/issues/11360)\n\n- Bumped LuaSec from 1.3.1 to 1.3.2\n [#11553](https://github.com/Kong/kong/issues/11553)\n\n\n- Bumped lua-resty-aws from 1.3.1 to 1.3.5\n [#11613](https://github.com/Kong/kong/issues/11613)\n\n\n- bump OpenSSL from 3.1.1 to 3.1.4\n [#11844](https://github.com/Kong/kong/issues/11844)\n\n\n- Bumped kong-lapis from 1.14.0.2 to 1.14.0.3\n [#11849](https://github.com/Kong/kong/issues/11849)\n\n\n- Bumped ngx_wasm_module to latest rolling release version.\n [#11678](https://github.com/Kong/kong/issues/11678)\n\n- Bump Wasmtime version to 12.0.2\n [#11738](https://github.com/Kong/kong/issues/11738)\n\n- Bumped lua-resty-aws from 1.3.0 to 1.3.1\n [#11419](https://github.com/Kong/kong/pull/11419)\n\n- Bumped lua-resty-session from 4.0.4 to 4.0.5\n [#11416](https://github.com/Kong/kong/pull/11416)\n\n\n#### Features\n##### Core\n\n- Add a new endpoint `/schemas/vaults/:name` to retrieve the schema of a vault.\n [#11727](https://github.com/Kong/kong/issues/11727)\n\n- rename `privileged_agent` to `dedicated_config_processing. Enable `dedicated_config_processing` by default\n [#11784](https://github.com/Kong/kong/issues/11784)\n\n- Support observing the time consumed by some components in the given request.\n [#11627](https://github.com/Kong/kong/issues/11627)\n\n- Plugins can now implement `Plugin:configure(configs)` function that is called whenever there is a change in plugin entities. An array of current plugin configurations is passed to the function, or `nil` in case there is no active configurations for the plugin.\n [#11703](https://github.com/Kong/kong/issues/11703)\n\n- Add a request-aware table able to detect accesses from different requests.\n [#11017](https://github.com/Kong/kong/issues/11017)\n\n- A unique Request ID is now populated in the error log, access log, error templates, log serializer, and in a new X-Kong-Request-Id header (configurable for upstream/downstream using the `headers` and `headers_upstream` configuration options).\n [#11663](https://github.com/Kong/kong/issues/11663)\n\n- Add support for optional Wasm filter configuration schemas\n [#11568](https://github.com/Kong/kong/issues/11568)\n\n- Support JSON in Wasm filter configuration\n [#11697](https://github.com/Kong/kong/issues/11697)\n\n- Support HTTP query parameters in expression routes.\n [#11348](https://github.com/Kong/kong/pull/11348)\n\n##### Plugin\n\n- **response-ratelimiting**: add support for secret rotation with redis connection\n [#10570](https://github.com/Kong/kong/issues/10570)\n\n\n- **CORS**: Support the `Access-Control-Request-Private-Network` header in crossing-origin pre-light requests\n [#11523](https://github.com/Kong/kong/issues/11523)\n\n- add scan_count to redis storage schema\n [#11532](https://github.com/Kong/kong/issues/11532)\n\n\n- **AWS-Lambda**: the AWS-Lambda plugin has been refactored by using `lua-resty-aws` as an\n underlying AWS library. The refactor simplifies the AWS-Lambda plugin code base and\n adding support for multiple IAM authenticating scenarios.\n [#11350](https://github.com/Kong/kong/pull/11350)\n\n- **OpenTelemetry** and **Zipkin**: Support GCP X-Cloud-Trace-Context header\n The field `header_type` now accepts the value `gcp` to propagate the\n Google Cloud trace header\n [#11254](https://github.com/Kong/kong/pull/11254)\n\n##### Clustering\n\n- **Clustering**: Allow configuring DP metadata labels for on-premise CP Gateway\n [#11625](https://github.com/Kong/kong/issues/11625)\n\n#### Fixes\n##### Configuration\n\n- The default value of `dns_no_sync` option has been changed to `on`\n [#11871](https://github.com/Kong/kong/issues/11871)\n\n##### Core\n\n- Fix an issue that the TTL of the key-auth plugin didnt work in DB-less and Hybrid mode.\n [#11464](https://github.com/Kong/kong/issues/11464)\n\n- Fix a problem that abnormal socket connection will be reused when querying Postgres database.\n [#11480](https://github.com/Kong/kong/issues/11480)\n\n- Fix upstream ssl failure when plugins use response handler\n [#11502](https://github.com/Kong/kong/issues/11502)\n\n- Fix an issue that protocol `tls_passthrough` can not work with expressions flavor\n [#11538](https://github.com/Kong/kong/issues/11538)\n\n- Fix a bug that will cause a failure of sending tracing data to datadog when value of x-datadog-parent-id header in requests is a short dec string\n [#11599](https://github.com/Kong/kong/issues/11599)\n\n- Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487)\n [#11743](https://github.com/Kong/kong/issues/11743)\n\n- fix the building failure when applying patches\n [#11696](https://github.com/Kong/kong/issues/11696)\n\n- Vault references can be used in Dbless mode in declarative config\n [#11845](https://github.com/Kong/kong/issues/11845)\n\n\n- Properly warmup Vault caches on init\n [#11827](https://github.com/Kong/kong/issues/11827)\n\n\n- Vault resurrect time is respected in case a vault secret is deleted from a vault\n [#11852](https://github.com/Kong/kong/issues/11852)\n\n- Fixed critical level logs when starting external plugin servers. Those logs cannot be suppressed due to the limitation of OpenResty. We choose to remove the socket availability detection feature.\n [#11372](https://github.com/Kong/kong/pull/11372)\n\n- Fix an issue where a crashing Go plugin server process would cause subsequent\n requests proxied through Kong to execute Go plugins with inconsistent configurations.\n The issue only affects scenarios where the same Go plugin is applied to different Route\n or Service entities.\n [#11306](https://github.com/Kong/kong/pull/11306)\n\n- Fix an issue where cluster_cert or cluster_ca_cert is inserted into lua_ssl_trusted_certificate before being base64 decoded.\n [#11385](https://github.com/Kong/kong/pull/11385)\n\n- Fix cache warmup mechanism not working in `acls` plugin groups config entity scenario.\n [#11414](https://github.com/Kong/kong/pull/11414)\n\n- Fix an issue that queue stops processing when a hard error is encountered in the handler function.\n [#11423](https://github.com/Kong/kong/pull/11423)\n\n- Fix an issue that query parameters are not forwarded in proxied request.\n Thanks [@chirag-manwani](https://github.com/chirag-manwani) for contributing this change.\n [#11328](https://github.com/Kong/kong/pull/11328)\n\n- Fix an issue that response status code is not real upstream status when using kong.response function.\n [#11437](https://github.com/Kong/kong/pull/11437)\n\n- Removed a hardcoded proxy-wasm isolation level setting that was preventing the\n `nginx_http_proxy_wasm_isolation` configuration value from taking effect.\n [#11407](https://github.com/Kong/kong/pull/11407)\n\n##### PDK\n\n- Fix several issues in Vault and refactor the Vault code base: - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed\n [#11652](https://github.com/Kong/kong/issues/11652)\n\n- Fix response body gets repeated when `kong.response.get_raw_body()` is called multiple times in a request lifecycle.\n [#11424](https://github.com/Kong/kong/issues/11424)\n\n- Tracing: fix an issue that resulted in some parent spans to end before their children due to different precision of their timestamps\n [#11484](https://github.com/Kong/kong/issues/11484)\n\n- Fix a bug related to data interference between requests in the kong.log.serialize function.\n [#11566](https://github.com/Kong/kong/issues/11566)\n##### Plugin\n\n- **Opentelemetry**: fix an issue that resulted in invalid parent IDs in the propagated tracing headers\n [#11468](https://github.com/Kong/kong/issues/11468)\n\n- **AWS-Lambda**: let plugin-level proxy take effect on EKS IRSA credential provider\n [#11551](https://github.com/Kong/kong/issues/11551)\n\n- Cache the AWS lambda service by those lambda service related fields\n [#11821](https://github.com/Kong/kong/issues/11821)\n\n- **Opentelemetry**: fix an issue that resulted in traces with invalid parent IDs when `balancer` instrumentation was enabled\n [#11830](https://github.com/Kong/kong/issues/11830)\n\n\n- **tcp-log**: fix an issue of unnecessary handshakes when reusing TLS connection\n [#11848](https://github.com/Kong/kong/issues/11848)\n\n- **OAuth2**: For OAuth2 plugin, `scope` has been taken into account as a new criterion of the request validation. When refreshing token with `refresh_token`, the scopes associated with the `refresh_token` provided in the request must be same with or a subset of the scopes configured in the OAuth2 plugin instance hit by the request.\n [#11342](https://github.com/Kong/kong/pull/11342)\n\n- When the worker is in shutdown mode and more data is immediately available without waiting for `max_coalescing_delay`, queues are now cleared in batches.\n Thanks [@JensErat](https://github.com/JensErat) for contributing this change.\n [#11376](https://github.com/Kong/kong/pull/11376)\n\n- A race condition in the plugin queue could potentially crash the worker when `max_entries` was set to `max_batch_size`.\n [#11378](https://github.com/Kong/kong/pull/11378)\n\n- **AWS-Lambda**: fix an issue that the AWS-Lambda plugin cannot extract a json encoded proxy integration response.\n [#11413](https://github.com/Kong/kong/pull/11413)\n\n##### Default\n\n- Restore lapis & luarocks-admin bins\n [#11578](https://github.com/Kong/kong/issues/11578)\n### Kong-Manager\n\n\n\n\n\n\n#### Features\n##### Default\n\n- Add `JSON` and `YAML` formats in entity config cards.\n [#111](https://github.com/Kong/kong-manager/issues/111)\n\n\n- Plugin form fields now display descriptions from backend schema.\n [#66](https://github.com/Kong/kong-manager/issues/66)\n\n\n- Add the `protocols` field in plugin form.\n [#93](https://github.com/Kong/kong-manager/issues/93)\n\n\n- The upstream target list shows the `Mark Healthy` and `Mark Unhealthy` action items when certain conditions are met.\n [#86](https://github.com/Kong/kong-manager/issues/86)\n\n\n#### Fixes\n##### Default\n\n- Fix incorrect port number in Port Details.\n [#103](https://github.com/Kong/kong-manager/issues/103)\n\n\n- Fix a bug where the `proxy-cache` plugin cannot be installed.\n [#104](https://github.com/Kong/kong-manager/issues/104)\n\n## 3.4.2\n\n### Kong\n\n#### Fixes\n##### Core\n\n- Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487)\n [#11743](https://github.com/Kong/kong/issues/11743)\n [CVE-2023](https://konghq.atlassian.net/browse/CVE-2023) [nginx-1](https://konghq.atlassian.net/browse/nginx-1) [SIR-435](https://konghq.atlassian.net/browse/SIR-435)\n\n## 3.4.1\n\n### Kong\n\n\n#### Additions\n\n##### Core\n\n- Support HTTP query parameters in expression routes.\n [#11348](https://github.com/Kong/kong/pull/11348)\n\n\n#### Dependencies\n\n##### Core\n\n- Fix incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic\n [#11537](https://github.com/Kong/kong-ee/issues/11537)\n\n\n\n#### Fixes\n\n##### Core\n\n- Removed a hardcoded proxy-wasm isolation level setting that was preventing the\n `nginx_http_proxy_wasm_isolation` configuration value from taking effect.\n [#11407](https://github.com/Kong/kong/pull/11407)\n- Fix an issue that the TTL of the key-auth plugin didnt work in DB-less and Hybrid mode.\n [#11464](https://github.com/Kong/kong-ee/issues/11464)\n- Fix a problem that abnormal socket connection will be reused when querying Postgres database.\n [#11480](https://github.com/Kong/kong-ee/issues/11480)\n- Fix upstream ssl failure when plugins use response handler\n [#11502](https://github.com/Kong/kong-ee/issues/11502)\n- Fix an issue that protocol `tls_passthrough` can not work with expressions flavor\n [#11538](https://github.com/Kong/kong-ee/issues/11538)\n\n##### PDK\n\n- Fix several issues in Vault and refactor the Vault code base: - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed\n\n[#11402](https://github.com/Kong/kong-ee/issues/11402)\n- Tracing: fix an issue that resulted in some parent spans to end before their children due to different precision of their timestamps\n [#11484](https://github.com/Kong/kong-ee/issues/11484)\n\n##### Plugin\n\n- **Opentelemetry**: fix an issue that resulted in invalid parent IDs in the propagated tracing headers\n [#11468](https://github.com/Kong/kong-ee/issues/11468)\n\n### Kong Manager\n\n#### Fixes\n\n- Fixed entity docs link.\n [#92](https://github.com/Kong/kong-manager/pull/92)\n\n## 3.4.0\n\n### Breaking Changes\n\n- :warning: Alpine packages and Docker images based on Alpine are no longer supported\n [#10926](https://github.com/Kong/kong/pull/10926)\n- :warning: Cassandra as a datastore for Kong is no longer supported\n [#10931](https://github.com/Kong/kong/pull/10931)\n- Ubuntu 18.04 artifacts are no longer supported as it's EOL\n- AmazonLinux 2022 artifacts are renamed to AmazonLinux 2023 according to AWS's decision\n\n### Deprecations\n\n- **CentOS packages are now removed from the release and are no longer supported in future versions.**\n\n### Additions\n\n#### Core\n\n- Enable `expressions` and `traditional_compatible` router flavor in stream subsystem.\n [#11071](https://github.com/Kong/kong/pull/11071)\n- Make upstream `host_header` and router `preserve_host` config work in stream tls proxy.\n [#11244](https://github.com/Kong/kong/pull/11244)\n- Add beta support for WebAssembly/proxy-wasm\n [#11218](https://github.com/Kong/kong/pull/11218)\n- '/schemas' endpoint returns additional information about cross-field validation as part of the schema.\n This should help tools that use the Admin API to perform better client-side validation.\n [#11108](https://github.com/Kong/kong/pull/11108)\n\n#### Kong Manager\n- First release of the Kong Manager Open Source Edition.\n [#11131](https://github.com/Kong/kong/pull/11131)\n\n#### Plugins\n\n- **OpenTelemetry**: Support AWS X-Ray propagation header\n The field `header_type`now accepts the `aws` value to handle this specific\n propagation header.\n [11075](https://github.com/Kong/kong/pull/11075)\n- **Opentelemetry**: Support the `endpoint` parameter as referenceable.\n [#11220](https://github.com/Kong/kong/pull/11220)\n- **Ip-Restriction**: Add TCP support to the plugin.\n Thanks [@scrudge](https://github.com/scrudge) for contributing this change.\n [#10245](https://github.com/Kong/kong/pull/10245)\n\n#### Performance\n\n- In dbless mode, the declarative schema is now fully initialized at startup\n instead of on-demand in the request path. This is most evident in decreased\n response latency when updating configuration via the `/config` API endpoint.\n [#10932](https://github.com/Kong/kong/pull/10932)\n- The Prometheus plugin has been optimized to reduce proxy latency impacts during scraping.\n [#10949](https://github.com/Kong/kong/pull/10949)\n [#11040](https://github.com/Kong/kong/pull/11040)\n [#11065](https://github.com/Kong/kong/pull/11065)\n\n### Fixes\n\n#### Core\n\n- Declarative config now performs proper uniqueness checks against its inputs:\n previously, it would silently drop entries with conflicting primary/endpoint\n keys, or accept conflicting unique fields silently.\n [#11199](https://github.com/Kong/kong/pull/11199)\n- Fixed a bug that causes `POST /config?flatten_errors=1` to throw an exception\n and return a 500 error under certain circumstances.\n [#10896](https://github.com/Kong/kong/pull/10896)\n- Fix a bug when worker consuming dynamic log level setting event and using a wrong reference for notice logging\n [#10897](https://github.com/Kong/kong/pull/10897)\n- Added a `User=` specification to the systemd unit definition so that\n Kong can be controlled by systemd again.\n [#11066](https://github.com/Kong/kong/pull/11066)\n- Fix a bug that caused sampling rate to be applied to individual spans producing split traces.\n [#11135](https://github.com/Kong/kong/pull/11135)\n- Fix a bug that caused spans to not be instrumented with http.status_code when the request was not proxied to an upstream.\n Thanks [@backjo](https://github.com/backjo) for contributing this change.\n [#11152](https://github.com/Kong/kong/pull/11152),\n [#11406](https://github.com/Kong/kong/pull/11406)\n- Fix a bug that caused the router to fail in `traditional_compatible` mode when a route with multiple paths and no service was created.\n [#11158](https://github.com/Kong/kong/pull/11158)\n- Fix an issue where the router of flavor `expressions` can not work correctly\n when `route.protocols` is set to `grpc` or `grpcs`.\n [#11082](https://github.com/Kong/kong/pull/11082)\n- Fix an issue where the router of flavor `expressions` can not configure https redirection.\n [#11166](https://github.com/Kong/kong/pull/11166)\n- Added new span attribute `net.peer.name` if balancer_data.hostname is available.\n Thanks [@backjo](https://github.com/backjo) for contributing this change.\n [#10723](https://github.com/Kong/kong/pull/10729)\n- Make `kong vault get` CLI command work in dbless mode by injecting the necessary directives into the kong cli nginx.conf.\n [#11127](https://github.com/Kong/kong/pull/11127)\n [#11291](https://github.com/Kong/kong/pull/11291)\n- Fix an issue where a crashing Go plugin server process would cause subsequent\n requests proxied through Kong to execute Go plugins with inconsistent configurations.\n The issue only affects scenarios where the same Go plugin is applied to different Route\n or Service entities.\n [#11306](https://github.com/Kong/kong/pull/11306)\n- Fix an issue where cluster_cert or cluster_ca_cert is inserted into lua_ssl_trusted_certificate before being base64 decoded.\n [#11385](https://github.com/Kong/kong/pull/11385)\n- Update the DNS client to follow configured timeouts in a more predictable manner. Also fix a corner case in its\n behavior that could cause it to resolve incorrectly during transient network and DNS server failures.\n [#11386](https://github.com/Kong/kong/pull/11386)\n\n#### Admin API\n\n- Fix an issue where `/schemas/plugins/validate` endpoint fails to validate valid plugin configuration\n when the key of `custom_fields_by_lua` contains dot character(s).\n [#11091](https://github.com/Kong/kong/pull/11091)\n- Fix an issue with the `/tags/:tag` Admin API returning a JSON object (`{}`) instead of an array (`[]`) for empty data sets.\n [#11213](https://github.com/Kong/kong/pull/11213)\n\n#### Plugins\n\n- **Response Transformer**: fix an issue that plugin does not transform the response body while upstream returns a Content-Type with +json suffix at subtype.\n [#10656](https://github.com/Kong/kong/pull/10656)\n- **grpc-gateway**: Fixed an issue that empty (all default value) messages can not be unframed correctly.\n [#10836](https://github.com/Kong/kong/pull/10836)\n- **ACME**: Fixed sanity test can't work with \"kong\" storage in Hybrid mode\n [#10852](https://github.com/Kong/kong/pull/10852)\n- **rate-limiting**: Fixed an issue that impact the accuracy with the `redis` policy.\n Thanks [@giovanibrioni](https://github.com/giovanibrioni) for contributing this change.\n [#10559](https://github.com/Kong/kong/pull/10559)\n- **Zipkin**: Fixed an issue that traces not being generated correctly when instrumentations are enabled.\n [#10983](https://github.com/Kong/kong/pull/10983)\n- **Acme**: Fixed string concatenation on cert renewal errors\n [#11364](https://github.com/Kong/kong/pull/11364)\n- Validation for queue related parameters has been\n improved. `max_batch_size`, `max_entries` and `max_bytes` are now\n `integer`s instead of `number`s. `initial_retry_delay` and\n `max_retry_delay` must now be `number`s greater than 0.001\n (seconds).\n [#10840](https://github.com/Kong/kong/pull/10840)\n\n### Changed\n\n#### Core\n\n- Tracing: new attribute `http.route` added to http request spans.\n [#10981](https://github.com/Kong/kong/pull/10981)\n- The default value of `lmdb_map_size` config has been bumped to `2048m`\n from `128m` to accommodate most commonly deployed config sizes in DB-less\n and Hybrid mode.\n [#11047](https://github.com/Kong/kong/pull/11047)\n- The default value of `cluster_max_payload` config has been bumped to `16m`\n from `4m` to accommodate most commonly deployed config sizes in Hybrid mode.\n [#11090](https://github.com/Kong/kong/pull/11090)\n- Remove kong branding from kong HTML error template.\n [#11150](https://github.com/Kong/kong/pull/11150)\n- Drop luasocket in cli\n [#11177](https://github.com/Kong/kong/pull/11177)\n\n#### Status API\n\n- Remove the database information from the status API when operating in dbless\n mode or data plane.\n [#10995](https://github.com/Kong/kong/pull/10995)\n\n### Dependencies\n\n- Bumped lua-resty-openssl from 0.8.20 to 0.8.23\n [#10837](https://github.com/Kong/kong/pull/10837)\n [#11099](https://github.com/Kong/kong/pull/11099)\n- Bumped kong-lapis from 1.8.3.1 to 1.14.0.2\n [#10841](https://github.com/Kong/kong/pull/10841)\n- Bumped lua-resty-events from 0.1.4 to 0.2.0\n [#10883](https://github.com/Kong/kong/pull/10883)\n [#11083](https://github.com/Kong/kong/pull/11083)\n [#11214](https://github.com/Kong/kong/pull/11214)\n- Bumped lua-resty-session from 4.0.3 to 4.0.4\n [#11011](https://github.com/Kong/kong/pull/11011)\n- Bumped OpenSSL from 1.1.1t to 3.1.1\n [#10180](https://github.com/Kong/kong/pull/10180)\n [#11140](https://github.com/Kong/kong/pull/11140)\n- Bumped pgmoon from 1.16.0 to 1.16.2 (Kong's fork)\n [#11181](https://github.com/Kong/kong/pull/11181)\n [#11229](https://github.com/Kong/kong/pull/11229)\n- Bumped atc-router from 1.0.5 to 1.2.0\n [#10100](https://github.com/Kong/kong/pull/10100)\n [#11071](https://github.com/Kong/kong/pull/11071)\n- Bumped lua-resty-lmdb from 1.1.0 to 1.3.0\n [#11227](https://github.com/Kong/kong/pull/11227)\n- Bumped lua-ffi-zlib from 0.5 to 0.6\n [#11373](https://github.com/Kong/kong/pull/11373)\n\n### Known Issues\n- Some referenceable configuration fields, such as the `http_endpoint` field\n of the `http-log` plugin and the `endpoint` field of the `opentelemetry` plugin,\n do not accept reference values due to incorrect field validation.\n\n## 3.3.0\n\n### Breaking Changes\n\n#### Core\n\n- The `traditional_compatible` router mode has been made more compatible with the\n behavior of `traditional` mode by splitting routes with multiple paths into\n multiple atc routes with separate priorities. Since the introduction of the new\n router in Kong Gateway 3.0, `traditional_compatible` mode assigned only one priority\n to each route, even if different prefix path lengths and regular expressions\n were mixed in a route. This was not how multiple paths were handled in the\n `traditional` router and the behavior has now been changed so that a separate\n priority value is assigned to each path in a route.\n [#10615](https://github.com/Kong/kong/pull/10615)\n\n#### Plugins\n\n- **http-log, statsd, opentelemetry, datadog**: The queueing system\n has been reworked, causing some plugin parameters to not function as expected\n anymore. If you use queues on these plugin, new parameters must be configured.\n The module `kong.tools.batch_queue` has been renamed to `kong.tools.queue` in\n the process and the API was changed. If your custom plugin uses queues, it must\n be updated to use the new API.\n See\n [this blog post](https://konghq.com/blog/product-releases/reworked-plugin-queues-in-kong-gateway-3-3)\n for a tour of the new queues and how they are parametrized.\n [#10172](https://github.com/Kong/kong/pull/10172)\n- **http-log**: If the log server responds with a 3xx HTTP status code, the\n plugin will consider it to be an error and retry according to the retry\n configuration. Previously, 3xx status codes would be interpreted as success,\n causing the log entries to be dropped.\n [#10172](https://github.com/Kong/kong/pull/10172)\n- **Serverless Functions**: `kong.cache` now points to a cache instance that is dedicated to the\n Serverless Functions plugins: it does not provide access to the global kong cache. Access to\n certain fields in kong.configuration has also been restricted.\n [#10417](https://github.com/Kong/kong/pull/10417)\n- **Zipkin**: The zipkin plugin now uses queues for internal\n buffering. The standard queue parameter set is available to\n control queuing behavior.\n [#10753](https://github.com/Kong/kong/pull/10753)\n- Tracing: tracing_sampling_rate defaults to 0.01 (trace one of every 100 requests) instead of the previous 1\n (trace all requests). Tracing all requests is inappropriate for most production systems\n [#10774](https://github.com/Kong/kong/pull/10774)\n- **Proxy Cache**: Add option to remove the proxy cache headers from the response\n [#10445](https://github.com/Kong/kong/pull/10445)\n\n### Additions\n\n#### Core\n\n- Make runloop and init error response content types compliant with Accept header value\n [#10366](https://github.com/Kong/kong/pull/10366)\n- Add a new field `updated_at` for core entities ca_certificates, certificates, consumers,\n targets, upstreams, plugins, workspaces, clustering_data_planes and snis.\n [#10400](https://github.com/Kong/kong/pull/10400)\n- Allow configuring custom error templates\n [#10374](https://github.com/Kong/kong/pull/10374)\n- The maximum number of request headers, response headers, uri args, and post args that are\n parsed by default can now be configured with a new configuration parameters:\n `lua_max_req_headers`, `lua_max_resp_headers`, `lua_max_uri_args` and `lua_max_post_args`\n [#10443](https://github.com/Kong/kong/pull/10443)\n- Allow configuring Labels for data planes to provide metadata information.\n Labels are only compatible with hybrid mode deployments with Kong Konnect (SaaS)\n [#10471](https://github.com/Kong/kong/pull/10471)\n- Add Postgres triggers on the core entites and entities in bundled plugins to delete the\n expired rows in an efficient and timely manner.\n [#10389](https://github.com/Kong/kong/pull/10389)\n- Support for configurable Node IDs\n [#10385](https://github.com/Kong/kong/pull/10385)\n- Request and response buffering options are now enabled for incoming HTTP 2.0 requests too.\n Thanks [@PidgeyBE](https://github.com/PidgeyBE) for contributing this change.\n [#10595](https://github.com/Kong/kong/pull/10595)\n [#10204](https://github.com/Kong/kong/pull/10204)\n- Add `KONG_UPSTREAM_DNS_TIME` to `kong.ctx` so that we can record the time it takes for DNS\n resolution when Kong proxies to upstream.\n [#10355](https://github.com/Kong/kong/pull/10355)\n- Tracing: rename spans to simplify filtering on tracing backends.\n [#10577](https://github.com/Kong/kong/pull/10577)\n- Support timeout for dynamic log level\n [#10288](https://github.com/Kong/kong/pull/10288)\n- Added new span attribute `http.client_ip` to capture the client IP when behind a proxy.\n Thanks [@backjo](https://github.com/backjo) for this contribution!\n [#10723](https://github.com/Kong/kong/pull/10723)\n\n#### Admin API\n\n- The `/upstreams//health?balancer_health=1` endpoint always shows the balancer health,\n through a new attribute balancer_health, which always returns HEALTHY or UNHEALTHY (reporting\n the true state of the balancer), even if the overall upstream health status is HEALTHCHECKS_OFF.\n This is useful for debugging.\n [#5885](https://github.com/Kong/kong/pull/5885)\n\n#### Status API\n\n- The `status_listen` server has been enhanced with the addition of the\n `/status/ready` API for monitoring Kong's health.\n This endpoint provides a `200` response upon receiving a `GET` request,\n but only if a valid, non-empty configuration is loaded and Kong is\n prepared to process user requests.\n Load balancers frequently utilize this functionality to ascertain\n Kong's availability to distribute incoming requests.\n [#10610](https://github.com/Kong/kong/pull/10610)\n [#10787](https://github.com/Kong/kong/pull/10787)\n\n#### Plugins\n\n- **ACME**: acme plugin now supports configuring an `account_key` in `keys` and `key_sets`\n [#9746](https://github.com/Kong/kong/pull/9746)\n- **Proxy-Cache**: add `ignore_uri_case` to configuring cache-key uri to be handled as lowercase\n [#10453](https://github.com/Kong/kong/pull/10453)\n- **HTTP-Log**: add `application/json; charset=utf-8` option for the `Content-Type` header\n in the http-log plugin, for log collectors that require that character set declaration.\n [#10533](https://github.com/Kong/kong/pull/10533)\n- **DataDog**: supports value of `host` to be referenceable.\n [#10484](https://github.com/Kong/kong/pull/10484)\n- **Zipkin&Opentelemetry**: convert traceid in http response headers to hex format\n [#10534](https://github.com/Kong/kong/pull/10534)\n- **ACME**: acme plugin now supports configuring `namespace` for redis storage\n which is default to empty string for backward compatibility.\n [#10562](https://github.com/Kong/kong/pull/10562)\n- **AWS Lambda**: add a new field `disable_https` to support scheme config on lambda service api endpoint\n [#9799](https://github.com/Kong/kong/pull/9799)\n- **OpenTelemetry**: spans are now correctly correlated in downstream Datadog traces.\n [10531](https://github.com/Kong/kong/pull/10531)\n- **OpenTelemetry**: add `header_type` field in OpenTelemetry plugin.\n Previously, the `header_type` was hardcoded to `preserve`, now it can be set to one of the\n following values: `preserve`, `ignore`, `b3`, `b3-single`, `w3c`, `jaeger`, `ot`.\n [#10620](https://github.com/Kong/kong/pull/10620)\n\n#### PDK\n\n- PDK now supports getting plugins' ID with `kong.plugin.get_id`.\n [#9903](https://github.com/Kong/kong/pull/9903)\n\n### Fixes\n\n#### Core\n\n- Fixed an issue where upstream keepalive pool has CRC32 collision.\n [#9856](https://github.com/Kong/kong/pull/9856)\n- Fix an issue where control plane does not downgrade config for `aws_lambda` and `zipkin` for older version of data planes.\n [#10346](https://github.com/Kong/kong/pull/10346)\n- Fix an issue where control plane does not rename fields correctly for `session` for older version of data planes.\n [#10352](https://github.com/Kong/kong/pull/10352)\n- Fix an issue where validation to regex routes may be skipped when the old-fashioned config is used for DB-less Kong.\n [#10348](https://github.com/Kong/kong/pull/10348)\n- Fix and issue where tracing may cause unexpected behavior.\n [#10364](https://github.com/Kong/kong/pull/10364)\n- Fix an issue where balancer passive healthcheck would use wrong status code when kong changes status code\n from upstream in `header_filter` phase.\n [#10325](https://github.com/Kong/kong/pull/10325)\n [#10592](https://github.com/Kong/kong/pull/10592)\n- Fix an issue where schema validations failing in a nested record did not propagate the error correctly.\n [#10449](https://github.com/Kong/kong/pull/10449)\n- Fixed an issue where dangling Unix sockets would prevent Kong from restarting in\n Docker containers if it was not cleanly stopped.\n [#10468](https://github.com/Kong/kong/pull/10468)\n- Fix an issue where sorting function for traditional router sources/destinations lead to \"invalid order\n function for sorting\" error.\n [#10514](https://github.com/Kong/kong/pull/10514)\n- Fix the UDP socket leak caused by frequent DNS queries.\n [#10691](https://github.com/Kong/kong/pull/10691)\n- Fix a typo of mlcache option `shm_set_tries`.\n [#10712](https://github.com/Kong/kong/pull/10712)\n- Fix an issue where slow start up of Go plugin server causes dead lock.\n [#10561](https://github.com/Kong/kong/pull/10561)\n- Tracing: fix an issue that caused the `sampled` flag of incoming propagation\n headers to be handled incorrectly and only affect some spans.\n [#10655](https://github.com/Kong/kong/pull/10655)\n- Tracing: fix an issue that was preventing `http_client` spans to be created for OpenResty HTTP client requests.\n [#10680](https://github.com/Kong/kong/pull/10680)\n- Tracing: fix an approximation issue that resulted in reduced precision of the balancer span start and end times.\n [#10681](https://github.com/Kong/kong/pull/10681)\n- Tracing: tracing_sampling_rate defaults to 0.01 (trace one of every 100 requests) instead of the previous 1\n (trace all requests). Tracing all requests is inappropriate for most production systems\n [#10774](https://github.com/Kong/kong/pull/10774)\n- Fix issue when stopping a Kong could error out if using Vault references\n [#10775](https://github.com/Kong/kong/pull/10775)\n- Fix issue where Vault configuration stayed sticky and cached even when configurations were changed.\n [#10776](https://github.com/Kong/kong/pull/10776)\n- Backported the openresty `ngx.print` chunk encoding buffer double free bug fix that\n leads to the corruption of chunk-encoded response data.\n [#10816](https://github.com/Kong/kong/pull/10816)\n [#10824](https://github.com/Kong/kong/pull/10824)\n\n\n#### Admin API\n\n- Fix an issue where empty value of URI argument `custom_id` crashes `/consumer`.\n [#10475](https://github.com/Kong/kong/pull/10475)\n\n#### Plugins\n\n- **Request-Transformer**: fix an issue where requests would intermittently\n be proxied with incorrect query parameters.\n [10539](https://github.com/Kong/kong/pull/10539)\n- **Request Transformer**: honor value of untrusted_lua configuration parameter\n [#10327](https://github.com/Kong/kong/pull/10327)\n- **OAuth2**: fix an issue that OAuth2 token was being cached to nil while access to the wrong service first.\n [#10522](https://github.com/Kong/kong/pull/10522)\n- **OpenTelemetry**: fix an issue that reconfigure of OpenTelemetry does not take effect.\n [#10172](https://github.com/Kong/kong/pull/10172)\n- **OpenTelemetry**: fix an issue that caused spans to be propagated incorrectly\n resulting in a wrong hierarchy being rendered on tracing backends.\n [#10663](https://github.com/Kong/kong/pull/10663)\n- **gRPC gateway**: `null` in the JSON payload caused an uncaught exception to be thrown during pb.encode.\n [#10687](https://github.com/Kong/kong/pull/10687)\n- **Oauth2**: prevent an authorization code created by one plugin instance to be exchanged for an access token by a different plugin instance.\n [#10011](https://github.com/Kong/kong/pull/10011)\n- **gRPC gateway**: fixed an issue that empty arrays in JSON are incorrectly encoded as `\"{}\"`; they are\nnow encoded as `\"[]\"` to comply with standard.\n [#10790](https://github.com/Kong/kong/pull/10790)\n\n#### PDK\n\n- Fixed an issue for tracing PDK where sample rate does not work.\n [#10485](https://github.com/Kong/kong/pull/10485)\n\n### Changed\n\n#### Core\n\n- Postgres TTL cleanup timer will now only run on traditional and control plane nodes that have enabled the Admin API.\n [#10405](https://github.com/Kong/kong/pull/10405)\n- Postgres TTL cleanup timer now runs a batch delete loop on each ttl enabled table with a number of 50.000 rows per batch.\n [#10407](https://github.com/Kong/kong/pull/10407)\n- Postgres TTL cleanup timer now runs every 5 minutes instead of every 60 seconds.\n [#10389](https://github.com/Kong/kong/pull/10389)\n- Postgres TTL cleanup timer now deletes expired rows based on database server-side timestamp to avoid potential\n problems caused by the difference of clock time between Kong and database server.\n [#10389](https://github.com/Kong/kong/pull/10389)\n\n#### PDK\n\n- `request.get_uri_captures` now returns the unnamed part tagged as an array (for jsonification).\n [#10390](https://github.com/Kong/kong/pull/10390)\n\n#### Plugins\n\n- **Request-Termination**: If the echo option was used, it would not return the uri-captures.\n [#10390](https://github.com/Kong/kong/pull/10390)\n- **OpenTelemetry**: add `http_response_header_for_traceid` field in OpenTelemetry plugin.\n The plugin will set the corresponding header in the response\n if the field is specified with a string value.\n [#10379](https://github.com/Kong/kong/pull/10379)\n\n### Dependencies\n\n- Bumped lua-resty-session from 4.0.2 to 4.0.3\n [#10338](https://github.com/Kong/kong/pull/10338)\n- Bumped lua-protobuf from 0.3.3 to 0.5.0\n [#10137](https://github.com/Kong/kong/pull/10413)\n [#10790](https://github.com/Kong/kong/pull/10790)\n- Bumped lua-resty-timer-ng from 0.2.3 to 0.2.5\n [#10419](https://github.com/Kong/kong/pull/10419)\n [#10664](https://github.com/Kong/kong/pull/10664)\n- Bumped lua-resty-openssl from 0.8.17 to 0.8.20\n [#10463](https://github.com/Kong/kong/pull/10463)\n [#10476](https://github.com/Kong/kong/pull/10476)\n- Bumped lua-resty-http from 0.17.0.beta.1 to 0.17.1\n [#10547](https://github.com/Kong/kong/pull/10547)\n- Bumped LuaSec from 1.2.0 to 1.3.1\n [#10528](https://github.com/Kong/kong/pull/10528)\n- Bumped lua-resty-acme from 0.10.1 to 0.11.0\n [#10562](https://github.com/Kong/kong/pull/10562)\n- Bumped lua-resty-events from 0.1.3 to 0.1.4\n [#10634](https://github.com/Kong/kong/pull/10634)\n- Bumped lua-kong-nginx-module from 0.5.1 to 0.6.0\n [#10288](https://github.com/Kong/kong/pull/10288)\n- Bumped lua-resty-lmdb from 1.0.0 to 1.1.0\n [#10766](https://github.com/Kong/kong/pull/10766)\n\n## 3.2.0\n\n### Breaking Changes\n\n#### Plugins\n\n- **JWT**: JWT plugin now denies a request that has different tokens in the jwt token search locations.\n [#9946](https://github.com/Kong/kong/pull/9946)\n- **Session**: for sessions to work as expected it is required that all nodes run Kong >= 3.2.x.\n For that reason it is advisable that during upgrades mixed versions of proxy nodes run for\n as little as possible. During that time, the invalid sessions could cause failures and partial downtime.\n All existing sessions are invalidated when upgrading to this version.\n The parameter `idling_timeout` now has a default value of `900`: unless configured differently,\n sessions expire after 900 seconds (15 minutes) of idling.\n The parameter `absolute_timeout` has a default value of `86400`: unless configured differently,\n sessions expire after 86400 seconds (24 hours).\n [#10199](https://github.com/Kong/kong/pull/10199)\n- **Proxy Cache**: Add wildcard and parameter match support for content_type\n [#10209](https://github.com/Kong/kong/pull/10209)\n\n### Additions\n\n#### Core\n\n- Expose postgres connection pool configuration.\n [#9603](https://github.com/Kong/kong/pull/9603)\n- When `router_flavor` is `traditional_compatible`, verify routes created using the\n Expression router instead of the traditional router to ensure created routes\n are actually compatible.\n [#9987](https://github.com/Kong/kong/pull/9987)\n- Nginx charset directive can now be configured with Nginx directive injections\n [#10111](https://github.com/Kong/kong/pull/10111)\n- Services upstream TLS config is extended to stream subsystem.\n [#9947](https://github.com/Kong/kong/pull/9947)\n- New configuration option `ssl_session_cache_size` to set the Nginx directive `ssl_session_cache`.\n This config defaults to `10m`.\n Thanks [Michael Kotten](https://github.com/michbeck100) for contributing this change.\n [#10021](https://github.com/Kong/kong/pull/10021)\n\n#### Balancer\n\n- Add a new load-balancing `algorithm` option `latency` to the `Upstream` entity.\n This algorithm will choose a target based on the response latency of each target\n from prior requests.\n [#9787](https://github.com/Kong/kong/pull/9787)\n\n#### Plugins\n\n- **Plugin**: add an optional field `instance_name` that identifies a\n particular plugin entity.\n [#10077](https://github.com/Kong/kong/pull/10077)\n- **Zipkin**: Add support to set the durations of Kong phases as span tags\n through configuration property `config.phase_duration_flavor`.\n [#9891](https://github.com/Kong/kong/pull/9891)\n- **HTTP logging**: Suppport value of `headers` to be referenceable.\n [#9948](https://github.com/Kong/kong/pull/9948)\n- **AWS Lambda**: Add `aws_imds_protocol_version` configuration\n parameter that allows the selection of the IMDS protocol version.\n Defaults to `v1`, can be set to `v2` to enable IMDSv2.\n [#9962](https://github.com/Kong/kong/pull/9962)\n- **OpenTelemetry**: Support scoping with services, routes and consumers.\n [#10096](https://github.com/Kong/kong/pull/10096)\n- **Statsd**: Add `tag_style` configuration\n parameter that allows to send metrics with [tags](https://github.com/prometheus/statsd_exporter#tagging-extensions).\n Defaults to `nil` which means do not add any tags\n to the metrics.\n [#10118](https://github.com/Kong/kong/pull/10118)\n- **Session**: now uses lua-resty-session v4.0.0\n [#10199](https://github.com/Kong/kong/pull/10199)\n\n#### Admin API\n\n- In dbless mode, `/config` API endpoint can now flatten entity-related schema\n validation errors to a single array via the optional `flatten_errors` query\n parameter. Non-entity errors remain unchanged in this mode.\n [#10161](https://github.com/Kong/kong/pull/10161)\n [#10256](https://github.com/Kong/kong/pull/10256)\n\n#### PDK\n\n- Support for `upstream_status` field in log serializer.\n [#10296](https://github.com/Kong/kong/pull/10296)\n\n### Fixes\n\n#### Core\n\n- Add back Postgres `FLOOR` function when calculating `ttl`, so the returned `ttl` is always a whole integer.\n [#9960](https://github.com/Kong/kong/pull/9960)\n- Fix an issue where after a valid declarative configuration is loaded,\n the configuration hash is incorrectly set to the value: `00000000000000000000000000000000`.\n [#9911](https://github.com/Kong/kong/pull/9911)\n- Update the batch queues module so that queues no longer grow without bounds if\n their consumers fail to process the entries. Instead, old batches are now dropped\n and an error is logged.\n [#10247](https://github.com/Kong/kong/pull/10247)\n- Fix an issue where 'X-Kong-Upstream-Status' cannot be emitted when response is buffered.\n [#10056](https://github.com/Kong/kong/pull/10056)\n\n#### Plugins\n\n- **Zipkin**: Fix an issue where the global plugin's sample ratio overrides route-specific.\n [#9877](https://github.com/Kong/kong/pull/9877)\n- **JWT**: Deny requests that have different tokens in the jwt token search locations. Thanks Jackson 'Che-Chun' Kuo from Latacora for reporting this issue.\n [#9946](https://github.com/Kong/kong/pull/9946)\n- **Statsd**: Fix a bug in the StatsD plugin batch queue processing where metrics are published multiple times.\n [#10052](https://github.com/Kong/kong/pull/10052)\n- **Datadog**: Fix a bug in the Datadog plugin batch queue processing where metrics are published multiple times.\n [#10044](https://github.com/Kong/kong/pull/10044)\n- **OpenTelemetry**: Fix non-compliances to specification:\n - For `http.uri` in spans. The field should be full HTTP URI.\n [#10069](https://github.com/Kong/kong/pull/10069)\n - For `http.status_code`. It should be present on spans for requests that have a status code.\n [#10160](https://github.com/Kong/kong/pull/10160)\n - For `http.flavor`. It should be a string value, not a double.\n [#10160](https://github.com/Kong/kong/pull/10160)\n- **OpenTelemetry**: Fix a bug that when getting the trace of other formats, the trace ID reported and propagated could be of incorrect length.\n [#10332](https://github.com/Kong/kong/pull/10332)\n- **OAuth2**: `refresh_token_ttl` is now limited between `0` and `100000000` by schema validator. Previously numbers that are too large causes requests to fail.\n [#10068](https://github.com/Kong/kong/pull/10068)\n\n### Changed\n\n#### Core\n\n- Improve error message for invalid JWK entities.\n [#9904](https://github.com/Kong/kong/pull/9904)\n- Renamed two configuration properties:\n * `opentelemetry_tracing` => `tracing_instrumentations`\n * `opentelemetry_tracing_sampling_rate` => `tracing_sampling_rate`\n\n The old `opentelemetry_*` properties are considered deprecated and will be\n fully removed in a future version of Kong.\n [#10122](https://github.com/Kong/kong/pull/10122)\n [#10220](https://github.com/Kong/kong/pull/10220)\n\n#### Hybrid Mode\n\n- Revert the removal of WebSocket protocol support for configuration sync,\n and disable the wRPC protocol.\n [#9921](https://github.com/Kong/kong/pull/9921)\n\n### Dependencies\n\n- Bumped luarocks from 3.9.1 to 3.9.2\n [#9942](https://github.com/Kong/kong/pull/9942)\n- Bumped atc-router from 1.0.1 to 1.0.5\n [#9925](https://github.com/Kong/kong/pull/9925)\n [#10143](https://github.com/Kong/kong/pull/10143)\n [#10208](https://github.com/Kong/kong/pull/10208)\n- Bumped lua-resty-openssl from 0.8.15 to 0.8.17\n [#9583](https://github.com/Kong/kong/pull/9583)\n [#10144](https://github.com/Kong/kong/pull/10144)\n- Bumped lua-kong-nginx-module from 0.5.0 to 0.5.1\n [#10181](https://github.com/Kong/kong/pull/10181)\n- Bumped lua-resty-session from 3.10 to 4.0.2\n [#10199](https://github.com/Kong/kong/pull/10199)\n [#10230](https://github.com/Kong/kong/pull/10230)\n [#10308](https://github.com/Kong/kong/pull/10308)\n- Bumped OpenSSL from 1.1.1s to 1.1.1t\n [#10266](https://github.com/Kong/kong/pull/10266)\n- Bumped lua-resty-timer-ng from 0.2.0 to 0.2.3\n [#10265](https://github.com/Kong/kong/pull/10265)\n\n\n## 3.1.0\n\n### Breaking Changes\n\n#### Core\n\n- Change the reponse body for a TRACE method from `The upstream server responded with 405`\n to `Method not allowed`, make the reponse to show more clearly that Kong do not support\n TRACE method.\n [#9448](https://github.com/Kong/kong/pull/9448)\n- Add `allow_debug_header` Kong conf to allow use of the `Kong-Debug` header for debugging.\n This option defaults to `off`.\n [#10054](https://github.com/Kong/kong/pull/10054)\n [#10125](https://github.com/Kong/kong/pull/10125)\n\n\n### Additions\n\n#### Core\n\n- Allow `kong.conf` ssl properties to be stored in vaults or environment\n variables. Allow such properties to be configured directly as content\n or base64 encoded content.\n [#9253](https://github.com/Kong/kong/pull/9253)\n- Add support for full entity transformations in schemas\n [#9431](https://github.com/Kong/kong/pull/9431)\n- Allow schema `map` type field being marked as referenceable.\n [#9611](https://github.com/Kong/kong/pull/9611)\n- Add support for dynamically changing the log level\n [#9744](https://github.com/Kong/kong/pull/9744)\n- Add `keys` entity to store and manage asymmetric keys.\n [#9737](https://github.com/Kong/kong/pull/9737)\n- Add `key-sets` entity to group and manage `keys`\n [#9737](https://github.com/Kong/kong/pull/9737)\n\n#### Plugins\n\n- **Rate-limiting**: The HTTP status code and response body for rate-limited\n requests can now be customized. Thanks, [@utix](https://github.com/utix)!\n [#8930](https://github.com/Kong/kong/pull/8930)\n- **Zipkin**: add `response_header_for_traceid` field in Zipkin plugin.\n The plugin will set the corresponding header in the response\n if the field is specified with a string value.\n [#9173](https://github.com/Kong/kong/pull/9173)\n- **AWS Lambda**: add `requestContext` field into `awsgateway_compatible` input data\n [#9380](https://github.com/Kong/kong/pull/9380)\n- **ACME**: add support for Redis SSL, through configuration properties\n `config.storage_config.redis.ssl`, `config.storage_config.redis.ssl_verify`,\n and `config.storage_config.redis.ssl_server_name`.\n [#9626](https://github.com/Kong/kong/pull/9626)\n- **Session**: Add new config `cookie_persistent` that allows browser to persist\n cookies even if browser is closed. This defaults to `false` which means\n cookies are not persistend across browser restarts. Thanks [@tschaume](https://github.com/tschaume)\n for this contribution!\n [#8187](https://github.com/Kong/kong/pull/8187)\n- **Response-rate-limiting**: add support for Redis SSL, through configuration properties\n `redis_ssl` (can be set to `true` or `false`), `ssl_verify`, and `ssl_server_name`.\n [#8595](https://github.com/Kong/kong/pull/8595)\n Thanks [@dominikkukacka](https://github.com/dominikkukacka)!\n- **OpenTelemetry**: add referenceable attribute to the `headers` field\n that could be stored in vaults.\n [#9611](https://github.com/Kong/kong/pull/9611)\n- **HTTP-Log**: Support `http_endpoint` field to be referenceable\n [#9714](https://github.com/Kong/kong/pull/9714)\n- **rate-limiting**: Add a new configuration `sync_rate` to the `redis` policy,\n which synchronizes metrics to redis periodically instead of on every request.\n [#9538](https://github.com/Kong/kong/pull/9538)\n\n\n#### Hybrid Mode\n\n- Data plane node IDs will now persist across restarts.\n [#9067](https://github.com/Kong/kong/pull/9067)\n- Add HTTP CONNECT forward proxy support for Hybrid Mode connections. New configuration\n options `cluster_use_proxy`, `proxy_server` and `proxy_server_ssl_verify` are added.\n [#9758](https://github.com/Kong/kong/pull/9758)\n [#9773](https://github.com/Kong/kong/pull/9773)\n\n#### Performance\n\n- Increase the default value of `lua_regex_cache_max_entries`, a warning will be thrown\n when there are too many regex routes and `router_flavor` is `traditional`.\n [#9624](https://github.com/Kong/kong/pull/9624)\n- Add batch queue into the Datadog and StatsD plugin to reduce timer usage.\n [#9521](https://github.com/Kong/kong/pull/9521)\n\n#### PDK\n\n- Extend `kong.client.tls.request_client_certificate` to support setting\n the Distinguished Name (DN) list hints of the accepted CA certificates.\n [#9768](https://github.com/Kong/kong/pull/9768)\n\n### Fixes\n\n#### Core\n\n- Fix issue where external plugins crashing with unhandled exceptions\n would cause high CPU utilization after the automatic restart.\n [#9384](https://github.com/Kong/kong/pull/9384)\n- Fix issue where Zipkin plugin cannot parse OT baggage headers\n due to invalid OT baggage pattern. [#9280](https://github.com/Kong/kong/pull/9280)\n- Add `use_srv_name` options to upstream for balancer.\n [#9430](https://github.com/Kong/kong/pull/9430)\n- Fix issue in `header_filter` instrumentation where the span was not\n correctly created.\n [#9434](https://github.com/Kong/kong/pull/9434)\n- Fix issue in router building where when field contains an empty table,\n the generated expression is invalid.\n [#9451](https://github.com/Kong/kong/pull/9451)\n- Fix issue in router rebuilding where when paths field is invalid,\n the router's mutex is not released properly.\n [#9480](https://github.com/Kong/kong/pull/9480)\n- Fixed an issue where `kong docker-start` would fail if `KONG_PREFIX` was set to\n a relative path.\n [#9337](https://github.com/Kong/kong/pull/9337)\n- Fixed an issue with error-handling and process cleanup in `kong start`.\n [#9337](https://github.com/Kong/kong/pull/9337)\n\n#### Hybrid Mode\n\n- Fixed a race condition that can cause configuration push events to be dropped\n when the first data-plane connection is established with a control-plane\n worker.\n [#9616](https://github.com/Kong/kong/pull/9616)\n\n#### CLI\n\n- Fix slow CLI performance due to pending timer jobs\n [#9536](https://github.com/Kong/kong/pull/9536)\n\n#### Admin API\n\n- Increase the maximum request argument number from `100` to `1000`,\n and return `400` error if request parameters reach the limitation to\n avoid being truncated.\n [#9510](https://github.com/Kong/kong/pull/9510)\n- Paging size parameter is now propogated to next page if specified\n in current request.\n [#9503](https://github.com/Kong/kong/pull/9503)\n- Non-normalized prefix route path is now rejected. It will also suggest\n how to write the path in normalized form.\n [#9760](https://github.com/Kong/kong/pull/9760)\n\n#### PDK\n\n- Added support for `kong.request.get_uri_captures`\n (`kong.request.getUriCaptures`)\n [#9512](https://github.com/Kong/kong/pull/9512)\n- Fixed parameter type of `kong.service.request.set_raw_body`\n (`kong.service.request.setRawBody`), return type of\n `kong.service.response.get_raw_body`(`kong.service.request.getRawBody`),\n and body parameter type of `kong.response.exit` to bytes. Note that old\n version of go PDK is incompatible after this change.\n [#9526](https://github.com/Kong/kong/pull/9526)\n- Vault will not call `semaphore:wait` in `init` or `init_worker` phase.\n [#9851](https://github.com/Kong/kong/pull/9851)\n\n#### Plugins\n\n- Add missing `protocols` field to various plugin schemas.\n [#9525](https://github.com/Kong/kong/pull/9525)\n- **AWS Lambda**: Fix an issue that is causing inability to\n read environment variables in ECS environment.\n [#9460](https://github.com/Kong/kong/pull/9460)\n- **Request-Transformer**: fix a bug when header renaming will override\n existing header and cause unpredictable result.\n [#9442](https://github.com/Kong/kong/pull/9442)\n- **OpenTelemetry**:\n - Fix an issue that the default propagation header\n is not configured to `w3c` correctly.\n [#9457](https://github.com/Kong/kong/pull/9457)\n - Replace the worker-level table cache with\n `BatchQueue` to avoid data race.\n [#9504](https://github.com/Kong/kong/pull/9504)\n - Fix an issue that the `parent_id` is not set\n on the span when propagating w3c traceparent.\n [#9628](https://github.com/Kong/kong/pull/9628)\n- **Response-Transformer**: Fix the bug that Response-Transformer plugin\n breaks when receiving an unexcepted body.\n [#9463](https://github.com/Kong/kong/pull/9463)\n- **HTTP-Log**: Fix an issue where queue id serialization\n does not include `queue_size` and `flush_timeout`.\n [#9789](https://github.com/Kong/kong/pull/9789)\n\n### Changed\n\n#### Hybrid Mode\n\n- The legacy hybrid configuration protocol has been removed in favor of the wRPC\n protocol introduced in 3.0.\n [#9740](https://github.com/Kong/kong/pull/9740)\n\n### Dependencies\n\n- Bumped openssl from 1.1.1q to 1.1.1s\n [#9674](https://github.com/Kong/kong/pull/9674)\n- Bumped atc-router from 1.0.0 to 1.0.1\n [#9558](https://github.com/Kong/kong/pull/9558)\n- Bumped lua-resty-openssl from 0.8.10 to 0.8.15\n [#9583](https://github.com/Kong/kong/pull/9583)\n [#9600](https://github.com/Kong/kong/pull/9600)\n [#9675](https://github.com/Kong/kong/pull/9675)\n- Bumped lyaml from 6.2.7 to 6.2.8\n [#9607](https://github.com/Kong/kong/pull/9607)\n- Bumped lua-resty-acme from 0.8.1 to 0.9.0\n [#9626](https://github.com/Kong/kong/pull/9626)\n- Bumped resty.healthcheck from 1.6.1 to 1.6.2\n [#9778](https://github.com/Kong/kong/pull/9778)\n- Bumped pgmoon from 1.15.0 to 1.16.0\n [#9815](https://github.com/Kong/kong/pull/9815)\n\n\n## [3.0.1]\n\n### Fixes\n\n#### Core\n\n- Fix issue where Zipkin plugin cannot parse OT baggage headers\n due to invalid OT baggage pattern. [#9280](https://github.com/Kong/kong/pull/9280)\n- Fix issue in `header_filter` instrumentation where the span was not\n correctly created.\n [#9434](https://github.com/Kong/kong/pull/9434)\n- Fix issue in router building where when field contains an empty table,\n the generated expression is invalid.\n [#9451](https://github.com/Kong/kong/pull/9451)\n- Fix issue in router rebuilding where when paths field is invalid,\n the router's mutex is not released properly.\n [#9480](https://github.com/Kong/kong/pull/9480)\n- Fixed an issue where `kong docker-start` would fail if `KONG_PREFIX` was set to\n a relative path.\n [#9337](https://github.com/Kong/kong/pull/9337)\n- Fixed an issue with error-handling and process cleanup in `kong start`.\n [#9337](https://github.com/Kong/kong/pull/9337)\n\n\n## [3.0.0]\n\n> Released 2022/09/12\n\nThis major release adds a new router written in Rust and a tracing API\nthat is compatible with the OpenTelemetry API spec. Furthermore,\nvarious internal changes have been made to improve Kong's performance\nand memory consumption. As it is a major release, users are advised\nto review the list of braking changes to determine whether\nconfiguration changes are needed when upgrading.\n\n### Breaking Changes\n\n#### Deployment\n\n- Blue-green deployment from Kong earlier than `2.1.0` is not supported, upgrade to\n `2.1.0` or later before upgrading to `3.0.0` to have blue-green deployment.\n Thank you [@marc-charpentier]((https://github.com/charpentier)) for reporting issue\n and proposing a pull-request.\n [#8896](https://github.com/Kong/kong/pull/8896)\n- Deprecate/stop producing Amazon Linux (1) containers and packages (EOLed December 31, 2020)\n [Kong/docs.konghq.com #3966](https://github.com/Kong/docs.konghq.com/pull/3966)\n- Deprecate/stop producing Debian 8 \"Jessie\" containers and packages (EOLed June 2020)\n [Kong/kong-build-tools #448](https://github.com/Kong/kong-build-tools/pull/448)\n [Kong/kong-distributions #766](https://github.com/Kong/kong-distributions/pull/766)\n\n#### Core\n\n\n- Kong schema library's `process_auto_fields` function will not any more make a deep\n copy of data that is passed to it when the given context is `\"select\"`. This was\n done to avoid excessive deep copying of tables where we believe the data most of\n the time comes from a driver like `pgmoon` or `lmdb`. If a custom plugin relied\n on `process_auto_fields` not overriding the given table, it must make its own copy\n before passing it to the function now.\n [#8796](https://github.com/Kong/kong/pull/8796)\n- The deprecated `shorthands` field in Kong Plugin or DAO schemas was removed in favor\n or the typed `shorthand_fields`. If your custom schemas still use `shorthands`, you\n need to update them to use `shorthand_fields`.\n [#8815](https://github.com/Kong/kong/pull/8815)\n- The support for `legacy = true/false` attribute was removed from Kong schemas and\n Kong field schemas.\n [#8958](https://github.com/Kong/kong/pull/8958)\n- The deprecated alias of `Kong.serve_admin_api` was removed. If your custom Nginx\n templates still use it, please change it to `Kong.admin_content`.\n [#8815](https://github.com/Kong/kong/pull/8815)\n- The Kong singletons module `\"kong.singletons\"` was removed in favor of the PDK `kong.*`.\n [#8874](https://github.com/Kong/kong/pull/8874)\n- The dataplane config cache was removed. The config persistence is now done automatically with LMDB.\n [#8704](https://github.com/Kong/kong/pull/8704)\n- `ngx.ctx.balancer_address` does not exist anymore, please use `ngx.ctx.balancer_data` instead.\n [#9043](https://github.com/Kong/kong/pull/9043)\n- We have changed the normalization rules for `route.path`: Kong stores the unnormalized path, but\n regex path always pattern matches with the normalized URI. We used to replace percent-encoding\n in regex path pattern to ensure different forms of URI matches.\n That is no longer supported. Except for reserved characters defined in\n [rfc3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2),\n we should write all other characters without percent-encoding.\n [#9024](https://github.com/Kong/kong/pull/9024)\n- Kong will no longer use an heuristic to guess whether a `route.path` is a regex pattern. From now 3.0 onwards,\n all regex paths must start with the `\"~\"` prefix, and all paths that don't start with `\"~\"` will be considered plain text.\n The migration process should automatically convert the regex paths when upgrading from 2.x to 3.0\n [#9027](https://github.com/Kong/kong/pull/9027)\n- Bumping version number (`_format_version`) of declarative configuration to \"3.0\" for changes on `route.path`.\n Declaritive configuration with older version are upgraded to \"3.0\" on the fly.\n [#9078](https://github.com/Kong/kong/pull/9078)\n- Removed deprecated `config.functions` from serverless-functions plugin's schema,\n please use `config.access` phase instead.\n [#8559](https://github.com/Kong/kong/pull/8559)\n- Tags may now contain space characters.\n [#9143](https://github.com/Kong/kong/pull/9143)\n- The [Secrets Management](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/)\n feature, which has been in beta since release 2.8.0, is now included as a regular feature.\n [#8871](https://github.com/Kong/kong/pull/8871)\n [#9217](https://github.com/Kong/kong/pull/9217)\n\n#### Admin API\n\n- `POST` requests on Targets endpoint are no longer able to update\n existing entities, they are only able to create new ones.\n [#8596](https://github.com/Kong/kong/pull/8596),\n [#8798](https://github.com/Kong/kong/pull/8798). If you have scripts that use\n `POST` requests to modify Targets, you should change them to `PUT`\n requests to the appropriate endpoints before updating to Kong 3.0.\n- Insert and update operations on duplicated Targets returns 409.\n [#8179](https://github.com/Kong/kong/pull/8179),\n [#8768](https://github.com/Kong/kong/pull/8768)\n- The list of reported plugins available on the server now returns a table of\n metadata per plugin instead of a boolean `true`.\n [#8810](https://github.com/Kong/kong/pull/8810)\n\n#### PDK\n\n- The `kong.request.get_path()` PDK function now performs path normalization\n on the string that is returned to the caller. The raw, non-normalized version\n of the request path can be fetched via `kong.request.get_raw_path()`.\n [#8823](https://github.com/Kong/kong/pull/8823)\n- `pdk.response.set_header()`, `pdk.response.set_headers()`, `pdk.response.exit()` now ignore and emit warnings for manually set `Transfer-Encoding` headers.\n [#8698](https://github.com/Kong/kong/pull/8698)\n- The PDK is no longer versioned\n [#8585](https://github.com/Kong/kong/pull/8585)\n- The JavaScript PDK now returns `Uint8Array` for `kong.request.getRawBody`,\n `kong.response.getRawBody` and `kong.service.response.getRawBody`. The Python PDK returns `bytes` for `kong.request.get_raw_body`,\n `kong.response.get_raw_body`, `kong.service.response.get_raw_body`. All these funtions used to return strings in the past.\n [#8623](https://github.com/Kong/kong/pull/8623)\n\n#### Plugins\n\n- DAOs in plugins must be listed in an array, so that their loading order is explicit. Loading them in a\n hash-like table is no longer supported.\n [#8988](https://github.com/Kong/kong/pull/8988)\n- Plugins MUST now have a valid `PRIORITY` (integer) and `VERSION` (\"x.y.z\" format)\n field in their `handler.lua` file, otherwise the plugin will fail to load.\n [#8836](https://github.com/Kong/kong/pull/8836)\n- The old `kong.plugins.log-serializers.basic` library was removed in favor of the PDK\n function `kong.log.serialize`, please upgrade your plugins to use PDK.\n [#8815](https://github.com/Kong/kong/pull/8815)\n- The support for deprecated legacy plugin schemas was removed. If your custom plugins\n still use the old (`0.x era`) schemas, you are now forced to upgrade them.\n [#8815](https://github.com/Kong/kong/pull/8815)\n- Some plugins received new priority values.\n This is important for those who run custom plugins as it may affect the sequence your plugins are executed.\n Note that this does not change the order of execution for plugins in a standard kong installation.\n List of plugins and their old and new priority value:\n - `acme` changed from 1007 to 1705\n - `basic-auth` changed from 1001 to 1100\n - `hmac-auth` changed from 1000 to 1030\n - `jwt` changed from 1005 to 1450\n - `key-auth` changed from 1003 to 1250\n - `ldap-auth` changed from 1002 to 1200\n - `oauth2` changed from 1004 to 1400\n - `rate-limiting` changed from 901 to 910\n- **HTTP-log**: `headers` field now only takes a single string per header name,\n where it previously took an array of values\n [#6992](https://github.com/Kong/kong/pull/6992)\n- **AWS Lambda**: `aws_region` field must be set through either plugin config or environment variables,\n allow both `host` and `aws_region` fields, and always apply SigV4 signature.\n [#8082](https://github.com/Kong/kong/pull/8082)\n- **Serverless Functions** Removed deprecated `config.functions`,\n please use `config.access` instead.\n [#8559](https://github.com/Kong/kong/pull/8559)\n- **Serverless Functions**: The pre-functions plugin changed priority from `+inf` to `1000000`.\n [#8836](https://github.com/Kong/kong/pull/8836)\n- **JWT**: The authenticated JWT is no longer put into the nginx\n context (ngx.ctx.authenticated_jwt_token). Custom plugins which depend on that\n value being set under that name must be updated to use Kong's shared context\n instead (kong.ctx.shared.authenticated_jwt_token) before upgrading to 3.0\n- **Prometheus**: The prometheus metrics have been reworked extensively for 3.0.\n - Latency has been split into 4 different metrics: kong_latency_ms, upstream_latency_ms and request_latency_ms (http) /tcp_session_duration_ms (stream). Buckets details below.\n - Separate out Kong Latency Bucket values and Upstream Latency Bucket values.\n - `consumer_status` removed.\n - `request_count` and `consumer_status` have been merged into just `http_requests_total`. If the `per_consumer` config is set false, the consumer label will be empty.\n If the `per_consumer` config is true, it will be filled.\n - `http_requests_total` has a new label `source`, set to either `exit`, `error` or `service`.\n - New Metric: `node_info`. Single gauge set to 1 that outputs the node's id and kong version.\n - All Memory metrics have a new label `node_id`\n - `nginx_http_current_connections` merged with `nginx_stream_current_connection` into `nginx_current_connections`\n [#8712](https://github.com/Kong/kong/pull/8712)\n- **Prometheus**: The plugin doesn't export status codes, latencies, bandwidth and upstream\n healthcheck metrics by default. They can still be turned on manually by setting `status_code_metrics`,\n `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` respectively. Enabling those metrics will impact the performance if you have a large volume of Kong entities, we recommend using the [statsd](https://github.com/Kong/kong/tree/master/kong/plugins/statsd) plugin with the push model if that is the case. And now `prometheus` plugin new grafana [dashboard](https://grafana.com/grafana/dashboards/7424-kong-official/) updated\n [#9028](https://github.com/Kong/kong/pull/9028)\n- **ACME**: `allow_any_domain` field added. It is default to false and if set to true, the gateway will\n ignore the `domains` field.\n [#9047](https://github.com/Kong/kong/pull/9047)\n- **Statsd**:\n - The metric name that is related to the service has been renamed by adding a `service.` prefix. e.g. `kong.service..request.count` [#9046](https://github.com/Kong/kong/pull/9046)\n - The metric `kong..request.status.` and `kong..user..request.status.` has been renamed to `kong.service..status.` and `kong.service..user..status.` [#9046](https://github.com/Kong/kong/pull/9046)\n - The metric `*.status..total` from metrics `status_count` and `status_count_per_user` has been removed [#9046](https://github.com/Kong/kong/pull/9046)\n- **Proxy-cache**: The plugin does not store the response data in\n `ngx.ctx.proxy_cache_hit` anymore. Logging plugins that need the response data\n must read it from `kong.ctx.shared.proxy_cache_hit` from Kong 3.0 on.\n [#8607](https://github.com/Kong/kong/pull/8607)\n- **Rate-limiting**: The default policy is now `local` for all deployment modes.\n [#9344](https://github.com/Kong/kong/pull/9344)\n- **Response-rate-limiting**: The default policy is now `local` for all deployment modes.\n [#9344](https://github.com/Kong/kong/pull/9344)\n\n### Deprecations\n\n- The `go_pluginserver_exe` and `go_plugins_dir` directives are no longer supported.\n [#8552](https://github.com/Kong/kong/pull/8552). If you are using\n [Go plugin server](https://github.com/Kong/go-pluginserver), please migrate your plugins to use the\n [Go PDK](https://github.com/Kong/go-pdk) before upgrading.\n- The migration helper library (mostly used for Cassandra migrations) is no longer supplied with Kong\n [#8781](https://github.com/Kong/kong/pull/8781)\n- The path_handling algorithm `v1` is deprecated and only supported when `router_flavor` config option\n is set to `traditional`.\n [#9290](https://github.com/Kong/kong/pull/9290)\n\n#### Configuration\n\n- The Kong constant `CREDENTIAL_USERNAME` with value of `X-Credential-Username` was\n removed. Kong plugins in general have moved (since [#5516](https://github.com/Kong/kong/pull/5516))\n to use constant `CREDENTIAL_IDENTIFIER` with value of `X-Credential-Identifier` when\n setting the upstream headers for a credential.\n [#8815](https://github.com/Kong/kong/pull/8815)\n- Change the default of `lua_ssl_trusted_certificate` to `system`\n [#8602](https://github.com/Kong/kong/pull/8602) to automatically load trusted CA list from system CA store.\n- Remove a warning of `AAAA` being experimental with `dns_order`.\n- It is no longer possible to use a .lua format to import a declarative config from the `kong`\n command-line tool, only json and yaml are supported. If your update procedure with kong involves\n executing `kong config db_import config.lua`, please create a `config.json` or `config.yml` and\n use that before upgrading.\n [#8898](https://github.com/Kong/kong/pull/8898)\n- We bumped the version number (`_format_version`) of declarative configuration to \"3.0\" because of changes on `route.path`.\n Declarative configuration with older version should be upgraded to \"3.0\" on the fly.\n [#9078](https://github.com/Kong/kong/pull/9078)\n\n#### Migrations\n\n- Postgres migrations can now have an `up_f` part like Cassandra\n migrations, designating a function to call. The `up_f` part is\n invoked after the `up` part has been executed against the database\n for both Postgres and Cassandra.\n- A new CLI command, `kong migrations status`, generates the status on a JSON file.\n\n### Dependencies\n\n- Bumped OpenResty from 1.19.9.1 to [1.21.4.1](https://openresty.org/en/changelog-1021004.html)\n [#8850](https://github.com/Kong/kong/pull/8850)\n- Bumped pgmoon from 1.13.0 to 1.15.0\n [#8908](https://github.com/Kong/kong/pull/8908)\n [#8429](https://github.com/Kong/kong/pull/8429)\n- Bumped OpenSSL from 1.1.1n to 1.1.1q\n [#9074](https://github.com/Kong/kong/pull/9074)\n [#8544](https://github.com/Kong/kong/pull/8544)\n [#8752](https://github.com/Kong/kong/pull/8752)\n [#8994](https://github.com/Kong/kong/pull/8994)\n- Bumped resty.openssl from 0.8.8 to 0.8.10\n [#8592](https://github.com/Kong/kong/pull/8592)\n [#8753](https://github.com/Kong/kong/pull/8753)\n [#9023](https://github.com/Kong/kong/pull/9023)\n- Bumped inspect from 3.1.2 to 3.1.3\n [#8589](https://github.com/Kong/kong/pull/8589)\n- Bumped resty.acme from 0.7.2 to 0.8.1\n [#8680](https://github.com/Kong/kong/pull/8680)\n [#9165](https://github.com/Kong/kong/pull/9165)\n- Bumped luarocks from 3.8.0 to 3.9.1\n [#8700](https://github.com/Kong/kong/pull/8700)\n [#9204](https://github.com/Kong/kong/pull/9204)\n- Bumped luasec from 1.0.2 to 1.2.0\n [#8754](https://github.com/Kong/kong/pull/8754)\n [#8754](https://github.com/Kong/kong/pull/9205)\n- Bumped resty.healthcheck from 1.5.0 to 1.6.1\n [#8755](https://github.com/Kong/kong/pull/8755)\n [#9018](https://github.com/Kong/kong/pull/9018)\n [#9150](https://github.com/Kong/kong/pull/9150)\n- Bumped resty.cassandra from 1.5.1 to 1.5.2\n [#8845](https://github.com/Kong/kong/pull/8845)\n- Bumped penlight from 1.12.0 to 1.13.1\n [#9206](https://github.com/Kong/kong/pull/9206)\n- Bumped lua-resty-mlcache from 2.5.0 to 2.6.0\n [#9287](https://github.com/Kong/kong/pull/9287)\n\n### Additions\n\n#### Performance\n\n- Do not register unnecessary event handlers on Hybrid mode Control Plane\n nodes [#8452](https://github.com/Kong/kong/pull/8452).\n- Use the new timer library to improve performance,\n except for the plugin server.\n [#8912](https://github.com/Kong/kong/pull/8912)\n- Increased use of caching for DNS queries by activating `additional_section` by default\n [#8895](https://github.com/Kong/kong/pull/8895)\n- `pdk.request.get_header` changed to a faster implementation, not to fetch all headers every time it's called\n [#8716](https://github.com/Kong/kong/pull/8716)\n- Conditional rebuilding of router, plugins iterator and balancer on DP\n [#8519](https://github.com/Kong/kong/pull/8519),\n [#8671](https://github.com/Kong/kong/pull/8671)\n- Made config loading code more cooperative by yielding\n [#8888](https://github.com/Kong/kong/pull/8888)\n- Use LuaJIT encoder instead of JSON to serialize values faster in LMDB\n [#8942](https://github.com/Kong/kong/pull/8942)\n- Move inflating and JSON decoding non-concurrent, which avoids blocking and makes DP reloads faster\n [#8959](https://github.com/Kong/kong/pull/8959)\n- Stop duplication of some events\n [#9082](https://github.com/Kong/kong/pull/9082)\n- Improve performance of config hash calculation by using string buffer and tablepool\n [#9073](https://github.com/Kong/kong/pull/9073)\n- Reduce cache usage in dbless by not using the kong cache for Routes and Services in LMDB\n [#8972](https://github.com/Kong/kong/pull/8972)\n\n\n#### Core\n\n- Implemented delayed response in stream mode\n [#6878](https://github.com/Kong/kong/pull/6878)\n- Added `cache_key` on target entity for uniqueness detection.\n [#8179](https://github.com/Kong/kong/pull/8179)\n- Introduced the tracing API which compatible with OpenTelemetry API spec and\n add build-in instrumentations.\n The tracing API is intend to be used with a external exporter plugin.\n Build-in instrumentation types and sampling rate are configuable through\n `opentelemetry_tracing` and `opentelemetry_tracing_sampling_rate` options.\n [#8724](https://github.com/Kong/kong/pull/8724)\n- Added `path`, `uri_capture`, and `query_arg` options to upstream `hash_on`\n for load balancing.\n [#8701](https://github.com/Kong/kong/pull/8701)\n- Introduced unix domain socket based `lua-resty-events` to\n replace shared memory based `lua-resty-worker-events`.\n [#8890](https://github.com/Kong/kong/pull/8890)\n- Introduced a new router implementation `atc-router`,\n which is written in Rust.\n [#8938](https://github.com/Kong/kong/pull/8938)\n- Introduce a new field for entities `table_name` that allows to specify a\n table name. Before the name was deduced by the entity `name` attribute.\n [#9182](https://github.com/Kong/kong/pull/9182)\n- Added `headers` on active healthcheck for upstreams.\n [#8255](https://github.com/Kong/kong/pull/8255)\n- Target entities using hostnames were resolved when they were not needed. Now\n when a target is removed or updated, the DNS record associated with it is\n removed from the list of hostnames to be resolved.\n [#8497](https://github.com/Kong/kong/pull/8497) [9265](https://github.com/Kong/kong/pull/9265)\n- Improved error handling and debugging info in the DNS code\n [#8902](https://github.com/Kong/kong/pull/8902)\n- Kong will now attempt to recover from an unclean shutdown by detecting and\n removing dangling unix sockets in the prefix directory\n [#9254](https://github.com/Kong/kong/pull/9254)\n\n#### Admin API\n\n- Added a new API `/timers` to get the timer statistics.\n [#8912](https://github.com/Kong/kong/pull/8912)\n and worker info\n [#8999](https://github.com/Kong/kong/pull/8999)\n- `/` endpoint now includes plugin priority\n [#8821](https://github.com/Kong/kong/pull/8821)\n\n#### Hybrid Mode\n\n- Add wRPC protocol support. Now configuration synchronization is over wRPC.\n wRPC is an RPC protocol that encodes with ProtoBuf and transports\n with WebSocket.\n [#8357](https://github.com/Kong/kong/pull/8357)\n- To keep compatibility with earlier versions,\n add support for CP to fall back to the previous protocol to support old DP.\n [#8834](https://github.com/Kong/kong/pull/8834)\n- Add support to negotiate services supported with wRPC protocol.\n We will support more services than config sync over wRPC in the future.\n [#8926](https://github.com/Kong/kong/pull/8926)\n- Declarative config exports happen inside a transaction in Postgres\n [#8586](https://github.com/Kong/kong/pull/8586)\n\n#### Plugins\n\n- Sync all plugin versions to the Kong version\n [#8772](https://github.com/Kong/kong/pull/8772)\n- Introduced the new **OpenTelemetry** plugin that export tracing instrumentations\n to any OTLP/HTTP compatible backend.\n `opentelemetry_tracing` configuration should be enabled to collect\n the core tracing spans of Kong.\n [#8826](https://github.com/Kong/kong/pull/8826)\n- **Zipkin**: add support for including HTTP path in span name\n through configuration property `http_span_name`.\n [#8150](https://github.com/Kong/kong/pull/8150)\n- **Zipkin**: add support for socket connect and send/read timeouts\n through configuration properties `connect_timeout`, `send_timeout`,\n and `read_timeout`. This can help mitigate `ngx.timer` saturation\n when upstream collectors are unavailable or slow.\n [#8735](https://github.com/Kong/kong/pull/8735)\n- **AWS-Lambda**: add support for cross account invocation through\n configuration properties `aws_assume_role_arn` and\n `aws_role_session_name`.[#8900](https://github.com/Kong/kong/pull/8900)\n [#8900](https://github.com/Kong/kong/pull/8900)\n- **AWS-Lambda**: accept string type `statusCode` as valid return when\n working in proxy integration mode.\n [#8765](https://github.com/Kong/kong/pull/8765)\n- **AWS-Lambda**: separate aws credential cache by IAM role ARN\n [#8907](https://github.com/Kong/kong/pull/8907)\n- **Statsd**: :fireworks: **Newly open-sourced plugin capabilities**: All capabilities of [Statsd Advanced](https://docs.konghq.com/hub/kong-inc/statsd-advanced/) are now bundled in [Statsd](https://docs.konghq.com/hub/kong-inc/statsd).\n [#9046](https://github.com/Kong/kong/pull/9046)\n\n#### Configuration\n\n- A new configuration item (`openresty_path`) has been added to allow\n developers/operators to specify the OpenResty installation to use when\n running Kong (instead of using the system-installed OpenResty)\n [#8412](https://github.com/Kong/kong/pull/8412)\n- Add `ipv6only` to listen options (e.g. `KONG_PROXY_LISTEN`)\n [#9225](https://github.com/Kong/kong/pull/9225)\n- Add `so_keepalive` to listen options (e.g. `KONG_PROXY_LISTEN`)\n [#9225](https://github.com/Kong/kong/pull/9225)\n- Add LMDB dbless config persistence and removed the JSON based\n config cache for faster startup time\n [#8670](https://github.com/Kong/kong/pull/8670)\n- `nginx_events_worker_connections=auto` has a lower bound of 1024\n [#9276](https://github.com/Kong/kong/pull/9276)\n- `nginx_main_worker_rlimit_nofile=auto` has a lower bound of 1024\n [#9276](https://github.com/Kong/kong/pull/9276)\n\n#### PDK\n\n- Added new PDK function: `kong.request.get_start_time()`\n [#8688](https://github.com/Kong/kong/pull/8688)\n- `kong.db.*.cache_key()` falls back to `.id` if nothing from `cache_key` is found\n [#8553](https://github.com/Kong/kong/pull/8553)\n\n### Fixes\n\n#### Core\n\n- The schema validator now correctly converts `null` from declarative\n configurations to `nil`.\n [#8483](https://github.com/Kong/kong/pull/8483)\n- Only reschedule router and plugin iterator timers after finishing previous\n execution, avoiding unnecessary concurrent executions.\n [#8567](https://github.com/Kong/kong/pull/8567)\n- External plugins now handle returned JSON with null member correctly.\n [#8611](https://github.com/Kong/kong/pull/8611)\n- Fixed an issue where the address of the environ variable could change but the code didn't\n assumed it was fixed after init\n [#8581](https://github.com/Kong/kong/pull/8581)\n- Fix issue where the Go plugin server instance would not be updated after\n a restart (e.g., upon a plugin server crash).\n [#8547](https://github.com/Kong/kong/pull/8547)\n- Fixed an issue on trying to reschedule the DNS resolving timer when Kong was\n being reloaded.\n [#8702](https://github.com/Kong/kong/pull/8702)\n- The private stream API has been rewritten to allow for larger message payloads\n [#8641](https://github.com/Kong/kong/pull/8641)\n- Fixed an issue that the client certificate sent to upstream was not updated when calling PATCH Admin API\n [#8934](https://github.com/Kong/kong/pull/8934)\n- Fixed an issue where the CP and wRPC modules would cause Kong to crash when calling `export_deflated_reconfigure_payload` without a pcall\n [#8668](https://github.com/Kong/kong/pull/8668)\n- Moved all `.proto` files to `/usr/local/kong/include` and ordered by priority.\n [#8914](https://github.com/Kong/kong/pull/8914)\n- Fixed an issue that cause unexpected 404 error on creating/updating configs with invalid options\n [#8831](https://github.com/Kong/kong/pull/8831)\n- Fixed an issue that causes crashes when calling some PDK APIs\n [#8604](https://github.com/Kong/kong/pull/8604)\n- Fixed an issue that cause crashes when go PDK calls return arrays\n [#8891](https://github.com/Kong/kong/pull/8891)\n- Plugin servers now shutdowns gracefully when Kong exits\n [#8923](https://github.com/Kong/kong/pull/8923)\n- CLI now prompts with `[y/n]` instead of `[Y/n]`, as it does not take `y` as default\n [#9114](https://github.com/Kong/kong/pull/9114)\n- Improved the error message when Kong cannot connect to Cassandra on init\n [#8847](https://github.com/Kong/kong/pull/8847)\n- Fixed an issue where Vault Subschema wasn't loaded in `off` strategy\n [#9174](https://github.com/Kong/kong/pull/9174)\n- The Schema now runs select transformations before process_auto_fields\n [#9049](https://github.com/Kong/kong/pull/9049)\n- Fixed an issue where Kong would use too many timers to keep track of upstreams when `worker_consistency`=`eventual`\n [#8694](https://github.com/Kong/kong/pull/8694),\n [#8858](https://github.com/Kong/kong/pull/8858)\n- Fixed an issue where it wasn't possible to set target status using only a hostname for targets set only by their hostname\n [#8797](https://github.com/Kong/kong/pull/8797)\n- Fixed pagination issue when getting to the second page while iterationg over a foreign key field using the DAO\n [#9255](https://github.com/Kong/kong/pull/9255)\n- Fixed an issue where cache entries of some entities were not being properly invalidated after a cascade delete\n [#9261](https://github.com/Kong/kong/pull/9261)\n- Running `kong start` when Kong is already running will no longer clobber\n the existing `.kong_env` file [#9254](https://github.com/Kong/kong/pull/9254)\n\n\n#### Admin API\n\n- Support HTTP/2 when requesting `/status`\n [#8690](https://github.com/Kong/kong/pull/8690)\n\n#### Plugins\n\n- Plugins with colliding priorities have now deterministic sorting based on their name\n [#8957](https://github.com/Kong/kong/pull/8957)\n- External Plugins: better handling of the logging when a plugin instance loses the instances_id in an event handler\n [#8652](https://github.com/Kong/kong/pull/8652)\n- **ACME**: `auth_method` default value is set to `token`\n [#8565](https://github.com/Kong/kong/pull/8565)\n- **ACME**: Added cache for `domains_matcher`\n [#9048](https://github.com/Kong/kong/pull/9048)\n- **syslog**: `conf.facility` default value is now set to `user`\n [#8564](https://github.com/Kong/kong/pull/8564)\n- **AWS-Lambda**: Removed `proxy_scheme` field from schema\n [#8566](https://github.com/Kong/kong/pull/8566)\n- **AWS-Lambda**: Change path from request_uri to upstream_uri, fix uri can not follow the rule defined in the request-transformer configuration\n [#9058](https://github.com/Kong/kong/pull/9058) [#9129](https://github.com/Kong/kong/pull/9129)\n- **hmac-auth**: Removed deprecated signature format using `ngx.var.uri`\n [#8558](https://github.com/Kong/kong/pull/8558)\n- Remove deprecated `blacklist`/`whitelist` config fields from bot-detection, ip-restriction and ACL plugins.\n [#8560](https://github.com/Kong/kong/pull/8560)\n- **Zipkin**: Correct the balancer spans' duration to include the connection time\n from Nginx to the upstream.\n [#8848](https://github.com/Kong/kong/pull/8848)\n- **Zipkin**: Correct the calculation of the header filter start time\n [#9230](https://github.com/Kong/kong/pull/9230)\n- **Zipkin**: Compatibility with the latest Jaeger header spec, which makes `parent_id` optional\n [#8352](https://github.com/Kong/kong/pull/8352)\n- **LDAP-Auth**: Refactored ASN.1 parser using OpenSSL API through FFI.\n [#8663](https://github.com/Kong/kong/pull/8663)\n- **Rate-Limiting** and **Response-ratelimiting**: Fix a disordered behaviour caused by `pairs` function\n which may cause Postgres DEADLOCK problem [#8968](https://github.com/Kong/kong/pull/8968)\n- **Response-rate-Limiting**: Fix a disordered behaviour caused by `pairs` function\n which may cause Postgres DEADLOCK problem [#8968](https://github.com/Kong/kong/pull/8968)\n- **gRPC gateway**: Fix the handling of boolean fields from URI arguments\n [#9180](https://github.com/Kong/kong/pull/9180)\n- **Serverless Functions**: Fix problem that could result in a crash\n [#9269](https://github.com/Kong/kong/pull/9269)\n- **Azure-functions**: Support working without dummy service\n [#9177](https://github.com/Kong/kong/pull/9177)\n\n\n#### Clustering\n\n- The cluster listener now uses the value of `admin_error_log` for its log file\n instead of `proxy_error_log` [#8583](https://github.com/Kong/kong/pull/8583)\n- Fixed a typo in some business logic that checks the Kong role before setting a\n value in cache at startup [#9060](https://github.com/Kong/kong/pull/9060)\n- Fixed DP get zero size config while service with plugin-enabled route is disabled\n [#8816](https://github.com/Kong/kong/pull/8816)\n- Localize `config_version` to avoid a race condition from the new yielding config loading code\n [#8188](https://github.com/Kong/kong/pull/8818)\n\n#### PDK\n\n- `kong.response.get_source()` now return an error instead of an exit when plugin throws\n runtime exception on access phase [#8599](https://github.com/Kong/kong/pull/8599)\n- `kong.tools.uri.normalize()` now does escaping of reserved and unreserved characters more correctly\n [#8140](https://github.com/Kong/kong/pull/8140)\n\n## Previous releases\n\nPlease see [CHANGELOG-OLD.md](CHANGELOG-OLD.md) file for < 3.0 releases.\n\n[Back to TOC](#table-of-contents)\n\n[3.3.0]: https://github.com/Kong/kong/compare/3.2.0...3.3.0\n[3.2.0]: https://github.com/Kong/kong/compare/3.1.0...3.2.0\n[3.1.0]: https://github.com/Kong/kong/compare/3.0.1...3.1.0\n[3.0.1]: https://github.com/Kong/kong/compare/3.0.0...3.0.1\n[3.0.0]: https://github.com/Kong/kong/compare/2.8.1...3.0.0\n" }, { "path": "CODE_OF_CONDUCT.md", "content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, we as\ncontributors and maintainers pledge to make participation in our project and\nour community a harassment-free experience for everyone, regardless of age, body\nsize, disability, ethnicity, gender identity and expression, level of experience,\nnationality, personal appearance, race, religion, or sexual identity and\norientation.\n\n## Our Standards\n\nExamples of behavior that contributes to creating a positive environment\ninclude:\n\n* Using welcoming and inclusive language\n* Being respectful of differing viewpoints and experiences\n* Gracefully accepting constructive criticism\n* Focusing on what is best for the community\n* Showing empathy towards other community members\n\nExamples of unacceptable behavior by participants include:\n\n* The use of sexualized language or imagery and unwelcome sexual attention or\nadvances\n* Trolling, insulting/derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or electronic\n address, without explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n professional setting\n\n## Our Responsibilities\n\nProject maintainers are responsible for clarifying the standards of acceptable\nbehavior and are expected to take appropriate and fair corrective action in\nresponse to any instances of unacceptable behavior.\n\nProject maintainers have the right and responsibility to remove, edit, or\nreject comments, commits, code, wiki edits, issues, and other contributions\nthat are not aligned to this Code of Conduct, or to ban temporarily or\npermanently any contributor for other behaviors that they deem inappropriate,\nthreatening, offensive, or harmful.\n\n## Scope\n\nThis Code of Conduct applies both within project spaces and in public spaces\nwhen an individual is representing the project or its community. Examples of\nrepresenting a project or community include using an official project e-mail\naddress, posting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event. Representation of a project may be\nfurther defined and clarified by project maintainers.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported by contacting the project team at support@konghq.com. All\ncomplaints will be reviewed and investigated and will result in a response that\nis deemed necessary and appropriate to the circumstances. The project team is\nobligated to maintain confidentiality with regard to the reporter of an incident.\nFurther details of specific enforcement policies may be posted separately.\n\nProject maintainers who do not follow or enforce the Code of Conduct in good\nfaith may face temporary or permanent repercussions as determined by other\nmembers of the project's leadership.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,\navailable at [http://contributor-covenant.org/version/1/4][version]\n\n[homepage]: http://contributor-covenant.org\n[version]: http://contributor-covenant.org/version/1/4/\n" }, { "path": "COMMUNITY_PLEDGE.md", "content": "# Our pledge to the open source community\n\nKong Gateway is not only an awesome open source project, but also part\nof the product offering of Kong Inc. We have a large team of product\npeople, software developers, testers and release engineers working on\nKong Gateway. We make many of the enhancements to Kong Gateway in the\nCommunity Edition, so our open source community directly benefits from\nthe commercial work that we do.\n\nRecognizing that we operate as a commercial entity, we face the\nchallenge of balancing our commercial interests with the desire to\naccommodate and support open source users and contributors\neffectively.\n\n## Response time to GitHub issues and pull requests\n\nIn the Kong Gateway team, we're committed to maintaining a rapid and\ntimely response to community contributions, promising to acknowledge\nand engage within a dedicated timeframe of 10 working days. It is\nimportant to note, however, that while we strive to be as responsive\nas possible, we may not always be able to offer immediate solutions to\nevery reported problem or incorporate every submitted pull request\ninto the product.\n\n## Maintaining an active working set\n\nWe will be closing pull requests or issue reports when we made the\ndecision that we will not be able to merge or resolve them in the\nforeseeable future. We do that in the interest of keeping our working\nset manageable, as accumulating pull requests and issues which don't\nmake progress does not help improving Kong Gateway in the long run.\n\nWe automatically close issues and pull requests for which we do not\nget responses to our questions or update requests within 3 weeks.\n" }, { "path": "CONTRIBUTING.md", "content": "# Contributing to Kong :monkey_face:\n\nHello, and welcome! Whether you are looking for help, trying to report a bug,\nthinking about getting involved in the project, or about to submit a patch, this\ndocument is for you! It intends to be both an entry point for newcomers to\nthe community (with various technical backgrounds), and a guide/reference for\ncontributors and maintainers.\n\nPlease have a look at our [Community Pledge](./COMMUNITY_PLEDGE.md) to\nunderstand how we work with our open-source contributors!\n\nConsult the Table of Contents below, and jump to the desired section.\n\n# Table of Contents\n\n* [Contributing to Kong :monkey_face:](#contributing-to-kong-monkey_face)\n * [Where to seek for help?](#where-to-seek-for-help)\n * [Enterprise Edition](#enterprise-edition)\n * [Community Edition](#community-edition)\n * [Where to report bugs?](#where-to-report-bugs)\n * [Where to submit feature requests?](#where-to-submit-feature-requests)\n * [Contributing](#contributing)\n * [Improving the documentation](#improving-the-documentation)\n * [Proposing a new plugin](#proposing-a-new-plugin)\n * [Submitting a patch](#submitting-a-patch)\n * [Git branches](#git-branches)\n * [Commit atomicity](#commit-atomicity)\n * [Commit message format](#commit-message-format)\n * [Type](#type)\n * [Scope](#scope)\n * [Subject](#subject)\n * [Body](#body)\n * [Footer](#footer)\n * [Examples](#examples)\n * [Static linting](#static-linting)\n * [Writing tests](#writing-tests)\n * [Writing changelog](#writing-changelog)\n * [Writing performant code](#writing-performant-code)\n * [Adding Changelog](#adding-changelog)\n * [Contributor Badge](#contributor-badge)\n * [Code style](#code-style)\n * [Table of Contents - Code style](#table-of-contents---code-style)\n * [Modules](#modules)\n * [Variables](#variables)\n * [Tables](#tables)\n * [Strings](#strings)\n * [Functions](#functions)\n * [Conditional expressions](#conditional-expressions)\n\n## Where to seek for help?\n\n### Enterprise Edition\n\nIf you are a Kong Enterprise customer, you may contact the Enterprise Support channels\nby opening an Enterprise support ticket on\n[https://support.konghq.com](https://support.konghq.com/).\n\nIf you are experiencing a P1 issue, please call the [24/7 Enterprise Support\nphone line](https://support.konghq.com/hc/en-us/articles/115004921808-Telephone-Support)\nfor immediate assistance, as published in the Customer Success Reference Guide.\n\nIf you are interested in becoming a Kong Enterprise customer, please visit\nhttps://konghq.com/kong-enterprise-edition/ or contact us at\n[sales@konghq.com](mailto:sales@konghq.com).\n\n[Back to TOC](#table-of-contents)\n\n### Community Edition\n\nFor questions about the use of the Community Edition, please use\n[GitHub Discussions](https://github.com/Kong/kong/discussions). You\ncan also join our [Community Slack](http://kongcommunity.slack.com/)\nfor real-time conversations around Kong Gateway.\n\n**Please avoid opening GitHub issues for general questions or help**, as those\nshould be reserved for actual bug reports. The Kong community is welcoming and\nmore than willing to assist you on those channels!\n\nOur public forum, [Kong Nation](https://discuss.konghq.com) is great\nfor asking questions, giving advice, and staying up-to-date with the\nlatest announcements.\n\n[Back to TOC](#table-of-contents)\n\n## Where to report bugs?\n\nFeel free to [submit an issue](https://github.com/Kong/kong/issues/new/choose) on\nthe GitHub repository, we would be grateful to hear about it! Please make sure that you\nrespect the GitHub issue template, and include:\n\n1. A summary of the issue\n2. A list of steps to help reproduce the issue\n3. The version of Kong that you encountered the issue with\n4. Your Kong configuration, or the parts that are relevant to your issue\n\nIf you wish, you are more than welcome to propose a patch to fix the issue!\nSee the [Submit a patch](#submitting-a-patch) section for more information\non how to best do so.\n\n[Back to TOC](#table-of-contents)\n\n## Where to submit feature requests?\n\nYou can [submit an issue](https://github.com/Kong/kong/issues/new/choose) for feature\nrequests. Please make sure to add as much detail as you can when doing so.\n\nYou are also welcome to propose patches adding new features. See the section\non [Submitting a patch](#submitting-a-patch) for details.\n\n[Back to TOC](#table-of-contents)\n\n## Contributing\n\nIn addition to code enhancements and bug fixes, you can contribute by\n\n- Reporting a bug (see the [report bugs](#where-to-report-bugs) section)\n- Helping other members of the community on the support channels\n- Fixing a typo in the code\n- Fixing a typo in the documentation at https://docs.konghq.com (see\n the [documentation contribution](#improving-the-documentation) section)\n- Providing your feedback on the proposed features and designs\n- Reviewing Pull Requests\n\nIf you wish to contribute code (features or bug fixes), see the [Submitting a\npatch](#submitting-a-patch) section.\n\n[Back to TOC](#table-of-contents)\n\n### Improving the documentation\n\nThe documentation hosted at https://docs.konghq.com is open source and built\nwith [Jekyll](https://jekyllrb.com/). You are very welcome to propose changes to it\n(correct typos, add examples or clarifications...) and contribute to the\n[Kong Hub](https://docs.konghq.com/hub/)!\n\nThe repository is also hosted on GitHub at:\nhttps://github.com/Kong/docs.konghq.com/\n\n[Back to TOC](#table-of-contents)\n\n### Proposing a new plugin\n\nWe **do not** generally accept new plugins into this repository. The\nplugins that are currently part of it form the foundational set of\nplugins which is available to all installations of Kong Gateway.\nSpecialized functionality should be implemented in plugins residing in\nseparate repository.\n\nIf you are interested in writing a new plugin for your own needs, you\nshould begin by reading the\n[Plugin Development Guide](https://docs.konghq.com/latest/plugin-development).\n\nIf you already wrote a plugin, and are thinking about making it available to\nthe community, we strongly encourage you to host it on a publicly available\nrepository (like GitHub), and distribute it via\n[LuaRocks](https://luarocks.org/search?q=kong). A good resource on how to do\nso is the [Distribution\nSection](https://docs.konghq.com/latest/plugin-development/distribution/#distributing-your-plugin)\nof the Plugin Development Guide.\n\nTo give visibility to your plugin, we advise that you:\n\n1. Add your plugin to the [Kong Hub](https://docs.konghq.com/hub/)\n2. Create a post in the [Announcements category of Kong\n Nation](https://discuss.konghq.com/c/announcements)\n\n[Back to TOC](#table-of-contents)\n\n### Submitting a patch\n\nFeel free to contribute fixes or minor features by opening a Pull\nRequest. Small contributions are more likely to be merged quicker\nthan changes which require a lot of time to review. If you are\nplanning to develop a larger feature, please talk to us first in the\n[GitHub Discussions](https://github.com/Kong/kong/discussions)\nsection!\n\nWhen contributing, please follow the guidelines provided in this document. They\nwill cover topics such as the different Git branches we use, the commit message\nformat to use, or the appropriate code style.\n\nOnce you have read them, and you feel that you are ready to submit your Pull Request, be sure\nto verify a few things:\n\n- Your commit history is clean: changes are atomic and the git message format\n was respected\n- Rebase your work on top of the base branch (seek help online on how to use\n `git rebase`; this is important to ensure your commit history is clean and\n linear)\n- The static linting is succeeding: run `make lint`, or `luacheck .` (see the\n development documentation for additional details)\n- The tests are passing: run `make test`, `make test-all`, or whichever is\n appropriate for your change\n- Do not update `CHANGELOG.md` inside your Pull Request. This file is automatically regenerated\n and maintained during the release process.\n\nIf the above guidelines are respected, your Pull Request has all its chances\nto be considered and will be reviewed by a maintainer.\n\nIf you are asked to update your patch by a reviewer, please do so! Remember:\n**You are responsible for pushing your patch forward**. If you contributed it,\nyou are probably the one in need of it. You must be ready to apply changes\nto it if necessary.\n\nIf your Pull Request was accepted and fixes a bug, adds functionality, or\nmakes it significantly easier to use or understand Kong, congratulations!\nYou are now an official contributor to Kong. Get in touch with us to receive\nyour very own [Contributor Badge](#contributor-badge)!\n\nYour change will be included in the subsequent release and its changelog, and we will\nnot forget to include your name if you are an external contributor. :wink:\n\n[Back to TOC](#table-of-contents)\n\n#### Git branches\n\nIf you have write access to the GitHub repository, please follow the following\nnaming scheme when pushing your branch(es):\n\n- `feat/foo-bar` for new features\n- `fix/foo-bar` for bug fixes\n- `tests/foo-bar` when the change concerns only the test suite\n- `refactor/foo-bar` when refactoring code without any behavior change\n- `style/foo-bar` when addressing some style issue\n- `docs/foo-bar` for updates to the README.md, this file, or similar documents\n- `chore/foo-bar` when the change does not concern the functional source\n- `perf/foo-bar` for performance improvements\n\n[Back to TOC](#table-of-contents)\n\n#### Commit atomicity\n\nWhen submitting patches, it is important that you organize your commits in\nlogical units of work. You are free to propose a patch with one or many\ncommits, as long as their atomicity is respected. This means that no unrelated\nchanges should be included in a commit.\n\nFor example: you are writing a patch to fix a bug, but in your endeavour, you\nspot another bug. **Do not fix both bugs in the same commit!** Finish your\nwork on the initial bug, propose your patch, and come back to the second bug\nlater on. This is also valid for unrelated style fixes, refactors, etc...\n\nYou should use your best judgment when facing such decisions. A good approach\nfor this is to put yourself in the shoes of the person who will review your\npatch: will they understand your changes and reasoning just by reading your\ncommit history? Will they find unrelated changes in a particular commit? They\nshouldn't!\n\nWriting meaningful commit messages that follow our commit message format will\nalso help you respect this mantra (see the below section).\n\n[Back to TOC](#table-of-contents)\n\n#### Commit message format\n\nTo maintain a healthy Git history, we ask of you that you write your commit\nmessages as follows:\n\n- The tense of your message must be **present**\n- Your message must be prefixed by a type, and a scope\n- The header of your message should not be longer than 50 characters\n- A blank line should be included between the header and the body\n- The body of your message should not contain lines longer than 72 characters\n\nWe strive to adapt the [conventional-commits](https://www.conventionalcommits.org/en/v1.0.0/)\nformat.\n\nHere is a template of what your commit message should look like:\n\n```\n(): \n\n\n\n